The effects of the GDPR in Italy three years after its launch


Investment in clear privacy policies is still scarce and data breach notifications remain low: 3,460 in Italy against roughly 77,000 in Germany

Three years have passed since the entry into force of the GDPR (the EU General Data Protection Regulation), which has become a global benchmark that countries outside the European Union also refer to. The aim of the regulation is to protect personal data in the digital world. The GDPR has brought more clarity to the wording of privacy notices and consent requests, has set new limits on the processing and transfer of personal data, and has laid down strict rules for data breaches, with fines of up to 4% of a company's annual worldwide turnover.

On the eve of this anniversary, the international law firm DLA Piper conducted a survey with the privacy experts of the Italian privacy think tank, drawn from 75 companies active in all the main sectors of the Italian economy, to understand how the business world is dealing with the processing and protection of personal data.

User tracking

In general, for marketing activities, the companies interviewed tend to use minimally invasive forms of profiling and limit user tracking. However, only 18% rely on "legitimate interest" as the legal basis, a low-impact form of profiling that allows personal data to be used only for direct advertising and to protect the company from fraud or other risks. 64% continue to request two separate consents, one for advertising and one for profiling, without invoking legitimate interest, while 8% ask for a single consent covering both activities, an approach the Italian data protection authority (the Garante) has never endorsed. As for advertising on third-party sites, only 19% of companies track users through cookies set on other sites, 11% advertise on other platforms without using tracking technologies, and 49% carry out no marketing on third-party sites at all.

Data retention

The GDPR does not impose a specific time limit for the deletion of data; it only requires that data be kept "for no longer than is necessary for the purposes for which the personal data are processed" (Article 5(1)(e), the storage limitation principle). The Italian Garante, however, has set a limit of 24 months for both marketing and profiling in a decision on "loyalty cards". Companies nonetheless behave inconsistently, interpreting the GDPR's wording in different ways. For marketing, only 19% delete data in line with the GDPR's purpose-based test, 23% count 24 months from the user's last interaction with the brand, while 21% keep the data indefinitely, until the data subject requests erasure, in breach of the storage limitation principle. The picture is similar for profiling: 19% of companies do not delete aggregated data and 8% do not delete any data at all.

Clarity of information

To communicate transparently with users, many companies have shown an interest in so-called legal design, that is, drafting legal documents so that they are clear and understandable in both content and visual layout. However, 24% of companies do not consider it an area worth investing in, and only 23% are already working in this direction.

The role of the data protection officer

The DPO (data protection officer) is the figure who oversees the company to ensure that it follows the principles and rules of the GDPR. For this function to be effective, the DPO's independence must be guaranteed: the GDPR (Article 38) requires that the DPO not be instructed in the exercise of the role and not hold other tasks that result in a conflict of interests, so the DPO should not sit within the internal office that handles privacy compliance. Yet in 24% of cases the DPO also coordinates the company's privacy compliance, and the company must then demonstrate, under the accountability principle, how the DPO's independence is preserved despite that role.

Data transfer outside the EU

The Schrems II ruling of the Court of Justice of the European Union invalidated the EU-US Privacy Shield and requires companies that transfer personal data outside the EU to verify, case by case, that the destination country offers a level of protection essentially equivalent to that of the EU, adopting supplementary measures where it does not. Despite this, 44% of companies have not yet adopted a methodology to check that the principles laid down by the Court are not being violated, and more than 50% carry out no checks on the data processors (vendors) to which they transfer data. Italian companies therefore appear to be underestimating the issue and could face sanctions if the Garante carries out inspections.

Data breaches

In the three years since the GDPR entered into force, only 3,460 data breaches (a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data) were notified in Italy, compared with approximately 77,000 in Germany. This suggests that Italian companies are reluctant to notify the Garante in such cases, even though Article 33 of the GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Furthermore, most companies (74%) rely on internal teams to assess whether a data breach needs to be notified, rather than external consultants (26%), which reduces the impartiality and effectiveness of those assessments.

Sanctions by the Guarantor

Italy has imposed more sanctions for GDPR violations than any other country in the European Union, and in the first months of 2021 the fines doubled compared with the previous six months. It has therefore become essential for companies to adopt internal procedures for handling inspections by the authority. 43% of the companies interviewed have done so, while 7% have not adopted any and feel they do not need them, and 5%, having already undergone inspections, believe they can manage them without specific procedures.

A first assessment

For the digital rights association noyb, three years after its launch, member states still have a lot of work to do to strengthen privacy enforcement, and cases take years to resolve. Moreover, according to the NGO's lawyers, courts have often been unable to rule in defence of users' rights for lack of specific expertise on the subject. Finally, the one-size-fits-all approach of the GDPR does not account for the differences between large industrial groups and small and micro-enterprises: the obligations are the same, and they often weigh far more heavily on the latter.


This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
