GDPR: A practical handbook

By Giancarlo Butti | Sunday August 7th, 2016

First piece of advice: read the Regulation itself. It is not enough to consult a few articles or to attend one or two conferences to understand what needs to be done. Authors and speakers bring their own interpretations, which are often highly debatable; only by reading the regulatory text can you actually understand what is required. In general, a European Regulation should be read from cover to cover, including the recitals (the "Whereas" clauses) that precede the Articles. It is often there that the detailed elaborations, and the answers to your questions, can be found.

Second piece of advice: the GDPR imposes on Europe today a set of rules that have been in force in other parts of the world for years. Various documents, frameworks, models and methodologies are therefore already available that can be acquired, studied, adapted and applied, all at next to no cost.

Third piece of advice: the GDPR is a high-level document whose application requires a substantial set of guidelines, many of which will be issued by 2016, as Isabelle Falque-Pierrotin (President of the CNIL and of the G29) already declared in March this year.

Among the guidelines, those on the DPO and on the certification of controllers and processors …

… we believe the DPO is the key lever of this compliance scheme; he/she is the "chef d'orchestre" of the tool box. The WP29 wants to support this function and will deliver guidelines in 2016 …

… Last but not least, certification, because there is a high expectation on that from the data controllers.

But if these guidelines are not yet available, how is it that there are already miraculous tools for adapting to the GDPR, and rules defining what a DPO is?

Everyone should evaluate such solutions with appropriate circumspection and rigour.

Fourth piece of advice: stay informed. Follow carefully the work of the European Data Protection Board (which has among its tasks that of issuing several guidelines), of other European bodies, of our Authority for the protection of personal data, and of the legislator. The next 2 years will be rich in novelties; adjustments and reconciliation with current legislation will be required, so you will need to monitor continuously which obligations are actually required in order to be compliant.

Finally, exploit this opportunity to secure important parts of your company by activating synergies with other obligations.


About Giancarlo Butti

He has dealt with ICT, organisation and legislation since the early 1980s in a range of roles: security manager, project manager, auditor at banking groups, and consultant in security and privacy to companies of different sectors and sizes. He regularly carries out dissemination activity through articles (over 700), books (21 between books and white papers, also used as university texts, and 11 collective works within ABI LAB, the Oracle Community for Security and CLUSIT), technical manuals, courses, seminars and conferences. He takes part in working groups at ABI LAB on Business Continuity, Risk and GDPR, at ISACA-AIEA on GDPR and 263, and in the Oracle Community for Security, UNINFO, ASSOGESTIONI and the Committee of experts for the innovation of OMAT360. He is a member of the faculty of ABI Training. He is a partner and proboviro of ISACA-AIEA, and a member of CLUSIT and BCI. He holds the following certifications: LA BS7799, LA ISO IEC 27001:2013, CRISC, ISM, DPO, CBCI and AMBCI.
