Complying with GDPR to avoid heavy sanctions

by Renato Uggeri, Honorary President G.I.S.I.

The new European Privacy Regulation is here and companies are complying. On May 25th, the new EU 2016/679 GDPR (General Data Protection Regulation) will become applicable in all EU countries, modifying Italy’s law 196/2003 on privacy. As we explained in our in-depth analysis in the previous issue of “Controllo e Misura”, the GDPR was passed two years ago, but only from May will it be “effective and applicable” in all European countries. From May 25th, non-compliant countries will be liable to fines, which could reach 4% of annual sales revenues.

Any company nowadays manages millions of items of personal data, both external and internal. In this respect the data processor, that is, whoever collected these data and intends to use them, must guarantee that some fundamental rights will be respected; first and foremost, the right of the person concerned to information and consent. The reasons for this new course are evident: the pervasive spread of social media has made it easier to identify anyone by means of shared data, and the most fragile users in particular are exposed to the danger of being abused. The key issue in the new GDPR is precisely this: personal data may only be used for purposes explicitly approved by the person concerned. The new regulation eliminates the concept of sensitive data, because all personal data (be they biographical, fiscal, physiological, genetic or other data) deserve the same respectful treatment.

To study the contents of the new GDPR in depth, G.I.S.I. organized a meeting on March 20th during which the regulation was explained to participants. The success of this initiative shows that the topic is receiving great attention, since it is now a reality. A summary of the meeting is provided in the article “GDPR: the normative framework” on page 12.