On 25 May 2018, the General Data Protection Regulation (EU) 2016/679 (hereinafter GDPR) came into force. The GDPR is a step forward for the control and protection of citizens’ personal data as it is a fundamental right, establishing a data protection regime directly applicable to all EU states.

All companies must adapt to the GDPR approved by the European Parliament, which harmonises the obligations of companies in terms of data protection and the right to privacy of individuals.

In Denemax Consulting we offer a comprehensive solution for adaptation to the RGPD, providing a service tailored to the needs of each client, analysis and diagnosis of the situation of the company in this area and evaluate the risks of possible breaches, therefore, the maximum guarantee of a true adaptation.

With comprehensive quality advice and after a prior study of your activity, we will document procedures, clauses and contracts, we will locate the habits and methods used that may give rise to risk situations and, fundamentally, we will define the Data Protection Policy that should prevail in your activity, including the protective measures that will help to avoid any incident.

The GDPR proposes a substantial change in the approach to data protection: this change of approach stems from the greater self-government that the GDPR grants individuals over their own personal information and this implies a very important change in the way of informing and obtaining consent that is imposed on data controllers.

The GDPR is more demanding with respect to companies, entities and professionals, as it not only obliges them to establish more conscious and diligent measures necessary to ensure the proper processing of the personal data they hold and manage, but also urges them to demonstrate that they are doing so.

Denemax Consulting offers a Global Consultancy service, providing solutions to both legal deficiencies and those that may affect you on a technical and organisational level. Taking such a comprehensive approach to your protection ensures a consistent implementation of all necessary measures, privacy by design and by default.

In addition to the legal requirements set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data, imposing obligations on all those who process personal data; Law 34/2002 on Information Society Services and Electronic Commerce also provides requirements that require preventive and corrective advice on websites, E-Commerce platforms, etc., which Denemax Consulting includes in its consulting services.

The new European Data Protection Regulation establishes a new obligation for data controllers to carry out a Privacy Impact Assessment (PIA).

Where a type of processing, in particular where it uses new technologies, is likely, by its nature, scope, context or purposes, to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to processing, carry out an assessment of the impact of the processing operations on the protection of personal data.

A Personal Data Protection Impact Assessment (PPRIA) is an exercise of analysing the risks that a given information system, product or service may entail for the fundamental right to data protection of data subjects and, following that analysis, effectively managing the risks to be eliminated or mitigated by adopting a series of security measures.

Impact assessments fall within the scope of preventive measures or actions, since it is an assessment process that must be carried out before starting personal data processing operations; in this sense, it connects with the concept of privacy by design, which in the GDPR is identified as «data protection by design». This means that, both when defining the different processing operations and when determining and applying the means to be used to process personal data, the principles, rights and obligations set out in the regulations applicable to the processing operations to be carried out must be taken into account.

Notwithstanding the previous paragraph, there is no obstacle to consider a PIA for existing processing operations. In fact, the impact assessment should be carried out using a method that allows it to be repeated, since in certain circumstances it will have to be revised and updated.

It is worth bearing in mind that a PIA is a very useful instrument in relation to the principle of proactive accountability, since it facilitates not only compliance with the standard, but also the ability to demonstrate it, etc., which Denemax Consulting contemplates as part of its consultancy services.