
Approval of the European reform is rapidly approaching, and will significantly rewrite the rules for the use of personal data.

While with the first blog post we outlined an overview of the new regulation, now it is time to go into the new elements of the reform in detail. We have identified 10, and today we’ll describe the top five, from the geographic coverage of the obligations to the introduction of the Privacy Impact Assessment.

In brief, here’s what will change with the reform:

1) The legislation is expanding its boundaries

The question spontaneously arises: “If a non-European company processes the personal data of citizens of the old continent, which law applies?” Until now the answer was the law of the data controller, i.e. of the entity collecting the data.

This reform changes everything: the obligations of the Regulation will extend to the processing of personal data outside the European Union but used for supplying goods and services to citizens of the 28 EU member countries; the same is also true for processing that involves monitoring data.

This is quite a revolution if we consider that the old rules stipulated that the legislation to be applied was exclusively that of the nation in which the data controller was based.

What about Facebook and Google? How should they behave in the light of the new regulation? The two giants of Silicon Valley will also be subject to European legislation.

2) The new accountability criterion

Under the new regulation it will become mandatory to establish a document system for managing privacy that contains all the records related to the processing of personal data, which must also be regularly updated.

This is the logic of accountability, i.e. the correct organization, documentation and traceability of processing activities. The document system must necessarily include an extensive set of details, such as how the data was collected, where and when. It will be like a black box tracking the processing.

Those who do not organize the data management in the best possible way are liable to be sanctioned, regardless of the abuses that may or may not arise from it.

3) New items to be reported in the disclosure document

The disclosure document will no longer be a bureaucratic and formal tool. Under the new regulation it should be made in a concise form that is clear, understandable and easily accessible, with simple and clear language, especially in disclosure documents intended specifically for minors.

The information must be provided in writing, in paper or digital form. If requested by the person concerned, the information can be given orally, provided that the holder’s identity is proven by other means.

Moreover, it will be necessary to inform interested parties about the origin of data processed and indicate their storage time.

4) Amending, supplementing and deleting data 

With the old regulation, interested parties who wanted to amend, supplement or delete their information encountered great difficulties in requesting access to the data.

The new criteria are designed to make it easier for interested parties to exercise their rights, by including mechanisms to request and obtain access to data for free, and to correct and delete them. One of the duties of those collecting the data will be to prepare the means for forwarding requests electronically, especially in cases where the personal data are processed by electronic means.

5) The introduction of the Privacy Impact Assessment

For years we have been accustomed to managing the so-called Documento Programmatico sulla Sicurezza (DPS – Privacy Policy Document), a kind of snapshot that documents the adequacy of the security measures adopted to process personal data.

It stopped being mandatory in 2012, but with the new regulation we will soon have to learn to handle a new tool: the Privacy Impact Assessment (PIA), the document assessing the impact of data processing.

It entails a full analysis of the potential risks associated with the processing of the data. The data controller now has the duty of carrying out an assessment of the impacts caused by the processing, starting from the time the business process and the computer applications supporting the operation are designed, especially in cases where the processing presents specific risks for the rights and freedoms of those affected.

The process involves three distinct phases, which must be carried out periodically, at least once a year:

  1. analysis of risks (list analysis);
  2. definition of the list of critical issues (gap list);
  3. definition of the intervention program (action plan).

The probability and the level of risk related to the processing of data must be determined by the nature, scope, context and purpose of the data processing.

It will be a real revolution for those who are accustomed to the comfortable cadences of the DPS. The PIA will introduce deep analysis of business processes with the aim of managing and preventing risks.

Closing the circle

With our Legal & Privacy notebook our aim is to provide you with a map so you can navigate the intricate provisions of the new European Regulation. Follow us on our blog. In our next post we’ll guide you through the last five key points of the reform, with a focus on the new aspects of profiling activities.
