A substantial difference between the GDPR and the current 196/03 legislation regards the obligations for the Data Controller and Data Processor to guarantee continuous access to data.
The current privacy legislation addresses the issue mainly in Appendix B, where minimum measure number 23 reads:
23. Appropriate measures are taken to ensure the restoration of access to data in case of data loss or damage to the electronic tools, within clear time limits that are compatible with the rights of the parties and not exceeding seven days.
The maximum time allowed for the recovery of data and systems is therefore seven days: a considerable lapse of time that is in itself not compatible with the needs of most production and business activities, which cannot survive such a long stoppage of their information systems.
Therefore the demands of the privacy rules, at least from this point of view, are very limited and in most cases are certainly satisfied by simple backup copies and appropriate maintenance and support contracts. Quite different in content and tone is Article 30 of the GDPR, which reads:
Article 30 Security of processing
1. Taking into account the state of the art and the costs of implementation, the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity of the rights and freedoms of individuals, the controller and the processor shall implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk, including inter alia, as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data;
(c) the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Beyond the initial premise, paragraph (c) in particular leaves little room for assessments of proportionality between security measures, costs, protection of data subjects and the interests of the person processing the data. We can discuss what is meant by “promptly” (the “timely manner” of paragraph (c)), a term that the regulation invokes on other occasions, such as the notification of a personal data breach. Certainly we are far from the concept of “seven days” proposed by the current 196/03 legislation.
Added to this is the requirement that systems and services be resilient and available, terms that in technical language can be translated as a compromise between high reliability and disaster recovery.
While high reliability and availability ensure resilience in the event of limited incidents, the requirement of paragraph (c) presupposes that this is not sufficient for the regulation, which also demands prompt restoration of access in the event of physical or technical incidents. This last qualification suggests that the legislator's interest does not extend to other scenarios, such as those hypothesised by the Bank of Italy, which lead to a general obligation to adopt business continuity solutions. Regardless of whether the requirement is excessive, there is no doubt that a literal reading of the provision will entail a considerable commitment for all those who process personal data, who will also be obliged, alongside implementing the security measures required, to prove that those measures are in line with regulatory requirements.