by Emanuele GRECO and Maurizio RUBINI
THE REFERENCE SCENARIO
The evolution of technology, and in particular the new techniques based on big data, machine learning and artificial intelligence, have created a cultural revolution in which information represents a lever for obtaining extremely useful and effective operational tools.
The power of this "weapon" meets the vulnerability of the subjects who, sometimes unconsciously, provide "ammunition" of information every time they subscribe to services; the protection of people therefore becomes a primary need today, which must be guaranteed, demonstrated and considered as a fundamental element in the creation of products and services.
The EU Regulation 2016/679, better known as GDPR (General Data Protection Regulation), entered into force for over a year; the new legislation has brought a series of innovations not only for the individual citizen but also for companies, public bodies, freelancers and associations thus making data protection no longer a topic of interest only for "technicians" but also for the general of people.
The legislature first wanted to introduce clearer rules with regard to the information and consent by establishing specific limits to the automated processing of data, to the relative violation and to the exchange of the same outside the European Community. We then wanted to make the standard more transparent, with a single vision across the European Union, making clear and simple the management of their data for each citizen through consents and evident revocations.
In view of what has been said, consent to a certain treatment, which until yesterday could also have been tacit, has become mandatory explicit and the citizen can verify at any time how this is applied and possibly revoke it in a simple way.
The vision given to direct marketing processes therefore changes, but the methods of registration and use of the many internet services also change and the vision related to user profiling also changes.
From a more managerial and organizational point of view, the general vision that passes from a mere census of the treatments carried out relating to the privacy to a real risk system where, with the same methodologies put in place for the treatment, for example of financial or operational risks, the elements of the privacy risk elements for which careful measurements must be made, risk reduction policies put in place and the costs that will impact the company's income statement according to the principle of accountability enshrined in the law.
Despite the considerable lapse of time and the clarification interventions by the Guarantor Authority, several companies have proved to be still unprepared for its correct application as the legislation is perceived as complex, unclear and many companies have the impression of not have complete control of compliance.
According to a recent report by the Observatory of the Politecnico di Milano it emerges that in adapting to the GDPR the main problems encountered by companies, of any size, are:
- low awareness of company employees on the subject Data Protection;
- collection and mapping of data in a way that is not appropriate to the law;
- difficult rules to understand;
- budget for the privacy poor or non-existent;
- adoption of ineffective technical and organizational solutions.
By virtue of this scenario, some reflections are appropriate to highlight the points of greatest attention for professionals and to increase the awareness of companies in protecting such a precious asset that it is increasingly becoming a competitive factor.
INTEGRATED APPROACH AND POSSIBLE SOLUTIONS
The path to respond effectively to compliance expressed by the Regulations, it can provide different solutions, with different levels of complexity, which adapt to the characteristics of the context in which it operates. Who, like us, takes care of GRC and its applications (1), knows well what the needs of those who carry out governance are, and that these needs extend over different areas, which we are going to describe.
The first requirement, of course, is the functional coverage: the creation of an organizational model for the management of the privacy, requires to centralize in a single point information on the register of treatments, on the DPIA carried out, on the adaptive interventions in progress, on the data breach, on requests from interested parties and so on. This coverage must necessarily be accompanied by theregulatory adjustment because, although the regulation is very recent, we are faced with a new and evolving theme, in which guidelines and updates flourish which should be adhered to.
Another fundamental aspect is theintegration: to operate on privacy effectively, all information relating to the reference context must always be available. We speak therefore of the taxonomy of the Processes, of the functional tree, of the asset, of third parties. The collection of this information for the updating of the Treatment Register often represents an important effort, with the risk of obtaining not always complete and correct data. The predisposition of information flows coming from owner of this information, and in this case we talk about Organization, IT and Procurement, in addition to correctly separating the skills, it guarantees maximum precision in operations privacy, in addition to facilitating the update for subsequent iterations.
Another key node is represented by the reporting; represent with different granularity and according to different aggregation criteria the evidence produced in the design and protection activities of the privacy and information security, it is not only the first fulfillment required in communication with the Guarantor Authority and in the relationship with the board of the activities conducted; the reporting it represents a fundamental tool to have a proactive attitude towards the context in which it operates, to promptly identify any flaws or inadequacies in the management of information.
Finally, we emphasize the effectiveness of a gradual approach; the availability of limited resources and the need to reconcile the obligations privacy with other business goals and priorities require a flexible project and concrete, capable of producing gods quick wins which represent tangible and effective results obtained without excessive efforts. For example, a simple portal for requests from interested parties can facilitate data management and improve company communication.
The policy of small steps, however, must go hand in hand with forward-looking planning, capable of allowing adaptation to the new needs that will gradually emerge, in a decisive and coordinated way, according to a clear and coherent project.
In conclusion, it can be said that the toolbox and the best practice it is no longer sufficient in itself for a correct one compliance GDPR regulation: in addition to the responsibility of the insiders, a integrated approach with the help of effective and efficient technical solutions.
(1) The application solution GO GDPR di Opentech it is used by diversified and complex entities, such as banks, financial intermediaries, insurance companies, gaming and university concessionaires, airport companies.
Emanuele GRECO, Product Manager of Opentech (*) – Area Business Continuity, IT Governance, Privacy, Safety
Maurizio RUBINI, Expert Compliance and Governance Lawyer and member of numerous 231 Supervisory Bodies
(*) Opentech is a leading company in the GRC software solutions, in which it has been operating for over 10 years. The company has been recognized by CIO Applications tra and Top Ten Solutions Provider byIntegrated Risk Management in Europe for 2019.