Last December, the EU Parliament committee in charge approved the final text of the new General Data Protection Regulation (GDPR), thus closing the negotiation among the EU Parliament, the Commission and the Council (the so-called trilogue). Now only a few formal approval steps remain before it enters into force, steps that should be completed by the end of Q1 or around then.
Compared to the current legislation, the approved version includes many innovations, while the existing rules which are not replaced by new ones remain in force.
The meeting that Europrivacy.info is organizing on January 29th 2016 aims to offer the first opportunity to analyse the most important of these innovations as they concern IT security and IT management.
According to the approved version, the new Regulation will apply 24 months after the date on which it enters into force: 24 months for processors and controllers to become compliant.
Two years may seem a long enough timeframe to allow a slow approach: so, why start worrying now?
We started our blog Europrivacy.info because we think there are good reasons to start working immediately on these issues, and the overall profile and main features of the GDPR reinforce this view. Here are some of these features:
- The overall approach of the GDPR impacts the business organization in depth: the IT impact is just the last, mandatory consequence of a set of changes at different levels within the organization, changes that require time to be put in place.
- Controllers and processors will be required to document the adopted measures, to verify periodically that they are really in place and to track operations. They may be required to demonstrate their compliance retrospectively in case of an inspection or a security event, even if these take place a long time after the compliance deadline.
- Fines are substantial: they can reach 4% of worldwide revenues, and they do not cancel the controller's or processor's responsibility towards data subjects and possible related lawsuits involving a very high number of subjects, with a high economic and reputational impact.
- The GDPR introduces the opportunity to certify the company's operations by obtaining a data protection seal, which could become a significant differentiator from the competition in customer relations.
The protection of the personal data of employees, business partners and consumers is just one of the reasons why it is mandatory and urgent to set up a more secure and controlled organization, able to face the emerging risks related to the digital transformation of social and economic relations: similar reasons apply to the protection of intellectual property and of all the sensitive or secret information that makes up the company's know-how. The very ability to leverage the potential of the digital transformation depends on this.
The urgency to comply depends much more on the speed of technological evolution, on the new behaviours it brings about with the related business opportunities, and on the new risks it creates, than on the bureaucratic need to comply. It is more a business issue than a compliance one.
The GDPR reflects the same approach as all the security management and business control best practices. Therefore the investments aimed at GDPR compliance will also have a positive impact on other business contexts, with an overall benefit for the organization.
For all these reasons Europrivacy.info decided to start an open debate on these issues immediately: the event to be held on Jan. 29th will be the first public opportunity for it.