On 15 March, during the three-day Clusit Security Summit, a meeting entitled “Practically GDPR” was held in a full room at the Atahotel Expo Fiera Rho-Pero. It was presented and moderated by Dr. Vallega in a round-table format, with speakers, in addition to the president of Clusit, from companies representative of the Italian economy.
This post is not intended to recap the event, so I will just say that the meeting consisted of a general presentation of EU Reg. 2016/679, followed by accounts of the implementation of the GDPR in specific companies, and a question time for the participants. Among the questions, one in particular struck me: “the ethical aspect of GDPR, i.e. what you do / you could do to emphasize, following the correct privacy adjustment, also the ethical values linked to the world of privacy”.
The matter, therefore, is not only to implement the legislation but also to offer a view that emphasizes and draws attention to the values underlying it.
The first thing I would say is that the norm, for the most part, does pay attention to ethics, but we are generally more concerned with operations. We thus overlook both the motives that inspired certain rules (such as the recitals, the “considering” clauses) and a more careful reading of the clauses of the law, focused not only on the “how / what to do” but also on the deeper meaning of the rule. To illustrate this, it is sufficient to read Article 45 of EU Reg. 2016/679 on the transfer of data to non-EU territory on the basis of an adequacy decision, which reads:

“1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation. 2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements: (a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred”
So it is the legislation itself that places primary attention on respect for human rights and fundamental freedoms, and, to give effect to the clause above, it is the EU Commission itself that is asked to assess and then adopt the implementing acts (see Article 45, paragraph 3, Reg. 2016/679).
A first way, therefore, to underline the ethical aspect within a company's privacy compliance framework may be to highlight in the relevant documentation not only the procedures but also the principles that inspire them.
But that is not all.
In fact, to really give an ethical perspective to the privacy management system of a single entity, it could be advisable to compare the regulations and international standards already present in the company and related to the issue, in order to create a single integrated system.
To this end it would be interesting to compare privacy legislation, compliance programs pursuant to Legislative Decree no. 231/2001 (with particular reference to crimes such as those against the human personality), and, in my opinion, the SA 8000 international standard, which sets out the requirements for the ethical behaviour of companies and their supply chain.
From the results of this activity, obviously integrated with all the remaining items required by the GDPR, you would obtain not only good tracking and mapping of data processing (also useful for preparing the record of processing activities, the RPA, pursuant to Article 30 of Reg. 2016/679) but also a program that places greater emphasis on ethics and moral duties, and from there it is a short step to giving evidence of this to third parties. So, in my opinion, a company committed to an operation of this kind would also benefit and be able to stand out on the market.