EU GDPR 2018
Services for GDPR

The new General Data Protection Regulation (No. 2016/679, also known as GDPR) came into force on May 24, 2016, and as of May 25, 2018 it is the only regulatory source directly applicable in all EU member states.

In Italy, the GDPR has definitively “retired” the old Privacy Code (Legislative Decree 196/2003), ensuring a uniform discipline throughout the European Union, regarding the processing of personal data. Among the new features introduced are new rights for citizens, customers, and consumers; the GDPR includes new ways of expressing consent, new obligations regarding cybersecurity, and significant penalties for companies that fail to comply.

The imminent applicability of the Regulation, however, should not be considered just an obligation: it can represent an important opportunity for companies to address in a comprehensive and structured way the management of Privacy and security (cyber and otherwise) of collected data. “Data Protection by Design” is in fact the concept that requires companies to adopt, from the design phase, appropriate measures for the protection and security of other people’s data.


Our services for GDPR

Thanks to the technical skills we have developed, adequate knowledge of the regulations and experience in the field of Cybersecurity, we can support your company on the path to meeting the new obligations, in a short time and at a reduced cost. We have designed and offer the following services:

“GDPR Awareness” Training Course

The training course is for employees and those involved in data processing. The 4-hour course is held at the Client’s premises and explains the main innovations, the new ways of obtaining consent and compliance with the minimum security measures. A final test verifies the knowledge acquired, and a certificate in the participant’s name is issued. The course has a fixed cost of €190,00 + VAT.

Next 2.0’s “GDPR FACILE” software

This is the software we designed for managing the register of processing activities required by Article 30 of the GDPR. Easy to use, equipped with a double level of security and accessible via the web, it allows you to describe all the processing operations carried out, the roles involved and the resources managed, with specific functions for deadlines and printing. The cost, starting at €149,00 per year + VAT (€119,00 from the second year), is based on increasing levels of complexity of the business organization and of the data processed.

Technical assistance with compilation

Is GDPR still too complex for your business reality? In addition to offering the right training and software, we also provide technical assistance with compilation and data entry to make it as easy as possible for you to comply with the new obligations. The service is provided in 4-hour packages and includes a company visit and monitoring of the IT resources used and their level of security.

Consulting in the role of Data Protection Officer (DPO)

Certain types of organizations (e.g., Public Entities) or companies that process “sensitive” data must mandatorily appoint a Data Protection Officer (DPO), a professional figure with IT and organizational skills and specific GDPR expertise. The DPO supports the Data Controller in all decisions related to data processing and security, trains staff and generally facilitates the fulfillment of the new obligations.
With our high level of expertise (Master’s degree in Cybersecurity and certifications at the European level) and 20 years of experience in data security and cybercrime prevention, we are the ideal partner to fill the role of Data Protection Officer (DPO). We can take care of:

  • Assess and correct the minimum security measures, and design an IT system on “Privacy by Design” criteria.
  • Oversee compliance with the regulation, assessing the risks of each processing activity in light of its nature, scope, context and purpose.
  • Collaborate with the data controller/manager in conducting a data protection impact assessment.
  • Inform, raise awareness among, and train management and staff on the new obligations of the GDPR.

Questions and Answers

Here are some questions and answers that can help you determine if, when and how to fulfill the new obligations.

The new regulation, which came into force in 2016 but has been mandatory since May 2018, constitutes a major overhaul of current data security and privacy legislation. The new code promotes the empowerment of data controllers and the adoption of approaches and policies that constantly take into account the risk that a given processing of personal data may pose to the rights and freedoms of data subjects.

Yes, the Agenzia per l’Italia Digitale (AGID) reiterated this in Circulars 1/2017 and 2/2017, the latter published in the Gazzetta Ufficiale in May. The minimum ICT security measures must be adopted by all public entities by 31/12/2017 and described in a document, to be digitally signed and time-stamped, by the entity’s ICT Manager.

The Regulation applies to any processing of personal data, whether electronic or on paper, contained in a file, belonging to data subjects located in the European Union. Personal data is understood as “any information relating to an identified or identifiable natural person”.
It is clear that the scope of application is wide: every company processes the personal data of natural persons, for instance customers or employees; then there is the whole category of processing related to the website or e-mail, commercial communications and phone calls to promote a product; finally, there are video surveillance systems and personal data received from other companies and processed internally. It is therefore not far-fetched to say that all companies must be aware of the new regulation and adapt their organisation to the new rights of data subjects and the security of their data.

Yes, if your company has more than 250 employees, but also:
  • yes, if the processing carried out may present risks for the rights and freedoms of the data subject;
  • yes, if the processing of data is not occasional;
  • yes, if the processing includes special categories of data (sensitive data, Art. 9) revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership or data concerning genetic, biometric, health, sex life or sexual orientation of the person.

This is the new point of view on which the new European Data Protection Regulation is based. Privacy and data protection must be present right from the conception and design phase of a processing or information system, and behaviour is required that allows for the prevention of possible problems and not just the remedy of violations that have already occurred.

The DPO, or Data Protection Officer, is a figure expressly provided for in the new European Data Protection Regulation, which came into force in May 2016 and is mandatory from May 2018. In a nutshell, it is an external professional figure in charge of ensuring proper management of personal data in companies and public entities.

The appointment of a Data Protection Officer (DPO) is mandatory when:
  • the processing is carried out by a public authority or a public entity;
  • or, in the case of a private company, when the main activities consist of the large-scale processing of sensitive data (within the meaning of Article 9 of the GDPR), or of data relating to criminal convictions or offences referred to in Article 10 of the GDPR.

The Data Protection Officer (or DPO) is a figure provided for by the GDPR to assist the Data Controller in coping with the new data processing processes. The DPO knows the subject matter and has the organisational and professional qualities to facilitate the new processes, based on the principle of “Privacy by Design”. The appointment of a DPO is mandatory in the following cases:
  • public authority or public entity;
  • when the main activity is the regular and systematic monitoring of data subjects on a large scale;
  • or when sensitive or criminal data are processed, again on a large scale.
The appointment may also be made at group or associate level. In general, however, the appointment of a DPO is recommended when the data controller does not possess the appropriate regulatory and technical knowledge to deal with the changes introduced by the GDPR.

The basic principle of processing is that personal data concerning other individuals, if used for commercial purposes or disclosed to third parties, must be processed only for the time strictly necessary for the provision of the service. The processing must be carried out with minimal use of personal data, and the information must be kept for no longer than is necessary for the purpose. Consumers can ask (e.g. of call centres) where their data was obtained and have a number of new rights, such as the possibility of knowing when and how their data is being processed and the security standards used by those processing it.

Penalties are imposed by the Supervisory Authority on the basis of seriousness, malicious intent, the categories of data processed incorrectly and other criteria set out in Article 83 of the GDPR: “infringement of the provisions is subject to administrative fines of up to EUR 10 million, or for companies, up to 2% of the total annual turnover, if higher (than 10 million)”. Although these amounts will not apply to small and medium-sized enterprises, it is certain that the new legislation takes violations very seriously, especially those committed with serious fault, i.e. when data are processed unlawfully, without consent, transferred to third parties for commercial purposes or stored without minimum security measures. More generally, the legislator wants to hit those who deliberately ignore the new rights of EU citizens, and companies that continue to process large amounts of data without adequate precautions and without properly informing the legitimate data subjects.

The new legislation guarantees and strengthens the right to be forgotten, i.e. the possibility of having one’s data deleted if the reason for publication is no longer of public interest. Consumers can request the deletion of their personal data by withdrawing the consent to processing given in order to obtain a certain service. A right that until now has remained on paper in the various national laws is thus finally enshrined.

Article 9(1) of the regulation governs the processing of those particular types of personal data previously classified as sensitive data. These are personal data that may reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data intended to uniquely identify a natural person (e.g. fingerprints, iris scans), and data relating to a person’s health, sex life or sexual orientation. The GDPR states that the processing of these data is generally prohibited, except in specific cases, which are precisely stated in Art. 9.

Ask for a consultation

DarkBox® CyberSecurity is a unique partner for the growing security needs in the IT field.

Contact us!