Europrivacy

May 24th, 2016 update

As planned in June 2016 we have created the Europrivacy.info blog. Follow this link to reach it.

In view of the forthcoming European Regulation on the protection of personal data and on its free movement within the European Union, a heterogeneous team of professionals from law firms, the IT departments of large Italian companies and consulting firms has undertaken a critical analysis of the text approved by the European Parliament in March 2014 and of the recommendations approved by the European Council in December 2014.

Internet banking, e-commerce and online payments, app stores, cloud services, Big Data: the new digital services produced by technological evolution increasingly depend on the trust of customers and companies.

The security of personal data and the governance of the related risks are therefore crucial to building social and economic relationships. The new legislation now going through approval answers the current need for a regulation that accounts for the risks threatening data in today's technological landscape, as already happens in specific business sectors.

Authors' aim

The analysis and extracts published on this website were produced by a technology-oriented community of professionals from IT companies of different profiles and sizes, together with contributors from law firms and the IT departments of large Italian companies.

The document does not aim to be exhaustive or complete, but to analyze the points that, from our perspective, appear most relevant in terms of cultural change and organizational impact for the customers we, as professionals, usually deal with or work for.

Because the legislation on personal data protection is still going through the approval process, the community's usual approach has changed: a complete document will be published after the proposed Regulation is approved. While waiting for that approval, the community will establish a permanent observatory to follow closely what may be coming from Brussels and to provide food for thought to professionals approaching this topic. In some sections an extract of the analysis performed so far is available for download.

Each of the points considered is analyzed in a dedicated section. All sections share the assumptions described in this introduction and try to relate the approach of the proposed Regulation to the mainstream of management standards, industry standards and other regulations and laws.

This analysis is based on the currently available text, as approved by the European Parliament in March 2014, also considering the recommendations approved by the European Council in December 2014.

Permanent Observatory

The new EU Regulation on personal data protection has not been approved yet. For this reason this work is only partial, as far as the state of the art in March 2015 allows. Our goal is to focus on those aspects of the current version of the Regulation that we believe are key not only for personal data protection but also for other classes of information that are highly relevant for enterprises and are already on the web, or moving there fast.

The coming months will be crucial for the approval of the Regulation, and we would like to follow the approval process step by step, to understand what is going on and which topics are relevant, in order to open a discussion with enterprises and other economic actors, thus contributing to a better culture of data protection and a deeper knowledge of the risks associated with the digital transformation.

For these reasons AUSED, Clusit and the Oracle Community for Security decided to start a permanent observatory on the EU Regulation, with the goal of following the approval process and of interacting with the institutional actors involved, as is already happening here in Milan with the Italian privacy Commissioner, On. Soro.

The observatory we have in mind will be an open forum where everyone can contribute and a place where information can be found for a better understanding of the new rules.

Today we announce the project. If you are interested in contributing or participating, please let us know by writing to c4s@clusit.it to join this initiative. Remember to give your consent to the processing of your personal data for the purposes of managing the observatory.

The observatory will be formally started during the Rome edition of the Security Summit 2015.

Corporate roles related to personal data protection

From the draft Regulation it is clear that the role expected of companies is far more proactive than the announced simplifications for enterprises, especially SMEs (such as greater flexibility in choosing the procedures for achieving a high level of protection of personal data), would suggest. The European legislation instead introduces organizational costs, constraints and procedures that complicate the role of the Data Controller and the management of privacy.

The Data Controller matches the role of "Titolare" identified by current Italian regulation: the public or private entity, natural or legal person, that decides the purposes, conditions and means of the processing of personal data. The range of obligations the proposed Regulation places on the Data Controller depends widely on the category of organization (public or private entity, large, small or medium enterprise, professional, church or religious association, and so on). Where two or more Data Controllers (Joint Controllers) share the same processing of personal data, the draft Regulation provides that the perimeter of their respective privacy liabilities is agreed contractually.

To carry out activities related to the processing of personal data, the Controller may engage one or more Data Processors, identified as a public or private entity (natural or legal person) that processes personal data in accordance with the Controller's instructions. The Controller must choose a Processor that provides sufficient guarantees of implementing appropriate technical and organizational measures and procedures, so that the processing meets the requirements of the Regulation and the rights of the data subject are guaranteed.

The same subject may at the same time be Controller and Processor for different processing operations, or parts of them, or be the representative of a Controller established outside the European Union and perform additional processing as a Joint Controller.

Unlike current Italian legislation, the role of "incaricato" is not provided for in the proposed European Regulation.

The attribution of responsibilities changes. The draft Regulation also provides for an independent liability of the Data Processor that disregards the instructions received from the Data Controller or breaches applicable law: in such cases the Processor is personally liable for the infringements committed (as Controller or Joint Controller).

The draft also regulates the engagement of a sub-processor, for the case in which a Processor relies on other providers. In that case the Processor must be authorized in advance by the Controller, unless different agreements are in place.

Data Protection Officer

In the specific cases defined by the draft Regulation, the Data Controller is required to appoint a Data Protection Officer (DPO), chosen on the basis of professional skills and in-depth knowledge of data protection law and practice, and according to the type of processing carried out and the protection required for the personal data processed.

The Data Protection Officer is a key role in the pyramid of data protection actors. The DPO is properly and promptly involved in all issues relating to the protection of personal data, and acts as a point of reference for data subjects, the external supervisory authority, and internal operational and control functions, providing governance, direction, set-up and monitoring of the activities needed to ensure compliance with the mandatory requirements of data protection law and with other matters related to data governance.

The DPO is essentially an internal governance function, which must understand both the company-wide operational ability to fulfil data protection requirements, by issuing internal rules and verifying the results, and the ability to react when risks or deficiencies are detected.

The DPO is therefore mainly responsible for setting up an organized system for processing personal data, overseeing it, checking it and ensuring its rules are observed.

The Data Protection Officer must not hold other official duties that result in a conflict of interest with the DPO role. The duration of the assignment differs for an employee (4 years) and for an external service contractor (2 years); the DPO may be reappointed for further terms if he or she continues to fulfil all the conditions required for the performance of the duties.

Privacy Impact Assessment, risk management and security measures

Following the PIAF Consortium, a privacy impact assessment can be defined as a methodology for assessing the impacts on privacy of a project, policy, programme, service, product or other initiative and, in consultation with stakeholders, for taking remedial action as necessary to avoid or minimize negative impacts.

A PIA is more than a tool: it is a process that should begin at the earliest possible stage, when there are still opportunities to influence the outcome of a project, and that should continue until and even after the project has been deployed.

The draft Regulation makes the PIA the first step of a company's security strategy, which in turn drives the analysis of the risks related to the processing of personal data and the security measures adopted to protect the information.

Rather than prescribing specific security measures, the Regulation requires the Data Controller to implement organizational and technical processes to identify, reduce and mitigate the risks threatening personal information, including organizational and technical actions appropriate to the specific processing activity and assessed taking into account the costs of implementation as well.

Personal data breach

A personal data breach is a particular security event that threatens the personal information of the data subjects concerned.

The draft Regulation requires the Controller to notify the personal data breach to the supervisory authority without undue delay and, when the breach is likely to adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject, to communicate the breach to the data subject as well.

A corresponding obligation applies to any Data Processor, who is required to alert and inform the Controller without undue delay.

Therefore, to manage the risk properly, technical and organizational measures must be put in place to improve the organization's ability to realize, in the shortest possible time, that an attack is under way or has happened, and to react properly.

The articles and recitals the legislator devotes to personal data breaches force Controllers and Processors to consider that a security violation may cause damage to the data subjects, and that they may be liable for such damage.

So, when a Data Controller estimates the cost of a potential data breach, it is not just a matter of possible fines and penalties: the damage suffered by consumers and employees in case of a breach must also be considered, and can turn out to be far more significant. The size of that damage depends widely on the delay between the moment the violation occurs, the moment it is detected and, finally, the moment appropriate countermeasures are put in place.

The potential damage to the data subject is therefore the key factor to consider both when defining the procedures for managing personal data and when defining the preventive security measures for the processing of personal data.

The same factor must drive the reaction when a data breach is discovered, particularly with regard to the time taken before communicating the incident to the supervisory authority and to the data subject.

Privacy by design & Privacy by default

Today personal data are the new "oil": they are among the most attractive sources of income both for organizations and for criminal activities, and it is therefore important and necessary to protect them. In this context the concept of privacy by design and privacy by default has to be considered a mandatory solution.

"Privacy by design and privacy by default" is one of the main new principles introduced by the EU Commission in the proposal for the new legal framework for the protection of personal data.

These principles represent the conceptual evolution of privacy, since they make explicit the inclusion of privacy in the design of business processes and of the IT applications supporting them, so that all the necessary security requirements are included at the initial implementation stage of such developments (privacy by design), and so that mechanisms are in place to ensure that, "by default", only the personal data needed for each specific purpose are processed (privacy by default).

To summarize, privacy must be approached through proactive measures and not just in reaction to breaches or other faults, and a good way to do this is to think about privacy issues from the very beginning of a service or product lifecycle, in the design phase. This makes the solutions to those issues much easier to implement and more welcome to the user.

So far a series of technical and/or procedural controls have been applied to services after the fact, in order to ensure compliance with personal data protection regulations. These measures have a limited scope compared with the protection of information throughout its entire life cycle. With the introduction of "privacy by design" we switch from a control-based approach to a risk- and process-based approach.
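Privacy by default as code, added here as an illustration (it is not part of the original analysis, nor code from any of the authors or their organizations): a purpose registry lists, for each processing purpose, the minimum set of personal-data fields it may receive; the store hands out only those fields, pseudonymises identifiers where a purpose needs linkage but not identity, withholds everything for consent-based purposes until the data subject opts in, and reports fields held that no registered purpose ever needs. The purposes, field names, the sample customer record and the pseudonymisation key are all constructed for the example.

```python
"""Privacy by default, expressed as code.

A purpose registry decides, before any data leaves the record store, which
personal-data fields a given processing purpose may receive and in what form.
Anything not registered is simply unavailable: that is the "default".
Purposes, field names, the sample record and the key below are constructed
for this example and are not taken from any real system.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample record, as an online shop might hold it.
SAMPLE_CUSTOMER = {
    "customer_id": "C-1001",
    "name": "Maria Rossi",
    "email": "maria.rossi@example.com",
    "date_of_birth": "1985-03-12",
    "iban": "IT60X0542811101000000123456",
    "purchase_total": 349.90,
    "marketing_opt_in": False,
}

# Fields that control processing rather than describe the data subject.
CONTROL_FIELDS = {"marketing_opt_in"}


class PurposeNotRegistered(Exception):
    """Raised when code asks for data for a purpose nobody has documented."""


@dataclass(frozen=True)
class Purpose:
    name: str
    fields: frozenset[str]                       # the minimum the purpose needs
    pseudonymise: frozenset[str] = frozenset()   # needed as stable references, not as identities
    requires_consent: bool = False


# The registry: each purpose lists the minimum it needs, nothing more.
PURPOSES = {
    "order_fulfilment": Purpose("order_fulfilment", frozenset({"customer_id", "name", "email"})),
    "fraud_analytics": Purpose(
        "fraud_analytics",
        fields=frozenset({"customer_id", "purchase_total"}),
        pseudonymise=frozenset({"customer_id"}),
    ),
    "newsletter": Purpose("newsletter", frozenset({"email"}), requires_consent=True),
}

# Constructed key for the demo. In production it would live in a KMS or HSM,
# separate from the data, so that whoever holds the analytics dataset cannot
# reverse the pseudonyms.
PSEUDONYM_KEY = b"demo-key-not-for-production"


def pseudonymise(value: str) -> str:
    """Keyed hash (HMAC-SHA256): analytics can still link records of the same
    customer, but cannot recover the identifier without the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def minimise(record: dict, purpose_name: str) -> dict:
    """Return only the fields `purpose_name` is registered for, pseudonymised
    where the purpose needs linkage but not identity. A consent-based purpose
    receives nothing unless the data subject has opted in."""
    try:
        purpose = PURPOSES[purpose_name]
    except KeyError:
        raise PurposeNotRegistered(purpose_name) from None
    if purpose.requires_consent and not record.get("marketing_opt_in", False):
        return {}
    out = {}
    for name in purpose.fields:
        if name not in record:
            continue
        value = record[name]
        out[name] = pseudonymise(str(value)) if name in purpose.pseudonymise else value
    return out


def unused_fields(record: dict) -> set[str]:
    """Fields held in the store that no registered purpose needs: the data
    minimisation review should ask why they are collected at all."""
    needed = set().union(*(p.fields for p in PURPOSES.values()))
    return set(record) - needed - CONTROL_FIELDS


if __name__ == "__main__":
    for purpose_name in PURPOSES:
        print(purpose_name, "->", minimise(SAMPLE_CUSTOMER, purpose_name))
    print("held but never needed:", sorted(unused_fields(SAMPLE_CUSTOMER)))
```

The point is where the decision sits: a caller cannot ask for a field the registry does not list for its purpose, and an undocumented purpose fails loudly instead of quietly receiving the whole record. Adding a field to a purpose then becomes a change that can be reviewed, which is what "by default" means in practice; the `unused_fields` check is the other half of minimisation, the data that should not have been collected in the first place.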

Approach towards new regulation

How should corporate IT professionals look at the long-lasting effort of the European institutions to review the legislation on personal data protection? Does it make sense to think about it, even though it has not been approved yet and nobody can bet on that happening in the near future?

The answer depends widely on the approach companies take to the digital transformation that is advancing year after year at a faster pace.

If your company acts in a defensive mode, the most suitable approach is "wait and see" and, in the meantime, postponing whatever you can. Conversely, if your company is trying to get the greatest possible benefit from the new technological frontiers, then you had better move on and look with great attention at what may be coming from Brussels.

We believe that understanding what is going to become a relevant piece of the business game is key to making the right investments on time, optimizing the efforts to comply with existing regulations that are already in force, and giving the organization and its people enough time to learn and apply the required changes.

It is not just a matter of avoiding heavy fines or reducing the number of lawsuits from consumers and employees: it is a matter of staying inside the new business world emerging from the current digital transformation. Certainly, the size of the expected fines, up to 5% of a company's global turnover, does not allow companies to neglect privacy-related issues.


Authors


Giulio Spreafico (AIEA): Information Systems Consultant and Auditor
Francesca Gatti (AUSED): Coordinator of the Security and Compliance Observatory working group
Giancarlo Butti (Banco Popolare): Internal Auditor
Alessandro Cosenza (bticino): Head of IT Planning Quality Security Office (CISO)
Stefano Arduini (Cedacri): Head of Internal Auditing and Certifications
Mariangela Fagnani (CLUSIT): Clusit board member; Security Advisor
Andrea Longhi (ConsAL): Management Consultant
Andrea Castello (CSQA Certificazioni): ISO 27001 Technical Lead
Attilio Rampazzo (CSQA Certificazioni): IS Consultant & Auditor
Claudia Feleppa (DB Consorzio): Associate, Business Solutions Italy
Enrico Toso (DB Consorzio): IT Regulatory Risk Specialist
Vittorio Torre (Deloitte): Senior Security Consultant & GRC Architect
Riccardo Abeti (EXP Legal): Founding Partner, specialised in privacy and new technology law
Enrico Ciabattini (EY): Senior, IT Risk & Assurance Services
Antonello Cicchese (EY): Manager, IT Risk & Assurance
Stephane Speich (Italian banking group): IT Governance, Security and Service Levels
Domenico Cuoccio (InnovaPuglia): Head of the Information Systems Quality and Security Office
Valerio Ghislandi (KPMG Advisory): Senior Consultant
Maurizio Pastore (Liguria Digitale): Security Officer
Wilmana Malatesta (M&M Asset): Security Consultant
Alessandro Vallega (Oracle): Security BDM; Clusit board member; Coordinator of the Community for Security
Andrea Reghelin (Partners4Innovation): Senior Compliance Manager
Giampaolo Filiani (Praecipua): Lawyer
Luigi Pecorario (Praecipua): Lawyer
Michele Petronzi (Praecipua): Lawyer
Francesco Severi (Present): Security Consultant
Enrico Ferretti (Protiviti): Director
Carmela Piccirillo (Protiviti): Senior Consultant
Davide Giordano (Reply - Spike Reply Roma): Senior Security Consultant
Agostino Oliveri (SICURDATA): Data Protection Officer; Certified Privacy Consultant & Auditor
Dominick Jerome Leiweke (SILEDO GLOBAL): Consultant & Junior Project Manager
Giovanni Battista Gallus (Studio legale Array): Lawyer, ISO 27001 Lead Auditor
Guglielmo Troiano (Studio legale Array): Lawyer
Franco Vigliano (THE INNOVATION GROUP): Associate Consultant
Mauro Alovisio (Università di Torino): Lawyer
Orlando Arena: Consultant
Biagio Lammoglia: Privacy & IT Compliance Officer

To show your appreciation, to give us advice and/or to request updates of our work, you can contact us by writing to c4s@clusit.it

The document, its appendices and attachments are released under the Creative Commons 4.0 Italy Attribution - ShareAlike licence.

This licence allows anyone to use our work, including to build their own evolution of it, provided that they credit the original authors and in turn use the same type of licence. We authorize the publication, even in part, of text and images not already protected by other copyrights, provided our URL http://c4s.clusit.it is cited.
