Changing the DNA of the companies
The new privacy rules force companies to change their organization, processes and mindset. They require not only technical implementations but also organizational changes, through a proactive and predictive approach. Although awareness of privacy issues has increased over the years, the old organizational model has not changed. In the absence of effective action by companies, a bureaucratic “one time” approach and a privacy “on paper” culture have become entrenched.
The Data Protection Officer cannot be an occasional consultant, because the role must be a stable part of the organizational structure in order to prevent the countless critical issues. For instance, incident management in case of a data breach must be an ongoing activity. Not all organizations are able to detect a data breach, but if one occurs, the reporting obligation could result in reputational damage and consequent economic losses: in addition to possible sanctions by the supervisory authority, a concrete loss of turnover. Such decisions are not easy to make or delegate in a short time.
Fostering greater people involvement
Some of the biggest problems are the involvement and updating of stakeholders, who are often locked into dangerous currents of thought that consider privacy and information security a superfluous “fashion”. The overall work context, however, has gaps: first, contracts and corporate codes of conduct should be adjusted to include data protection in the rules of behaviour, as recalled by Article 88 – Processing in the context of employment.
The impact that third parties have on privacy and data security is remarkable and, unfortunately, little considered. Many data breaches have been caused by repeated and erroneous behaviour by third parties, such as: lack of password management, failure to apply security patches to systems, applying software updates without prior security testing, and lack of minimum security measures. Some software companies, indeed, develop their products in compliance with data protection requirements only if specifically requested and paid for by the customers, although this is required by law. There is software on the market that does not comply with privacy law, and every adjustment to it, in terms of security and compliance, must be paid for. This results in outlays for companies, which could be forced to fall back on cheap and insecure solutions.
Resources and responsibilities
From the data protection perspective, the GDPR aims to align all the countries of the European Community. Applying this legislation entails very high costs, unsustainable for many companies, and imposes heavy penalties on those who do not carry out its provisions. It is also obvious, even from a purely economic point of view, that EU countries are experiencing a period of great change which places them on different levels. It is evident that uniform application of the Regulation, in the current state, is very complicated. For this reason, the need emerges to provide incentives for disadvantaged communities, to avoid an inconsistent and unbalanced system: “carrot and stick”.
New tasks can change the contractual terms. The GDPR lays down that the Processor is directly liable before the law for the damage it causes. This is a good point from the responsibility perspective, because the supplier is encouraged to behave more appropriately, but it is disadvantageous from the economic point of view.
Nowadays, IT suppliers are classified as external Processors: when will they be ready to take on the responsibility and the possible sanctions for free? As already suggested by authoritative experts of this forum, the supply contracts must all be revised and the chain of responsibility reviewed, adding costs to each personal data processing operation.
Some possible solutions
The right application of the GDPR is possible only with the help of the supervisory authorities. Most likely, they will produce guidelines for each application context. To ensure a proper relationship between citizens and public and private organizations, it would be appropriate for EU Member States to promote intense and widespread awareness-raising activities in both directions. As for public and private companies, they should immediately set up a high-level internal structure capable of governing information security and privacy, in order to define strategies, policies, security awareness and training. Security experts should be involved in all key business processes. Corporate security awareness campaigns would also prevent people from perceiving privacy as an obstacle to their activities. Third parties should be managed through an effective IT change management process, to ensure compliance and reduce the risk of data breaches.
In any case, to better manage this complex system, reducing costs and lowering the risk area, it would be good to follow an old but still effective principle: “Simplify!”.