
Top 5 essential activities to get ready for the European Privacy Regulation

How do you get ready for the GDPR right now? This was the topic of the seminar arranged to mark the one-year mark before the effective date of the EU Privacy Regulation.

As previously mentioned on this blog, my law firm arranged a privacy breakfast to give companies practical tips on what must be done to be prepared for the 25th of May 2018, which is now only one year away.

Below are my top five takeaways and a video (in Italian) summarizing the topics:

1. GDPR compliant privacy information notice and consents cannot wait

As provided by the recent guidelines of the Italian privacy authority, data protection regulators expect that on the 25th of May 2018 companies already have in place a privacy information notice compliant with the European General Data Protection Regulation and have obtained the required consents.

This step requires not only putting in place a “transitional” privacy information notice, but also implementing technical changes in order to manage, among other things,

  1. the deletion of personal data on the expiry of the storage period,
  2. the data portability right and
  3. the new consents to be requested.

2. A data governance system is a “must-have”

The GDPR requires full control over the data being processed. This can be achieved through a combination of organisational measures and technical tools. A data governance system able to map, at any time, the data held in information systems is necessary, as otherwise, for instance,

  1. the record of processing activities cannot be up-to-date,
  2. the storage period of each category of data cannot be monitored and
  3. the exercise of the data portability right risks leading to the loss of valuable know-how and assets.
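The two points above, deleting personal data when its storage period expires and keeping a data map from which the record of processing activities and a portability export can be derived, are easier to reason about in code. The following is an added example, not code from the post or from the law firm; the systems, data categories, retention periods and records are all constructed, and the inventory structure is a hypothetical one chosen for illustration.

```python
"""Minimal data map with retention-expiry checks and a portability export.

Added example (not the post's or the law firm's own code). It assumes a
hypothetical inventory in which every system registers the personal-data
categories it holds, the purpose of processing, and the storage period.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import json


@dataclass(frozen=True)
class DataCategory:
    """One data-map entry: what is stored where, for which purpose, for how long."""
    system: str          # hypothetical system name
    category: str        # e.g. "contact details"
    purpose: str
    storage_days: int    # retention period decided by the controller


@dataclass
class Record:
    """A stored personal-data record, tagged with its data-map entry."""
    subject_id: str
    category: DataCategory
    collected_on: date
    payload: dict = field(default_factory=dict)


def expired_records(records, today):
    """Return records whose retention period ended on or before `today`.
    The deletion itself is left to each system; this only identifies candidates."""
    return [
        r for r in records
        if r.collected_on + timedelta(days=r.category.storage_days) <= today
    ]


def processing_register(data_map):
    """Derive the record of processing activities (per system and purpose) from
    the data map, so the register cannot drift from what systems actually hold."""
    register = {}
    for entry in data_map:
        register.setdefault((entry.system, entry.purpose), []).append(entry.category)
    return {f"{s} / {p}": sorted(c) for (s, p), c in register.items()}


def portability_export(records, subject_id):
    """Build a machine-readable export of everything held about one data subject."""
    bundle = {"subject_id": subject_id, "items": []}
    for r in records:
        if r.subject_id == subject_id:
            bundle["items"].append({
                "system": r.category.system,
                "category": r.category.category,
                "collected_on": r.collected_on.isoformat(),
                "data": r.payload,
            })
    return json.dumps(bundle, sort_keys=True)


# --- constructed sample data (hypothetical systems, categories and subjects) ---
CONTACT = DataCategory("crm", "contact details", "customer service", 365)
ORDERS = DataCategory("webshop", "order history", "contract performance", 3650)
MARKETING = DataCategory("crm", "newsletter preference", "direct marketing", 730)

SAMPLE_RECORDS = [
    Record("s-1", CONTACT, date(2016, 1, 10), {"email": "a@example.com"}),
    Record("s-1", ORDERS, date(2017, 3, 2), {"orders": 3}),
    Record("s-2", CONTACT, date(2017, 4, 1), {"email": "b@example.com"}),
    Record("s-2", MARKETING, date(2014, 5, 1), {"opt_in": True}),
]
TODAY = date(2017, 5, 25)  # constructed reference date for the expiry check

if __name__ == "__main__":
    for r in expired_records(SAMPLE_RECORDS, TODAY):
        print("expired:", r.subject_id, r.category.system, r.category.category)
    print(processing_register([CONTACT, ORDERS, MARKETING]))
    print(portability_export(SAMPLE_RECORDS, "s-1"))
```

Because the storage period lives on the data-map entry rather than on each record, changing a retention decision in one place changes what `expired_records` reports everywhere, and the register returned by `processing_register` is always consistent with the map the systems were populated from.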

3. The data portability right requires an ad hoc procedure and technical functionalities

The data portability right is definitely the most interesting change introduced by the GDPR. Its management requires

  1. not only deciding how data shall be ported to third parties, but also
  2. tools to identify which data shall be ported,
  3. organisational measures to obtain the approval by the data subject and
  4. when data is received from a third party, solutions to assess which ported data can be retained.

4. Internal technical and organisational checks need to reach a higher level

In a number of companies, customers' personal data is accessible to a large number of employees with no major technical restriction on its usage, and internal organisational checks on data processing activities are mere formalities that are often ignored.

With the GDPR, the accountability principle requires a major change to privacy compliance which implies

  1. a more detailed review of the profiles of access to personal data;
  2. the implementation of technical solutions to identify potential misuses of personal data; and
  3. a reorganisation of the individuals appointed internally to monitor data protection compliance. The matter cannot be fully delegated to the DPO who also needs to be in a position of independence to be able to perform his activity in compliance with the strict requirements of the GDPR.
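The first two of these points, reviewing who is entitled to do what with personal data and spotting potential misuse by accounts that are otherwise authorised, can be illustrated with a small review run over access logs. This is an added example, not code from the post or from the law firm: the roles, the access matrix, the log line format and the log lines themselves are all constructed for illustration.

```python
"""Access-profile review and simple misuse detection over access logs.

Added example (not the post's or the law firm's code). It assumes a
hypothetical log line format "timestamp user role action customer_id" and a
hypothetical access matrix stating which roles may perform which actions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical access matrix: role -> actions it is entitled to on customer records.
ACCESS_MATRIX = {
    "support": {"view"},
    "billing": {"view", "export"},
    "admin": {"view", "export", "delete"},
}

# Constructed sample log (hypothetical format: ts user role action customer_id).
SAMPLE_LOG = """\
2017-05-24T09:00:01 alice support view C1001
2017-05-24T09:00:05 alice support view C1002
2017-05-24T09:01:10 bob billing export C2001
2017-05-24T09:02:00 carol support export C3001
2017-05-24T09:03:00 dave support view C4001
2017-05-24T09:03:02 dave support view C4002
2017-05-24T09:03:04 dave support view C4003
2017-05-24T09:03:06 dave support view C4004
2017-05-24T09:03:08 dave support view C4005
2017-05-24T09:03:10 dave support view C4006
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, role, action, customer = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "action": action, "customer": customer,
        })
    return events


def unauthorised_actions(events):
    """Events where the role is not entitled to the action: a finding for the
    review of access profiles (either the profile or the action is wrong)."""
    return [e for e in events
            if e["action"] not in ACCESS_MATRIX.get(e["role"], set())]


def bulk_access(events, window=timedelta(minutes=1), threshold=5):
    """Users who touched more than `threshold` distinct customers inside any
    `window`: a simple signal of scraping or bulk export by an authorised account.
    Returns {user: largest number of distinct customers seen in one window}."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            seen = {start["customer"]}
            for later in evs[i + 1:]:
                if later["ts"] - start["ts"] > window:
                    break
                seen.add(later["customer"])
            if len(seen) > threshold:
                flagged[user] = max(flagged.get(user, 0), len(seen))
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in unauthorised_actions(events):
        print("not entitled:", e["user"], e["role"], e["action"], e["customer"])
    for user, n in bulk_access(events).items():
        print(f"bulk access: {user} touched {n} distinct customers within a minute")
```

The two checks answer different questions: `unauthorised_actions` tells the reviewer whether the access profiles match what people actually do, while `bulk_access` catches behaviour that is permitted by the profile but unusual in volume, which is exactly the kind of misuse a purely formal check never surfaces. The window and threshold are constructed values and would need tuning against real volumes.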

5. Checks need to be extended to external suppliers

It is striking that even very large companies do not have a list of all their external suppliers, and the checks performed on them are either purely security-related or, where privacy checks are run, merely formal.

On the contrary, internal procedures shall be put in place in order to

  1. create a list of all the external suppliers and ensure that they all entered into a GDPR compliant data processing agreement;
  2. run checks on external suppliers by means of a checklist at the time of the execution of the contract and during its life;
  3. perform random audits on them and
  4. depending on the specific circumstances of the case, also provide them with privacy-specific training.

What is your view on the points above? I would be happy to discuss it and below is the presentation displayed during the session. The run of our GDPR/Forrest Gump is close to an end!

And you might find interesting my series of blog posts on the EU Privacy Regulation

You can review the other posts of this series below

#1 Which companies shall care about it?

#2 Will fines be really massive?

#3 Did you run a privacy impact assessment?

#4 New risks for tech suppliers

#5 What changes with the one stop shop rule?

#6 How the new privacy data portability right impacts your industry

#7 What issues for Artificial Intelligence?

#8 How to get the best out of data?

#9 Are you able to monitor your suppliers, agents and shops?

#10 What liabilities for the data protection officer?

#11 Are you able to handle a data breach?

#12 Privacy by design, how to do it?

#13 How data on criminal convictions of employees become a privacy risk

#14 Red flag from privacy authorities on technologies at work

#15 Need a GDPR compliant data processing agreement?

#16 Is your customers’ data protected from your employees?

#18 Data retention periods, an intrigued rebus under the GDPR

#19 Legitimate interest and privacy consent, how to use them?

#20 How privacy consent changes with the GDPR?

If you found this article interesting, please share it on your favourite social media!



Giulio Coraggio

I am the location head of the Italian Intellectual Property & Technology department and the global co-head of the IoT and Gaming and Gambling groups at the world-leading law firm DLA Piper. IoT and artificial intelligence influencer and FinTech and blockchain expert, finding solutions to what's next for our client's success.
