New EU Regulation requires a more structured approach to personal data security

By | Tuesday June 9th, 2015

The New Regulation, through Articles 30 and 33, implicitly stresses the concept of a “process for security management”, imposing a holistic and risk-based approach to the protection of personal data that takes into account the important technological and behavioral changes of the last few years (Cloud, Big Data, Social Networks, right to oblivion, right to data portability, etc.).

The risk-based approach called for in the Regulation will certainly demand a cultural leap from the business, but it will also make it possible to set up a privacy management framework that is sustainable, thanks to a more careful allocation of resources based on risk appetite and security posture.

To comply with the Regulation, organizations will have to put in place, if they have not already done so, a continuous process, structured in phases and activities, that fulfills the requirements of Article 33 and is aimed, according to Article 30.3, at protecting personal data against the risks to confidentiality, authenticity, integrity and availability inherent in their treatment.

It will be necessary to define and set up a framework, coherent with the culture and the organizational structure of the company, capable of:

  • Mapping the personal data, starting from the business processes. This is the most critical phase of the whole framework: wrong perimeter = unprotected personal data = nonconformity
  • Identifying the criticality level of a process, by identifying the nature of the personal data processed and by evaluating the impact that a loss of Confidentiality, Authenticity, Integrity and Availability of the personal data would have on the rights and liberty of the data subject in terms of (non-exhaustive examples):
    • Discrimination
    • Damage to reputation
    • Identity theft
    • Fraud
    • Financial losses
  • Carrying out the risk analysis to evaluate the level of exposure to risks affecting the Confidentiality, Authenticity, Integrity and Availability of the personal data processed by a business process. The results of the risk analysis make it possible to identify the areas where actions must be concentrated, optimizing the use of resources
  • Defining a “balanced” action plan through a risk treatment process, which is essential to mitigate the identified risks with a sustainable effort and an acceptable residual risk

The framework must be properly documented and monitored to make sure that the investments have produced or are producing the desired effects. Monitoring, through clear and measurable control objectives and performance indicators, must allow the evaluation of:

  • The actual state of implementation of security measures
  • The effectiveness of the implemented measures
  • The effective and proper application of the framework
  • Compliance with the requirements of the Regulation, in order to assess their effectiveness over time.

Finally, the framework shall be applied periodically, and it must be activated or reviewed when specific events occur, for instance:

  • Definition of a new process/treatment, or modification/deletion of an existing process/treatment
  • Adoption of new technologies to support the processes/treatments in place
  • Regulatory changes
  • Findings of Internal Auditing, Audits, Monitoring

About Andrea Longhi

Over 25 years of experience in consultancy, fully dedicated to the Finance, Entertainment, Transportation and Energy & Utilities industries, plus an initial 5 years in an industrial automation and supervision firm. Throughout my professional career, experience in leading consulting firms such as Deloitte, Arthur Andersen and Capgemini has allowed me to acquire consolidated and strong experience in the field of Security & Compliance services and to develop strong core skills: leadership, management, business development, sales and delivery. Many years of collaboration with Clusit, CSA and Enisa on topics related to enterprise security & compliance. Moderator of roundtables on security and speaker at conferences. Collaborating with the Oracle Community for Security on the planning, preparation and presentation of research and projects on security and privacy during the Security Summit. Founder of ConsAL, a company specialized in Security and Business Discovery services, I collaborate with leading consulting firms as a business developer and management consultant in the field of ICT/ICS Security, Fraud, Compliance and Quality Management and Business Discovery.
