On April 14, 2016, the European Parliament and the Council definitively approved the Regulation on the protection of personal data (GDPR), which came into force on May 25, 2016. After a transition period of two years, from May 25, 2018 the provisions contained therein will be directly applicable throughout the European Union.
The main innovations expected relate to five areas, each of which could affect several organisational variables:
- Prior assessment of the impact of processing on the protection of personal data.
- Incorporation of privacy from the design of the process, and processing of only the personal data necessary to achieve the specific purpose.
- Recognition of specific rights of the data subject, including portability and the right to be forgotten.
- Appointment of a Data Protection Officer (DPO) to monitor the processing of personal data.
- Rules for the actions to be taken in the event of a personal data breach, including reporting violations to the competent authorities and to the data subject.
The DPO must be:
- an expert in data protection, whose task is to evaluate and organise the management of the processing of personal data, and therefore their protection, within a company, so that they are processed in a lawful and relevant manner;
- suited to designing, verifying and maintaining an organised personal data management system, interacting with the company's management systems, to ensure the adoption of the minimum security measures aimed at data protection that the law requires (Art. 37 of the GDPR).
Tema provides the Data Controller with effective support in carrying out the data protection impact assessment (DPIA).
In particular, this support delivers a complete and reasoned assessment covering:
- whether or not to conduct a DPIA;
- the choice of methodology to be adopted in the conduct of the DPIA;
- the opportunity to conduct the DPIA with internal resources or by outsourcing it;
- the safeguards to be applied, including technical and organisational measures, to mitigate risks to the rights and interests of data subjects;
- the compliance of the conclusions with the requirements of the GDPR.