Everybody is talking about GDPR in every session at Security Summit this year, whatever the topic, but in practice what companies are doing to get prepared? Alessandro Vallega started from here to introduce the conference dedicated by Europrivacy to the new European Regulation, on the second day of the Summit organized by Clusit in Milan. Sophisticated analysis will be necessary to better understand the Regulation, but some things to do are clear already: data encryption, for one thing. It’s true that GDPR does not state specifically which are the security measures to be taken, but it can be a good excuse to do some things that should be done anyway; the Regulation asks essentially “do them well” and be able to prove.
Gabriele Faggioli (Clusit President) proposed some thoughts that emerge from the recent Survey held by the Information Security and Privacy Observatory of Milan Politecnico University: SMEs are not ready, it will be necessary to adopt the Codes of Conduct for putting them into compliance; we should provide changes in the privacy organization (possible DPO but also the disappearance of internal Processors); the choice of an internal DPO will be more suitable at least for complex organizations, due to its closer proximity to business and projects. The issue of liability of service providers becomes crucial: it will no longer sufficient for external Processors declaring that they adopted minimal security measures, but they will need to demonstrate the proper application of art.32.
Alberto Canadè (Spike Reply Manager) launched several suggestions for those who are facing GDPR compliance road map: first, we should not think in terms of “project”, but a of a program of activities that will lead to a Privacy Management System, bearing in mind that the new issue is real data protection and not bureaucracy. Fixing five priorities: be conscious of your role as Data Controller (or Processor); reconsider organization (is a DPO needed?); act in accountability perspective (the “demonstrable” privacy); get ready to handle requests from data subjects and data breaches; analyze any cross-border data flow. To be successful you must know how to combine different internal points of view (Privacy Officer, Compliance Manager, CIO, CSO, CISO etc.) with external ones (DPA and customers). Among the mistakes to avoid: delay the awareness of the board, start separate tasks without global vision, aim for levels of exasperated detail, focus on the formal aspects postponing the IT security, neglecting the analysis of activities that involve the public, underestimate the importance of a skilled multidisciplinary team. The applications portfolio assessment has to be done as soon as possible: whether it will be necessary to implement privacy by design, you will need time enough to do it. We must also think as of now to phase 2, which will start from May 2018, when the importance of internal demands and regulations will stay but we will begin to face outcoming requests.
The round table allowed to know several real business experiences. Elena Agresti (Global Cyber Security Center) presented the results of a survey on the maturity of companies towards GDPR: for the role of the DPO (that 50% of enterprises say to have already, formally or informally) legal, risk analysis and srcurity measures competencies will be required; 80% judges that certification and years of experience are important; 50% of the sample prefers it within the organization, the other 50% sees it better outsourced.
Filomena Polito (APIHM) exposed the visual of the “GDPR in Healthcare” Observatory activated with the University of Pisa: the results will follow in the second half of the year but is already emerging a lack of awareness (as indeed can also be read in the section of Clusit Report concerning Healthcare). Part of the problem stems from the regionalization of the healthcare system, which is slowing down the adoption of the national Electronic Health Folder and dispersing precious energies. In the public sector the driver for compliance comes from ministerial directives: for the present Privacy legislation there was one and it was effective, now we are waiting for one concerning GDPR.
In private sector instead spending leverage is the fear of sanctions and / or economic loss, as recalled by Fabio Gianotti (UBI Banca). The company’s committment is high; driver is the business, supported by the compliance team. The topic on the agenda is not the purchase of a product but the review of internal processes; it is not even needed to start from data discovery: banks already know very well wich data they process and how. The project also calls for external experts but the team is mostly internal, as will also be the DPO.
For Claudio Brisa (CREVAL) as well it is the fear of high fines that moves the budget allocation. The working group that has been activated is analyzing the processes, with the objective of integrating previously acquired tasks (data quality, data governance) by putting them together with other compliance branches within a common framework.
Combining privacy with other compliance threads is also the goal for Alessandro Crepaldi (BP Sondrio). The working group (led by compliance professionals) started from the Records of processing activities, aiming to have an automatic tool. It’s important to define personal data retention time, with the possible secondary (but not negligible) benefit to recover resources from the termination of unnecessary conservations.
The panorama was completed by Alessandro Cosenza (BTicino): his team started acting in a project mood, but is conscious of having started a management that will become continuous. The focus is on new home automation products, and data collected through products-related APPs, used by end users.
A last round table presented the final recommendations:
- Canadè: records of processing activities, privacy by design, DPIA; CMDB; data deletion.
- Brisa: the data breach is the heart of GDPR.
- Cosenza: importance of relationships with cloud providers.
- Gianotti: engage the board.
- Politi: pay attention to the permanence of the existing sectoral legislation (eg. Healthcare).
- Crepaldi: Management System, portability, vendor relationships.
- Agresti: evaluate not only sanctions but also the cost of communications to customers in the event of a data breach and the potential loss of customers.
- Faggioli: suppliers certification, qualifying the entire supply chain, would bring a great benefit for both the private sector and the PA.