GDPR 679/2016

The GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) was adopted on 27 April 2016, published in the Official Journal of the European Union on 4 May 2016 and entered into force on 24 May 2016. It has applied since 25 May 2018 and is binding in its entirety and directly applicable in every Member State, without the need for national transposition.

RINA offers organizations a range of services, depending on their business context and sector:

  • gap analysis against the GDPR
  • certification of professional figures (privacy professionals) against the UNI 11697 standard
  • training
  • certification of management systems against ISO/IEC 27001 (information security), ISO/IEC 20000 (IT service management) and ISO 22301 (business continuity).

Regulatory focus

The Regulation lays down rules on the protection of natural persons with regard to the processing of personal data, as well as rules on the free movement of such data (Art. 1).
It protects the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data.

"Personal data" means any information relating to an identified or identifiable natural person (the "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person (Regulation (EU) 2016/679, Art. 4(1)).

The GDPR places particular emphasis on a number of points of fundamental importance, including:

  • personal data
  • transfers of data to third countries
  • data portability
  • consent
  • data protection impact assessment (DPIA)
  • privacy by default and privacy by design
  • the data protection officer (DPO)
  • notification of personal data breaches
  • the right to erasure ("right to be forgotten")
  • security of processing.

Deliverables

The path to compliance with the GDPR can be summarized in the following steps:

  • establish what data you hold and what you currently do with it (assessment with "as is" analysis)
  • risk assessment and privacy impact assessment (evaluation of the impact on privacy, mapping of sensitive processes, set-up of a risk assessment, etc.)
  • assessment and gap analysis
  • data protection impact assessment and, where required, prior consultation of the supervisory authority
  • remediation plan
  • designation of roles for the parties involved (e.g. controller, processor, persons authorised to process, data protection officer / DPO where required, etc.)
  • information and training of the personnel involved
  • periodic review and update of the system.

Why RINA?

Over time we have developed skills, both in the field and in working groups, in services applicable to the management of personal data and IT processes.

We are accredited for personnel certification against various standards, as well as for the certification of IT services and management systems such as ISO/IEC 27001, ISO/IEC 20000, ISO 22301 and substitutive preservation of digital documents (conservazione sostitutiva).

Our extensive network of offices is a point of strength that allows us to meet customer demands quickly, with the support of teams located around the world.

FAQ

Does the GDPR apply even if the data are not processed within EU territory?
Yes. Under Article 3, the GDPR applies to processing carried out in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing itself takes place in the Union. It also applies to controllers and processors not established in the Union where they offer goods or services to data subjects in the Union or monitor their behaviour within the Union, and to a controller not established in the Union but in a place where Member State law applies by virtue of public international law.

What penalties apply to those who do not comply with the requirements of the Regulation?
A controller or processor that fails to comply with the GDPR may incur administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher (Art. 83(5)). In addition, data subjects may claim compensation for damage (Art. 82), and Member States may lay down further penalties, including criminal ones (Art. 84).

Resources

  • Flyer GDPR (pdf)
  • Rules governing the use of the RINA figurative mark in license agreements (pdf)
  • General contract conditions (pdf)
  • Complaints, observations and appeals (pdf)