In order to adapt, you need a multidisciplinary approach
Privacy in the big data era. The first thing to change is how data holders have to protect data, not just store them. The General Data Protection Regulation (GDPR) will require more attention to informed consent and company responsibility.
25 May 2018 will mark an important moment in privacy law for European citizens, since the General Data Protection Regulation will fully enter into force.
The regulation aims to harmonise personal data protection rules in all European countries. A stricter approach is envisaged for the application of informed consent, and some new rights are also added, such as data portability: the possibility for users to change provider without restarting the information protection activities from scratch.
Another important issue will be governance: those who manage data, publicly or privately, will not simply have to stick to the norms, but will also have to guarantee that they have proactively implemented measures, tools and means to tackle the risks arising from the processing of sensitive data and information. This also includes proving responsible conduct.
The new regulation also introduces a new professional role, the Data Protection Officer (DPO).
Data Protection Officers will be strategic professionals dealing with privacy and security. They must have solid legal and technical training, be independent, be equipped with all the necessary tools, and be autonomous in performing their activities, in the total absence of conflicts of interest with the data processor.
In some cases, enterprises that are still not very experienced have appointed their IT manager as in-house DPO. A specific case took place in Germany, where a company was fined by the Authority on Fair Competition for appointing a non-independent professional, thus giving rise to a conflict of interest due to the clear incompatibility of the two roles. The Authority on Fair Competition enforces the two main concepts related to the DPO: no one can be appointed as controller of him/herself, and the data owner must clearly and undeniably prove the training and the requirements of the appointed subject. Therefore, in the DPO selection process it will be necessary to choose independent professionals who meet the necessary technical requirements. The new regulation envisages the need to choose the DPO among subjects outside the company, such as consultants or professionals fulfilling the requirements.