GDPR and Cyber Security: how to manage IT risks
2018 was marked by damaging cyber attacks on companies, public bodies, institutions and professionals. One example is the latest data breach claimed by Anonymous on December 24th; in that case the targets were the archives of several Italian health agencies.
Furthermore, in the early days of 2019, data on approximately 30,000 civil servants in the State of Victoria (Australia) was stolen following the unauthorized download of a directory. In Italy, cyberattacks were reported against the municipalities of Carovigno (Brindisi) and Aprilia (Latina).
These are only the most recent cases in a long series of attacks which, according to the forecasts, will continue in 2019. It is therefore essential to understand how the information managed by institutions, companies and professional firms is increasingly vulnerable.
One of the main compliance objectives for this new year should therefore be not only the consolidation of protection systems, but also the capacity to react to cyber threats. In this regard, the European Regulation 2016/679 (GDPR) and Legislative Decree 101/2018, which adapted the national legislation (Legislative Decree 196/2003) to the EU Regulation, pay particular attention to the concept of IT security.
Accountability and adequate security measures
The GDPR has introduced important innovations, requiring controllers and processors to take appropriate measures to protect their computer systems and the data in their possession. This is the so-called “accountability principle”, which implies taking responsibility for implementing measures appropriate to the specific risk of the organization for which you act as controller or processor.
In this regard, art. 24 of the GDPR provides that the controller and the processor must be able to put in place technical and organizational measures aimed at both guaranteeing and demonstrating compliance with the principles applicable to the processing of personal data.
To do this, a number of elements must be taken into account, such as:
- purpose of the processing;
- risks related to the freedoms and rights of those concerned.
Accountability, however, does not amount to mere reporting: it requires that the controller and the processor be able, at any time, to:
- establish the most appropriate security measures;
- demonstrate that data has been protected in a manner consistent with the provisions of the European regulation.
Unlike in the past, the European legislator requires that data protection be managed with an approach that is not merely formal but substantive. Such an approach demands an organizational and cultural change across the entire structure of companies and professional firms, IT included.
Computer security, privacy and the risks of processing
In light of the above, the substantive approach presupposes that companies and professionals take action to protect their IT systems in practice, and therefore the data they process.
The EU legislator requires that, in order to guarantee network and information security, the Data Controller and the Data Processor adopt appropriate technical and organizational measures to protect information from unauthorized or unlawful processing and from accidental loss, destruction or damage (integrity and confidentiality, see Article 5, paragraph 1 of the GDPR).
All subjects that process data, both companies and professional firms, must therefore evaluate the so-called IT risk, that is, the risk of direct and indirect damage that may derive from the use of technology within the organization (whose boundaries, with new technologies, now extend to external parties as well).
It follows that data loss can be avoided only if the Data Controller and the Data Processor have assessed the risks associated with any loss, accidental destruction or theft of the data entrusted to them by the data subjects. Pursuant to art. 32 GDPR, this assessment must take into account the state of the art and the costs of implementation, the nature, scope, context and purposes of the processing, as well as the likelihood and severity of any violation of the rights and freedoms of users.
Each risk is then matched by specific security measures which, as the GDPR itself provides, may include among others:
- encryption of personal data;
- the ability to ensure on a permanent basis the confidentiality, integrity, availability, resilience of processing systems and services;
- the ability to promptly restore the availability and access of personal data in the event of a physical or technical incident;
- a procedure for regularly testing, verifying and evaluating the effectiveness of technical and organizational measures in order to guarantee the security of the processing.
It is therefore evident that a concrete and specific analysis of one’s own organization is necessary in order to know the risks to which it is exposed.
Preventing cyber threats
Being aware of the IT risks, and prepared for any loss or, worse, theft of data, goes far beyond avoiding the heavy penalties provided for by the GDPR. Rather, it is about protecting your business, your customers and your reputation on the market.
In fact, managers and professionals must not only know the provisions of the GDPR. Compared to the past, they are required to adopt a substantive approach by implementing effective countermeasures to limit specific risks, from accidental loss of data to cybercrime.
Risk assessment, and the identification of remedies, has therefore become a dynamic and constantly updated process. The biggest challenge for companies and professional firms is to anticipate critical situations and, consequently, find concrete solutions that can guarantee data security and full regulatory compliance.