The checks by the Guardia di Finanza or the Guarantor for the processing of personal data will be constant and not always communicated in time. Here is a handbook to avoid mistakes that could cost companies dearly. From issue 158 of AboutPharma

AboutPharma – 21 maggio 2018 di Alessio Chiodi

If the landlord knew what time the thief was coming, he wouldn't let his house be broken into. You too get ready…” reads a well-known Gospel parable which can also be useful for the most secular inspections by the authorities in matters of privacy protection. Because now that the rules of the game are changing, the controls may also increase. And it is not known when they will come knocking on the door to ask for an account of the activities of a company.

First point: be ready

If one were to imagine a vademecum of behaviour, in this case, the first rule would be: be ready to manage an inspection by the Guarantor for the protection of personal data. Inspections are usually preceded by reports or appeals. Or they are initiatives of the Guarantor within a well-defined road map. However, if a company is contacted by the competent authority to obtain specific information on its business, then it is likely that an inspection visit will soon take place. Maybe in person. In less serious cases, the Gdf takes care of routine visits. In the most serious cases, it is the inspectors of the Guarantor. And without the support of the core of the Guardia di Finanza. As written by the lawyer Gianluigi Marino, partner of OsborneClarke (AboutPharma n°154, pages 90-91), if the inspection is carried out in person by the inspectors, the situation can be expected to become controversial. The inspection may uncover other possible violations. Therefore, based on the person who carries out the checks, we understand the greater or lesser level of awareness of the authority regarding the problems of the inspected company.

Second point: find the right answers

The checks can be communicated (the day before) or take place by surprise. A document called a “request for information” is required before the inspection. With this element, notified at the time of access to the office, account is requested of all legislative and regulatory obligations regarding personal data. How is consent collected? How is the information given to the interested parties? How are external data processors contracted? All questions that need to be answered.

Third point: have someone who follows the inspections

Internal procedures must be streamlined and fast. The honors of the house must be done immediately. Generally, this task is performed by the internal privacy manager, the head of the legal department, the head of the compliance function or the DPO.

Fourth point: verbalize what happens and what is said

Everything must be transcribed, recorded and checked. Better to reserve the right to verify the correctness of what has been declared. Even better if everything is examined by an internal lawyer of the company or an external consultant.

Fifth point: have well-established privacy compliance

It will be easier to access the required documentation. However, fourteen days are foreseen for sending the material. Nothing to worry about if the inspectors' requests are not met immediately. It happens frequently.

Sixth point: consider the duration of the operations

The investigations last about two or three days. Therefore it is necessary that the company figure in charge of following them draws up an exhaustive report on what happened.

Seventh point: never release original documents

Only copies are better. Furthermore, it is necessary to take note of the databases inspected, obtain a copy of the report from the inspector, and always give truthful information. In case of doubts, better not to answer and postpone to subsequent investigations. As with university exams, it is better to remain silent than to give an incorrect answer. In the case of confidential documentation it is a good idea to cancel or make anonymous sensitive data that you do not want to make known to the inspector. For example, the economic terms of the agreements. Marino wonders: "will the organizations be sufficiently responsible to withstand the impact of the GDPR and the new waves of inspections in the coming semesters?".

Eighth point: there will be no exceptions

In recent weeks, news has circulated, which later turned out to be false, about a possible transitional period to be granted to non-compliant companies after 25 May 2018. The Guarantor had to intervene publicly to deny any information relating to this "bridge period". And confirm the effective entry into force on May 25th. Indeed, to be honest, there has already been a sort of transitional period. The Gdpr came into force in 2016, but the European institutions have decided to grant an additional two years to allow companies to adapt.

Related news: PRIVACY: Fimmg, Here are the steps to comply by the 25th

Note European Privacy Guarantor: «archive»: any structured set of personal data accessible according to specific criteria, regardless of whether this set is centralized, decentralized or distributed in a functional or geographical way;