Aula Magna packed and great audience interest on 17/1 for the conference dedicated to the GDPR by the Information Security & Privacy Observatory of the Politecnico di Milano. In his introduction Alessandro Piva (Observatory Director) anticipated some results of the research that will be presented on 2/2, which show the breadth and diversity of the threats, some of which made the headlines in 2016: hackers (the Yahoo breach and the US elections), IoT and ransomware. The top vulnerabilities still stem from the human factor (78% unawareness and 56% distraction), put under stress by the tangle of the technological environment (47% mobile and 33% BYOD). How are companies reacting? Only 9% have a structured project in place, while 46% have at least started the requirements analysis. An acceleration in awareness can however be seen: if 50% of the companies do not have a dedicated budget, another 35% will have one within 6 months; and if 45% do not foresee organizational changes, another 34% are planning them within 6 months. Among the planned actions the assessment leads (42%), while only 22% intend to review information security in depth and 12% will define new processes.
Gabriele Faggioli (CLUSIT President and Scientific Director of the Observatory) acted as chairman, introducing and interviewing the speakers. In his speech he retraced the evolution of privacy law in Italy: from an initial, too homogeneous application (the same for all sectors and company sizes), which created rejection, through the step forward of the present legislation (which introduced a sectoral vision), to the post-2011 period, which saw two contrasting trends: a general simplification and a tightening in some sectors (banks, telcos, healthcare). The GDPR forces a switch to a systemic vision, in a way that will lead to certifications. While waiting to see how the national legislator will act (it can introduce exemptions and simplifications, e.g. for SMEs), it is important to remember that the DPA's measures, the international agreements and the EU Commission decisions will not lapse. Among the innovations introduced by the GDPR (record of processing activities, DPIA, appropriate security measures, the level of penalties, DPO, accountability) two are particularly relevant: certifications (which will be a strong lever for suppliers of IT and cloud services) and the joint liability of controller and processor (which will change outsourcing contracts). It should be understood that the cloud changes the perspective on security: in traditional outsourcing it was the client who set the security level, as high as it wished (and paid for); in the cloud it is the provider that defines the standard security level for all customers, so the contracts will have to adapt.
Alessandro Vallega (Coordinator of Europrivacy) focused on information security, tracking it from Articles 5, 24, 25 and 28 (which treat it as an obligation) to 34 and 83 (which present it as an opportunity), and above all in Article 32, which he dissected and analyzed thoroughly. Having established that “appropriate” measures means measures appropriate to the risks and to the state of the art, taking into account the costs of implementation, for those nostalgic for technical regulations there is a list of measures “inter alia, as appropriate” (i.e. by way of example), of which only one, encryption (listed together with pseudonymisation in Art. 32(1)(a)), is a technology, while the other three (the ability to ensure…, the ability to restore… and a process for regularly testing…) are organizational measures. But if the GDPR does not prescribe specific technological measures, leaving the controller to identify and adopt appropriate ones, what can we expect to be asked for during DPA inspections? Perhaps the inspectors will ask for compliance with security best practices (e.g. the ISO/IEC 27000 series); how authentication, granular authorization and segregation of duties are managed; whether principles such as need to know, least privilege and accountability are respected; whether encryption and log management are in place. For example, they could verify that login credentials on cloud systems are aligned with the on-premise identity management system, and in particular that the credentials of people who have left (or who have lost the requirements for data access) have been deleted from the cloud. How can the actual application of the adopted measures be shown? Technical attestation by IT staff will not be enough: a verification process, managed by Internal Audit, will be required and must produce documentary evidence. Finally, if it is true that IT security professionals know there is ample room for improvement, where could one start from?
Well, at least by trying to counter the well-known bad practices (see “most common mistakes” in the CLUSIT Report)!
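The cloud-versus-on-premise credential check that Vallega used as an example is easy to automate, and automating it is also the simplest way to obtain the repeatable, documentary evidence that an auditor will ask for. The following Python script is an added illustration, not code from the speaker or the Observatory: it reconciles a constructed export of the on-premise directory (the authoritative source of who is still employed and in which groups) against a constructed export of a cloud identity provider, and reports accounts that belong to people who have left, accounts with no matching on-premise identity, and roles whose justifying group membership has lapsed. The data, the user names and the mapping between on-premise groups and cloud roles (`ROLE_REQUIREMENTS`) are all hypothetical.

```python
"""Reconcile cloud IdP accounts against the on-premise directory.

Added example (not the speaker's or the Observatory's code). All inputs below
are constructed; in practice ONPREM would come from AD/LDAP or the HR system
and CLOUD from the cloud provider's user/role export.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class OnPremUser:
    uid: str
    enabled: bool
    leave_date: Optional[date]      # set by HR when the contract ended
    groups: frozenset


@dataclass(frozen=True)
class CloudAccount:
    login: str                      # assumed to equal the on-prem uid
    enabled: bool
    roles: frozenset


# Hypothetical "access requirement": which on-prem group justifies each cloud role.
ROLE_REQUIREMENTS = {
    "crm-reader": "sales",
    "crm-admin": "sales-leads",
    "hr-files": "hr",
}

# Constructed sample exports.
ONPREM = [
    OnPremUser("alice", True, None, frozenset({"sales"})),
    OnPremUser("bob", False, date(2017, 1, 10), frozenset({"sales"})),   # has left
    OnPremUser("carol", True, None, frozenset({"hr"})),                   # moved from sales to HR
    OnPremUser("dave", True, None, frozenset({"sales", "sales-leads"})),
]
CLOUD = [
    CloudAccount("alice", True, frozenset({"crm-reader"})),
    CloudAccount("bob", True, frozenset({"crm-reader"})),                # must be deleted
    CloudAccount("carol", True, frozenset({"crm-reader", "hr-files"})),  # crm-reader no longer justified
    CloudAccount("dave", True, frozenset({"crm-admin", "legacy-export"})),
    CloudAccount("eve", True, frozenset({"crm-admin"})),                 # nobody on-prem
]
TODAY = date(2017, 1, 17)


def reconcile(onprem, cloud, today):
    """Return (login, finding, detail) tuples for every cloud account that is
    not justified by a live on-prem identity with the required group."""
    by_uid = {u.uid: u for u in onprem}
    findings = []
    for acct in cloud:
        user = by_uid.get(acct.login)
        if user is None:
            findings.append((acct.login, "ORPHAN", "no matching on-prem identity"))
            continue
        # A ceased subject is flagged even if the cloud account is merely disabled:
        # the requirement is that the credential is deleted, not just locked.
        if not user.enabled or (user.leave_date is not None and user.leave_date <= today):
            findings.append((acct.login, "CEASED",
                             f"on-prem identity disabled/left on {user.leave_date}; delete cloud credential"))
            continue
        for role in sorted(acct.roles):
            required = ROLE_REQUIREMENTS.get(role)
            if required is None:
                findings.append((acct.login, "UNMAPPED_ROLE", f"{role} has no documented access requirement"))
            elif required not in user.groups:
                findings.append((acct.login, "STALE_ROLE", f"{role} requires on-prem group {required}"))
    return findings


def evidence_record(findings, today):
    """Wrap the findings in a dated, hashed record suitable for the audit file."""
    body = {"check": "cloud-vs-onprem-credentials", "date": today.isoformat(),
            "findings": [list(f) for f in findings]}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return {"sha256": digest, **body}


if __name__ == "__main__":
    result = reconcile(ONPREM, CLOUD, TODAY)
    print(json.dumps(evidence_record(result, TODAY), indent=2))
```

Run on a schedule and archived, the hashed record gives Internal Audit the documentary trail the speaker asked for; the interesting design choice is that a ceased subject is reported even when the cloud account is already disabled, because a disabled credential is still a credential that was supposed to be removed.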
Eagerly awaited was the intervention of the representative of the Italian DPA, Antonio Caselli, who stressed that the GDPR represents an opportunity, as it requires a more proactive approach, embodied in accountability and a risk-based approach: in this way privacy will finally become part of a process and cease to be a mere add-on. Great benefit will derive from the Europeanization not only of the rules but also of the processes (e.g. the one-stop shop). The most important innovations will be the DPO (interface to the outside world and a guarantee of planning within), certifications (yet to be defined) and the new view of legitimate interest as a legal basis for processing (with the assessment left to the controller, no longer to a third party). What is missing for the GDPR to be fully applied? Essentially the national legislation on the subjects left to the member states (e.g. certification, but also biometrics, genetic and health data). This step is the responsibility of the legislator; the DPA will monitor the process and will preserve some existing instruments (e.g. codes of conduct, sectoral regulations and general authorizations such as the one on sensitive data), to “avoid shocks to the operators”. In the crucial transition from mandatory criteria (such as prior authorizations) to guidelines, the Italian DPA is generally opposed to national initiatives and will promote the adoption of the guidelines issued by the WP29. Caselli also answered some questions from the audience: the GDPR contains no explicit provisions for SMEs and leaves the initiative to the member states (exemptions and simplifications are expected, as well as national guidelines within the year on codes of conduct and certifications); the DPA will help the public sector with training and information to ease the heavy burden of the mandatory DPO. A barb was reserved for the right to be forgotten (the “right to oblivion”), considered almost “just a slogan”, or a way to strengthen the right to erasure.
At the end of the morning Donatella Sciuto (Professor and Vice Rector of the Politecnico) brought her greetings, recognizing the importance of privacy and security for both areas of university activity: teaching and research (especially in healthcare). An assessment of the possibility of doing “learning analytics” by examining the behavior of students on the educational systems (in order to develop a personalized educational offering) is ongoing, but caution about the possible privacy implications of this opportunity is considerable. The Polimi is launching a degree course in Cyber Security, a discipline that will certainly offer job opportunities for the next twenty years.
Raoul Brenna (CEFRIEL) had the difficult task of countering the post-lunch torpor with an uneasy topic: risk assessment methodologies. In order to identify “likely high” risks (which entail additional costs such as a DPIA) and distinguish them from the “unlikely” ones, schemes already developed in specific areas (such as RFID, biometrics or the Smart Grid) can be used. The risk assessment templates of those disciplines can serve as models to draw inspiration from, but may prove too sophisticated and complex. To simplify, it is advisable to reduce threats to three categories (integrity, confidentiality and availability) and to use the ISO 27001 security controls: it is easier to use lists of security measures to check than to find consolidated lists of vulnerabilities, so one can start from the presence or absence of the measures to identify vulnerabilities (absence of a security measure = a vulnerability).
On the speech of Sergio Fumagalli (Coordinator of Europrivacy), dedicated to the quest for a “sustainable and effective” data protection for SMEs (through the adoption of codes of conduct and a shared DPO), I will report separately, so great was the interest I found in the subject and its presentation.
The final talk by Fabio Guasconi (CLUSIT) was bright and interesting as usual, but as usual I do not agree with almost anything he said… In particular on the first theme, the certification of privacy professionals, on whose definition a UNINFO commission has been working for a long time. Four e-CF profiles on data protection are going to be made public (and submitted to public inquiry before publication). Of course the most anticipated will be the one concerning the DPO, who will be an apical role “precisely aligned with the characteristics and skills required by the GDPR”, accompanied by the “Privacy Manager”, a role with operational tasks. So far so good, but now comes the fun part: “since the GDPR provides the ability to assign to the DPO, in addition to the prescribed minimum tasks, other functions as well, it will be possible to combine the roles of DPO and Privacy Manager in a mixed figure” … in my humble opinion this is a generous attempt to get out of the worn-out problem “but does the DPO coincide with the Privacy Officer or not?!” by answering both “no” and “yes”, but it is doomed to fail because it conflicts with a precise limitation explicitly posed by the GDPR: the DPO may be combined with other business roles, unless they are operational roles, otherwise a conflict of interest is triggered. I fear that on this issue we will keep arguing until the GDPR enters into force, and maybe even after. In any case the scheme is completed by the two roles of “Privacy Specialist” (reporting to the Privacy Manager) and “Privacy Auditor” (obviously independent). The hope of UNI is that this national “unified” scheme can take the place of the proprietary schemes already on the market.
More agreeable was his view on the certification of organizations, which under the GDPR will allow companies and organizations to demonstrate their compliance. Already today several privacy marks or seals (e.g. the “Label CNIL” of the French DPA) are on the market, but the numbers of certified companies are laughable: the marks have no appeal because they are fragmented and not recognized. The hope that the situation will improve is slim, due to the lack of a European agency in charge of managing these certifications and to the confusion about the accreditation function, assigned both to the DPAs and to the national accreditation bodies (Accredia in Italy). A proliferation of national or proprietary marks is therefore possible, as is an attempt to impose a single European scheme or even the adoption of an international standard (ISO is working on 27552, but it will still need a couple of years).
Next meeting at Bovisa again, on 2/2, for the presentation of the 2016 Observatory Research.