FABLAB Catania
GDPR, everything there is to know to be compliant

On May 25, 2018 the new regulation on data protection enters into force. GDPR stands for General Data Protection Regulation.


Why will the GDPR be an advantage for companies and professionals? Considerations and suggestions concerning Regulation (EU) 2016/679


Subtitle: I wanted to write a short blog post, but it was not to be
Carmen Russo

This article is subject to additions and changes in light of the evolving debate at national and European level. GDPR is the acronym for General Data Protection Regulation; it does not in any way replace the directives issued by the Privacy Authority.


Also published in the online magazine Dol's


The rules of the game have changed: protecting yourself, or at least trying to, from data breaches must be a priority for all companies, professionals, and anyone who works with other people's data.
Let's say first that this regulation, which enters into force on 25 May, does not concern only websites but all companies that process data of customers and employees, in accordance with Article 2, Material scope, in particular the paragraphs:
1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
2. This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity.

Are you a hairdresser who sends Christmas greetings by e-mail or WhatsApp? Do you send your customers promotions, or tell them about changes in opening hours or a special event? Do you run a delicatessen with home delivery? Phone number, home address, first name and surname are the data you are handling, and therefore you must adapt the information you give your customers before collecting these data or, if you collected them in the past, inform them that you have adopted appropriate processing standards and ask for their confirmation electronically or in writing.

Note that here I am talking about informing your customers and asking for consent that is, in any case, necessary to perform the service: that is, data, on the web or off it, that you as a user are in practice forced to release if you want the service or the product.
My biggest fear (that is to say, I have much worse ones, but let's stay within the field of the GDPR) is that consumers, who have read little or nothing of this regulation, will begin to confuse the data that is needed with the additional data that is not needed, for which consent can be withheld.
However, this was already evident in the legislation currently in force. One of the check boxes that nobody ever ticks, or that the owner of a business marks as “necessary”, is the one giving consent to the disclosure of data beyond the mere performance of the service. This is why we get calls from call centres and business proposals by e-mail or post from companies we have never heard of.
From 25 May there will no longer be check boxes made compulsory, except for the data necessary for the processing. This applies both to websites and to paper forms. The next time you sign up for a seasonal supermarket card, pay attention to it.



In practice

Any business should start a process that reviews the current state of its data-handling practices and implements the necessary changes. Users must be told clearly what they are about to read and which rules the information notice refers to. Consent is an advantage for companies because it protects them against possible fraudulent actions: keeping a log of the data and of the consents received from customers lets you prove that you actually received permission to record and use the data in question. The document issued by the EC states that consent may be given by digital means, on paper, or by other means. I imagine this also includes voice recordings, of which you may request a copy, or video recordings.

It is understood that the customer, or user in general, can request erasure at any time without having to justify the reason, unless the data fall within certain categories for which it is necessary to retain them. In that case the user still has the right to request erasure, but must justify the reason. For example, if the processing is necessary for exercising the right of freedom of expression and information, the right to erasure does not apply. The same applies when the processing is necessary for reasons of public interest in the field of public health, for archiving purposes in the public interest, for scientific or historical research, or for the establishment, exercise or defence of legal claims.

Most companies do not fall into these categories, so if anyone asks you to erase the data you have recorded, you must comply with the request.
The data must be erased if they are no longer needed for the purposes for which they were collected; if the person withdraws consent; if the person concerned objects to the processing; if a court orders the erasure; and if they have been processed unlawfully, that is, if the consumer has not consented. I wonder what will become of the data banks that sell you hundreds of potential customers' data.

What does erasure mean? It means that, pursuant to Article 17 of the GDPR, whatever concerns the user in question must be deleted from your logs, e-mail, archives, computers, smartphones, mobile phones, storage devices and hard copies.
Clearly it is not possible to delete the invoices issued to the customer, even if they request the erasure, or the oblivion, of their data. To erase the data from your archives it may not be enough to press the “Delete” key; you may also need software that wipes the data thoroughly. Hard copies are certainly easier to destroy, with a device that shreds sheets of paper.





If you passed the consumer's data to third parties for the provision of a service or for customer-management reasons, you must also inform these processors that your customer has requested erasure, and make sure that it happens. For this reason the regulation requires that data controllers have a clear relationship with their service providers, regulated by a written document.
Let's take a simple example. You are a company that washes carpets and you rely on another company for pick-up and delivery. Clearly you will need to give them your customer's name and address, and possibly a phone number. First, the carrier must not use those data for its own purposes (i.e. it may not make proposals or send other material), but must simply provide the service for which the carpet-washing company commissioned it. Second, if the customer, for whatever reason (a move, for example), asks the carpet-washing company to erase the data, that company must in turn request erasure from the carrier.
For greater transparency, the first company will keep a copy of the request in its register and will keep, together with its customer's request, which must be made in writing, the one it sent to the transport company.
A lot of work! For this reason, the regulation provides that the data controller may set and charge a fee for the administrative costs of handling the request when a user asks for a copy of the data held in the controller's records. Erasure, on the other hand, is free.
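As an added example (not from the original article), a minimal register in Python that models the carpet-washing scenario above: it logs the written erasure request, wipes everything except data under legal retention (the invoices), and records a forwarded request for each processor that received the data. All names, dates and values are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Record:
    """One data subject in the controller's register."""
    subject_id: str
    data: dict                    # category -> value held by the controller
    consent: dict                 # when and by what means consent was obtained
    processors: list              # third parties that received the data
    retained: dict = field(default_factory=dict)  # category -> legal reason to keep it

@dataclass
class Register:
    records: dict = field(default_factory=dict)
    journal: list = field(default_factory=list)  # requests received and forwarded

    def add(self, rec):
        self.records[rec.subject_id] = rec

    def erase(self, subject_id, written_request, when):
        """Handle an erasure request: log it, wipe everything not under legal
        retention, and return which processors must be asked to erase as well."""
        if not written_request:
            raise ValueError("the request must be made in writing")
        rec = self.records[subject_id]
        self.journal.append({"type": "erasure_request", "subject": subject_id,
                             "date": when, "text": written_request})
        erased = sorted(k for k in rec.data if k not in rec.retained)
        rec.data = {k: v for k, v in rec.data.items() if k in rec.retained}
        for p in rec.processors:   # each processor gets its own forwarded request
            self.journal.append({"type": "forwarded_erasure", "subject": subject_id,
                                 "date": when, "processor": p})
        return {"erased": erased, "retained": dict(rec.retained),
                "notify_processors": list(rec.processors)}

def carpet_example():
    """Constructed sample: the carpet-washing company and its carrier."""
    reg = Register()
    reg.add(Record(
        subject_id="cust-001",
        data={"name": "M. Rossi", "address": "Via Etnea 1, Catania",
              "phone": "+39 000 0000000", "invoices": ["2018-0042"]},
        consent={"date": date(2018, 3, 2), "means": "paper form"},
        processors=["transport-company"],
        retained={"invoices": "tax law retention"},
    ))
    result = reg.erase("cust-001", "Please delete my data, I have moved.",
                       date(2018, 6, 1))
    return reg, result

if __name__ == "__main__":
    reg, result = carpet_example()
    print(result)
    for entry in reg.journal:
        print(entry)
```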

What about those who are not a business but have a personal website? The same applies here, but let's put the question differently: do you send information to your visitors? Do you have a contact form on the site? Do you check visit statistics and feedback through third parties that tell you, in practice, how many visits your domain gets, the age and gender of visitors, and the time slots they prefer? This too must be stated in the page dedicated to the cookie policy; but since these are aggregated data, and therefore you are not handling data that identifies a person, you don't need consent, although you must indicate, for each third party, how your visitor can delete these cookies.


The register of processing activities
It is just a simple, well-structured Excel sheet to keep a note of the data collected, the date of entry, and the person or company responsible for the data. You can ask for a copy of the register by filling in the contact form. It goes without saying that you have already read our privacy policy.



Data Breach
Breach notification

The GDPR introduces an obligation for all organizations to report certain personal data breaches to the Privacy Guarantor (GP) and, in some cases, to the people affected. A personal data breach means a breach of security that leads to the destruction, loss, alteration, or unauthorized or unlawful disclosure of personal data.
You must inform the GP of a breach, unless it is unlikely to result in a risk to people's rights and freedoms. Where a breach is likely to result in a high risk to the rights and freedoms of natural persons, you must also notify the individuals concerned, directly and without undue delay.
In all cases you must keep records of personal data breaches, regardless of whether they are subject to the obligation of notification to the GP.

You must report a notifiable breach to the GP without undue delay, and no later than 72 hours after becoming aware of it. The GDPR recognises that it will not always be possible to investigate a breach fully within that period, and you may provide further information in phases, provided this is done without further delay. You should make sure that staff understand what constitutes a personal data breach, which is more than just a loss of personal data.
You need to make sure you have an internal procedure for reporting breaches. This will support decision-making about whether to inform the GP or the people involved.
Given the tight timelines for reporting a breach, it is important to have robust procedures for breach detection, investigation and internal reporting.
Document the breach, and report it (within 72 hours of its discovery).
In other words, if you become aware of an event that has compromised data in your possession, you are obliged to notify the Privacy Guarantor within 72 hours. If you don't, you bear the whole damage. Let's take an example: you have a data log file on your hard disk and it is stolen from the seat of your car. You must notify the Privacy Guarantor of what happened, how you came to know of it (in the case of theft, easy) and the date on which it happened. This process goes by the name of Data Breach.
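As an added example (not from the original article), a small breach register in Python that applies the rules just described: every breach is recorded, the GP is notified unless the risk is unlikely, the people affected are told only for high risk, and the 72-hour deadline runs from the moment of awareness, with later information logged as phased updates. The stolen-disk dates and the high-risk assessment are assumptions made for the sample.

```python
from datetime import datetime, timedelta

DEADLINE = timedelta(hours=72)  # runs from the moment you become aware, not from the event

RECORD_ONLY = "unlikely"            # keep a record, no notification
NOTIFY_GP = "risk"                  # notify the Privacy Guarantor (GP)
NOTIFY_GP_AND_SUBJECTS = "high"     # also tell the people affected, without undue delay

def notification_duties(risk):
    """Return (notify_authority, notify_subjects) for a risk level."""
    if risk not in (RECORD_ONLY, NOTIFY_GP, NOTIFY_GP_AND_SUBJECTS):
        raise ValueError(f"unknown risk level {risk!r}")
    return risk != RECORD_ONLY, risk == NOTIFY_GP_AND_SUBJECTS

class BreachRegister:
    """Every breach is recorded, whether or not it has to be notified."""

    def __init__(self):
        self.entries = []

    def record(self, what, how_discovered, occurred_at, aware_at, risk):
        to_gp, to_subjects = notification_duties(risk)
        entry = {"what": what, "how_discovered": how_discovered,
                 "occurred_at": occurred_at, "aware_at": aware_at, "risk": risk,
                 "notify_authority": to_gp, "notify_subjects": to_subjects,
                 "deadline": aware_at + DEADLINE, "notified_at": None,
                 "updates": []}           # information supplied in later phases
        self.entries.append(entry)
        return entry

    def notify(self, entry, at):
        """Mark the GP notification as sent; True if it was within the 72 hours."""
        entry["notified_at"] = at
        return at <= entry["deadline"]

    def add_update(self, entry, at, info):
        """Phased reporting is allowed, provided it is done without further delay."""
        entry["updates"].append({"at": at, "info": info})

    def overdue(self, now):
        """Notifiable breaches still unreported after their deadline."""
        return [e for e in self.entries
                if e["notify_authority"] and e["notified_at"] is None
                and now > e["deadline"]]

def stolen_disk_example():
    """Constructed sample based on the page's stolen-log-file scenario;
    dates and the high-risk assessment are assumptions."""
    reg = BreachRegister()
    entry = reg.record(
        what="hard disk holding the customer log file stolen from the car",
        how_discovered="owner found the car broken into",
        occurred_at=datetime(2018, 6, 4, 20, 30),
        aware_at=datetime(2018, 6, 5, 8, 0),
        risk=NOTIFY_GP_AND_SUBJECTS,
    )
    on_time = reg.notify(entry, datetime(2018, 6, 7, 9, 0))
    reg.add_update(entry, datetime(2018, 6, 9, 10, 0), "police report attached")
    return reg, entry, on_time
```

Calling `stolen_disk_example()` returns the register, the breach entry (with its computed deadline of 8 June, 08:00) and whether the notification met the deadline.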




Accountability - Responsibility

These are the policies your company adopts, and can prove to have adopted, for the management of data. The GDPR requires you to show how its principles are respected. A policy of this kind will help you address data protection consistently and demonstrate accountability under the GDPR. It can be a stand-alone policy statement or part of a general staff policy.
The document should clearly define your data protection approach along with responsibilities for policy implementation and compliance monitoring. Management should approve the policy, and you should publish it and communicate it to all staff. The policy should be reviewed and updated at scheduled intervals, or when required, to ensure it remains relevant. Your business should monitor its compliance with data protection policies and regularly review the effectiveness of data management and security controls.
Information risks
You should determine how you (and all your data processors) manage information risk. Someone on your staff must be responsible for managing information risks, coordinating the procedures put in place to mitigate them, and recording and assessing the risk to information assets. Where information risks have been identified, appropriate action plans must be in place to mitigate any unacceptable or unresolved risks.
Data Protection by Design
Under the GDPR, the data controller has a general obligation to implement appropriate technical and organizational measures to demonstrate that data protection has been considered and integrated into its processing activities. This is known as data protection by design and by default. Internal policies must be adopted and measures implemented to comply with the data protection principles, including data minimization, pseudonymisation and transparency measures.
Data Protection Impact Assessments (DPIA)
A DPIA helps you identify the most effective way to meet your data protection obligations and people's privacy expectations. An effective DPIA helps identify and resolve problems at an early stage, reducing the associated costs and reputational damage that might otherwise occur. You must perform a DPIA before starting any kind of processing that "could pose a high risk". This means that, although the actual level of risk has not yet been assessed, you need to look at factors that indicate the potential for widespread or serious impact on individuals.

In particular, the GDPR says that you have to carry out a DPIA if you plan to:
* use systematic and extensive profiling with significant effects;
* process special category or criminal offence data on a large scale;
* systematically monitor publicly accessible places on a large scale;
* use new technologies;
* use profiling or special category data to decide on access to services;
* profile individuals on a large scale;
* process biometric data;
* process genetic data;
* combine or match data sets from different sources;
* collect personal data from a source other than the individual without providing them with a privacy notice ('invisible processing');
* track the location or behavior of individuals;
* profile children or target marketing or online services at them;
* process data that could endanger an individual's physical health or safety in the event of a security breach.



The DPIA should contain the following information:

* a description of the nature, scope, context and purpose of the processing and, where applicable, of the legitimate interests pursued by your company;
* an assessment of the necessity and proportionality of the processing in relation to its purpose;
* an objective assessment of the risks to individuals, which considers both the likelihood and the severity of the possible harm;
* the measures you have identified to address each of these risks, and whether the risks are eliminated, reduced or accepted as a result (including security measures).

If a DPIA identifies a high risk and you cannot take measures to reduce it, you must consult the GP. You cannot proceed with the processing until you have done so.
The focus is on the "residual risk" after all mitigation measures have been taken. If your DPIA identified a high risk but you have taken steps to reduce it so that it is no longer high, you do not need to consult the Guarantor.

Data Protection Officers (DPO)
The person responsible for data protection. It is important to make sure that someone in your company, or an external data protection consultant, takes responsibility for data protection compliance.
It may be necessary to appoint a DPO. Any company can appoint one, but you must do so if you:
* are a public authority (except for courts acting in their judicial capacity);
* carry out regular and systematic monitoring of individuals on a large scale (e.g. monitoring of online behavior);
* carry out large-scale processing of special categories of data, or of data relating to criminal convictions and offences.

It may be useful to designate a DPO on a voluntary basis even when the GDPR does not require it.
The DPO must work independently, report to the highest level of management, and have adequate resources to enable the organization to meet its GDPR obligations.
The minimum tasks of the DPO are:

* inform and advise the organization and its employees about their compliance obligations with the GDPR and other data protection laws;
* monitor compliance with the GDPR and other data protection laws, including the management of internal data protection activities, awareness-raising and training of staff and the conduct of internal audits;
* provide advice and monitor impact assessments on data protection;
* act as a point of contact for, and cooperate with, the GP, and consult it on any matter relating to data protection;
* be the point of contact for the people whose data are processed (employees, customers, etc.).

Management Responsibility

You should make sure that decision makers and key people in your company are aware of the GDPR requirements.
Decision makers and key people should lead by example, demonstrate responsibility for complying with the GDPR, and foster a positive data protection culture within your company.
They should take a leading role in assessing any impacts on your business and encourage a privacy-by-design approach.
They should help to raise awareness among all staff on the importance of good data protection practices.

Security Policy

Personal data must be processed in a manner that ensures appropriate security. Before you can decide what level of security is right for you, you need to assess the risks to the personal data you hold and choose the security measures appropriate to your needs.
Keeping your IT systems secure and protected can be a complex task that requires time, resources and (potentially) specialized expertise. If you process personal data within your IT systems, you must recognize the associated risks and take appropriate technical and organizational measures to protect the data.
The measures you take should be adapted to your company's needs. They do not necessarily have to be expensive or burdensome; they may even be free, or already available within your current IT systems.
A good starting point is to establish and implement an information security policy that sets out your approach to information security, the technical and organizational measures you will apply, and the roles and responsibilities that staff have in maintaining information security.

To answer the initial question, "Why will the GDPR be an advantage for companies and professionals?"

It is clear that the implementation of the regulation will mean that companies and professionals and anyone op
