Privacy and Data Protection


Regulation (EU) 2016/679, General Personal Data Protection Regulation (RGPDP), came into force in May 2016. As it is a regulation, it is directly applicable to Member States without the need for transposition. However, from May 2016, Companies have two years to fully adopt the new rules.

This new Regulation introduces not only new rules, but also high fines in case of non-compliance (they can reach 4% of annual turnover or 20 million euros), which requires careful attention from companies that deal with personal data.

The new Regulation is somewhat complex given that the new rules are based on new principles and concepts, new rights for data subjects that mean new duties for the companies that deal with them and also requirements at an organizational level.

The transitional period of two years is not at all long, and adaptation needs may be significant and time-consuming.

Additionally, in July 2016 the so-called NIS - Directive (EU) 2016/1148 on the security of networks and information systems was adopted by the European Parliament. This directive came into force in August 2016, with Member States having 21 months to transpose it into their national legislation and six months to identify operators of essential services. This directive is in line with what is recommended in the aforementioned regulation.

BDO has a complete range of solutions designed to help you adapt to the changes introduced by the RGPDP and NIS Directive:

  • Assess applicability and degree of preparation for new regulation
  • Check-Up for RGPDP: synthetic check-up to frame the applicability and prepare the covered entities (any entity that collects, records, organizes, preserves, adapts, alters, recovers, consults, transmits or carries out any type of operation involving personal data ) for the implementation and compliance with the requirements of the RGPDP, when it becomes applicable (spring 2018);
  • Check-Up for NIS Directive: synthetic check-up to frame applicability and prepare covered entities (essential service providers – energy, transport, banking sector, financial market infrastructures, health sector, drinking water sector, digital infrastructures; and digital service providers) for the implementation and compliance of the Directive.
  • Advise in the preparation of an adaptation plan to the new regulation, specifying actions, deadlines, necessary and responsible resources
  • Define business recovery and resilience planning in the event of a cyber-attack
  • Offer secure systems consultancy services and security consultancy services for classifying and protecting your sensitive data
  • Scan, mapping and identification of threats and vulnerabilities to network segments and equipment and matching with known vulnerability databases
  • Carry out external and internal tests (vulnerability and intrusion testing) to assess computer security based on best international practices
  • Identify services that seek evidence of interest from attackers, be they hackers, hacktivists, cyber criminals, or nation-state attackers, or any other malicious agents, looking for secrets, denial of service or other damage
  • Training on the RGPDP and the NIS Directive
  • Support in the implementation of technology and definition of protocols/procedures most appropriate to data privacy policies
  • Support in the implementation of security requirements and mechanisms for reporting incident 

See the Regulations at: eur-lex.europa.eu

See the Directiv at: eur-lex.europa.eu