Is a retrofitting enough to make current solutions compliant?

By | Sunday February 28th, 2016

When information systems must adhere to new regulatory requirements, we are often tempted to reuse a significant portion of existing solutions and processes. This is usually not prohibited, and is indeed advisable in many cases; nevertheless, in the case of the new GDPR any simple and hasty approach would seem unsuitable and misleading. This is especially so because the GDPR introduces a specific obligation that helps to address adequacy and offers an opportunity to evaluate solutions: the PIA, which in practice is guidance for evaluating in advance the impacts, or damages, that a process, and therefore a company, would face if data protection measures were violated. It is only through this phase and its outputs that solutions, both existing and planned, can be demonstrated to be adequate and that residual or effective risk can be estimated. Under the new prescriptions, must those who have never managed a PIA perform it promptly, extend it to all processes, including existing solutions and operations, and maintain it indefinitely?

It should be mentioned that the PIA process allows for a pre-assessment phase, whose purpose is to decide whether the subsequent evaluation phases need to be deeper or lighter. Some considerations nevertheless seem appropriate at a general level: several of the activities on which the PIA process is based should have been retained even though the DPS document has no longer been required since February 2012 (among these: data and processing mapping, planning and deployment of technical and organizational data protection measures, an overall estimation of the risk reduction, and so on).

Since it would be unfeasible to fully review all the internal services and processes that handle personal data and, at the same time, to carry out PIAs on all of these processes, it seems appropriate to suggest the following:

– start a PIA process from the initial phases of new projects;

– take into account the projects and deployment plans for enhancements to existing products or services, and pair them with an impact analysis carried out in advance;

– monitor the processes or operational phases known to be most exposed to data protection risks;

– apply PIAs to existing processes whenever new technical solutions become available, new vulnerabilities become known, or deficiencies are discovered at industry level;

– constantly maintain over time a verification of the relevance and suitability of the evaluations performed and of their assumptions.

Category: Impact, Risk and Measures

About Enrico Toso

IT Regulatory, Risk and Control Specialist. As an information security and risk expert I have been heading analysis and management projects aiming to achieve compliance with the recent Data Protection Authority Provision (also called “Provvedimento Garante II”) and with the Bank of Italy Provision “Disposizioni di Vigilanza” (upd. 15 - enforced under Circular 263/06), mainly to assure an appropriate level of Data Governance and an integration between the ICT and the Operational Risk approach. I am also an active member of interbank analysis and research groups on data protection, data leakage, risk prevention, information fraud countermeasures and ICT regulatory compliance for the financial industry.
