The GDPR is coming, the new privacy legislation: what will change and what impact it will have on the security of individuals

(by Andrea Puligheddu)
26/01/18

On 25 May 2018 the new EU Regulation 2016/679 will become directly applicable in all EU countries. This is a real historical turning point for the protection of personal data, aimed at ensuring greater security for the rights and freedoms of individuals. While waiting to see its real fruits, here are some "pills" from which to draw inspiration for further reflection on the interrelations between personal data protection and security.

The Regulation, as mentioned, will introduce new rules and obligations addressed to both the public and the private sector. In addition to greater clarity and simplicity in terms of information notices and consent, the aim of the Regulation (also called the GDPR, General Data Protection Regulation) is to ensure greater protection for all citizens of the Union, although each State will be able to adapt some of its contents autonomously. The new legislation has the advantage of arriving together with another instrument, the so-called Police (Law Enforcement) Directive, Directive (EU) 2016/680, on processing by the competent authorities for the purposes of prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, aimed at promoting the circulation of personal data between security authorities. Once again, the institution appointed to this task will be the Privacy Guarantor (Garante), which becomes a genuine National Supervisory Authority. In this light, the recent protocol signed between the Authority and the DIS in the framework of greater security for the Republic comes as no surprise (see link). Let us now look together at 5 key points of the new legislation, which will certainly have an impact, with the necessary mitigations and peculiarities, on the Defence system as well:

1) The concept of "accountability" of the controller is introduced

With the GDPR, the Data Controller (the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data) is required to take a step towards greater responsibility towards the data subjects (the persons to whom the personal data being processed refer). In particular, the Data Controller is obliged to document every choice, whether active or by omission, with respect to processing activities: decisions regarding data security, retention, protection of the rights of data subjects and the analysis of risks for the rights and freedoms of the individual all fall within this logic. The aim is to generate a reward mechanism for controllers who are virtuous on these issues and to penalise the most careless controllers with a greater degree of liability.

2) Obligation to notify the Authority in the event of a personal data breach (data breach)

The GDPR extends the obligation to notify personal data breaches to all controllers of personal data. Public bodies, as well as companies, must promptly notify the Guarantor of any breach of the personal data of the persons concerned. Note that by "personal data breach" the Regulation means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. It follows that even mere unauthorised access to and viewing of personal data is indisputably a data breach, while for actions with less impact, such as port scanning, there are no specific indications to date; the practical yardstick is the definition itself: a security event that does not touch personal data (a port scan that is blocked, say) is an incident to be handled and logged, but it becomes a notifiable breach only once the confidentiality, integrity or availability of personal data is actually affected, and the breach need not be malicious, since accidental loss counts as well. Among the requirements laid down in art. 33 of the GDPR, the reference rule on notification of a data breach to the Authority, is a period of 72 hours from the moment the Controller becomes aware of the breach, within which certain details of the breach must be communicated to the Authority (the notification may be made in phases if the information is not all available at once, and every breach must in any case be documented internally, even those not notified); in the most serious cases, where the breach is likely to result in a high risk for the rights and freedoms of individuals, art. 34 extends this obligation to communicating the breach to the data subjects themselves.

3) Specific safeguards for the personal data of those subject to processing based on automated decision-making

With the new Regulation, the data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her, which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her. Such processing includes "profiling", which consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or where necessary for entering into or performing a contract between the data subject and a controller, or where the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such a measure should not concern a child.
Note that this principle would hold true also, and above all, with reference to the decisions that an AI (Artificial Intelligence) could take in order to assess, for example, the security of a place or the dangerousness of an individual (we know that today algorithms of this kind aimed at preventing crime, so-called "Pre-Crime", are already a reality).

4) Obligation to carry out a data protection impact assessment (DPIA)

Art. 35 of the Regulation lays down the obligation for controllers to carry out a data protection impact assessment, the so-called "DPIA" (Data Protection Impact Assessment), aimed at mapping the prospective risks of a processing operation for the rights and freedoms of the persons concerned. The DPIA is a particularly complex procedure, with extremely stringent technical specifications. It must be carried out where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. A single assessment may also address a set of similar processing operations that present similar high risks. The Regulation lists three cases in which a DPIA is mandatory, all three of which have an impact in terms of the protection of public security:

(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

(b) processing on a large scale of special categories of personal data (e.g. on health, political opinions, religious beliefs, etc.) or of data relating to criminal convictions and offences;

(c) a systematic monitoring of a publicly accessible area on a large scale.

5) The new figure of the Data Protection Officer (DPO) is officially introduced

Finally, the Regulation introduces the new figure of the DPO, Data Protection Officer. This is, to all intents and purposes, a person in charge of data protection (in Italian, "Responsabile della protezione dei dati") whose tasks include ensuring, on a constant and updated basis, the correctness of data security from a privacy standpoint and the compliance of the Entity/Company with the GDPR.

Note that, for public bodies, this figure is mandatory and must be able to report directly to the highest management level.

(photo: US DoD)