Like it or not, GDPR is not going to enter full force on May 25, 2018

With the scorn of those who are trying to milk money from prospect clients by threatening the “4% of the world turnover” fine, GDPR is not going to enter full force on May 25, 2018.

Sections 85 to 90 of the GDPR settle an option for the national members to pass specific local legislations on a wide range of topics, from free-speech to employment, from scientific research to personal identification numbers.

These are critical pieces of the GDPR-related legislations’ puzzle and full compliance can’t be accomplished if . on May 25 – the whole legal framework will still be incomplete.

In Italy, for instance, the draft bill that empowers the Government to pass the amendments to the Data Protection Act and to the rest of the Data-Protection-related legislations is still quietly sleeping between Montecitorio and Palazzo Madama. And since we’re entering into election time, nobody will actually care to move ahead about Data Protection at least until the end of 2018.

The consequence is that relevant part of the GDPR can be enforcend only if a State decided whether or not to pass these specific laws, but if a State doesn’t tell whether these laws will be passed or not, GDPR will hardly be fully enforced.

Enforcing the GDPR is becoming very alike a Catch 22.

Data Breach Notification is not (always) Mandatory

Contrary to a broadly shared belief, under the GDPR not all Data Breaches are created equal. Section 33, first paragraph of the GDPR, indeed, clearly says that

In the case of a personal data breach, the controller shall … notify the personal data breach to the supervisory authority …, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. (emphasis added)

Continue reading “Data Breach Notification is not (always) Mandatory”

What it takes to become an effective DPO

I am actually sick of the attempts to cash-in the needs of professionals that want to get a proper DPO qualification, by proposing useless “seminars” or “masters” or “crash courses” that promise to turn people that never approached the data protection issues before into skilled DPOs. This is exploitation, like promising that in fifteen days you can be turned from a desk geek into somebody able to beat Mike Tyson in his primes. Continue reading “What it takes to become an effective DPO”

The “certified” DPO and how to spot a useless one

With the approaching of May 25, 2018, the number of (self-professed) “Certified DPOs” is growing at an astonishing pace.

Many of the companies that fall within the GDPR’s scope must to include in its ranks this role but HR or Legal department are in the completely in the dark when it comes to set forth the criteria to evaluate a candidate’s fitness for the job.

“Certifications” or “Privacy Master Degree” ownership are a few ways the candidates try to lure a company into hiring them. Continue reading “The “certified” DPO and how to spot a useless one”