data portability
• right to be forgotten, until now recognised just at case-law level
• right to be informed in a transparent, fair and dynamic way about the processing of personal data, and the right to control that data
• right to be informed about data breaches
Therefore the text in question establishes a high and uniform level of data protection and aims to give citizens greater control over their data. Moreover, citizens have the right to be notified by Public Administrations and companies of a data breach (data breach notification) within 72 hours.
The regulation also implies a cultural change: protecting data means protecting people, their identity and their freedom. The text requires strong accountability and a proactive approach. Data protection finally becomes a strategic asset that must be assessed in advance, during the design of new procedures, products or services (the principles of “data protection by design” and “data protection by default”), without the bureaucratic shortcuts that in the past have often reduced data protection to the mere formality of signing the privacy policy or the consent form for processing health data. Under the provisions of the European regulation, Public Administrations and firms are obliged to carry out a preliminary impact assessment on data processing, in particular when it involves the use of new technologies and, considering its nature, scope, context and purpose, is likely to pose a high risk to the rights and freedoms of individuals. In short, the privacy impact assessment requires a precise and documented analysis of the risks to citizens' rights and freedoms.
With GDPR the “principle of accountability” enters our legislation: PA and companies that process personal data must demonstrate that they apply proper security measures, that these measures are effective in protecting data, and that they keep them constantly updated. In addition, firms must demonstrate that their activities and processing are compliant with the principles and provisions of GDPR, including the effectiveness of their security measures.
In the next post we will talk about the DPO, an important new professional role introduced by GDPR. Stay tuned!
Still not compliant with GDPR? Hurry up, time is running out: request a free consultation with our experts!