The European Regulation (679/16) – GDPR (General Data Protection Regulation), also known as the Data Protection Package, has brought about major changes in the approach to privacy and its obligations compared to the previous Privacy Code.
The legislation came into effect on May 25th, 2018 and applies to businesses, professionals and entities. The general principles and definitions as we have known them from the previous Privacy Code are unchanged; the radical change lies in the philosophy of the regulation itself.
The Regulation introduces a new principle of substantive accountability of the data controller. The purpose of the previous legislation was to certify a protection system capable of guarding data of a personal and/or sensitive nature, minimizing the risks of destruction or loss, even accidental, and preventing access by unauthorized persons.
This is a shift from a logic of compliance with the law to a logic of a true management system, or Privacy model. The goal of the Privacy Management System is to be able to demonstrate and document the company’s commitment to protecting personal data. The methodological approach of the GDPR is risk-based, that is, appropriate measures are chosen according to the specific risks identified.
The European Regulation also changed the penalty system: penalties range from a minimum of 2 percent of turnover to a maximum of 4 percent of the company’s overall turnover.
The European Regulation applies to all organizations established in the EU (even if processing takes place outside the EU), but also to organizations located outside the EU that offer goods or services to data subjects located in the EU.