data privacy risk assessment and accountability

On April 28, 2017, the Italian Data Privacy Authority published a Guide on the application of the new General Data Protection Regulation (GDPR). The Guide does not set out implementing rules of the GDPR but rather provides a summary of “what will remain the same” and “what will change” in the main six areas covered by the GDPR:

  1. Legal basis for the processing
  2. Information to be provided to data subjects
  3. Data subjects’ rights
  4. Data controller,  data processor and persons in charge of the processing
  5. Data privacy risk assessment and accountability
  6. International transfer of data

In addition, for each of the above six macro areas, the Guide provides recommendations on the measures that companies and public entities can already put in place, in order to ensure compliance with specific provisions of the GDPR, which do not need further intervention at a national level for their implementation.

The Guide will be amended, updated or supplemented in light of the development of the debate at a national and European level on the application of the GDPR. The data protection authorities of France and the Netherlands published similar guides respectively on March 15 and April 13, 2017, which are however structured in a slightly different way, as they propose (especially the French one) a more systematic “step by step” methodology in order to help organizations get ready for the GDPR.

Elisabetta Pagone contributed to this blog post.