Privacy 679/2016: last call for Italy. Regulation (EU) 2016/679 (the GDPR) was adopted in 2016 and, after a two-year transition period, becomes fully applicable in every Member State, Italy included, on 25 May 2018. That date is the final deadline, and it is creating serious problems for the many companies and associations that never considered the importance of the regulation or had always underestimated or snubbed it.
SHADOIT BUSINESS CONSULTANCY LTD has created a service to carry out and review all the procedures needed to comply with GDPR 679/2016 EU, drawing on the experience already gained in Italy under Legislative Decree 196/2003 (the former Privacy Code) and on the experience of its technical consultants, some of them based in Italy, who are already prepared for and aware of the new, stricter rules on the processing of personal data and of the importance of securing data that is processed digitally. They have already tightened the protection of operating environments exposed to the Internet and the handling of visits by external personnel, who under no circumstances may be allowed to view the data held in company systems unless authorized.
PRIVACY - WHAT CHANGES
Only 27% of Italian companies are aware of the new legal obligations under Privacy 679/2016 EU, and many have always treated them superficially. We hope you are not among them.
From 25 May 2018, with no further transition period, the new European privacy regulation, GDPR 679/2016 EU, is fully applicable.
A shrug is not an acceptable response to this news, and here is why: you too will have to take the new European regulation into account for the personal data of your customers.
The year 2016, regarded by many experts as one of the worst years ever for digital security, confirmed the need to intervene on the existing legislation in order to contain, by every available means, the risks coming from the digital world.
It is estimated that only about 5 companies in 100 can claim a level of security sufficient to protect those who have entrusted their data to them.
On 25 May the European Data Protection Regulation becomes applicable: many rules remain unchanged, others have been reworked, and some are entirely new.
The GDPR (General Data Protection Regulation) will have a significant impact not only technologically but also, and above all, organizationally and legally.
PRIVACY BY DESIGN CONCEPT
Under this principle of Privacy 679/2016, prevention comes before correction: every safeguard must be built in at the design stage rather than applied afterwards, once a lack of protection has come to light. The idea comes from a concept developed in Canada in the 1990s and formalized internationally in 2010, already in use in Canada and the United States of America, although often disregarded by some large platforms (see Facebook and others).
PRIVACY BY DEFAULT CONCEPT
Under this concept, every company must have default settings under which its customers' data is processed only to the extent necessary for the stated purposes and only for the time strictly necessary to achieve them; these settings and retention times must be predefined and built in at the design stage.
The GDPR 679/2016 EU also requires a risk-based approach: the controller must evaluate the danger arising from each processing operation and be fully aware of every processing activity that could cause physical, material or non-material damage, by carrying out a preventive analysis and a careful assessment.
THE DPIA (data protection impact assessment)
This is a procedure that measures and confirms whether a processing operation complies with the rules on the protection of personal data (Privacy 679/2016 EU).
In practice it should also be carried out where it is not mandatory, since it is an extremely useful way of monitoring the processing in progress.
It becomes mandatory when the processing is likely to result in a high risk, which is presumed when at least two of the criteria set out by the regulators are met, for example systematic monitoring such as video surveillance combined with the processing of sensitive (special-category) data.
THE RECORD OF PROCESSING ACTIVITIES
This record is required and documents the processing activities carried out and the security measures adopted. It is not a mere formality but an integral part of the system for managing personal data correctly.
For this reason, whatever the size of the company, it is always advisable to keep this record, which for convenience is often maintained as a spreadsheet.
ADOPTION OF SECURITY MEASURES
Every organization must be able to demonstrate concretely that it has adopted measures ensuring the correct application of the regulation. The GDPR 679/2016 EU entrusts the controllers themselves with deciding autonomously the means, safeguards and limits of the processing of the data they hold, and with being able to prove those choices (the accountability principle), as also stated in our Legal Info.
NOTIFICATION OF DATA BREACHES
Commonly called a data breach, this is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, and it triggers a notification duty.
The GDPR 679/2016 EU requires controllers to notify the supervisory authority within 72 hours of becoming aware of the breach, whereas today an average of about 205 days passes between the breach itself and the moment the institution, company or association discovers it.
Notification to the authority is required unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; where the breach is likely to result in a high risk for those rights and freedoms, the affected persons must also be informed (Privacy 679/2016 EU).
Under the 679/2016 EU Privacy rules, every privacy notice must contain new information; among the various changes, the most notable is the introduction of the data retention period and of the criteria used to define it.
Once that period has expired the data must be erased (introduction of the right to be forgotten).
Under the 679/2016 EU Privacy rules, how long data is stored is normally tied to the purposes of the processing, and the right to be forgotten takes the form of an obligation on controllers not only to erase the data but also, where they have made the data public, to inform the other controllers processing it of the erasure request, including any links to or copies of that data.
DPO - Data Protection Officer
Not all companies and/or associations have a video surveillance system, not all profile their customers, and not all carry out direct marketing, but all of them process personal data.
We address the issue in general terms, following what appears on the website of the Italian Data Protection Authority (the Garante). Among the various changes introduced, what stands out is that the new Privacy 679/2016 EU legislation makes companies and/or associations strongly accountable for the concrete and correct application of its provisions.
There is no need to panic: these obligations fall on a great many other managers as well, and every company and/or association will therefore need a professional, a consultant able to verify and guide the organization through all these regulatory adjustments.
The DPO is a role already known in some European countries: an expert in information technology, organization and risk management who oversees the monitoring, evaluation and management of the processing, storage and protection of personal data so that it complies with national and European legislation.
The Data Protection Officer must have regulatory, technical and communication skills and a deep knowledge of how the organization's IT function is structured.
Finally, a word on the strict sanctions regime that accompanies the regulation:
administrative fines are much harsher than in the past and can reach €20,000,000 or, for undertakings, 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.
Administrative fines also apply when the Privacy by Design principle is not respected.