Following four years of preparation and debate, GDPR was approved by the European Parliament in April 2016, and the official texts of the regulation were published in all of the official languages of the EU in May 2016. The legislation came into force across the European Union on 25 May 2018, and this date is now widely understood as “year one” for the GDPR.
In that sense, this decree was the last step in a legislative process which profoundly transformed our system, and represents the start of a new era in how we understand privacy. So, how does the entry into force of the European Privacy Regulation affect companies? We discussed this with Federica De Stefani, a lawyer and privacy consultant.
GDPR: how does it affect companies?
The GDPR truly represents the start of a new era, for two different reasons. First of all, personal data is placed at the heart of the regulatory framework, and is defined as “a fundamental human right”. Second, the regulation completely changes the way we used to approach the principle of accountability of the party processing data, providing general principles that they will need to apply concretely.
This means that the norms set out what needs to be done, but don't specify how to do it.
European Regulation 679/2016 is based exactly on this concept. The person processing the data is the only party who, having better knowledge about this work than any legislator, is able to determine the appropriate and adequate measures to carry out the protections that the GDPR demands.
As of May 2018, all organisations are expected to be compliant with GDPR. This means that following potential audits, the sanctions will be fully applied, and may carry the maximum penalties set forth by the European legislation.
Data breach: what should be done in case of a personal data breach?
The data breach aspect is one of the most important innovations introduced by the European Regulation. It lays out the obligation on the part of the data controller to inform the Authority and the concerned parties about any verified breach of personal data.
As per Art. 4, n. 12, a breach of personal data is defined as: “A security breach which entails the accidental or illicit destruction, loss, modification, unauthorized disclosure, or access to personal data that is transmitted, stored, or otherwise processed”. A data breach is an event that needs to be confronted and controlled immediately, with the goal of preventing the incident from having further consequences for the concerned party, including physical, material, or immaterial damages to individuals. This includes, for example, losing control of their personal data or the restriction of their rights, discrimination, identity theft or fraud, financial losses, unauthorized deciphering of their pseudonymization, harm to their reputation, loss of confidentiality regarding personal data protected by professional secrecy, or any other significant economic or social damages affecting the individual concerned.
As soon as a data breach concerning personal data is verified, according to article 33 of the Regulation, the controller is obligated to inform the supervisory authorities of the incident, with a few exceptions. This obligation of notifying the authorities mandates that the relevant supervisory authority has to be notified of the data breach, following art. 55 of the Regulation, without unjustified delays and if possible, within 72 hours from the moment at which the controller became aware of it.
The same article 33, however, also includes an exemption, in the hypothetical case in which: “It is unlikely that the personal data breach poses a risk to the rights and liberties of the individuals.”
In other words, this means that notifying the authorities is mandatory in cases where the data breach poses a serious risk for the individuals.
Social Networks: how do we use them in accordance with the GDPR?
There's no doubt about it, the personal data protection regulation also has a significant impact on social networks.
It's important to keep in mind that social networks offer different tools and services, and this aspect may lead the user to draw completely erroneous conclusions regarding the various responsibilities of the service provider (the social network) and the user themselves, by basing these conclusions on logical reasoning that really has no basis in the legislative framework that regulates the relationship between the platform and the user. Instead, we need to analyze the technical system, the tools each platform offers its users, and also the legal norms that govern this relationship.
This means that processing done within social networks or through them is also subject to this new legislative system. Therefore, we need to analyze individual processes and the individual methods with which they are carried out, and as of today, this analysis is still not complete, nor has it been carried out by everyone using the web to promote their own businesses.
Thank you to Ms. De Stefani for helping us shine some light on this topic.
In conclusion, one year after the arrival of the GDPR – General Data Protection Regulation, we've come a long way in terms of privacy, even if the legal principles and guidelines are still changing.