By Gaia Magrini, Data Protection Officer of Kirey Group
We had discussed it at length in the months before it came into force, and companies arrived at that appointment mostly ready, at least formally.
In a few days we will have to take stock of this first year of the GDPR; certainly a positive year overall: the Garante (the Italian Data Protection Authority) has been given increasingly flexible tools to ensure enforcement, data protection has become a central issue and, finally, data security has been unified at European level. However, significant shadows remain in the face of a constantly evolving Regulation and a level of user awareness of data protection which, despite continuous reports of data breaches and sanctions even against the big players of the digital economy, struggles to grow at the same pace.
Many of the companies that declared themselves ready for the GDPR realized after a few months that some aspects had been underestimated: the main one, in my opinion, is that what had been built needed to be constantly maintained and updated.
One example is the Register of Processing Activities, essential for keeping track of the operations the organization carries out on the personal data of data subjects and for assessing the applicable regulatory obligations. This register (of the Controller and, where required, of the Processor) is certainly one of the first pieces of evidence requested in the event of an inspection. Many companies had already adopted it beforehand and were formally ready, but they soon realized that this was not enough, because the register must be constantly updated and is only a starting point.
A second example concerns the designation of external processors: many companies believed that this was sufficient in itself, that designating all the companies that processed data on their behalf by sending them appointment letters was enough to be compliant. This is definitely not the case, because guaranteeing compliance with the GDPR involves activating checks and promoting constant audits, an aspect that has also exposed companies acting as external processors to checks and audits by data controllers.
It is now clear that compliance with the GDPR requires specific training and expert technological assistance combined with a rigorous approach, with the support of the Legal and IT departments and of consulting firms, to conduct in-depth assessments and analysis of the legislation as well as of business processes. This is because the legislation, often difficult to interpret in itself, undergoes continual changes that make the path of learning and adjustment challenging and uninterrupted. Furthermore, a careful evaluation cannot be separated from the analysis of the different regulations applicable from time to time to individual situations.
In this sense the GDPR is a starting point, not a destination: it requires a dynamic approach oriented both to the principle of accountability, one of the pillars of the GDPR, which calls for the definition of technical and organizational measures suitable to guarantee, and to be able to demonstrate, that the processing of personal data is carried out in compliance with the Regulation, and to the continuous improvement of a privacy management system within the company. A path that I personally, as DPO of the Kirey Group, face every day to ensure that Kirey is compliant, with great attention also to the outside, because the Group operates as data controller in diversified, complex scenarios in which it must manage relationships with the customers for whom it provides services. The Group also holds the role of external DPO for companies that are very different from each other, ranging from the media world to asset management companies.
Since its entry into force, the relationship has emerged between the GDPR and the new digital revolution, in which personal data are at the center and innovation is turned into innovative services by exploiting the enormous amount of data that new technologies allow us to collect, analyze, trace, share and cross-reference.
A sign of the growing attention to digital technologies is the fact that today inspections are conducted by the Special Unit for the Protection of Privacy and Technological Fraud, a special unit which can therefore claim specific competences not only in privacy but also in technology and, in particular, IT security.
If it is true that cyber security has been intrinsically linked to the GDPR from the beginning, it is equally true that the dialogue between information security and legislation is also evolving profoundly. Legislative Decree No. 65 of 18 May 2018 had already transposed Directive (EU) 2016/1148 (the so-called NIS Directive) on cyber security, a decree that applies, among others, to entities providing essential services such as banks and insurance companies. Today privacy and cybersecurity move in parallel, and the collaboration between the DPO and the CISO (Chief Information Security Officer, where appointed) becomes essential.
This is a continuous path that constitutes a fundamental part of the new European cyber security strategy and which, in line with Article 5 of the GDPR, should guarantee a qualitative leap for the “privacy by design” already inherent in the very concept of the GDPR.
However, I believe it is essential to draw the attention of data controllers to the fact that the growing attention to technological aspects should not be misleading and make them direct their efforts only towards the technological side, forgetting the organizational component. I believe, in fact, that there is no way to comply with the GDPR without investing in the organization as a whole.
Privacy is not and cannot be a subject for IT alone; it involves the legal department, marketing, human resources management and, in general, all business divisions. A coherent and, above all, effective model starts from the bottom by raising the awareness of the various people involved. IT certainly plays a central role in data processing, especially in terms of privacy by design, but we must not forget the overall context.
While data masking and deletion, for example, are important technical aspects, it is the Controller who is responsible for verifying and demonstrating that the organization, based on an analysis of its business model, is compliant, what the real risks are and which measures (physical, logical and organizational) need to be implemented.
For this reason the DPO, as a professional figure with specific skills in IT and law but also in risk assessment and process analysis, also plays a fundamental role in promoting skills and training with respect to company management and the key figures involved. Furthermore, it is essential that this figure has an in-depth knowledge of the processes and the business in question, because only in this way will he or she be able to help the Controller design an effective and well-guaranteed model.
In my daily work I have noticed that data controllers are increasingly aware of the legislation and request ever more discussion and in-depth verification of how the various requests should be handled, particularly from the point of view of the principle of accountability, so as always to be able to demonstrate that the processing of personal data is carried out in accordance with the Regulation.
For this reason I believe that the choice of the Data Protection Officer and his or her advisory capacity in constantly assisting the Controller, for example with continuous checks on the privacy aspects of contracts or verification of all the documentation produced, even when new projects are started, will prove to be fundamental not only from the point of view of respecting privacy, but also for the ability to exploit new business opportunities and to avoid that the tightening of sanctions and the loss of trust deriving from any data breach hinder the company's growth and digital transformation. Today a compliant privacy system must be seen by companies not only as a way to protect themselves from possible sanctions, but also as a way to be a reliable player on the market and to guarantee a quality service.