Data protection: what changes with the new regulations

A few weeks before the application of the new European regulations, scheduled for May 25th, let us analyse some essential aspects of the new rules concerning privacy

by Renato Uggeri

Twenty years after Italy’s first privacy law, no. 675, issued in 1996 and subsequently replaced by the Privacy Code in 2003, the topic of data protection seems to be going through a second childhood on account of a new European normative framework, which should lead to greater uniformity and, above all, should be better suited to the revolution brought about by digital technologies.

The result of many years of work to ensure data protection
With the new general regulation on data protection (GDPR, General Data Protection Regulation – EU Regulation 2016/679), the European Commission intends to reinforce and make more uniform the protection of the personal data of citizens and residents of the European Union, be it within or outside the boundaries of the Union itself. The EU Regulation on data protection, or “European privacy regulation”, is a rather complex document, almost three hundred pages long including foreword and articles proper, designed to replace the old Directive no. 46 dated 1995, which however must be credited with being the first to regulate the sensitive theme of the processing of personal data.
In January 2012, the Commission had already introduced the so-called “data protection project”, with the purpose of ensuring a harmonised system regarding privacy across the whole of the EU. The package includes two different tools: – a proposed Regulation regarding “the protection of individuals with regard to the processing of personal data and the free movement of such data”; the purpose of this Regulation is to regulate the processing of personal data in both the private and public sectors; – a proposed Directive meant to regulate sectors which deal with the prevention, combating and repression of crimes.
This also specifies the legal sanctions and their application. On May 24th, 2016, the Regulation officially came into force, and it will finally become applicable in all EU countries as from May 25th.

The Regulation’s contents
The Regulation states that processing must be founded on appropriate legal grounds.
The bases of the legitimacy of data processing coincide in general with the ones currently defined by the Privacy Code (consent, compliance with contractual obligations, vital interests of the person concerned or of third parties, legal obligations on the data holder’s part, general interest or exercise of public authority, prevailing legitimate interest of the data holder or of third parties who obtain the data). In particular, as regards consent, for “sensitive” data this must be “explicit”, just like consent to decisions based on automatic processing (including profiling). It should be noted that consent need not be “recorded in writing”, nor is “written form” required; besides, the holder must be able to prove that the person concerned consented to a specific form of processing.

Characteristics of consent
Consent must be free, specific, informed and unambiguous; tacit or implied consent is not accepted (pre-ticked boxes on a form are therefore not enough). Consent collected before May 25th is valid if it has all the above characteristics. Otherwise, it is advisable to act before this date and obtain the consent of the persons concerned again, as prescribed by the Regulation. In particular, it is necessary to verify that the request for consent can be clearly distinguished from other requests or declarations addressed to the person concerned, for instance within forms. It is also necessary to pay attention to the wording used to obtain consent: this must be understandable, simple and clear. The main innovation introduced by the Regulation is the principle of “accountability”, which entrusts the data processors with the task of ensuring, and being able to prove, respect for the principles applicable to the processing of personal data.

Responsibility for data protection
In order to provide a first orientation, the personal data protection Officer recommends that public administrations name Data protection managers taking into account their professional qualities and their specialist knowledge of the norms regarding data protection. The Regulation also envisages the creation of the Register for processing activities. It is essential to start as soon as possible the recognition of the processing activities carried out and their main characteristics (purpose of the processing, description of data categories and persons concerned, categories of persons to whom communications will be addressed, safety measures, time period during which the data will be kept on file and any other information which the data holder considers appropriate to document the processing activities carried out), which may help in creating the register. The recognition will be the occasion to verify respect for the fundamental principles, the legitimacy of the data processing (by verifying the adequacy of the legal bases) and the advisability of introducing measures for the protection of data (privacy by design and by default), so as to ensure that, by May 25th, ongoing processing will be fully compliant.
Finally, considering the growing threat to the security of information systems, it is essential to comply with the new measures concerning data breaches, considering especially the criteria outlined for risk reduction, and to define as soon as possible appropriate organizational procedures to comply with the new rules.
The personal data protection Officer created an “enriched” version of the text of the EU Regulation which, where necessary, suggests further reading corresponding to the articles and paragraphs, so as to provide a fuller and more informed understanding of the new rules.