General Data Protection Regulation: how is Cerberoos approaching the deadline?
On May 25, 2018 the Regulation 2016/679 (the so-called “GDPR”) on the protection of personal data will enter into force. This Regulation will replace all the previous provisions of the Member States, and will be directly applicable, without the need to be implemented through national legislation.
The Regulation was adopted on 27 April 2016, and will therefore be applied after a two-year transition period (still ongoing) during which all the subjects involved – companies, data subjects, associations, and even institutions themselves – are striving to be prepared upon entry into force.
But what are the significant changes for companies like Cerberoos? What are we doing to implement the new Regulation?
In the first instance, we started from the analysis of the principle of accountability. This is the basic principle that runs through the whole Regulation. It is based on respect for the other processing principles (as per article 5.1 of the Regulation) and on the capacity of Cerberoos to demonstrate that it has observed them.
In light of the principle of accountability, all the companies are asked to put in place technical and organizational measures to ensure, and at the same time be able to demonstrate, that any processing activity is carried out in compliance with the GDPR.
By virtue of this principle, therefore, controllers and processors are required from the outset to act in compliance with the law. These new duties are summarized by the two principles introduced together with accountability: privacy by design and privacy by default.
Cerberoos has always recognized the importance of data protection regulation and has constantly worked on keeping a secure environment for all services provided (also when it acts as processor). We are in the middle of a privacy assessment, supervised by an Italian lawyer, in which we are evaluating all the processing activities carried out by the company in the course of its business.
Our technologies are regularly reviewed and aligned to industry standards and best practices. In the unlikely event of any security incident, processes are in place to isolate and manage such incidents to conclusion.
Our teams that process personal data are constantly evaluating the risks that the processing poses to individuals. We are reviewing the security measures already implemented under Legislative Decree n. 196/2003 (the Italian Privacy Code), and we plan to introduce new technical and organizational measures taking into account several factors, such as the costs of implementation, the nature, scope, context and purposes of the processing, and its risk.
New privacy policies are going to be issued, in particular for employees, suppliers, clients and users. We renewed all our data processing agreements, and we appointed all the persons who have access to personal data, giving them specific tasks and instructions. We implemented records of processing activities in order to be able to demonstrate – in the event of disputes – that all processing complies with the principles set out in the GDPR, and we created procedures for notifying data breaches to the authority or to data subjects within the time limits established by the GDPR.
We also appointed specific persons and put in place specific procedures in order to be able to guarantee individuals all the rights established by the GDPR.
And you? Are you ready for GDPR?