How the security measures in the GDPR will change our approach to risks involving personal data

By Andrea Puligheddu
18/03/18

As indicated in the previous article, the new European legislation on the protection of personal data is on the doorstep, and with it the entire privacy framework currently in force in European countries is being overhauled. Although more or less authoritative interventions have by now followed one another on how to interpret some of the new features introduced (the register of processing activities, the data protection impact assessment, the Data Protection Officer or DPO, etc.), organisations are today discovering themselves, for the most part, completely unprepared even on the basic documentary and organisational requirements that have already been in force, under the Privacy Code, for twenty years. This is confirmed by the results of a study conducted by Senzing, a Californian software company, entitled "Finding The Missing Link in GDPR Compliance", according to which, on a sample in the order of thousands of companies, half (43%) of the companies in Italy declare themselves "alarmed", while several others show a simple and disturbing lack of knowledge about the obligations and sanctions resulting from non-compliance with the GDPR. Which profile, among many, emerges as the most critical and undervalued in these circumstances? Naturally, the answer is simple: the security of the personal data processed.

It is not enough to read the chronic news of breaches of public and semi-public critical infrastructures (telephony, hospitals, transport, energy, etc.) to give evidence of an existing risk. The national business fabric risks dispersing, once again, the value generated by the personal data it processes, solely for lack of awareness and lack of accountability. Without imagining science-fiction apocalypses, those likely to lose out in the end are the data subjects (the people to whom the personal data refer), who, faced with a lack of security, could unknowingly suffer a compression of their rights and freedoms. In this sense, on the security side, the GDPR (the acronym of General Data Protection Regulation) proposes in Article 32 a complete change of mentality, a real cultural switch. Indeed, it specifies that: "Taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:"

a) pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures adopted to ensure the security of the processing.

The Regulation thus identifies the approach to security as a genuine moment of responsibility for the controller (consistent with the principle of accountability under Article 25) and intends to wipe the slate clean of the simplistic method repeatedly adopted by companies (some of considerable strategic importance) which, with regard to risk prevention, rely on a mere standard checklist or only on the minimum measures set out in Annex B of Legislative Decree no. 196/2003, the previous Privacy Code.

With this provision the GDPR certainly does not intend to communicate that the security measures identified so far by regulatory and quasi-regulatory acts (such as those established by the AGID Guidelines for Public Administrations) must disappear: on the contrary, the purpose of the Regulation is to generate proactivity on the part of the controller, which is rewarded under the mechanism dictated by the principle of accountability mentioned above. In this sense, the Regulation proposes four criteria to be taken as examples and adopted only where appropriate. In particular, it suggests considering the adoption of pseudonymisation techniques for the personal data processed (a process that ensures the data are stored in a format that does not directly identify a specific individual without the use of additional information, which must be kept separately), ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services, adopting disaster recovery systems, and defining periodic testing procedures to verify the effectiveness of the security measures adopted. In this way the GDPR outlines a real security process, capable of guaranteeing a reasonable focus on security on the controller's part. Moreover, the provision goes on to specify that "In assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article."

Therefore, specific risk assessments are required, built on synergies with other provisions of the GDPR, such as those on data breaches, codes of conduct, unlawful processing of personal data and certification mechanisms. Finally, the breadth of the front to be secured is specified, although it was intuitive: "The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law." The deus ex machina of the entire cycle is of course the controller and, in this sense, pending new developments dictated by the practices and interpretations that will follow, this provision is once again consistent with the principle of accountability and aims to prevent a part of the supply chain from being vulnerable in terms of security.

Many open questions remain: what are the appropriate security measures? Which standards must each controller adopt to ensure compliance on the security side? Which best practices?

A few days before the Regulation becomes applicable, these remain open questions that challenge both the sectors strategic for the country's productivity and SMEs.