The evolution in legislation is linked to:
- An increased awareness and maturity (the directive is 20 years old)
- The need for more flexible rules that can be adapted to the cultural and technological context and its evolution
- The need to consider the size and type of organizations and the personal data processing related risk
The new regulation requires that:
The controller shall adopt appropriate policies and implement appropriate and demonstrable technical and organisational measures to ensure and be able to demonstrate in a transparent manner that the processing of personal data is performed in compliance with this Regulation, having regard to the state of the art, the nature of personal data processing, the context, scope and purposes of the processing, the risks for the rights and freedoms of the data subjects and the type of the organization, both at the time of the determination of the means for processing and at the time of the processing itself.
… having regard to the state of the art and the costs of their implementation
… The controller shall be able to demonstrate the adequacy and effectiveness of the measures referred to in paragraphs 1 and 2.
Any regular general reports of the activities of the controller, such as the obligatory reports by publicly traded companies, shall contain a summary description of the policies and measures referred to in paragraph 1.
In addition:
… Having regard to the state of the art, current technical knowledge, international best practices and the risks represented by the data processing, the controller and the processor, if any, shall, both at the time of the determination of the purposes and means for processing and at the time of the processing itself, implement appropriate and proportionate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject …
Data protection by design shall have particular regard to the entire lifecycle management of personal data from collection to processing to deletion, systematically focusing on comprehensive procedural safeguards regarding the accuracy, confidentiality, integrity, physical security and deletion of personal data. Where the controller has carried out a data protection impact assessment pursuant to Article 33, the results shall be taken into account when developing those measures and procedures.
… The controller shall ensure that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected, retained or disseminated beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals and that data subjects are able to control the distribution of their personal data.
… Where required pursuant … the controller … shall carry out an assessment of the impact of the envisaged processing operations on the rights and freedoms of the data subjects, especially their right to protection of personal data …
A new perspective for the legislator:
- Former Directive (focus on «what to do» to be compliant)
  - Legislator defines the «activities» (Baseline Security)
  - You act and report
- New Regulation (focus on «what to achieve» to be compliant)
  - Legislator defines the «outcomes» (Security Process Capability)
  - You define the security measures, act and report
Is there any qualified and recognized tool or framework that enables the data controller to comply with the statutory requirements and to prove that compliance?
The shift of responsibility onto the data controller, who must prove to the authorities and to the parties concerned that appropriate security measures have been identified and implemented, requires instruments and standards that are:
- universally recognized
- adaptable to different realities, both in terms of organisation size and type of processing
In addition to specific standards, which can be used for specific implementations, it is useful to have and use a mature governance framework that lets us establish tasks, responsibilities, tools, targets and implementation timing, using a pre-established template and flexible processes to govern a company.
We believe that today the ISACA framework COBIT 5 can provide, if handled properly, a valid response to the new requirements. In this regard, at the conference Perspectives in Enterprise Risk Management held recently in Milan, with ISACA colleagues Albert Piamonte and Fabrizio Bulgarelli we gave a presentation entitled “Risk Analysis and Management in the evolving Data Protection and European Legislation”, whose details are available at the address: ftp://email@example.com\Volume_1\PERM\PERM0617.pptx