The General Data Protection Regulation is certainly innovative and in line with current requirements for data security. It is structured so as to ensure consistency, balance and control of the powers of the stakeholders involved. It aims to achieve, in the short and medium term, some “hard” goals. Most public and private companies, to date, do not have the features and resources to adapt, and many issues still remain unresolved after the entry into force of Directive 95/46/EC.
Few subjects, over the years, have invested in a strategy designed to achieve data security objectives, because privacy and information security are still considered a computer problem. Privacy issues are taken into account only after damage has occurred.
The recent incidents related to the mass surveillance of citizens by the leading nations in information technology have revealed how the population is “spied on” by illegal and offensive means: the freedom of natural persons was harmed. Public trust in institutions is decreasing, as is the perception of security in information technology.
It is disconcerting that awareness among operators and suppliers has not increased accordingly. The application of privacy policies within business processes is often considered a bureaucratic activity that slows things down and provides no added value. For this reason, they have neither business continuity and disaster recovery plans nor staff dedicated to IT security.
GDPR provides that business and data protection run in parallel, hand in hand, and imposes onerous penalties on those who do not adapt. Nevertheless, the organizational structures of many public and private entities are organized in vertical silos that do not interface with each other. Information sharing and a multi-disciplinary approach, both required for the correct application of information security governance, clash with this “old school” way of thinking.