#Ready4EUdataP Planning today to be ready in 24 months, Sergio Fumagalli

Planning today to be ready in 24 months. Sergio Fumagalli, Clusit - ZEROPIU. Milano, 29 January 2016. #READY4EUDATAP


Timeline: March 2016 to February 2018, month by month, with the Budget 2017 and Budget 2018 planning points marked.

Article 91

Entry into force and application

1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2. It shall apply from [two years from the date referred to in paragraph 1]. ** OJ: insert the date

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Phases on the timeline: analyse, evaluate, test, decide; design, develop, train; implement.

Why care now?


Chart: months of effort required per area (Organization, Processes, Technology, Training, Control) for each of the topics below.

Security measures & Risk Management

Data Protection Officer

Data Breach

Privacy by Design

Data Controller/Processor

Profiling

It takes time


Prevent

• Review: policies, security measures, technologies, awareness

• Design: new policies/measures

• Implement: technologies, training

• Keep informed: trends, technologies, malware

Detect

• The sooner the better: less damage, less liability

• Monitoring: processes, responsibilities

• Document: what, when, why, where

• Keep informed: trends, technologies, malware

React

• Countermeasures: stop breach, minimize damages

• Evaluate: personal data, which ones, how many people, how long

• Comply: which laws/regulations/policies

• Communicate: Management, Supervisor, Data subject, Market

One example: data breach


Article 32 Communication of a personal data breach to the data subject

1. … the controller shall communicate the personal data breach to the data subject without undue delay

2. …

3. The communication to the data subject … shall not be required if:

(a) the controller has implemented appropriate technical and organisational protection measures, … the data unintelligible to any person who is not authorised to access it, such as encryption; or


One example: data breach


Article 77

Right to compensation and liability

1. Any person who has suffered material or immaterial damage as a result of an infringement of the Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

2. Any controller involved in the processing shall be liable for the damage caused by the processing which is not in compliance with this Regulation. …

3. A controller or processor shall be exempted from liability in accordance with paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

4. …, each controller or processor shall be held liable for the entire damage, in order to ensure effective compensation of the data subject.

The cost of not complying

Not only Fines

Full liability

Cost of proving exemption


Article 79

General conditions for imposing administrative fines…

2a. … When deciding whether to impose … and deciding on the amount of the administrative fine … due regard shall be given to the following:

(a) the nature, gravity and …

(e) the degree of responsibility … having regard to technical and organisational measures implemented by them pursuant to Articles 23 and 30;

3(new). Infringements of the following provisions shall … be subject to administrative fines up to 10 000 000 EUR, or … up to 2% of the total worldwide annual turnover … whichever is higher:

(a) the obligations … pursuant to Articles 8, 10, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 39 and 39a;

3a(new). Infringements of the following provisions shall … be subject to administrative fines up to 20 000 000 EUR, … up to 4% of the total worldwide annual turnover …, whichever is higher:

(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;

(b) the data subjects’ rights pursuant to Articles 12-20;

(ba) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 40-44

Fines and liabilities can hit the bottom line

The cost of not complying

Article 23: Data protection by design and by default

Article 30: Security of processing


The benefit of complying

Figure: overlapping compliance frameworks (Cobit, ISO 2700x, GDPR, PCI DSS, 285 (263), SOX).

Personal data are just one of the assets to protect

Standards, methodologies, best practices, laws and regulations converge

Protection of each asset benefits from each compliance effort

Compliance silos reduce those benefits


Figure: the same overlapping frameworks (Cobit, ISO 2700x, GDPR, PCI DSS, 285 (263), SOX) placed alongside the other assets and drivers they touch: Contracts, Patents, Digital transformation, Strategies, Organisation charts, Business continuity, Data protection.

Can your boss afford postponing?


Ask us a question on the Blog

Contact us on Twitter