“Friends call it GDPR” was the title of the conference held by Europrivacy last week within Security Summit, organized by Clusit this year as well. After the introduction by Alessandro Vallega, the speakers were Jonathan Brera (KPMG), Andrea Gaglietto (Protiviti) and Andrea Reghellin (P4I). The panel that followed the presentations was also attended by Stefano Tagliabue (Telecom), Giancarlo Butti (Banco Popolare) and Angelo Bosis (Oracle).
Brera illustrated one of the main innovations of GDPR: the management of DATA BREACH. Although in articles 31-32 of GDPR the emphasis is on the communications to be given if the event occurs, we must not only gear up to react to any event but also put preventive actions in place. The adoption of appropriate measures based on risk analysis, such as encryption, can also relieve the Data Controller from the communication to the parties concerned.
Gaglietto instead analyzed the concept of DATA PROTECTION BY DESIGN, pointing out that not only technological but also organizational measures must be taken into account, such as: a privacy organizational model (policies and procedures); careful drafting of contracts, information notices and appointments; training and awareness of employees. Among the technological measures he also recalled the importance of Identity & Access Management.
I am reporting in greater detail on Reghellin's lecture, given that the “Roles and Liabilities” theme is of great interest to me. I appreciated his clear and clean stance on the nature of the DPO and its positioning in the organization chart: the speaker unequivocally stated that it is a “warranty figure”, quite separate from those operational figures (not listed in GDPR but existing de facto anyway) that we usually call “Privacy Officer” and who are responsible in the field for the implementation of the procedures required by the regulations. The DPO must instead “inform, advise, monitor and provide advice on the PIA … if required”. As I noted in my previous posting (“Role of the DPO”), I think exactly the same way; I am aware, anyway, that there are different opinions on this subject, oriented to consider the two figures as coincident (even if this would lead to the questionable position of a supervisor who monitors his own work), and that probably few companies will like having to duplicate the positions in the organization chart.
I also found the analysis of the figure of DATA PROCESSOR very sharp. In the event that it is a legal person (i.e. an outsourcer), unfortunately the letter of appointment is currently often rejected by the provider (especially if its size and bargaining power are superior to those of the customer). With the GDPR the letter will be replaced by a contract: thanks to this document, certainly more binding than a simple appointment, it will also be possible to extend the chain of liability (and penalties) to the whole chain of treatment.
Even when the PROCESSOR is an individual, but with an apical placement within the company (something comparable to the current “responsabile interno”), the document upon which the relationship with the Controller is established will be a proxy form or another legal document, which again will allow the liabilities and penalties to be shared, provided that the instructions given to the processor are sufficiently detailed and that the processor fails to fulfil them.
But what happens when the PROCESSOR is a person with a purely operational role? This figure, which I analyzed in another paper (“Data Handler, the hidden role”), was totally ignored in Reghellin's speech.
It is clear that the proxy form is not applicable to these figures, but then how do you act towards them? To this question, which I raised in the debate, Reghellin gave a clear, but in my humble opinion also somewhat surprising, answer: the current appointment as “incaricato” for the operational level figures simply disappears and is not replaced by anything; however, such an appointment would already be essentially useless …
Well: it is true that the GDPR does not even mention these figures except indirectly, much less provide for them an equivalent of the old appointment as “incaricato”; it is also true, as the speaker sought to emphasize, that it is good to stick to the text of the rules, so if the appointment is not provided for, then it does not exist. However, to make sure that the data treatment is conducted under the existing rules, the Controller will anyway have to provide the operational level workers with the appropriate instructions: and in what capacity would these instructions be issued, if not preceded by a framing of the employee in the privacy organization chart? To argue that the role of the “data handler” does not exist, as it is not formally stated, and therefore no appointment is necessary, would be acting like those companies that ceased the preparation of the DPS when the decree of simplification removed it from the mandatory security measures: the literal application of the legislation certainly appears an impeccable behaviour, but maybe we should sometimes consider more pragmatic views. I believe that the issue needs some further consideration in view of the definition of operational best practices.