Within the last decade, personal information has become the main performers of several business strategies and models. In fact, personal information about millions of individuals is being collected on a daily basis under several purposes. Then, it is possible to affirm that personal information has become an economic asset, exploitable by companies and subject of many possible legal issues.

With the General Data Protection Regulation, the European Union has officially recognised personal data as an economic asset and thus worthy of protection. The General Data Protection Regulation (hereinafter GDPR) is the most important change in data privacy regulation in 20 years. In fact, the regulation will fundamentally reshape the way in which data is handled across every sector, from healthcare to banking, from marketing to HR services and beyond. In conclusion, data privacy has now become a new legal sector which each undertaking must be compliant.

GDPR main objectives are: 

• Harmonise data privacy laws across Europe;
• Protect and empower all EU citizens data privacy;
• Reshape the way organizations across the region approach data privacy.

In order to achieve the aforementioned objectives, GDPR has implemented new key changes which reshape how organisations approach data privacy. 

GDPR Territorial Scope

The most relevant shift concerns the jurisdiction of the GDPR. In fact, the regulation applies to all companies processing personal information of individuals residing within the EU, regardless of the company’s geographical location. Then, GDPR makes its applicability very clear. In fact, it applies to the processing of personal data by controllers and processors; regardless of whether the processing takes place in the EU or not. 

Penalties

Uncompliant organisations might be fined up to 4% of annual global turnover or €20 Million. This is the most relevant fine that can be imposed. However, Data Protection Authorities may exercise their control and security power limiting or stopping data processing or the amount of data processed.

Consent

Consent has been deeply reinforced. In fact, Consent under the GDPR must be freely given, specific, informed and unambiguous, and involve a clear affirmative action (an opt-in). Moreover, the request for consent must be given in an intelligible and easily accessible form. Furthermore, consent must be clear and distinguishable from other matters. Also, the data subject will always have the right to withdrawal the consent. 

Data Protection Officer

According to the GDPR, organisations have obligations of keeping an internal record with the purpose of respect accountability principle. Furthermore, undertakings that process personal data requiring the systematic monitoring of data subjects on a large scale or of special categories of data or information relating to criminal convictions and offences must appoint the Data Protection Officer. The DPO has been introduced by the GDPR and it represents the point of connection between the Data Protection Authority and the organisation where it has been appointed.

Data Subject Rights 

GDPR has reinforced the position of data subjects. In fact, the Regulation has introduced a new set of rights such as: right to access, right to be forgotten, right to data portability, right of rectification, right to restrict, right to object, right to be informed. 

At VGS Lawyers we care about your personal information and our team is strongly specialised on European Data Protection Law and GDPR compliance. Data privacy is now a mandatory legal requirement for any kind of undertaking which brings several responsibilities on both data controller and processor. 

For further information please contact info@vgslawyers.com or leave your details on the Contact Form and you will be contacted within 24 hours.