GDPR - General Data Protection Regulation - S.B.S. Consulting - Strategic Business Solutions - Management Consulting - Strategic Consulting - ESG/CSR Consulting - Growth Strategies Implementation - Export - Strategic Marketing

Go to content
25th May 2018 - GDPR entered fully into force (General Data Protection Regulation - UE 2016/679)


This is the regulation issued by the European Commission, born with the assumption to harmonize the existing laws extending and keeping them homogeneous in the whole European Union. The purpose is to strenghten the protection of the citizens' personal data in the European Union and also outside its own boundaries, defending the interested people and enterprises.

Born on the basis of specific increasing requirements of granting integrity, legality and security of data, it states the principles of lawfulness of processing and the limits of the purposes, the right to accept or to withdraw the consent of data processing, the right to a transparent and clear information about their processing, their possible transfer, the conservation of personal and/or sensitive data, having the availability to ask for their modification, cancellation at any time, or to be informed about the origin of the data and require their check.

The norm already entered in force in 2016 has been applied since 25th May 2018 and is also very complex revolutioning the whole system-enterprises and the relationship with citizens and also among the enterprises themselves.

The regulation is being applied to all enterprises also to the foreign ones which deal with the collection and processing of the citizens data residenting in the European Union, indipendently by the place of the legal and of the operative office where the activities are processed and indipendently by the processing purpose.  

The regulation is huge and needs the highest attention by the side of all enterprises and organizations in order to observe the European Commission requirements in all those aspects and fields where they are involved in. The regulation, in fact, implies the implementation of an organizational process called "Process by-Design" (Privacy by-Design) and the implementation of another one called "Process by-Default" (Privacy by-Default). This means that the whole internal organization of the enterprise must be built according to the logic of protection and security of data, on the basis of the consent or of a withdrawal of their processing, the availability of checking, modification, cancellation of the same ones by the side of the Users of the service. This means that project models of the data processes must be implemented, evaluating the impact of all default risks of the systems in each step, that is loss of data, accidental and natural events, the destruction of data and the access to them by the side of outsiders or third parties withount being in charge, and the divulgation of data without authorization. Specific modifications or the loss of data and specific data-breach which might have a certain kind of impact (after careful evaluation by the side of the enterprise), must be notified within 72 hours to the European Commission, informing the damaged ones with a consequent economic loss and image damage for the enterprise.

The European Commission therefore has introduced firstly the Consent to the data processing which allows the data processing mapping, and further to the project models of Process by-Design and Process by-Default another document called "Private Assessment Register" (PIA), a register which must be compulsorily dynamic, that is, daily updated, an internal Audit Register which deals with the data-breach risks.

The regulation strongly impacts on all the digital activities, on the traditional and digital marketing ones, therefore the whole digital area starting from the construction of the web-site, of the web platform/portal, of the e-commerce must be projected according to the regulation; that is all the marketing activities either traditional and digital must be carefully evaluated and processed according to the GDPR logic. The new Regulation, with the purpose of Awareness and the own Responsability (Principle of Accountability) concerning the personal data processing and data Security, concerns however all enterprises. This means to re-think the own organization, re-designing the processes, the internal responsabilities and/also those esternal ones, too. Enterprises with more than 250 employees, big-sized companies, Public Administration and enterprises with particular kinds of activities are obliged to hire the Data Protection Officer (D.P.O.), who is appointed as the Reference Person between the Enterprise and the Authority.

On 25 May 2018 all enterprises had to be ready compulsorily in order to avoid very heavy penalties: penalties can reach even Euros 20.000.000,00 or 4% of the worldwide GDP. Extension of adjustment until January 2019 and then post-poned up to May 2019.

Sanctions will be evaluated however also on the basis of the adopted company's style, the enterprise size and in consideration of the gravity of committed irregularity.

The norm has to be well understood in all its wideness and in consideration of the evaluation and project of processes, functions, activities and responsibilities with the opportunity of a higher efficiency and efficacy of the enterprise. This creates a competitive advantage and an added value recognised by citizens and enterprises which appreciate those ones dealing with transparency, security, building up the basis for a long-lasting relationship based on trust.

Moreover, it is important to remember that in July 2018 also enterprises that do not work with the public administration and the Professionals should have to adopt the electronic invoice, which has been entered completely in force since January 2019; moreover, enterprises without a certified web-site/portal/platform will be widely penalized by the providers. In a phase of great changes and of important regulations it is necessary to evaluate also these aspects in order to harmonize investments with a vision able to give positive outcomes in the future.

To be mentioned that the Education to Cyber Security and to Internet is necessary for all Enterprises, Employees and Citizens, too.

Back to content