Planning today to be ready in 24 months
Sergio Fumagalli, Clusit - ZEROPIU, Milan, 29 January 2016
#READY4EUDATAP
[Timeline: March 2016 to February 2018, month by month, with the Budget 2017 and Budget 2018 milestones marked]
Article 91
Entry into force and application
1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
2. It shall apply from [two years from the date referred to in paragraph 1]. ** OJ: insert the date
This Regulation shall be binding in its entirety and directly applicable in all Member States.
• Analyse, evaluate, test, decide
• Design, develop, train
• Implement
Why care now?
[Chart: months needed in each area (Organization, Processes, Technology, Training, Control) for each of the following topics]
• Security measures & Risk Management
• Data Protection Officer
• Data Breach
• Privacy by Design
• Data Controller/Processor
• Profiling
It takes time
Prevent
• Review: policies, security measures, technologies, awareness
• Design: new policies/measures
• Implement: technologies, training
• Keep informed: trends, technologies, malware
Detect
• The sooner the better: less damage, less liability
• Monitoring: processes, responsibilities
• Document: what, when, why, where
• Keep informed: trends, technologies, malware
React
• Countermeasures: stop breach, minimize damages
• Evaluate: personal data, which ones, how many people, how long
• Comply: which laws/regulations/policies
• Communicate: Management, Supervisor, Data subject, Market
One example: data breach
Article 32: Communication of a personal data breach to the data subject
1. … the controller shall communicate the personal data breach to the data subject without undue delay
2. …
3. The communication to the data subject … shall not be required if:
(a) the controller has implemented appropriate technical and organisational protection measures, … the data unintelligible to any person who is not authorised to access it, such as encryption; or
…
One example: data breach
Article 77
Right to compensation and liability
1. Any person who has suffered material or immaterial damage as a result of an infringement of the Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in the processing shall be liable for the damage caused by the processing which is not in compliance with this Regulation. …
3. A controller or processor shall be exempted from liability in accordance with paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
4. …, each controller or processor shall be held liable for the entire damage, in order to ensure effective compensation of the data subject.
The cost of not complying
• Not only fines
• Full liability
• Cost of proving exemption
Article 79
General conditions for imposing administrative fines…
2a. … When deciding whether to impose … and deciding on the
amount of the administrative fine … due regard shall be given to the
following:
(a) the nature, gravity and …
…
(e) the degree of responsibility … having regard to technical and
organisational measures implemented by them pursuant to
Articles 23 and 30;
3(new). Infringements of the following provisions shall … be subject to administrative fines up to 10 000 000 EUR, or … up to 2% of the total worldwide annual turnover …, whichever is higher:
(a) the obligations … pursuant to Articles 8, 10, 23, 24, 25, 26, 27, 28, 29,
30, 31, 32, 33, 34, 35, 36, 37, 39 and 39a;
3a(new). Infringements of the following provisions shall … be subject to administrative fines up to 20 000 000 EUR, … up to 4% of the total worldwide annual turnover …, whichever is higher:
(a) the basic principles for processing, including conditions for consent,
pursuant to Articles 5, 6, 7 and 9;
(b) the data subjects’ rights pursuant to Articles 12-20;
(ba) the transfers of personal data to a recipient in a third country
or an international organisation pursuant to Articles 40-44
Fines and liabilities can impact the bottom line
The cost of not complying
Article 23: Data protection by design and by default
Article 30: Security of processing
The benefit of complying
[Diagram: overlapping compliance frameworks: Cobit, ISO 2700x, GDPR, PCI DSS, 285 (263), SOX, …]
Personal data are just one of the assets to protect
Standards, methodologies, best practices, laws and regulations converge
The protection of each asset benefits from each compliance effort
Compliance silos reduce the benefits
[Diagram: the same compliance frameworks (Cobit, ISO 2700x, GDPR, PCI DSS, 285 (263), SOX, …) alongside other business assets: contracts, patents, digital transformation, strategies, organisation charts, business continuity, data protection]
Can your boss afford postponing?
Ask us a question on the Blog
Contact us on Twitter