The EU Privacy Regulation (GDPR) has been applicable for a year to anyone who processes the personal data of people located in Europe, and here are my recommended top 5 changes to remember.
The top 5 changes of the GDPR
The GDPR imposes burdensome (very burdensome) obligations but, at the same time, if applied correctly, privacy can become a competitive advantage at a time when data is becoming a significant asset for businesses.
The principles of the GDPR are similar to those of the EU Privacy Directive, but there are 5 significant changes to remember, which are summarized in this article.
1. Potential sanctions become huge
One of the top changes introduced by the GDPR is that the sanctions applicable in case of violations have increased to up to € 20 million or 4% of the worldwide turnover of the company responsible for the breach. This change is significant given that, under the previous regime, one of the highest sanctions issued in the European Union for a privacy breach was the € 1 million fine adopted by the Italian Data Protection Authority against Google, subsequently exceeded by the € 11 million fine of the Italian Data Protection Authority against five money transfer companies. Under the GDPR, Google-size companies risk sanctions exceeding $ 4 billion, an amount capable of bankrupting any company.
And with such high sanctions, it is not possible to exclude liability claims from shareholders vis-à-vis directors who did not take the necessary measures to comply with the GDPR, as well as the potential criminal liability against directors in countries like Italy.
But that’s not all. These measures would be in addition to possible actions by customers and users who suffered the violation of their personal data, who would have at their disposal a tool very similar to the “class action.” On top of this comes the possible order to delete illicitly collected data, which could cause enormous operational and economic damage to a business that will increasingly rely on data.
You can read an article in English on the topic in my blog post “Are privacy fines really massive under the GDPR?” and watch the video (in Italian) below.
2. We need to monitor personal data and who is processing them
One of the issues that we increasingly encounter in assisting companies that have to comply with the GDPR is the lack of control over the data they process. There are companies with millions of customers in which most of their employees (and sometimes even agents and suppliers) can access the data of all current and past customers. And they have never deleted any data, either because it would be too burdensome or because data can be “always useful.”
It is not just a question of drafting the so-called register of processing activities, which shows in a very detailed manner the type of data processed, who has access to it, how it is used and how long it is stored. You must also have the support of technical applications that can identify where the data is located inside the company and check whether the company processes it correctly.
Indeed, in case of unauthorized access to personal data or loss of data (the so-called data breach), it is in some cases necessary to notify the data protection authority and even the individuals who suffered the violation of their personal data. A data breach can happen not only because a hacker enters the computer systems, but also if an agent loses an unencrypted USB flash drive on the train with last year’s customer data, or in case of theft of pay slips left forgotten on a desk.
Therefore, it is necessary to implement internal policies for data control, and these must be supported by technical applications.
You can read my article in English on the security measures to be implemented, “Is your customers’ data protected from your employees?”, and watch the video (in Italian) below.
3. GDPR compliance checks must be effective
In the event of significant regulatory changes such as the GDPR, the most common response by companies has been the adoption of new policies that lawyers adore, but that are useful only if they are actually observed.
The GDPR requires companies to adopt a system of policies and organizational and technical measures that allows continuous control over the company’s compliance with privacy legislation and that is a constant “work in progress.”
This activity is supported by the appointment of the so-called data protection officer, one of the major novelties of the GDPR, but the DPO is not very useful (and does not represent adequate protection) if he or she cannot then verify the data processing carried out by the company. A committee can support the DPO in groups of considerable size, but no investment is sufficient unless it is supported by adequate measures of an organizational and technical nature.
Among other things, companies need to:
- adopt technical measures that block unusual behavior, or at least generate “alerts” when it occurs;
- carry out internal training courses (at least yearly) for their employees, agents, sellers, etc. on internal privacy policies and their obligations;
- carry out checks (also through the so-called compliance checklist) when the contractual relationship is established, periodically during it, and when the contract is terminated. These checks verify that agents and suppliers have the necessary infrastructure and procedures to process data in compliance with the GDPR and that, at the end of the relationship, they do not keep data of the customers/employees of the instructing party;
- make sure there is collaboration between technicians, legal, marketing, HR and anyone who processes personal data within the company, or outside it on behalf of the company. The GDPR introduces the concept of privacy by design, which requires companies to demonstrate that privacy-preserving measures have been built in from the design stage of any product/service that processes personal data.
You can read an article in English on the topic in my blog post “The DPO according to the Italian privacy authority” and watch the video (in Italian) below.
4. Be prepared to handle portability requests
The right of data portability is another new feature introduced by the GDPR that allows users, employees or any person whose data is processed by a third party to “transfer” their data to a new service provider, employer, consultant, etc.
The scope of this right is vast because, for example, new entrants in the market could use it to close the gap in historical customer data, offering customers incentives to exercise the right of data portability towards their current supplier.
And the impact could be even more significant for companies that are not ready to receive these requests, which would be unable to handle them without risking liabilities.
You can read an article in English on the topic in my blog post “How the privacy data portability right impacts you with the GDPR?” and watch the video (in Italian) below.
5. We must “evangelize” the whole company on GDPR obligations
This change is a kind of summary of all the previous principles. Ensuring compliance with privacy legislation is no longer a “nice to have”; it cannot be ignored. And this is even truer in a period when companies are undergoing a process of digitization that involves considerable profiling and, in any case, intensive processing of personal data.
Compliance with privacy legislation, and certification of that compliance, will often become a mandatory requirement for entering into contracts with banks, insurance companies, tech companies, etc. and for accessing public tenders. Compliance with privacy legislation can, therefore, become a competitive advantage over competitors, especially in this phase of transition towards the first adoption of the GDPR.
Are you late for the GDPR? Read my article in English on the topic, “Running late for the GDPR? What to do now to limit risks of challenges?”, and watch the video (in Italian) below.
May 25, 2018, will be remembered as the “millennium bug” of privacy. We must not forget, however, that from that day on the GDPR accompanies companies in all their activities, and companies that do not change their approach to privacy compliance risk not surviving. These are just the top 5 changes that companies need to implement to be GDPR compliant, but the process is long and never-ending.
These are among the topics that we will discuss during the event of the 29th of May 2019 in Rome, named “A un anno dal GDPR, cosa è successo e cosa succederà?” whose details are available HERE.