The GDPR (General Data Protection Regulation) is the most significant privacy law enacted in recent decades. Adopted by the European Union as Regulation (EU) 2016/679, it entered into force in May 2016 and became fully applicable on May 25, 2018.
It is not a simple checklist of tasks, but a fundamental shift in mindset: personal data does not belong to the companies that collect it; it remains the property of the individuals.
To understand how it works without getting lost in legalese, let's break down the regulation piece by piece, following a logical and sequential path.
1. The Core Pillars: Who and What?
Before understanding the rules, we need to define the main subjects and the scope of the law.
- Personal Data: This refers to any information that can identify an individual, either directly or indirectly. We are not just talking about names and social security numbers, but also IP addresses, smartphone location data, browsing history, and even purchasing habits.
- The Data Subject: This is you. The living individual to whom the personal data relates.
- The Data Controller: The company, association, or professional that decides why and how your data is collected (e.g., your bank or the e-commerce platform where you buy your shoes).
- The Data Processor: A third-party entity that processes personal data on behalf of the controller (e.g., the cloud computing provider hosting the e-commerce website's servers).
2. The 6 Key Principles of Processing
Every time a company handles your data, it must respect six golden rules. If it skips even one, the processing becomes unlawful.
- Lawfulness, fairness, and transparency: They must clearly inform you about what they will do with your data (the well-known "Privacy Policy") and must have a legal basis to do so.
- Purpose limitation: Data must be collected only for specified, explicit, and legitimate purposes. If a flashlight app asks for access to your location, it is violating this principle.
- Data minimization: Only the data strictly necessary for that specific service can be collected. Nothing more.
- Accuracy: Data must be kept up to date and correct.
- Storage limitation: Data cannot be kept forever. Once the purpose is fulfilled (e.g., the package is delivered), the data must be deleted or anonymized, unless the law requires it to be kept (e.g., invoices for tax compliance purposes).
- Integrity and confidentiality: Data must be protected from hackers, accidental loss, or unauthorized access using appropriate security measures (such as encryption).
3. Citizens' Rights (What you can demand)
The GDPR gives you total control over your information through a set of rights that you can exercise at any time and free of charge:
- Right of Access: You can ask a company: "What data do you have on me? What are you using it for?" They must reply within 30 days.
- Right to Rectification: If the data is incorrect, you have the right to have it corrected.
- Right to Erasure (or "Right to be Forgotten"): You can request the deletion of your data if it is no longer necessary or if you withdraw your consent.
- Right to Data Portability: You can request to receive your data in a structured, commonly used, and machine-readable format (e.g., a CSV file) to easily transfer it from one service to another (e.g., from one telecom operator to another).
- Right to Object: You can object to the use of your data for specific purposes, such as aggressive direct marketing.
4. Obligations for Companies (What they must do)
For businesses, the GDPR introduces the principle of Accountability. It is not enough to comply with the law; they must be able to demonstrate compliance.
Here are the primary requirements in a logical order of implementation:
- Records of Processing Activities: This is the starting document. A company must map out all the data it holds, where it is located, who has access to it, and why it is kept. It serves as a comprehensive inventory of corporate data.
- Privacy by Design and by Default: Data protection must be integrated from the very beginning when designing software, products, or services (Design). Furthermore, by default, settings must ensure the highest possible level of privacy without requiring any user intervention (Default).
- Data Protection Impact Assessment (DPIA): If data processing poses a high risk to individuals (e.g., facial recognition, large-scale health data analysis), the company must conduct a prior risk analysis to figure out how to minimize the impact on people's lives.
- Appointment of a DPO: The Data Protection Officer is an independent expert whose appointment is mandatory for public authorities and companies processing sensitive or large-scale data. The DPO acts as an internal referee and serves as a bridge to the Data Protection Authority.
5. Emergency Management: The Data Breach
What happens if a company's systems are hacked and customer data is stolen? The GDPR does not penalize a company simply for being hacked, but it penalizes it severely if it conceals the incident.
In the event of a Data Breach, the Controller is obliged to:
- Notify the supervisory Authority within 72 hours of becoming aware of it.
- Promptly notify the affected users if the breach is likely to result in a high risk to their rights and freedoms (e.g., if passwords or credit card details were stolen).
6. Fines and Enforcement
The GDPR has become widely known mainly for its "sharp teeth." Sanctions for those who violate the rules are not symbolic, but proportional to global turnover to ensure they are effective and dissuasive.
Fines can reach up to:
- 20 million euros or
- 4% of the firm's worldwide annual revenue from the preceding financial year (whichever amount is higher).
National Data Protection Authorities (such as the Garante per la protezione dei dati personali in Italy) oversee compliance with these rules, possessing powers of inspection, sanctioning, and the ability to block unlawful processing.
7. The Privacy Org Chart: Required Roles and Profiles
To put the principle of Accountability into practice, the GDPR requires identifying specific profiles both inside and outside the organization. Each of these figures plays a well-defined role in the data custody chain.
Key Profiles and Their Responsibilities
- The Data Controller: The legal entity (e.g., a Municipality, a Health Authority, a Joint-Stock Company) that determines the purposes and means of processing. It bears the ultimate legal responsibility for GDPR compliance.
- The Data Processor: A third-party entity external to the organization (e.g., a software company, an accounting firm) that processes data on behalf of the Controller based on a formal agreement (DPA pursuant to Art. 28 GDPR).
- The Data Protection Officer (DPO): An independent professional expert. Their appointment is mandatory for all public authorities and for companies conducting large-scale user monitoring. The DPO monitors compliance with the regulation and acts as a liaison with the Data Protection Authority.
- Persons Authorized to Process Data: Internal employees or collaborators who physically access data in the performance of their daily tasks. They must be formally designated, instructed, and trained by the Data Controller.
Practical Example: GDPR in Public Administration
Let's take the example of a Municipality that decides to launch a new smartphone application for its citizens: "MunicipalityInYourPocket". The app is used to pay fines, book ID card appointments, and receive traffic alerts. Here is how the rules apply.
Project Roles
- Data Controller: The Municipality itself. The Municipality decides that the app should exist and what data to collect.
- Data Processor: The software company "TechPA S.p.A.", a private business contracted by the Municipality to develop and technically manage the app. A formal contract prohibits them from using the data for commercial purposes.
- Data Subjects: The citizens who download the app.
Application of the Principles
- Transparency: When launching the app, a clear notice appears: "We collect your social security number to process fine payments and your location to alert you about nearby roadworks."
- Minimization: The app only requests first name, last name, and social security number. It does not request access to the photo gallery or contacts, as they are not needed for the services provided.
- Storage limitation: Once a fine is paid, the details remain within the Municipality's historical financial systems (as required by tax laws), but they are removed from the app's active history after a predetermined period.
The Public Administration's Sequential Roadmap
Phase 1: Mapping
The Municipality adds a new entry to its official Records of Processing Activities titled "Management of citizen services via the MunicipalityInYourPocket App," specifying which servers will host the data and who will have access to it.
Phase 2: Design
To send alerts about roadworks, geolocation is required. To respect Privacy by Default, the app is downloaded with geolocation disabled. It is up to the citizen to actively enable it if they wish.
Phase 3: Risk Analysis
Since the app tracks the geographical location of thousands of people, the Municipality conducts a DPIA. The analysis determines that geographical coordinates will not be saved on central servers, but processed only "locally" on the smartphone to eliminate surveillance risks.
Phase 4: Internal Review
The municipal manager sends the app project and the DPIA to the organization's DPO. The independent professional reviews the documents, suggests updates to reinforce security, and approves the release of the application.
Exercising Rights and Emergency Management
If a citizen moves away and requests the Right to Erasure, the Municipality removes their account from the app within 30 days.
In the event of a Data Breach (e.g., a cyberattack that steals the list of registered users' social security numbers), the Municipality activates its emergency procedure: it reports the incident to the Data Protection Authority within 72 hours and immediately sends a notification to all users, advising them to look out for potential phishing attempts.
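The six principles from section 2 and the way the Municipality applies them (minimization at registration, geolocation off by default, storage limitation for paid fines, erasure on request) can be made concrete in code. The block below is an added example written for this page, not code from the article or from any real municipal app: the field whitelist, the retention periods, the ledger structure, the tax codes and the function names are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed values for this example: the field whitelist and the retention
# periods are assumptions used for illustration, not figures from the GDPR.
ALLOWED_FIELDS = {"first_name", "last_name", "tax_code"}
APP_HISTORY_RETENTION = timedelta(days=365)   # assumed: paid fines leave the app after a year
TAX_RETENTION = timedelta(days=10 * 365)      # assumed: financial records kept ten years


class MinimizationError(ValueError):
    """Raised when a caller tries to collect data the services do not need."""


@dataclass
class FineRecord:
    fine_id: str
    amount_eur: float
    paid_at: Optional[datetime] = None


@dataclass
class Citizen:
    data: Dict[str, str]
    # Privacy by default: location-based alerts stay off until the citizen opts in.
    location_alerts_enabled: bool = False
    fines: List[FineRecord] = field(default_factory=list)


def register(submitted: Dict[str, str]) -> Citizen:
    """Data minimization: accept exactly the fields the services need, nothing else."""
    extra = set(submitted) - ALLOWED_FIELDS
    if extra:
        raise MinimizationError(f"not needed for the services: {sorted(extra)}")
    if ALLOWED_FIELDS - set(submitted):
        raise ValueError("required fields missing")
    return Citizen(data=dict(submitted))


def pay_fine(citizen: Citizen, fine: FineRecord, ledger: Dict[str, dict], now: datetime) -> None:
    """Record the payment in the app history and in the financial ledger the
    Municipality must keep for tax purposes (a legal hold on that copy)."""
    fine.paid_at = now
    citizen.fines.append(fine)
    ledger[fine.fine_id] = {"tax_code": citizen.data["tax_code"], "amount_eur": fine.amount_eur,
                            "paid_at": now, "retain_until": now + TAX_RETENTION}


def purge_app_history(citizen: Citizen, now: datetime) -> List[str]:
    """Storage limitation: a paid fine leaves the app's active history once the
    app retention period has elapsed (the ledger copy is untouched)."""
    kept, expired = [], []
    for f in citizen.fines:
        done = f.paid_at is not None and now - f.paid_at > APP_HISTORY_RETENTION
        (expired if done else kept).append(f)
    citizen.fines = kept
    return [f.fine_id for f in expired]


def erase_account(citizen: Citizen, ledger: Dict[str, dict], now: datetime) -> Dict[str, int]:
    """Right to erasure: drop everything the app holds about the citizen. Ledger
    entries still inside the tax retention period are kept because the law
    requires them; entries past it are deleted together with the account."""
    tax_code = citizen.data.get("tax_code")
    citizen.data.clear()
    citizen.fines.clear()
    citizen.location_alerts_enabled = False
    outcome = {"retained_under_legal_hold": 0, "deleted": 0}
    for fine_id, entry in list(ledger.items()):
        if entry["tax_code"] != tax_code:
            continue
        if entry["retain_until"] > now:
            outcome["retained_under_legal_hold"] += 1
        else:
            del ledger[fine_id]
            outcome["deleted"] += 1
    return outcome


def run_scenario() -> dict:
    """Walks the MunicipalityInYourPocket flow with constructed dates and identifiers."""
    t0 = datetime(2024, 1, 10)
    ledger: Dict[str, dict] = {}
    citizen = register({"first_name": "Mario", "last_name": "Rossi", "tax_code": "CONSTRUCTED-TAX-CODE-1"})
    alerts_off_by_default = not citizen.location_alerts_enabled
    try:  # a build that also asked for the contact list is refused at registration
        register({"first_name": "Anna", "last_name": "Bianchi", "tax_code": "CONSTRUCTED-TAX-CODE-2", "contacts": "..."})
        extra_field_rejected = False
    except MinimizationError:
        extra_field_rejected = True
    pay_fine(citizen, FineRecord("F-001", 42.0), ledger, t0)
    pay_fine(citizen, FineRecord("F-002", 80.0), ledger, t0 + timedelta(days=200))
    purged_early = purge_app_history(citizen, t0 + timedelta(days=30))
    purged_later = purge_app_history(citizen, t0 + timedelta(days=400))
    still_in_app = [f.fine_id for f in citizen.fines]
    erasure = erase_account(citizen, ledger, t0 + timedelta(days=430))
    return {"alerts_off_by_default": alerts_off_by_default,
            "extra_field_rejected": extra_field_rejected,
            "purged_after_30_days": purged_early,
            "purged_after_400_days": purged_later,
            "in_app_after_purge": still_in_app,
            "erasure": erasure,
            "app_data_after_erasure": dict(citizen.data),
            "ledger_entries_kept": len(ledger)}
```

Calling `run_scenario()` shows the principles interacting: the extra "contacts" field is refused before any data is stored, alerts start disabled, a paid fine drops out of the app after the assumed retention period while the ledger copy stays, and an erasure request empties the app's records but leaves the ledger entries that are still under the tax-law hold. The same structure is what an auditor would expect to find reflected in the Records of Processing Activities: one purpose, one retention rule, one legal basis per copy of the data.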
Follow me #techelopment
Official site: www.techelopment.it