Greater awareness and transparency in the expression of consent to the processing of data, more powers in the hands of the user who wants to revoke the consent, request the deletion or modification of the data at any time or their portability to another operator that offers the same service. This is the fulcrum of the GDPR, the European data protection regulations that have come into force last May 25th. The new rules have created a lot of interest and some fear.

The General Data Protection Regulation, which will replace the current Italian privacy code and will immediately be applied, has a wide scope and deals with many aspects that have to do with data protection: from the methods of collecting the user’s consent to the exercise of the right to be forgotten, from the portability of the data to the procedures to be activated in the event of a data breach.

The Italian guarantor for the protection of personal data has tried to shed light on the most relevant passages of the regulation by publishing a guide to the application of the GDPR. But what are the most important implications in the design of web services and in the management of digital marketing initiatives? Let’s briefly try to analyze it.

Privacy “by design” and “by default”: first of all the user

In the process of collecting and managing the consent to the processing of data, the GDPR takes up and takes two very important concepts on board, namely those of “Privacy by default” and “Privacy by design”. The protection of personal data – it is the basic idea of ​​the legislation – must be considered upstream of the design of a service.

“Privacy by default” means the principle by which, by default, only “personal data necessary for each specific purpose of processing” (art. 25 GDPR) must be processed. Also, the other principle mentioned in the GDPR is very interesting, that is the one that refers to “Privacy by design”, according to which the protection of privacy must be taken into consideration right from the design phase of a system that includes the data collection of users.

Therefore, in order to guarantee the two principles, measures, which provide «minimizing the processing of personal data, pseudonymization of the personal data as soon as possible, offering transparency with regard to the functions and processing of personal data, and allowing the interested party to control the processing of data and allow the data controller to create and improve security features» must be predicted.