GDPR, new system for privacy, a new nightmare for medium-sized companies and SMEs

(by Andrea Puligheddu) The new European legislation on the protection of personal data is upon us, and with it the entire privacy system currently in force in European countries is being overhauled. Although more or less authoritative interventions on the interpretation to be given to some of the innovations introduced (the register of processing activities, the data protection impact assessment, the Data Protection Officer, etc.) have been appearing for some time now, a part of the business world remains completely unprepared, even on the basic documentary and organizational obligations that have been in force under the Privacy Code for twenty years now. This is confirmed by the results of research conducted by Senzing, a Californian IT company, entitled "Finding The Missing Link in GDPR Compliance", according to which half (43%) of the companies in Italy, out of a sample of thousands of companies, declare themselves "alarmed", while several others show a plain and disturbing lack of knowledge of the obligations and penalties that follow from non-compliance with the GDPR. Which profile emerges, among many, as the most critical and underestimated in these circumstances? The answer is simple: the security of the personal data processed.

One need only read the recurring news of breaches at public and semi-public critical infrastructures (telephony, hospitals, transport, energy, etc.) to see that the risk is real. The national business fabric risks dispersing, once again, the value generated by the personal data it processes, solely for lack of awareness and lack of accountability. Without imagining science-fiction apocalypses, those likely to lose out are ultimately the data subjects (the people to whom the personal data refer), who, faced with a lack of security, could unknowingly suffer a compression of their rights and freedoms. In this sense, on the security side, the GDPR (the acronym of General Data Protection Regulation) proposes in Article 32 a complete change of mentality, a real cultural switch. It specifies that: "Taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:

a) pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing."

The Regulation thus frames the approach to security as a genuine responsibility of the controller (consistent with the principle of accountability under Article 25) and intends to wipe the slate clean of the simplistic method repeatedly adopted by companies (including some of strategic importance) which, when it comes to risk prevention, rely on mere standard checklists or only on the minimum measures set out in Annex B of Legislative Decree no. 196/2003, the previous Privacy Code.

With this, the GDPR certainly does not mean that the security measures identified up to now by regulatory and para-regulatory acts (such as those laid down by the AGID Guidelines for Public Administrations) must disappear: on the contrary, the purpose of the Regulation is to generate proactivity on the part of the controller, who is rewarded under the mechanism dictated by the aforementioned principle of accountability. In this sense, the Regulation proposes four criteria to be taken as examples and adopted where appropriate. In particular, it suggests considering the adoption of pseudonymisation techniques for the personal data processed (a process that ensures the data is stored in a format that does not directly identify a specific individual without the use of additional information), ensuring the confidentiality, integrity, availability and resilience of processing systems and services, adopting disaster recovery systems, and planning periodic test procedures to verify the effectiveness of the security measures adopted. In this way, the GDPR designs a real security process, capable of giving the controller a reasonable security focus. Moreover, the Regulation goes on to specify that "in assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article".

Therefore, assessments of specific risks are necessary, calibrated on the synergies with other provisions of the GDPR such as data breach notification, codes of conduct, unlawful processing of personal data and certification mechanisms. Lastly, the breadth of the perimeter to be covered is spelled out, intuitive though it was: "The controller and processor shall take steps to ensure that any natural person acting under their authority who has access to personal data does not process them except on instructions from the controller, unless required to do so by Union or Member State law". The deus ex machina of the entire cycle is naturally the controller, and in this sense, pending new developments dictated by the practice and interpretations that will follow, this provision is once again consistent with the principle of accountability and aims to prevent any part of the supply chain from being vulnerable in terms of security.

Many open questions remain: what are the appropriate security measures? Which standards must each controller refer to in order to ensure compliance on the security side? Which best practices?

A few days before the Regulation becomes applicable, these remain open questions that challenge both the sectors strategic for the country's productivity and the SMEs.

OPINIONS, PRP Channel