EU Regulation 2016/679 (“GDPR”) introduced principles to be respected by companies in order to ensure the protection of personal data. Indeed, pursuant to article 5, the GDPR imposes the obligation of so-called “accountability” and “privacy by design” (i.e. the obligation to include in any process, starting from the design stage, the tools and correct settings to protect personal data) which are embodied in the following burdens on the company, as data controller:

a) analysis of the company and identification of treatment activities: first of all, each company must identify which personal data processing activities are carried out and what types of data are processed within the scope of its operations. This preliminary analysis is essential in order to identify the appropriate strategy to guarantee data protection;

b) creating and updating a "register of processing activities": not all companies are obliged to maintain a register of personal data processing. In particular, subjects for which is mandatory are:

1. companies or organisations with at least 250 employees;
2. any controller or processor (including companies or organisations with fewer than 250 employees) who carries out processing operations that could present a risk - even not a high risk - to the rights and freedoms of the data subject;