News

Short times, long times ... there is no hurry for the European Regulation, just move in advance

Nov 02 2017

As happens with many phenomena, exposure to too much information about a particular subject brings a high risk of losing sensitivity to the points that really count. Since 2012[1], many "sellers" have been boasting of an upcoming application of the EU Data Protection Regulation[2] ("Regulation") in Italy.

Riccardo Abeti[3]

This phenomenon has led to the spread of numerous inaccuracies, as well as some valid indications that, however, went unheard in a sea of words and alarmism.
Now the application date is approaching and we can begin to walk the path towards the required degree of compliance, without getting caught up in anxiety.
There is not just a single obligation to fulfil, and some of them cannot be performed in advance. For this reason, drawing up a proper schedule is the best way to prepare for the application of the Regulation (that is, May 25, 2018).

To this end, it may be helpful to answer "targeted" questions, as in the following examples:

  • Should the information given to data subjects be changed right away?
    No, unless it is unsatisfactory (in which case it should be changed anyway). A version more compliant with the measures contained in the Regulation may be prepared, calmly, by May.
  • Should the Data Protection Officer (DPO) be appointed?
    Not before figuring out whether we are obliged to or not, or whether, for some reason, it is preferable to appoint one even in the absence of such an obligation.
  • Should we design the data processing by following the principles of privacy by default and privacy by design?
    Yes, this can also be carried out before the Regulation actually becomes applicable and is, indeed, appropriate.
  • Should a data protection impact analysis (so-called DPIA or PIA) be started?
    Before rushing to launch a DPIA, let's determine whether it is necessary; nothing prevents us from initiating one if it is a borderline case whether it is mandatory. If, on the other hand, certain elements point to the need for a prior consultation (anticipating, for some reason, what in other cases results only from a DPIA), it is advisable to consider this a priority step.
  • Could the Privacy Code (30 June 2003, no. 196) be disapplied or ignored?
    No! The incompatible parts will be revoked, but the Government has the power to "amend it", filling, among other things, the many gaps caused by the "generic" nature of the European Regulation.

And if one of the provisions of the Regulation does not concern our company/administration, how should we behave?
The group of European Authorities (the so-called Article 29 Working Party), in the guidelines it has adopted (currently two: a document on the DPO and one on the data protection impact analysis), has recommended "documenting" the reasons for not carrying out a compliance procedure. This recommendation concerns, in particular, the appointment of the Data Protection Officer.

The first piece of advice is, therefore, not to deal superficially with the matter; the second is not only to read the articles of the Regulation but also to focus on the "considering" clauses, i.e. the recitals (which often do not have a marginal role but instead clarify concepts used in the Regulation), and to examine the numerous "surrounding" documents (for example, the aforementioned Guidelines). Lastly, it is advisable to schedule each step carefully, starting from the more structural ones and ending with the more "bureaucratic" ones, in order to put in place a project that leads, in an organic and effective way, to the implementation of the provisions of the Regulation.

________________

[1] Year in which the European Commission submitted the proposal for new EU legislation on personal data protection.
[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[3] Lawyer, Partner of EXP Legal – Italian and International law firm, expert and professor of Information & Communication Technology, Data Protection and Companies criminal responsibility (legislative decree 231 of 2001).
