The General Data Protection Regulation (GDPR) entered into force on 25 May. The Regulation is a set of rules on the protection of personal data with two main objectives: to give European citizens full control over their personal data and to simplify the regulatory framework for companies that manage such data. The GDPR rules protect the data of European citizens and apply to every company that processes or manages such data, regardless of the country in which it has its registered office or the place where the data are processed. Companies that offer goods or services (whether paid or not) to EU residents, or that monitor the behaviour of EU residents, are subject to the GDPR.
The impact is greater than we might think, because the GDPR concerns companies that manage personal data of any kind, from information about their own employees to customer profiling on behalf of third parties. In addition, it introduces financial fines for companies that do not comply with the regulation, which can reach up to 4% of overall annual turnover or €20 million. A company is liable to sanctions if, for example, it lacks adequate policies on consent to the processing of personal data or if it violates the principles underlying the concept of "Privacy by Design". Among the obligations to be taken into account are a clear request for consent (Article 7), the keeping of a record of processing activities (Article 30), the notification of data breaches within 72 hours (Article 33), the appointment of a "Data Protection Officer" (Article 37) and the establishment of a procedure enabling data subjects to exercise their rights easily (Articles 15-22).