Data protection: the “tolerance” period for sanctions is over

Last September, the authorities of the Global Privacy Enforcement Network (GPEN) launched an investigation (SWEEP-2018) to evaluate compliance with the principle of accountability introduced in Europe by the General Data Protection Regulation (GDPR).

The Italian Data Protection Authority decided to verify the observance of the principle of accountability by the Regions and Autonomous Provinces as well as by in-house companies.

In particular, the investigation involved 19 public institutions (Regions and Autonomous Provinces) and 54 in-house companies.

The investigation revealed that the institutions examined fell short in adopting internal policies for the management of personal data and in developing procedures for handling requests or complaints from data subjects and for responding to a “Data Breach”.

Furthermore, in many cases the Data Protection Impact Assessment (DPIA) had not been carried out, even when required by the Regulation.

The investigation also considered employee training, and it was found that, even though the importance of adequate training was recognised, 40% of organisations do not track the concrete implementation of good data processing practices.

On the other hand, the results in terms of transparency are quite good.

As we know, the Regulation does not specify what the technical and organisational measures are, but lays down general principles to be observed. Sweep 2018 is the first tool for understanding whether or not what was actually implemented is enough to fulfil the principle of accountability.

From the Sweep it is clear, for example, that great importance is given to the training of staff. Proper training leads to the efficient execution of duties, including those that involve the processing of personal data. Initial training is not enough: the knowledge acquired must be evaluated regularly and updated where necessary.

Great importance is also given to the procedures for managing requests or complaints and for handling data breaches. We would like to remind you that the reaction to a data breach must be immediate and that the response to data subjects must be given without undue delay, or at the latest within one month of receipt; these strict deadlines can therefore be met only with appropriate procedures in place.

Another key document is the Data Protection Impact Assessment (DPIA).

If well prepared, the DPIA is also useful in the event of a Data Breach, since it allows a rapid assessment of the risk and makes it possible to determine the actions needed to deal with the violation and whether notification is required (WP250 rev.01 of 06.02.2018).

The protection of personal data is an ongoing process that must be monitored and updated. Initial fulfilment is not enough if you really want to be compliant.

The time has come for a review.

The transitional period provided for in Article 22, paragraph 13, of Legislative Decree 101/2018, during which the Italian Data Protection Authority took into account, when applying sanctions, “the phase of first application of the sanctioning provisions”, expires on 19 May. After that date there will be no more justifications.