GDPR temperature: what is happening and what has not happened yet ...

(by Andrea Puligheddu)
27/11/18

Six months have passed since the full application of the GDPR, the European legislation on the protection of personal data.

The impacts that the Regulation has had (public and private bodies have had to adapt to it since 2016, the year of its entry into force) are now well known, particularly with regard to security management: the prescriptive approach of the previous legislation (checklists of minimum measures to be respected, "suitable measures" and the like) gives way to a risk-based approach, under which the Data Controller and the Data Processor "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing and the risk of varying likelihood and severity for the rights and freedoms of natural persons".

However, after this first period of application, it is appropriate to ask ourselves what has really changed and what the perceived "temperature" is in Europe and - more generally - in the rest of the world with respect to the protection of personal data.

Precisely with respect to this second aspect, it must be said that the GDPR is in fact indirectly achieving one of the expectations it was born with, namely that of becoming a globally shared standard. Numerous countries outside the Union, also in an attempt to strengthen their own regulatory policies against the overwhelming power of the United States and China in the market for technology and the web, have adopted regulatory approaches inspired by the GDPR or, in some cases, fully modelled on it.

Even among the OTTs (the "over the top" providers) there are those who have decided - probably also for reasons of business strategy - to publicly call for a "federal" GDPR for the USA, reaffirming privacy as a fundamental human right (a fact that is too often forgotten) and not as yet another element of the person to be monetised.

There are other aspects which, for reasons of technique and space, cannot usefully be dealt with in this brief reflection: awareness, dialogue on information security, training and the reorganisation of business processes are just some of the areas in which the GDPR has provided inspiration at national and European level. Compared with the last twenty years - of partial or in some cases total immobility - the scenario is actually changing.

It is worthwhile, however, to spend a few words now on the second aspect, in other words: what is missing?

The bad news is indeed that what we have just seen is far from enough. Something is missing, and indeed - especially in Italy - far more than something.

Without beating around the bush, and taking up ideas shared with other experts in the field, one very precise situation has remained unchanged for six months: the total lack of a serious security culture at both the political and the managerial level.

The latest emblematic case of this absence - in some ways disheartening and disconcerting at the same time - occurred a few days ago, when the breach of 500 thousand certified e-mail accounts was disclosed, some of them (about 9 thousand) belonging to magistrates and many others (about 98 thousand) connected to the Interministerial Committee for the Security of the Republic. The news was followed by a brief uproar, by some actions I would call prehistoric and routine ("change your password"), by some responses (some decidedly out of place, merely ironic), and then by a gradual return to the oblivion to which news and facts - even serious ones - about the confidentiality and security of information have historically been destined.

Without going into the merits, and obviously leaving the important investigations that this event will hopefully prompt to those responsible for them, not many more words are needed to describe the serious state of uncertainty in Italy: those who deal with security often have their "hands tied" by years of omissions and shortcomings, and this is certainly not the time for recriminations, however legitimate they may be.

What is missing, however (despite a strong tool from the hierarchical and regulatory standpoint such as the GDPR), what we have not seen in these six months, and what we do not stop hoping will happen for the good of the whole country and of its social, public and entrepreneurial fabric, is that the competent Authorities support and adequately train the operators of the sector, and ensure that the standards of accountability and risk-based approach set by the law (really minimal ones, given the critical situation we find ourselves in) are fully respected, engaging with operators and imposing - where appropriate - the sanctions and the firm responses that the Regulation itself provides for.

There is a large-scale operation to be carried out in this country in the field of training and security culture, and continuing to postpone its launch for lack of understanding of the issue will lead to an ever-widening gap between reality and the perception of the issue in Italy, until - in spite of ourselves - this gap becomes so wide as to become the rule, also and above all with respect to the rest of Europe. Lastly, it is worth remembering that the total absence of concrete and guided investment in security, in relation to an industrial fabric that mostly finds itself having to handle - without adequate funds - what is both of high value and highly vulnerable in a completely arbitrary and improvised way, contributes to worsening the whole picture.

In short: we need to start changing, and urgently.
