Andrea Strano | 11 Jun 2018

On 25 May 2018 the General Data Protection Regulation (GDPR), which came into force in May 2016, will be directly applicable in all EU Member States. The foreseen formalities will concern all public and private subjects that process data for a task of public interest. There will therefore be news for citizens, companies, public bodies, associations, freelancers.

The objectives of the DDPR are: to create a uniform data management framework within the Union and to strengthen the control exercisable on archiving and use of personal data. It was adopted in 2016 and, after a two-year transition period, has entered into force.

The regulation consists of 99 articles all aimed at giving greater control to citizens of their personal data, and clarify the responsibilities in case of violations of privacy.

The GDPR introduces new procedural and organisational obligations for “data processors”, a category in which both companies and public bodies fall, and gives greater rights to “data subjects”, namely individual users. Public and private organisations tend to accumulate data even before knowing how they will use them and the GDPR goes against this habit, specifying that data processors should not collect data other than those strictly necessary for their immediate interaction with consumers. In fact, article 39 of the GDPR on data collection says about the data collection that it must be “adequate, relevant and limited to the minimum necessary in relation to the purposes for which they are processed”.

The substantial innovations introduced by the GDPR compared to the previous privacy regulations concern 4 specific areas: the territorial area, the obtaining of consent, the introduction of the DPO and the sanctions.

The territorial scope provides that the new law applies to the data of all European citizens and to all companies that process or manage such data, regardless of the country in which they have their registered office or where the data are processed.

Obtaining consent: as before, consent to the processing of data must be free, informed and explicit, as tacit or presumed consent will not be accepted in any way. News regarding minors, whose consent will be considered valid starting from 16 years, before that age the consent must be expressed by a parent or by whoever takes his place.

Linked to obtaining consent is the introduction of the DPO, is the Data Protection Officer. This is an independent figure responsible for ensuring proper management of personal data.

Finally, the GDPR imposes extremely high penalties on companies that do not respect it. An intentional or repeated violation of the principles established by the GDPR will result in a fine of up to 20 million euro, or up to 4% of the world’s annual turnover, whichever is greater than the two and regular checks by the authorities will also be carried out.

EU linked data flows to trade flows: any country wishing to sign a trade agreement with the EU will have to comply with the GDPR. In the last ten years, the United States has become the “economic police of the world”, inflicting huge sanctions on banks for failing to comply with its anti-money laundering regulations. With the GDPR, will the EU become the world data protection champion?

All online platforms and social networks are updating their privacy policies and terms of service. The way in which Facebook uses personal data has in fact been the subject of careful analysis because of the Cambridge Analytica scandal, which has led many users to delete their accounts. Since then Facebook has already changed its privacy settings by bringing new features but in any case, all social networks and online platforms will have to comply with the new regulation, so expect to receive notifications about the new terms and conditions related to the use and navigation.

Antonello Soro President of the Italian Guarantor for the protection of personal data said:
“Until now the European Guarantors did not have sufficient instruments of control and sanctions on non-European companies. The protection of privacy was so often forced to stop at national borders, the GDPR, on the contrary, extends the jurisdiction of the European Privacy Guarantors to all foreign companies – starting with the big names of the US and Asian network – who offer services to any person is inside the European Union.
Minors may be less aware of the risks, consequences and safeguards, as well as their rights, companies and public bodies, therefore, must guarantee specific protection regarding the use of personal data of young people, for example for marketing or creating personality profiles.

Companies and public bodies will have more responsibility, especially in the analysis of risks regarding data processing, but they will also be able to benefit from various simplifications in their obligations.”

The scale and scale of the GDPR meant that brands remained so mired with the quirks of regulatory compliance that they were unable to focus on the fundamentals of brand protection. GDPR compliance cannot be achieved simply through some minor changes to your existing system, it requires a radical change in workflows, processes and data storage and has already proved to be a considerable waste of money and resources for many companies.

The consequent knock-on effect is that companies no longer have the resources to maintain the basic activities of protecting the brand and consumers, or simply forget to do so in the face of the urgency of the problem. In an ideal world, companies should have additional resources entirely dedicated to the GDPR, while existing staff can continue to monitor and manage traditional methods of protecting the brand and consumers.

At first glance, the implementation of the GDPR will be the dawn of a new era, in which consumers will be able to surf the Internet without fear that their personal information may be misused.

However, the unwanted effects of the regulation could actually make it more difficult for brands and consumers to protect themselves against fraud, piracy, counterfeiting and more. With brands that employ incredible amounts of time and effort in achieving and maintaining compliance. Companies, law enforcement agencies, non-profit organisations and brand protection companies will have to find new ways to deal with these threats once the waters have calmed down in the post-GDPR world.