Email marketing and privacy: the new regulation in 10 points

While with the first blog post we outlined an overview of the new regulation, now it is time to go into the new elements of the reform in detail. We have identified 10, and today we’ll describe the top five, from the geographic coverage of the obligations to the introduction of the Privacy Impact Assessment.

In brief, here’s what will change with the reform:

The question spontaneously arises: “If a non-European company processes the personal data of citizens from the old continent, which law applies?” Until now the answer was that of the data controller, i.e. the entity collecting the data.

This reform changes everything: the obligations of the Regulation will extend to the processing of personal data outside the European Union but used for supplying goods and services to citizens of the 28 EU member countries; the same is also true for processing that involves monitoring data.

This is quite a revolution if we consider that the old rules stipulated that the legislation to be applied was exclusively that of the nation in which the data controller was based.

What about Facebook and Google? How they should behave in the light of the new regulation? The two giants of Silicon Valley will also be subject to European legislation.

Under the new regulation it will become mandatory to establish a document system for managing privacy that contains all the records related to the processing of personal data, which must also be regularly updated.

This is the logic of accountability, i.e. the correct organization, documentation and traceability of processing activities. The document system must necessarily include a “nourished” series of details, such as how the data was collected, where and when. It will be like a black box tracking the processing.

Those who do not organize the data management in the best possible way are liable to be sanctioned, regardless of the abuses that may or may not arise from it.

The disclosure document will no longer be a bureaucratic and formal tool. Under the new regulation it should be made in a concise form that is clear, understandable and easily accessible, with simple and clear language, especially in disclosure documents intended specifically for minors.

The information must be provided in writing, in paper or digital form. If requested by the person concerned, the information can be given orally, provided that the holder’s identity is proven by other means.

Moreover, it will be necessary to inform interested parties about the origin of data processed and indicate their storage time.

With the old regulation, interested parties who wanted to amend, supplement and delete their information encountered great difficulties in requesting access to the data.

The new criteria are designed to facilitate the interested parties in the exercising of their rights by including mechanisms to request and obtain access to data for free, and to correct and delete them. One of the duties of those collecting the data will be to prepare the means for forwarding requests electronically, especially in cases where the personal data are processed by electronic means.

For years we have been accustomed to managing the so-called Documento Programmatico sulla Sicurezza (DPS – Privacy Policy Document), a kind of photograph that documents the adequacy of the security measures adopted to process personal data.

It stopped being mandatory in 2012 but with the new regulation we will soon have to learn to handle a new tool: the Privacy Impact Assessment (PIA), the document assessing impact in the processing of data.

It entails a full analysis of the potential risks associated with the treatment of the data: the data controller now has the duty of carrying out an assessment of the impacts caused by the processing of the data, from the time of designing the business process and the computer applications supporting the operation, especially in cases where the processing has specific risks for the rights and freedoms of those affected.

The process involves three distinct phases, which must be carried out periodically, at least once a year:

1. analysis of risks (list analysis);
2. definition of the list of critical issues (gap list);
3. definition of the intervention program (action plan).

The probability and the level of risk related to the processing of data must be determined by the nature, scope, context and purpose of the data processing.

It will be a real revolution for those who are accustomed to the comfortable cadences of the DPS. The PIA will introduce deep analysis of business processes with the aim of managing and preventing risks.

With our Legal & Privacy notebook our aim is to provide you with a map so you can navigate the intricate provisions of the new European Regulation. Follow us on our blog. With our next post we’ll guide you through the last five key points of the reform, offering a focus on news aspects of the profiling activities.