General Data Protection Regulation

The General Data Protection Regulation (GDPR 679/2016) has applied in all member states of the European Union since May 25, 2018, and incorporates the corrections published in the Official Journal of the European Union 127 on May 23, 2018.

The Regulation imposes stringent obligations on the processing and management of European citizens' data.

In Italy, the Regulation is supplemented by Legislative Decree 101/2018, which adapts the previous national legislation on personal data protection (Legislative Decree 196/2003) to GDPR 679/2016.
The goal of the GDPR is to update and harmonize data protection rules at the European level, adapting them to the new economic and social environment.

To whom does it apply
To all Data Controllers, i.e., all entities that process personal data in the course of their activities: associations, organizations, companies and professionals that collect, record, store, use, process and communicate data relating to natural persons. The Regulation applies both to companies based in the European Union and to those based outside the EU that collect and process data of citizens of one of the 27 member states.

What is at risk
Violations of the GDPR carry severe penalties, with fines of up to 20 million euros or 4 percent of the previous year's total annual turnover. The amount of a sanction is determined by assessing a set of factors, including: the nature, severity and duration of the violation; the number of data subjects affected and the level of harm they suffered; the intentional or negligent character of the violation; the measures taken; and the degree of cooperation with the supervisory authorities, among others.

How We Operate
We manage Client and in-house projects using a modular and flexible process to achieve a data protection management system fully compliant with European and national regulations. The process comprises the steps described below, adapted to the type of data processed, the activity and the needs of the Client:

1. Gap Analysis
Comparison of the current state against the regulatory, technical and process compliance requirements of the GDPR, to identify and plan the actions needed to implement the principles of accountability and privacy by design and by default, which are the building blocks of the European regulation.

2. Mapping of processing activities
Analysis of activities and identification of the personal data processing carried out by the Client as Controller or Processor, and preparation of the Register of Processing Activities.

3. Risk Analysis
Risk analysis and assessment of existing measures, identifying the controls to be supplemented or implemented.

4. Data Protection Impact Assessment
Analysis of data subjects' privacy impacts for high-risk processing.

5. Documentation
Adjustment of the privacy organization chart and the corporate document system (delegations, designations, authorizations, privacy notices, internal regulations, agreements).

6. Data breach management
Preparation of procedures for handling personal data breaches and for notifying the supervisory authority (Garante) and the data subjects, in compliance with the European reference standards.

7. Audit planning and training
Drafting the work plan for internal audits and for training and refresher sessions on regulatory compliance.

For more information and details contact