GDPR

The European Regulation (679/16) – GDPR (General Data Protection Regulation), also known as the Data Protection Package, has brought about major changes in the approach to privacy and its fulfillments compared to the previous Privacy Code.

The legislation came into effect on May 25th, 2018 and applies to Businesses, Professionals and Entities. The general principles and definitions as we have known them from the previous Privacy Code are unchanged; the radical change is found in the philosophy of the standard itself.

The Regulations introduce a new principle of substantive accountability of the data owner. The purpose of the previous legislation was to certify a protection system capable of guarding data of a personal and/or sensitive nature, minimizing the risks of destruction or loss, even accidental, and preventing access by unauthorized persons.

This is a shift from a logic of compliance with the law to a logic of a true management system or Privacy model. The goal of the Privacy Management System is to be able to demonstrate and document the company’s commitment to protecting personal data. Themethodological approach of the GDPR is risk-based, that is, such that appropriate measures are met based on specific risks.

The European Regulation also changed the penalty system: penalties range from a minimum of 2 percent of turnover to a maximum of 4 percent of the company’s overall turnover.

The European Regulation applies to all organizations established in the EU (even if processing takes place outside the EU), but also to organizations located outside the EU that offer goods or services to data subjects located in the EU.

Implementation of the Privacy Management System

The activity involves an initial analysis of Privacy risks for which internal resources responsible for or areas deemed sensitive for the purposes of the standard are involved. This activity consists of an assessment, a thorough and comprehensive evaluation that allows us to define a plan of intervention and implementation of the appropriate and necessary measures to manage the specific risks detected.

The objective of the assessment is to bring to light any deficiencies at the organizational or procedural level; the goal of the intervention plan is the design and subsequent implementation of a Privacy Management System or Privacy Organizational Model that complies with the requirements of the GDPR.

The Privacy Organizational Model provides for improvement audits and staff training and integrates with any other management systems already implemented.

Request info