1. What is the GDPR and when does it come into force?
The GDPR (acronym for General Data Protection Regulation) is new pan-European legislation that promises to revolutionize the way personal data on the web is understood and managed, with a view to transparency, simplification, and unification across countries.
It was approved by the European Union in 2016 and has already formally entered into force. However, because it is a regulation with deferred application, it becomes fully operational two years after its approval, on May 25, 2018: a true watershed date, marking a time “before” and a time “after”.
2. What is the difference compared to the current legislation?
The GDPR is new-generation legislation: it does not merely impose new rules, but marks a genuine revolution in the approach to the processing of personal data. The current data protection rules (dating back to 1995) were conceived in a period in which the internet was in its infancy and data collection was radically different from today's.
Today, data is a raw material, an essential asset of the economy. To understand the extent of the phenomenon, we need only consider that without the collection and efficient exchange of data, the sharing economy, behavioral marketing, behavioral advertising and the Internet of Things could not exist.
The new legislation allows this economic potential to be developed, while preventing European companies from being at a competitive disadvantage compared to businesses in other geographical areas where less restrictive laws are in force.
3. What is new in obtaining consent?
Obtaining consent is the central point around which the main critical issues for companies that use data revolve. Currently, Italy has a (very rigid and formal) mechanism of express consent (the opt-in method): consent is valid only if collected through a declaration by the data subject agreeing to the use of their data. Silence or tacit agreement is not enough.
Other European countries have long espoused the logic of presumed consent based on the user’s behavior. In the United Kingdom, for example, the opt-out mechanism is in place: consent is automatically assumed unless it is explicitly denied.
To harmonize the different provisions and regulations, the new regulation seeks a balance: consent is valid if manifested unequivocally through conclusive positive behavior. It therefore need not be given by ticking a box or signing a form; it is also valid if it originates from an action performed by the user.
We are already used to this type of consent thanks to cookie banners. The typically Italian forms of consent (with boxes to tick and forms to sign) remain valid, but new scenarios and new possibilities have opened up.
4. Currently, is it already possible to collect data in accordance with the new regulation, namely via Positive Conclusive Behavior?
No, the GDPR becomes applicable from May 25, 2018. What can be done in the meantime is to carry out tests to verify the effectiveness of these alternative consent-collection mechanisms and the adequacy of the technical solutions.
Likewise, it is not yet possible to obtain consent with reference to the new 2016 EU regulation; it is still necessary to keep to the 196/2003 wording.
5. Is a specific consent necessary if the data is analyzed using computer tools and its processing is subjected to a party’s prior evaluation?
There are cases in which collected data, interpreted in advance by human operators, may give rise to discrimination against individuals, for example through the granting or denial of access to certain services; this is something the new regulation intends to prevent.
For this type of processing, the GDPR requires clear information and a specific consent: unlike general consent, in this case consent must be express.
6. How is it best to deal with data that companies publicly disclose, for example data available online?
Such data, even if freely available, cannot be used freely for direct marketing actions in the absence of informed consent that is specific and expressed unequivocally by the data subject.
7. Is it possible that there are “co-owners” (joint controllers) of the data?
Yes. The legislation provides for this role. In particular, European Regulation 2016/679 dedicates Article 26 to this type of data controller.
8. How should one handle data collection on the street, for example by associations and the like that do not provide a disclosure?
It is prohibited to collect data without having provided a disclosure and, where required, collected the necessary consents. Non-profit associations are required to provide the disclosure even when they collect data in an impromptu manner (indeed, all the more so), so that the data subject knows how to exercise his or her rights regarding the data processed.
9. Is the double opt-in still recommended?
Double opt-in requires a second confirmation step from the user about their wish to receive communications. It is not a legally mandated mechanism, but it is certainly a worthwhile one, and is therefore strongly recommended.
10. How does the disclosure change?
We are used to mile-long disclosures overflowing with regulatory references that render them unreadable: a real defeat for the conscious and effective use of data. The GDPR revolutionizes the disclosure: it must be simple, transparent, understandable, free of regulatory references and written in plain language. It must allow us to understand, at a glance, what happens to the data provided.
The disclosure must be structured to facilitate a multilevel or progressive reading: a very simple first level of reading, followed by more in-depth paragraphs, further references and, why not, even a video clip explaining the purposes of the data processing.
11. Should sensitive data be encrypted?
The GDPR does not impose an absolute obligation to do so. The security measures to be adopted are those provided for by Art. 32 of Regulation 2016/679, which lists encryption and pseudonymisation among the measures to be considered in relation to the risk of the processing.
12. What can be done with data collected under the old legislation?
Data already collected should not be considered lost; it must undergo careful analysis to evaluate whether it can continue to be used, also in light of the new legislation.
It is not permitted to keep data in a database without evaluating how and when it was collected. There is no precise expiry date; what matters is that, as of May 25, 2018, each company carries out this verification and defines an updated collection program in line with the new regulation.
To revitalize the data, it is appropriate to send a clear and explicit communication, not legal in nature but aimed at sharing information on the use and purpose of the data, in a manner that reassures the user.
13. Is there a standard text to be used to revitalize the old contact?
No. It is necessary to carefully examine the context, the data collection methods, the purpose of use, and any other useful element. It is wrong to make general evaluations on this issue; instead, specific analyses are needed, defined on a case-by-case basis. What is true for a given case is not an absolute fact in other cases.
14. Who defines the expiration date of the data? How can it be determined if it has become obsolete?
It is the duty of the data controller and his/her data processors to establish data retention times. There are currently no binding indications. The legislation limits itself to stating that personal data should be adequate, relevant, and limited to what is necessary for the purposes of its processing.
This requires, in particular, ensuring that the period during which the personal data is stored is limited to the strict minimum necessary. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
15. For the purpose of applying the penalties, is it necessary to demonstrate the actual “analysis” and/or revitalization of the data collected with the old legislation? If the result is negative, should the data be deleted or in any case be retained?
It must be shown that the retention times have been defined according to precise criteria, which must also be included in the disclosure to be made to the data subject after May 25, 2018. If there are no legitimate reasons justifying data retention, it must be deleted or made anonymous.
16. What to do with expired data?
It must be deleted or, alternatively, rendered irreversibly anonymous so that it can be used for aggregate analyses.
17. Example from the e-commerce world: if a customer leaves his email to receive information on the order, but does not check the box to receive commercial communications, how should we behave?
In this case the person, by not ticking the box, has clearly stated that they do not intend to receive commercial messages. The current criterion, according to which consent has not been validly given, therefore remains valid. The way consent is requested from the data subject needs to be rethought: if there are boxes to tick in order to express consent, failing to select them amounts to refusing consent.
18. Is there a difference in processing between the hypothetical addresses email@example.com, or firstname.lastname@example.org (not directly associated with natural persons), and email@example.com?
Yes, since data relating to natural persons and company data are processed differently. Addresses referencing persons (such as firstname.lastname@example.org) qualify as personal data. Those referencing company departments (email@example.com or firstname.lastname@example.org) are not deemed personal data.
19. Which companies need to equip themselves with a DPO?
The Data Protection Officer (abbreviated as DPO) is a new key figure introduced by the GDPR. It is an internal company role tasked with verifying the correct processing of data, preparing the Privacy Impact Assessment document and, in general, assessing that there are no risks related to the processing of data.
Appointing a DPO is mandatory only in the cases indicated by Art. 37 of Regulation 2016/679.
20. If there are no qualified persons in the company to oversee the GDPR, are there any roles capable of taking on the process of bringing them into compliance?
The legislation allows the management of data processing obligations to be entrusted to an outside party, as outsourcing, on the basis of a service contract. There are companies that manage the adjustment process and the subsequent verification of data processing operations on an outsourced basis.
21. What are the penalties foreseen for companies?
Many companies regard the possibility of penalties for non-compliance as one of the most threatening implications of the GDPR. Let us clarify a little.
The penalties imposed by the GDPR will be higher than the current ones. The maximum limit will be established by the national authority, based on the following criteria:
• If the party charged with the penalty is a single company (not part of a group), the maximum penalty is 20 million euros
• If the party charged with the penalty is part of a group, the penalty is calculated as a percentage of the turnover of the entire group, up to 4% of worldwide turnover
These seem very high penalties, but they are the maximum thresholds; the minimum penalty can be very different. The amount of the minimum sanction will be decided by the individual national legislators and is currently under evaluation.
22. Which authorities are responsible for verifying that everything is in order?
The competent authorities remain the individual national Guarantors (in Italy, the Guarantor for the protection of personal data) and the competent judges.