Same Old Stories?

By Enrico Toso | Monday October 26th, 2015

Do you remember the old fashioned DPS (Documento Programmatico per la Sicurezza)?

When it was removed from the minimum required measures, the Italian Regulator did not mean that companies could abandon the analysis of the different kinds of data processing, the definition of the inherent risks and the measures to mitigate them. In practice, however, companies merely aiming to formally satisfy requirements concluded that the abolition of a document meant they could also abandon the underlying activities it documented.

Do you remember the planned inclusion of privacy crimes among those governed by the 231/2001 decree (Regulations regarding the administrative responsibilities of corporate bodies)?

The privacy crimes were planned to be included in the catalogue of 231 law crimes, in particular those related to the illegal processing of data, to false declarations to the Data Protection Authority and to non-compliance with the Regulator’s Provisions. Although announced, this was never converted into law.

The same seems to be happening with the DPO appointment requirement (art. 35) in the discussion for the approval of the new European Data Protection Regulation. Many statements detail the role, the competencies needed for appointment and the tasks to be accomplished, all in such detail that the clause where “shall” is replaced with “may” appears paradoxical: all the words spent describing the requirements could be reduced simply to nothing. Moreover, the minimum size of companies required to comply, even after the amendment from “employing 250 persons” to “processing more than 5000 data subjects”, seems culpably neglected.

This continuous restructuring and rethinking of approaches, both at the local and at the European level, seems aimed at reducing the responsibilities and the scope of organizational and governance requirements for companies processing personal data. Is this really all there is to it?


About Enrico Toso

IT Regulatory, Risk and Control Specialist. As an information security and risk expert I have been heading analysis and management projects aiming to achieve compliance with the recent Data Protection Authority Provision (also called “Provvedimento Garante II”) and with the Bank of Italy Provision “Disposizioni di Vigilanza” (upd. 15 - enforced under Circular 263/06), mainly to assure an appropriate Data Governance level and an integration between the ICT and the Operational Risk approach. I am also an active member of analysis and research interbank groups on data protection, data leakage, risk prevention, information fraud countermeasures and ICT regulatory compliance for the financial industry.
