The evolution of privacy: the key role of the GDPR and the Data Protection Officer
An in-depth analysis of the implications of the GDPR for the management of personal data
The GDPR, which came into force on May 25, 2018, standardizes personal data protection in the EU. It introduces severe sanctions, strengthens user rights and requires security and compliance procedures, such as the Processing Register, clear information, and written designations for those managing data.
May 25, 2018 marked the entry into force of Regulation (EU) 2016/679, known as the GDPR, which aims to standardize the protection of personal data in the European Union. The regulation sets out several innovative objectives, including the strengthening of data subjects' rights and an emphasis on the principles of accountability and privacy by design and by default. It also introduces more severe fines, which can reach €20,000,000 or 4% of the group's annual worldwide turnover. A key figure in the GDPR is the Data Protection Officer (DPO), responsible for overseeing compliance with the rules. Organizations must therefore develop a privacy management system, which includes various components essential for compliance.
Management of processing activities and information notices
One of the fundamental elements for compliance with the GDPR is the Processing Register, which must be maintained by the Data Controller. It must contain details such as the contact details of the controller and, if applicable, the DPO, the purposes of the data processing, a description of the categories of data subjects and personal data, the categories of recipients of the data and, where applicable, the transfers to third countries or international organizations. It also includes data retention periods and a description of the security measures adopted. The Data Controller is also required to provide clear and transparent information to data subjects on the use of their data. This information must cover various aspects, including the identity of the Data Controller, the purposes of the processing and the rights of the data subjects.
Designations and procedures
In addition to managing processing activities, the Data Controller must issue Letters of Designation for anyone who processes personal data on its behalf, whether they are Data Processors (suppliers) or Authorized Persons (employees, including System Administrators). These designations must be in writing and contain specific instructions. Operational procedures must be well defined and compliant with the GDPR, including Privacy by Design and the DPIA (Data Protection Impact Assessment), management of data breaches, processes for exercising data subjects' rights, and the appointment of Data Processors and Authorized Persons. These procedures guarantee the correct and secure management of personal data.
Risk analysis and privacy by design
According to Article 32 of the GDPR, the Data Controller must conduct a risk analysis to determine appropriate security measures. This analysis must consider the state of the art, the costs of implementation, and the risks to the rights and freedoms of data subjects. Measures may include pseudonymisation and encryption of data, the ability to ensure the confidentiality, integrity, availability and resilience of systems, and the ability to promptly restore access to data in the event of an incident. The concept of Privacy by Design, outlined in Article 25 of the GDPR, requires integrating data protection from the very design of new processes or systems. For processing involving high risks, the Data Controller must carry out a DPIA, i.e. a data protection impact assessment, to ensure secure and regulation-compliant management.
06/06/2024 12:12
Marco Verro