In case of violation of GDPR, companies risk fines of up to 20 million euro or the 4% the entire annual turnover of a company
From 25 May 2018 It will enter into force in Italy the new legislation on data protection (GDPR - EU Regulation. 679/2016) to adapt the rules on the protection of personal data to the new economic and social context.
The aim is to strengthen the technical and organizational measures to give a 'proper data security by reducing the risk of leakage or theft, thus avoiding to violate the privacy of citizens.
What is GDPR (General data Protection Regulation) and what changes for companies.
The general rules on data protection was adopted by the European Parliament in April 2016 "To strengthen and make the protection of personal data more homogeneous". The provisions strengthen data protection and must be respected both by companies based in the EU, both those who are based outside of it but which address data of nationals of a Member State.
All companies that process personal data must necessarily adopt the figure of Data Protection Officer and a register of processing operations so that it can be supervised by the Guarantor. The owner of the data must also adopt an incident Registry where all cases of violation or data corruption will be noted in order to prevent future accidents and improve safety measures.
The new regulation introduces a principle recognized by the Privacy: the principle of accountability, which states that it will be for the companies or authorities which own citizens' data to keep an attitude that goes toward their preservation.
The GDPR also deals data breach: it comes to loss, modification, breach or unauthorized access to data; in this case the data controller is obliged to inform the infringer the supervisory authority within 72 hours from the time when it came to knowledge.
If there is a high risk for the rights and freedoms of data subjects, These should be advised without delay. The GDPR, Furthermore, introduces the right to be forgotten: the interested party may request deletion of your personal data and the data controller, even after they have been made public, They have an obligation to inform the request for cancellation other holders who have access to the same data subject to delete them.
Why is it important to adjust their operations to GDPR?
If your site serves individuals from the EU and you, or integrated third-party services, such as Google and Facebook, process any type of personal information, you need to follow all the new rules that have to do with the consent of visitors (such as the data request form and tracking the visit with web analytics toolss), the legislation that buy banners on the website and the information privacy. If there are instances of cyber attacks or thefts, It must verify that the company has put in place the protections and the appropriate procedures.
In case of violation of GDPR, companies risk penalties of up to 20 million euro or the 4% the entire annual revenue. Add to that the risk of reputational damage company.
To design and / or adapt an existing website to Regulation GDPR?
You are afraid of the risk that the entry into force of GDPR could bring? Do you feel you ancge of multi millionaires coming for those who do not fit? Well, If you're reading this at least you're wondering about what are the practices to be implemented to ensure that you are not forced to pay millions in fines and then close shop.
But first things first and let's examine the two possible cases: develop a new site from scratch; update and adapt an existing website.
If you are about to develop a new website will be sufficient to follow and obey immediately all the instructions contained in the GDPR keeping in mind the principles of “Privacy by design” e “Privacy by default. This is still the simplest case, however, and in order not to risk anything will be enough to consult a specialist who will guide you step by step.
Case study different is instead that for the upgrading of an existing website. If you already have a website that performs processing of personal data is in fact appropriate to take action as soon as possible and evaluate interventions to load the following items:
Registration Forms / Aree private.
If Vs.. website hosting registration forms, Adaptation to GDPR might be far from painless. In this case you should check that the vs. System integrates some features, and in particular that it is always allowed user:
access their data;
change your data;
modify their consent in relation to / the treatment / s made from the site;
unsubscribe (and all your data).
E’ also necessary to ensure that data processed, following consents obtained before the entry into force of GDPR, comply with the requirements of the new legislation in relation to, often cited, principles “Privacy by design” e “Privacy by default”, otherwise it will be necessary to plan structural interventions aimed at adapting its technological infrastructure.
In this case you must inform users of all those who will be informed of the data and verify that the application does not carry some kind of user profiling.
Mass hand to the web site structure our actions are not in any case concluded. Nearly all websites in fact integrate an access measurement system. The most famous (and used) among these it is certainly Google Analytics. In this case the GDPR rules oblige us to adequately inform the user before tracking (in other words, the IP registration access must take place after the user has given consent in the manner and within the terms already seen previously). If you do not want to go down this road will still need to anonymize the IP, so as to transform the Analytics activity takes statistical value and no longer covered by the definition of “personal information”.
With the entry into force of GDPR, publishers using AdSense will make changes to their websites, in order to obtain prior consent from the user about any profiling tools and ad personalization.
The use of widgets like, eg, maps, video or social buttons, It will have some impact in optical GDPR. In this case, the website operator is required to obtain your consent about any transactions made by third parties.
With GDPR closes the era of indiscriminate spam, emails sent to contacts drawn randomly. If a user accepts the processing of their data to receive news ONLY, you can no longer send advertising messages. Every purpose requires explicit consent (for which, in the case of email marketing, the system of the double opt-in continues to be the preferable solution). But what to do with “older lists”, that is, with lists of email addresses collected before GDPR? Definitely not be thrown but, in the light of the reform, it seems appropriate to send an informative email to all contacts to reassure the recipient about the use of your data and the objectives pursued by the list manager.
Management of private areas: What changes with the GDPR?
In the case of private areas it will be necessary to draw up a diary that records all events related to the personal data in order to have proof of each activity.