Email marketing and privacy: from the Data Privacy Officer to the new sanctions
In this article
We have reached the final act of our journey through the new General Data Protection Regulation, being published in the EU Official Journal. Let us together recap the path taken:
- we have drawn up a review of the new reform;
- we have meandered through legal text by exploring the first five essential points;
- we set aside time to dwell on two key points of the company’s privacy: consensus and profiling, which are also affected by the reform.
Do not miss the complete circle, by detailing the last five substantial innovations of the European Reform. Let us start.
6) Less bureaucracy: goodbye to the notification
Until now, those who carried out certain treatments (geolocation, genetic research, profiling, analysis of timely payments and other types of particularly invasive treatments) were required to provide an advance notice of their activities to the Guarantor for the protection of personal data.
With the European reform, which will come into force in 2018, this obligation to notify the Guarantor is abolished. Considered too burdensome, both administratively and financially – and never really effective -, the notification will be replaced with mechanisms and procedures that focus on the processing operations that present potential risks to the rights and freedoms of subjects due to their nature, scope or purpose.
Under the new regulation, it is necessary to assess the degree of impact that such treatment may have on the privacy of the contacts.
7) A new protagonist: the Data Privacy Officer
Get ready for a new key figure that will be responsible for privacy on behalf of the company: thus was born the Data Privacy Officer, or the person responsible for the protection of personal data. A mandatory figure, in cases, where:
- the entity which processes data is a public entity;
- the company is revealing a lot of personal data;
- the company is systematically treating sensitive or judicial data.
The Data Privacy Officer, who can be a company consultant, must meet the requirements of professionalism, independence and autonomous spending, thus becoming a sort of internal auditor to oversee treatment processes of personal data and be the referent for the Guarantor of privacy, who can be contacted in case the authority is seeking information or contesting certain processing activities.
The essential tasks of the Data Privacy Officer are:
- informing and advising the owner or manager of the treatment about their obligations under the European Regulation;
- monitoring the implementation and application of the policy holder or the controller in the field of protection of personal data, including the assignment of responsibilities, training of staff involved in treatment and related audits;
- verifying the implementation and application of European Regulation; security of data; response to the requests of the parties concerned to exercise the rights recognized in the Regulation;
- guarantee the conservation of documents relating to the treatment of data from the owner;
- checking that the violations of personal data are documented, communicated and reported;
- checking that the owner or the controller carries out the impact assessment of data protection and requires prior authorization or prior consultation in the cases;
- acting as point of contact between the company and the Guarantor;
- checking that the demands of the Guarantor are carried out and, within its powers, cooperating on its own initiative or at the request thereof.
8) Privacy by design, privacy by default
The reform introduces two new founding principles: privacy by design and privacy by default.
Privacy by design means that the protection of personal data must be planned and organized right from the design stage of information collection: it thus becomes mandatory to incorporate protection mechanisms while designing activities and for the entire management of the data lifecycle; you need to analyze the data flows associated with the asset you want to create and adopt policies that minimize the risks for treatment and reduce the amount of processed data (the so-called minimization of data activities).
Privacy by default means the obligation to prevent the collection of data is not necessary for the purposes sought: it is necessary to avoid capturing information in excess of the objectives stated in the policy.
This privacy ceases to be a mere legal requirement and becomes an intrinsic part of the information management process: this is the true essence of the reform, and whoever does not adhere to the new concept is destined to wander in search of a permanent center of gravity.
Privacy by design and by default merge into a single organizational precept that then becomes the true lodestar on the path to correct processing of data.
9) The obligation of self-denunciation for violations
This has existed in foreign countries for some time, and is called data breach notification and refers to the obligation of the Authority to report data breaches (or personal data breaches) which range from the destruction, loss, alteration, unauthorized disclosure or access, accidental or unlawful manner, of personal data transmitted, stored or otherwise processed.
With the European reform, every entity will have the duty to adapt to this new safety standard. Who, in case of violation, must:
- notify such a violation to the supervisory authority within 72 hours of the breach;
- report it to the person concerned, without undue delay.
This new security parameter is driving companies to adopt monitoring software, which reports violations immediately, and to obtain adequate insurance cover to protect them from the growing risks associated with the so-called cyber risk.
10) New generation sanctions
With the passing of the reform, the sanctions have been tightened:
- up to EUR 20 million for individuals and businesses that are not a part of corporate groups;
- up to 4% of total turnover (consolidated) for corporate groups.
It is a significant change of pace, dictated by the desire to influence and oversee the conduct of big corporations who process data in different geographic areas and try to identify the legal havens for treatment in order to evade the law.
Our journey on the new regulation ends here. We hope to have offered you complete picture of the reform, which will affect your processing activities of personal data. Do you have doubts and uncertainty about the new points system? Do not hesitate to write to us or send us your comment. We will be happy to help!