GDPR and Cyber Security: how to manage IT risks
2024 saw damaging cyber attacks on companies, public bodies, and professionals. One example is the latest Anonymous data breach on December 24th, in which the victims were the archives of several Italian health agencies.
In early 2023, a directory containing data on about 30,000 civil servants in Victoria, Australia was downloaded without authorization. In Italy, cyber attacks hit the municipalities of Carovigno (Brindisi) and Aprilia (Latina).
These are only the latest cases in a long series of attacks, and forecasts say they will continue in 2023. Institutions and companies must acknowledge that their information is more exposed than before.
A key compliance goal this year is therefore to improve cyber security: strengthening protection systems and the ability to respond to threats. Both the GDPR 2016/679 and Legislative Decree 101/2018 focus on IT security; the latter aligned national law (Legislative Decree 196/2003) with the EU regulation.
Accountability and Adequate Security Measures
The GDPR requires owners and managers to protect their computer systems and data. This is the “accountability principle”: as owner or manager of the organization, you must put in place measures proportionate to its risk.
GDPR Article 24 says the owner and controller must ensure compliance with the data processing principles, and must put in place technical and organizational measures to do so.
In doing so, account is taken of many elements, such as:
- Nature
- Context
- Purpose of the processing
- Risks related to the freedoms and rights of those concerned
Accountability means more than mere responsibility. It requires that the owner and manager be able, at any time, to:
- Establish the most appropriate security measures.
- Prove that data has been protected in a manner consistent with the provisions of the European regulation.
Unlike in the past, the EU now requires a large-scale approach to data protection that goes beyond formal compliance. A cultural change is needed in the whole structure, including IT, companies, and firms.
What is GDPR?
The General Data Protection Regulation is a data protection standard in the European Union aimed at protecting customers’ information. It grants EU data subjects control over how their data is processed, stored, and transmitted. The law affects companies worldwide, including any that serve EU residents, and it sets the global standard for data privacy. The key GDPR security controls below are essential for organizations that must comply.
1. Identity and Access Management (IDAM)
IDAM controls restrict access to personal data so that only authorized employees can reach it. This follows from separation of duties and least privilege: the GDPR mandates access only for those who need it. It also requires privacy training and collecting data only for a specific purpose.
2. Data Loss Prevention (DLP)
GDPR security controls, including DLP, prevent data loss by blocking sharing outside the network. DLP tools work behind the scenes to enforce security policies and notify the data protection team of potential threats.
3. Encryption & Pseudonymization
Pseudonymization is the processing of personal data so that it can no longer be linked to a specific person without additional information, which must be kept separately. It usually removes directly identifying information, which limits the damage if data is lost in a breach. The GDPR advises pseudonymization, and investigators check for it when assessing compliance after a security breach.
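As an added illustration (not code from the original article), the following Python snippet pseudonymizes constructed records with a keyed HMAC: the direct identifiers are replaced by tokens, and the key, held separately, is the “additional information” without which the tokens cannot be linked back to a person. The field names, the sample records, and the key are assumptions for the demo.

```python
import hmac
import hashlib
import secrets

# Constructed sample records for the demo; these are not real people.
RECORDS = [
    {"patient_id": "IT-000123", "email": "mario.rossi@example.org", "diagnosis": "A01"},
    {"patient_id": "IT-000456", "email": "anna.bianchi@example.org", "diagnosis": "B02"},
]
# Fields that directly identify a data subject (assumed for this demo).
DIRECT_IDENTIFIERS = ("patient_id", "email")


def new_key() -> bytes:
    """Generate the secret that must be stored apart from the pseudonymized data."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic token: the same input with the same key gives the same token,
    but without the key the token cannot be reversed or even recomputed."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymize(record: dict, key: bytes) -> dict:
    """Return a copy of the record with direct identifiers replaced by tokens."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonym(out[field], key)
    return out


def pseudonymize_dataset(records: list, key: bytes) -> list:
    return [pseudonymize(r, key) for r in records]


def build_lookup(records: list, key: bytes) -> dict:
    """Re-identification table (token -> original id). Keep it with the key, not with the data."""
    return {pseudonym(r["patient_id"], key): r["patient_id"] for r in records}


def reidentify(pseudo_record: dict, lookup: dict):
    """Only whoever holds the lookup table can link a token back to a person."""
    return lookup.get(pseudo_record["patient_id"])


def can_link(pseudo_record: dict, candidate_id: str, key: bytes) -> bool:
    """Check whether a known identity matches a token; fails without the right key."""
    return hmac.compare_digest(pseudo_record["patient_id"], pseudonym(candidate_id, key))
```

The analytical fields (here `diagnosis`) stay usable while the dataset alone no longer identifies anyone; a second key produces unrelated tokens, so separate datasets cannot be joined without it.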
Computer security, privacy, and risks of treatment
The approach assumes that companies and professionals will protect their IT systems and data.
For security, the EU requires that the Data Controller and the Data Processor protect data from unauthorized access, loss, destruction, and damage (Article 5, paragraph 1 of the GDPR).
All organizations that process data must assess “IT risk,” the risk of damage arising from the use of technology. New technology has expanded its boundaries to include external users.
To avoid data loss, the Data Controller and Data Processor must assess the risks of losing, destroying, or stealing data subjects’ data. Under art. 32 GDPR, this assessment must take into account the state of the art and the costs of implementation, as well as the nature, object, context, and purpose of the data processing.
Each risk must be matched by specific security measures. As required by the GDPR, these may include, among others:
- Encryption of personal data.
- The ability to ensure, on an ongoing basis, the confidentiality, integrity, availability, and resilience of systems and services.
- The ability to quickly restore access to personal data after an incident.
- A procedure to test, verify, and evaluate the effectiveness of the measures that ensure the security of the processing.
It is therefore evident that a concrete, specific analysis of one’s own organization is necessary in order to know the risks to which it is exposed.
Preventing Cyber Security Threats
Awareness of IT risks is vital, as is preparation for data loss or theft. This is about more than avoiding the GDPR’s heavy penalties; it is about protecting your business, customers, and market reputation.
Managers and professionals must therefore not only know the provisions of the GDPR. A much better approach is now required, one that puts in place countermeasures to limit risks, from data loss to cyber attacks.
Risk assessment and the identification of remedies are now a dynamic, continuously updated process. The biggest challenge for companies is to anticipate critical situations and find solutions that ensure both data security and full compliance.