The new Regulation, through Articles 30 and 33, implicitly stresses the concept of a "process for security management", imposing a holistic, risk-based approach to the protection of personal data that takes into account the important technological and behavioural changes of the last few years (Cloud, Big Data, social networks, the right to be forgotten, the right to data portability, etc.).
The risk-based approach recalled in the Regulation will certainly demand a cultural leap from businesses, but it will also allow a sustainable privacy management framework to be set up, thanks to a more careful allocation of resources driven by the organization's risk appetite and security posture.
To be compliant with the Regulation, organizations will have to put in place, if they have not done so already, a continuous process, structured in phases and activities, that fulfils the requirements of art. 33 and is aimed, according to art. 30.3, at protecting personal data against the risks to confidentiality, authenticity, integrity and availability inherent in their processing.
It will be necessary to define and set up a framework, coherent with the culture and the organizational structure of the company, capable of:
- Mapping the personal data, starting from the business processes. This is the most critical phase of the whole framework: wrong perimeter = unprotected personal data = non-conformity
- Identifying the criticality level of a process, by identifying the nature of the personal data processed and by evaluating the impact that a loss of Confidentiality, Authenticity, Integrity or Availability of the personal data would have on the rights and freedoms of the data subject, in terms of (non-exhaustive examples):
  - Discrimination
  - Damage to reputation
  - Identity theft
  - Fraud
  - Financial losses
- Carrying out the risk analysis to evaluate the level of exposure to risks to the Confidentiality, Authenticity, Integrity and Availability of the personal data processed by a business process. The results of the risk analysis make it possible to identify the areas where actions must be concentrated, optimizing the use of resources
- Defining a "balanced" action plan through a risk treatment process, which is essential to mitigate the identified risks with a sustainable effort and an acceptable residual risk
The framework must be properly documented and monitored to make sure that the investments have produced, or are producing, the desired effects. Monitoring, through clear and measurable control objectives and performance indicators, must allow the evaluation of:
- The actual state of implementation of security measures
- The effectiveness of the implemented measures
- The effective and proper application of the framework
- Compliance with the requirements of the Regulation, so that the effectiveness of the measures can be assessed over time
Finally, the framework shall be applied periodically, and it must be activated or reviewed when specific events occur, for instance:
- The definition of a new process/processing operation, or the modification/deletion of an existing one
- Adoption of new technologies to support the processes/processing operations in place
- Regulatory changes
- Findings from internal auditing, audits and monitoring