Personal data protection. The EU GDPR text has been approved: and now? Conference on January 29th 16

By | Monday January 11th, 2016

Last December, the responsible committee of the EU Parliament approved the final text of the new General Data Protection Regulation (GDPR), thus closing the negotiation among EU Parliament, Commission and Council (the so-called trilogue). Now only some formal approval steps are still missing before it enters into force, steps that should be completed by the end of Q1 or around it.

Compared to the current legislation, the approved version includes many innovations, while the existing rules that are not replaced by new ones remain in force.

The meeting organized for January 29th 2016 aims to offer the first opportunity to analyse the most important of these innovations concerning IT security and IT management issues.

According to the approved version, the new Regulation will apply 24 months after the date on which it enters into force: 24 months for processors and controllers to become compliant.

Two years may seem a timeframe long enough to allow a slow approach: so, why start worrying now?

We started our blog because we think that there are good reasons to start working immediately on these issues, and the overall profile and main features of the GDPR reinforce this approach. Here are some of these features:

  • The overall approach of the GDPR impacts the business organization in depth: the IT impact is just the last, mandatory consequence of a set of changes at different levels within the organization. Changes that require time to be put in place.
  • Controllers and processors will be required to document the adopted measures, to verify periodically that they are really in place and to track operations. They may be required to demonstrate their compliance retrospectively in case of inspection or if a security event occurs, even if these take place a long time after the due date for compliance.
  • Fines are really relevant: they can reach 4% of worldwide revenues, and they don’t cancel the controller’s or processor’s responsibility towards data subjects and possible related lawsuits involving a very high number of subjects, with a high economic and image impact.
  • The GDPR introduces the opportunity to certify the company’s operations by obtaining a data protection seal, which could become a relevant differentiator from the competition in customer relations.

The protection of personal data of employees, business partners and consumers is just one of the reasons why it is mandatory and urgent to set up a more secure and controlled organization, able to face the emerging risks related to the digital transformation of social and economic relations: similar reasons apply to the protection of intellectual property and of all the sensitive or secret information that the company’s know-how is made up of. The very ability to leverage the potential of the digital transformation depends on this.

The urgency to comply depends much more on the speed of technological evolution, on the new behaviours it causes with the related business opportunities, and on the new risks it creates, than on the bureaucratic need to comply. It is more a business issue than a compliance one.

The GDPR reflects the same approach as all the security management and business control best practices. Therefore the investments aimed at GDPR compliance will also have a positive impact on other business contexts, with an overall benefit for the organization.

For all these reasons we decided to start an open debate on these issues immediately: the event that will be held on Jan. 29th will be the first public opportunity for it.

One thought on “Personal data protection. The EU GDPR text has been approved: and now? Conference on January 29th 16”

  1. paolo calvi

    Within the EUROPRIVACY #Ready4EUDataP workshop, dedicated to the practical consequences of the new EU General Data Protection Regulation, I found particularly interesting the topic concerning the role of the Data Protection Officer, discussed in the speech of Biagio Lammoglia with Fabio Guasconi. Various aspects have been taken into consideration:
    DESIGNATION (art. 35 of the GDPR) – mandatory for public entities, conditioned by the presence of certain circumstances for private companies: systematic personal data processing as core business (someone said BIG DATA?) or large-scale processing of sensitive/judicial data. It will be crucial to see the translation of the terms used and what their interpretation will be in order to define the perimeter of the companies “forced” to appoint the DPO.
    POSITION (Art. 36) – the role will have to be characterized by cross-disciplinarity, adequate financial resources, autonomy, protection, a higher hierarchical level and absence of conflict of interest with any other roles of the same person. In my opinion such a configuration makes it extremely onerous to locate this position within the company. Can consulting firms therefore legitimately expect that the majority of companies, small and medium-sized at least, will prefer to rely on an external DPO?
    TASKS (art. 37) – The DPO appears to be vested with the responsibility of raising awareness (information and advice), control (supervising compliance, liability, training and auditing), strategic support (helping with PIA and risk assessment) and representation (in front of the DP Authority): all of these tasks are far from operating activities; it would then appear that the role of the DPO, as outlined by the GDPR, takes the form of an eminently “oversight” professional (albeit apart from Internal Audit), very different from those who have the responsibility to “implement” privacy.
    It could therefore seem necessary to duplicate the positions: a DPO (as described above) and a distinct position, which could be called PRIVACY OFFICER, invested with all operational activities. It is clear that many companies will not like this redundancy, but it is hard to think that they can appoint only an oversight function (and then who does what has to be done?), or that the person can also assume operational duties (in that way he would control himself). Once again, one would think that the Privacy Officer is appropriately placed within the company, while the DPO would better be hired externally. But this may be an opinion overly influenced by the expectations of external consultants (which I happen to be…).
    It will be interesting to follow how this matter will be discussed in Italy in the context of the UNINFO E14D00036 project, which has the task of issuing a UNI specification for the Professionals of Privacy, according to the 4/2013 law on non-organized professions and using the EU “e-CF” scheme (e-competence framework).
