A substantial difference between the GDPR and the current 196/03 legislation regards the obligations for the Data Controller and Data Processor to guarantee continuous access to data.
The current privacy legislation deals with the issue mainly in Appendix B, where minimum measure number 23 reads:
23. Appropriate measures are taken to ensure the restoration of access to data in case of data loss or damage to the electronic tools, within clear time limits that are compatible with the rights of the parties and not exceeding seven days.
The maximum time allowed for the recovery of data and systems is therefore seven days. This is a considerable period, and in itself incompatible with the needs of most production and business activities, which cannot survive such a long interruption of their information systems.
Therefore the requirements imposed by the privacy rules, at least from this point of view, are very limited and are certainly met in most cases with simple backup copies and appropriate maintenance and support contracts. The content and tone of Article 30 of the GDPR are quite different; it reads:
Article 30 Security of processing
1. Taking into account the state of the art and the costs of implementation, the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia, as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data;
(c) the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Beyond the initial premise, paragraph (c) in particular leaves little room for assessments of proportionality between security measures, costs, the protection of stakeholders and the interests of the person processing the data. We can debate what is meant by “in a timely manner” (promptly), a term the regulation uses on other occasions as well, such as for the notification of a personal data breach. Certainly we are far from the concept of “seven days” set out in the current 196/03 legislation.
Added to this is the requirement that systems and services be resilient and available, terms that in technical language translate into a compromise between high reliability and disaster recovery.
If high reliability and availability ensure resiliency in the event of limited incidents, the request of paragraph (c) presupposes that this is insufficient: the regulation also requires prompt restoration of access in the event of physical or technical incidents. This last clarification suggests that the legislator's interest does not extend to other scenarios, such as those hypothesised by the Bank of Italy, which lead to a general obligation to adopt business continuity solutions. Whether or not the request is excessive, there is no doubt that a literal reading of the provision will entail a considerable commitment for all those who process personal data, who, along with implementing the security measures requested, will also be obliged to prove that these measures are in line with regulatory requirements.
Excellent analysis. Perhaps not all of us are paying enough attention to this aspect. Beyond paragraph (c), I would also take into account the strength of paragraph (d): if I were an auditor I would ask precisely for the existence of such a “process for regularly testing, assessing and evaluating the effectiveness of the measures”, and above all I would check whether the process itself is applied correctly and regularly, what results have emerged, and what corrective actions were taken for any critical issues found.
PS: I would just point out that the final version of the GDPR renumbered several articles, so the one on security is now Article 32.
This introduction leaves room for the most varied interpretations…
“…. to ensure a level of security appropriate to the risk, including inter alia, as appropriate: …”
The game is played precisely on the risk assessment… many will declare the risk low and the need to restore access to data in a timely manner nil. At least with Appendix B there was an obligation to define “clear time limits”. Something that today is certified by presenting a backup plan…. whereas what is requested is a restoration procedure that should take into account the various types of disaster and how one intends to restart….
Systems, network, applications and data: any component, or all of them, could be subject to a disastrous event. In the most serious case, having an off-site backup… it is relatively easy to bring the machines back up on a new system. But this does not mean having defined “what to do if”, in terms of methods, timings and costs.
If I were an auditor, that is exactly what I would ask for!!! And we come back to the premise “Taking into account the state of the art and the costs of implementation”… the circle has to be closed with methods, timings and costs.
Otherwise the risk is that, if I am free not to pay my car insurance, I will not pay it, thinking that the cost is not justified. We Italians are world champions at this!!