(La versione originale di questo post è pubblicata su Diritto24 de Il Sole 24 Ore)

On 25 May 2018, the EU General Data Protection Regulation (no. 679/16, GDPR) will enter into force. It’s a year away, it’s true, but companies will need time to meet the relevant requirements, hence it’s highly recommended that they start preparing now. Getting ready for the scheduled date will be crucial to avoid sanctions reaching 20 million euros or 4% of annual global turnover.

Below is a list of the most important requirements that companies will have to implement by 25 May 2018.

  1. The GDPR requires the company to document the data processing in place and the measures taken to protect personal data, to be verified and updated on a regular basis. Hence, an audit should first be carried out to check the existing documentation: internal policies, appointments of data processors and system administrators, information notices to employees and third parties etc. Such documentation shall then be amended and supplemented as imposed by the GDPR, which requires the adoption of further documents in addition to those provided by current legislation.
  2. Companies must put in place the legal and technical tools needed to ensure compliance with the principles of “privacy by design” and “privacy by default” set out in the GDPR.
  3. A system shall be put in place for the communication of any personal data breach within 72 hours to the relevant Data Protection Authority and to the data subjects concerned.
  4. In the case of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall assess the impact of such processing on the protection of personal data (Data Protection Impact Assessment, DPIA).
  5. Should the company process special categories of personal data on a large scale or regularly and systematically monitor data subjects on a large scale, it shall designate a Data Protection Officer (DPO) with both legal and technical skills. Such assignment may also be entrusted to an external subject, e.g. a law firm specialising in the field and also having the necessary technical skills.

Our law firm has extensive experience in the matter of data protection, since it has been providing assistance in this field for years to Italian and foreign companies, including multinational IT giants. If you want to discuss any of the above, write to info@martinimanna.com.