What is the GDPR regulation?
The GDPR, General Data Protection Regulation, aims to harmonize and strengthen the rules on the collection and processing of personal data of the European Union citizens and residents, both within and outside the borders of the EU. In addition, it simplifies the regulatory environment concerning international affairs by unifying the regulations within the EU.
The text of the General Data Protection Regulation was approved as EU Regulation 2016/679 by the European Parliament and the Council on 27 April 2016. After that, it was published in the Official Journal of the European Union on 4 May 2016, and entered into force on May 24 of the same year. It has been operational since 25 May 2018.
In addition, EU Regulation 2016/679 addresses the issue of exporting personal data outside the European Union. In fact, it obliges all data controllers (even with registered offices outside the EU) who process data of EU residents to fulfill their obligations.
The GDPR requires data controllers and processors to have an adequate degree of:
- Accountability: the adoption of all measures to avoid or contain any violations of personal data;
- Awareness: an adequate level of training and knowledge of company dynamics and of the risks inherent in data processing;
- Reporting: the ability to document and demonstrate to the supervisory authority that data processing complies with the European regulation on privacy.
GDPR regulation: what are the opportunities for companies and professionals?
The GDPR regulation obliges public and private bodies, companies, associations and professionals to adopt technical and organizational measures to protect the personal data of individuals.
However, compliance with EU Regulation 2016/679 is not just a legal obligation. It is an opportunity for companies and professionals to raise production standards and work efficiency. In fact, complying with the GDPR and adapting to the new European regulation on privacy allows to avoid:
- a sanction that for companies ranges from 1 to 4 percent of total annual worldwide turnover and for professionals from 1 to 2 percent;
- any requests for compensation from the interested parties (end users/customers) who may bring civil action against the owner or data processor who has violated personal data;
- stop of work/production activity due to the interruption of IT services violated by external or illegal accesses that have not been managed in a preventive manner following the GDPR;
- the negative effect of violations, caused or suffered, on the image, reputation and reliability of the company or professional and therefore an inflection of the demand for services / products.
12 key points of the GDPR: guidelines of the 2016/679 EU Regulation
Here are the 12 steps to comply with the GDPR:
- Disclosure: disclosure is an effective tool to ensure transparency on the processing of personal data and the exercise of rights;
- Consent: the data subject’s consent to the processing of personal data must be “preventive” and “unambiguous”, even when expressed through electronic means, for example by checking a box on a website. For the European Regulation, consent must also be “explicit” and “granular”;
- Limits to automated data processing: with the European Regulation 2016/679, the limits to the possibility for the data controller to take decisions only on the basis of automated data processing increase;
- Rights of the interested party: the interested party has the right to request access to personal data, rectification or cancellation, limitation of processing, to oppose the treatment, and the right to data portability;
- Data transfer: the transfer of personal data to countries outside the European Union or international organizations that do not meet data protection standards is prohibited;
- Data Breach: the data controller must communicate any violations of personal data (data breach) to the National Data Protection Authority;
- Privacy by Default & by Design: the GDPR promotes the accountability of data controllers and the adoption of policies that consider the risks that the processing of personal data may entail for the rights of the data subjects;
- Appointments: the appointment of the Data Processor and the Data Protection Officer must be express, specific, written and referable to certain tasks;
- Security measures: they must ensure an adequate level of security, balancing implementation and costs with risks;
- Register of activities: this is a requirement that replaces the obligation to notify the authorities of the processing. Together with the impact assessment, it serves to define the appropriate organizational technical measures;
- Risk assessment – Impact assessment: the risk assessment must take into account any accidental or illegal destruction, loss, modification, disclosure, or unauthorized access to personal data transmitted, stored or otherwise processed. Physical, material or immaterial damage must be taken into account.
- Emergency plan: considering the importance of data circulation, the need to manage its flow and lawful processing, actions must be planned in the event of any harmful or dangerous events for the processing of personal data.
Namirial GDPR XLS and Namirial GDPR DOX: the solutions to manage the GDPR regulation
Namirial is the Trust Service Provider operating in the Digital Transaction Management (DTM) market. We offer two different solutions to comply with the GDPR regulation: Namirial GDPR XLS and Namirial GDPR DOX.
Namirial GDPR XLS is the new frontier of privacy for small and medium-sized businesses and verifies the level of compliance with the GDPR.
Let’s see together what are the characteristics of the Namirial GDPR XLS application:
- 100% Accountability
– GDPR compliance: the software provides compliance with the formal obligations required by European legislation (disclosures, letters of appointment, internal policies, risk assessment, treatment register);
– Software Update: the web software updates are automatic, making the procedures compliant with any new national legislative provisions aligned with European legislation;
– Constant monitoring of the necessary interventions: the software suggests to the user regular checks based on the detected compliance status, as required by the monitoring duty of the Data Controller prescribed by the European regulation. - Data management
– Creation of letters of appointment: the software produces letters of appointment for data processors in accordance with the contractual scheme of the European regulation. These letters are useful for the appointment of professionals who carry out consultancy for companies or for companies that carry out activities related to the processing of data for other companies;
– Creation of letters of appointment: the software provides letters that entrust employees and/or collaborators with professional activities that include the processing of personal data;
– Management of the rights of the interested party: the software provides the form through which the company or professional manages and archives the requests for exercise of rights by the interested parties on their personal data;
– Disclosure models: the software generates disclosure models for the various recipients, regulating requests for consent based on the type of relationship with the recipients;
– Request explicit and granular consents: the preparation of consents is carried out in a granular way, so it is differentiated according to the different purposes for the explicit acquisition of consent, allowing both consent and denial;
– Import / Export: the software allows the import of data from management systems and the export of information entered for purposes other than the privacy census. - Remote training and on-site assistance
– Filing system: the system allows the user to archive the compliance documents creating an easy cataloging;
– Alert: the software sends an email to the user to remind the need to update the security measures defined during the risk assessment phase;
– Modular updates: the updating of recommendations and security measures creates a history that certifies the evolution of the state of compliance. - Analysis and assistance
– FAQ: the user can consult the Namirial forum and the FAQ to better understand the European legislation;
– Question form: it is a channel for questions regarding the compliance processes;
– Guidelines: downloadable guidelines on the processing of personal data to deepen the subject and understand its mandatory nature and dissemination;
– Risk analysis and reports: the system provides an analysis of the risks currently present in the company/studio and a report with recommendations that highlight compliance deficits and how to remedy them;
– E-Learning Training: is a platform for mandatory training on the processing of personal data for all subjects who process personal data, as required by the European regulation. The e-learning platform is available at any time and issues a qualified certificate of participation.
Namirial GDPR DOX is the dynamic solution to manage privacy, dedicated to privacy consultants, DPOs and data controllers. GDPR DOX helps the user to implement the privacy organizational model and to achieve legal compliance with the GDPR. In fact, its purpose is to make the management of all obligations more effective.
The Namirial application guarantees:
- Complete control of the obligations and notifications that facilitate dialogue between all those involved;
- Continuous improvement through monitoring, web training, appointment management module with remote digital signature, customizable system templates and preloaded system procedures.
In addition, Namirial GDPR DOX offers live and immediate customer support.
Let’s see what are the characteristics of the Namirial GDPR DOX application:
- 100% Accountability
The application allows the users to manage and track all activities with precise time references. Furthermore, it allows direct management control of violations, deadlines, documents, news and notifications, the exercise of rights, work plans, the direct assignment of tasks, the progress of the documents, training. Finally, it allows the user to identify the activities to be performed, to manage deadlines, to prepare alerts about specific deadline and to avoid any oversights; - Personalized document management
The application offers a series of native templates. It is possible to customize them according to specific needs through a simple drag n ‘drop system. It is useful for the preparation of documents for the collection of information, audits, risk analyzes and to customize forms. The use of digital signatures is already integrated. Furthermore, it is possible to create privacy policies through highly customizable templates. - Cloud services
Possibility of accessing the service in the Cloud, without installation, on PCs and smartphones. The platform allows the user to continuously monitor activities and manage changes, creating areas of collaboration for customers to report on the changes to be made. - Integrated management of risk assessment pursuant to articles 32 and 35
Risk analysis calibrated for each treatment and tailored to the user’s need. - Appointments management
The software allows easy entry of the data of the subjects in charge of the processing of personal data (owners, joint controllers, DPOs, data processors, authorized persons). The composition of the letters of appointment for each role is immediate. - Safety and reliability
GDPR DOX uses a 256-bit encryption system with an encryption key. - Personal data breach log and threat mapping
Recording of data breaches with subsequent control of the management phases of tasks and criticality. - Work plan management, notifications and tasks
With GDPR DOX the user can manage the work plan for each owner, manage notifications in real time, manage and store communications through the Tasks module. - On-site training and assistance
What distinguishes Namirial from its competitors is the focus on user training on the use of the platform and on the GDPR. We at Namirial provides various training moments: a start-up formula, standard remote training (2 hours) or strong (16 hours). In addition, our users can access periodic webinars and on-site training sessions on demand.
