One of the possible future consequences of the entry into force of the GDPR will be the likely disappearance of minimum measures, a well-defined list of security measures that surely had the merit of spreading the knowledge of basic security concepts.
The concept of minimum measures was introduced precisely to avoid the risk that, with a simple self-assessment under Article 31, data controllers would not be sufficiently motivated to put proper security measures in place.
Hence also the criminal sanction for failing to follow these 29 rules, including the much-discussed DPS (which had the great merit of forcing controllers, in some way, to map their data processing and to perform a risk analysis), a requirement that was subsequently “decriminalized” by being removed from the list.
Over these years the envisaged obligations have been subject to many interpretations, or to the outright omission of some, such as minimum measure 25:
Measures of protection and guarantee, no. 25:
The controller who adopts minimum security measures by making use of parties external to its own structure to carry out their implementation receives from the installer a written description of the work performed, attesting its compliance with the provisions of this technical specification.
A measure I have seen respected in a very limited number of cases in recent years.
A few days ago I was again asked whether an application that does not require a password for access is or isn’t compliant with the regulatory requirements.
I answered as I always do in these cases: 95% of applications, in particular those for individual productivity, have no password, but no one has ever thought of not using Word or OpenOffice for that reason, nor does anyone consider them non-compliant.
The current rule provides for the assignment to each appointee of one or more authentication credentials to access A SINGLE PROCESSING OPERATION OR A SET OF PROCESSING OPERATIONS.
So it is reasonable to assume that credentials allowing access to a specific set of processing operations are enough to permit the use of all the data and applications on the workstation, without the need for additional application-level authentication. This clearly shows how much there is still to be done to bridge the gap between theory and practice, and how often, when applying the rules, we rely on what has been learned aseptically from some book or conference rather than on the actual regulatory text.
Adopting the GDPR will require increasing responsibility on the part of Controllers and Data Processors, who will have to account for the measures they have implemented.