“Anyone has the right to protect their personal data”
Reviewed by Fabio Concina
On 25th May, 2018, the General Data Protection Regulation (GDPR) will be fully enforceable in the European Union. This new regulation succeeds the Data Protection Directive, a two-decade-old directive that has struggled in recent years to keep pace with the growth of available online information. The technology landscape was very different 20 years ago, when the Directive was first adopted. Today, with the widespread use of social media, apps and the internet in general, personal data is being shared and transferred across borders more than ever before, and many felt that the Directive was due for a review after these changes.
On 15th March, 2018, Data Science Milan organized an event on the GDPR at Buildo.
GDPR: keep calm and be compliant by Anna Capoluongo, Studio Legale Capoluongo Law Firm
The GDPR applies to all processing that involves personal data, carried out by individuals or organizations (data controllers or data processors) operating in the European Union. A major novelty is the accountability principle for personal data protection: information must be processed lawfully, fairly and in a transparent manner. Relevant aspects of applying the accountability principle are data protection by Design and by Default, clear roles and responsibilities, assessment of the risks and the adoption of measures suitable to mitigate them. There is a new function, the Data Protection Officer (DPO), who is at the heart of the process of implementing the principle of “accountability” and is responsible for data protection. This role is not mandatory in general; it is mandatory only for public administrations, for large-scale monitoring activities and for the treatment of sensitive personal data. The DPO is the point of contact between the Company and the Supervisory Authority.
A violation of personal data (a so-called “Data breach”) is any event that puts at risk the personal data held by the data controller: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. When a violation of personal data occurs, the data controller notifies the Supervisory Authority. All data breaches have to be reported within 72 hours; the notification must be made without undue delay, and any delay must be explained. If the risk is really high, the affected individuals must also be notified, and a register of violations is mandatory. Administrative fines are divided into two brackets: up to 10 million euro or 2% of the total worldwide annual turnover, and up to 20 million euro or 4% of the total worldwide annual turnover.
How to comply with the GDPR in practice, with and without iubenda by Andrea Giannangelo, founder of iubenda
Iubenda is a service that allows you to create privacy policies and terms and conditions quickly. The service covers not only websites but also mobile apps and Facebook apps.
Andrea continued on the GDPR topic, stating that Companies must prepare internal documentation following certain guidelines, indicating the security measures, how and which data to process, the assignment of responsibilities and the response times in case of requests by customers. For example, Companies must have an internal document with instructions in case of a data breach, and a document with instructions for when customers want to exercise their rights. Among all these documents there is the corporate risk register: a sort of corporate privacy statement. It is a written document, also in electronic format, which contains a series of information concerning the processing activities performed by the data controller. The register is mandatory for Companies or organizations with more than 250 employees. It contains information such as the categories of data processed and the interested parties involved, the purposes, the security measures, where the data are stored and for how long, and so on. The data protection assessment is a document to draw up when Companies start a new project, stating which data are involved and why, with an assessment of the risks and of all measures to mitigate them. On web and cookie topics, the privacy statement requires the owner’s data, purposes, third parties involved, legal basis, etc. It is important to store offline forms and documents signed by customers, because a dispute could arise about whether they requested to receive promotions.
Turn GDPR into an added-value for your business by Andy Petrella, Kensu
Andy introduced the perspective of data science catalog and data science governance tools, and how the GDPR can add value to the enterprise.
Data science is an umbrella over all activities on data, and a data pipeline connects those activities from input to output, transforming data and involving several assumptions and technologies: an end-to-end processing line built to solve one problem or take one decision. Data science governance checks that data activity meets precise standards and involves monitoring production data activity: how accurate the model is, what patterns appear. This process involves technologies, users (who is responsible), sources, data and processing. Many tools use data and the number of processing activities keeps growing, so all this information is connected in a “data flow”; from it one can build a graph-based map of tools and processes and know which data concern transactions, which concern customers, and so on. With this map it is possible to carry out governance activities such as impact analysis, dependency analysis, pipeline optimization and data/model recommendation. The accountability principle of the GDPR requires adequate technical solutions and internal audits of processing activities; with data science governance you can monitor activities (e.g. machine learning performance) and build a process registry with all the data involved and the tasks pursued. In this way, transparent reports of activities across the whole chain of processing are produced.
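As an added illustration of the lineage map described above (a constructed example, not Kensu's product or code shown at the talk): a tiny data-flow graph over which impact analysis, dependency analysis and a generated process registry are computed. All node names, owners and tools are made up.

```python
from collections import defaultdict, deque

# Constructed sample pipeline (not from the talk): node -> attributes.
# "personal" marks sources that hold personal data; processes/outputs inherit it.
NODES = {
    "crm_customers":   {"kind": "source",  "owner": "sales",        "tool": "postgres", "personal": True},
    "product_catalog": {"kind": "source",  "owner": "product",      "tool": "s3",       "personal": False},
    "join_sessions":   {"kind": "process", "owner": "data-eng",     "tool": "spark"},
    "churn_model":     {"kind": "process", "owner": "data-science", "tool": "sklearn"},
    "pricing_stats":   {"kind": "process", "owner": "analytics",    "tool": "spark"},
    "churn_scores":    {"kind": "output",  "owner": "data-science", "tool": "postgres"},
    "price_report":    {"kind": "output",  "owner": "analytics",    "tool": "tableau"},
}
# Directed edges: data flows from the first node to the second.
EDGES = [("crm_customers", "join_sessions"), ("join_sessions", "churn_model"),
         ("churn_model", "churn_scores"), ("product_catalog", "pricing_stats"),
         ("pricing_stats", "price_report")]

def _reach(start, edges, reverse=False):
    """Nodes reachable from `start` (BFS, excluding start); reverse=True walks upstream."""
    adj = defaultdict(set)
    for src, dst in edges:
        adj[dst if reverse else src].add(src if reverse else dst)
    seen, queue = set(), deque([start])
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def impact_analysis(node, edges=EDGES):
    """Everything downstream of `node`: what an erasure or rectification of that data touches."""
    return _reach(node, edges)

def dependency_analysis(node, edges=EDGES):
    """Everything upstream of `node`: which sources and steps a model or report depends on."""
    return _reach(node, edges, reverse=True)

def processing_registry(nodes=NODES, edges=EDGES):
    """One entry per processing activity: tool, responsible user, sources and personal-data flag."""
    registry = []
    for name, attrs in nodes.items():
        if attrs["kind"] != "process":
            continue
        sources = sorted(n for n in dependency_analysis(name, edges) if nodes[n]["kind"] == "source")
        registry.append({"activity": name, "tool": attrs["tool"], "responsible": attrs["owner"],
                         "sources": sources,
                         "personal_data": any(nodes[s]["personal"] for s in sources)})
    return registry
```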
Author: Claudio Giancaterino
Actuary & Data Science Enthusiast