MARKET | Apr 10, 2018

GDPR: how do companies and the Public Administration change?

The regulations on privacy change and to adopt them requires an organizational change.

Horace Mann said that “habit is a cable: we weave a thread of it each day and at last we cannot break it”. And our daily work life is clogged with habits: for example, all of you raise a virtual hand who continue to notice the “authorizations to process personal data” – located in those microscopic clauses at the bottom of the page and not on the back of forms where we insert our data – in accordance with Law no. 675/96.

I see you, I see the forest of hands.

So, let’s start with the good news: in just a few days “Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016, comes into effect, regarding the protection of individuals relative to the processing of personal data, as well as the free circulation of that data which repeals Directive 95/46/CE”, better known by the acronym GDPR (General Data Protection Regulation).

Good news because, after years of fighting for uniformity and harmonization within the European Economic Area, a first important step in that direction was in fact made with the approval, about two years ago, of the regulation on “privacy”.

Obviously, as good Italians we have also done something else: we have launched a flurry of training courses, some valid some less valid, establishing sudden certifications and managing the legislative innovation like an enormous consulting basin. On the other hand, we have also independently decided that to adapt not much was needed after all, so that almost everything was postponed to 2018, practically to the last moment, if we consider that the first GDPR draft dates back to the first half of 2012.

We have been doing this for years, it is the confession that the system does not work”, to quote Edwards. But now, whether we want to or not, we are on the edge (abyss?) of a radical change, which we can passively decide to undergo – the umpteenth fulfilment of our daily activity – or we can take it as an opportunity to make a real change in our activities.

It has taken us about 15 years to (not) understand how important the protection of our confidentiality is, and now we must discuss it all again?

Protection of personal data today

I am not sure if the regulation arrived late or, on the contrary, early.

Late if we look at the scandals and security incidents that by now involve almost on a daily basis more or less large companies, when not directly affecting the OTT: this is what is happening with Facebook, which we are constantly concerned about as users because of the nonchalant use of our data, as often reported by the press.

It is not by chance that, after the Cambridge Analytica case, the Italian – Privacy, Communications, Antitrust – moved almost at the same time to review the affair, each according to  their specific responsibility.

As I recall, this had never happened before: another clue to understanding how multi-faceted the problems connected to data processing are, which can no longer be relegated to areas defined a priori.

The proof is that our security is deceptive, and often utopian: while it is true that “100% security” is a concept that does not exist either in nature or in technology – it is said that only a PC disconnected from the network can be said to be sure, and even that is not true….- we are learning to combine security and confidentiality, in private, as well as in public: among the Three-year plans for Data Processing and Security Plans, even the Public Administration is slowly but inexorably adapting.

Antonio Samaritani, General Manager of AgID, has never stopped emphasizing how cyber security and privacy are connected, but not in the ways that sometimes we imagine: as generally felt, greater security often corresponds to less confidentiality, reality provides, instead, diametrically opposite proof.

Sure rules, defined processes, predetermined roles: only in this way is it possible for the data to be really secure and accessible only for specific purposes and to given subjects.

For their part, both Giovanni Buttarelli (EDPS) and Antonello Soro have emphasized several times the risks connected to the use of technologies – risks to democracy and the rights of citizens – making it obvious how the institutions that they are part of pay attention to the subject: and here we must refer to paragraph 2 of the GDPR to close the virtual circle, where it states that “the principles and rules protecting individuals with regard to the processing of the personal data should respect their fundamental rights and freedoms”.

Fundamental rights and freedoms that are absolutely not negotiable. 

That ugly word that we call “accountability”.

The first stumbling block was the disappearance of the “comfort words”, the words which we are so used to hearing: now the new terms of accountability, data breach, data processor, data protection officer, assessement will be the new definitions that we have to deal with.

For some of them, the Italian translation – even in the official texts – loses meaning, and makes the application even more confusing: I am thinking of the translation of the “data processor” and “data controller” positions, which we have reproduced as “manager” and “employee”, and which risk not only not doing justice to the differences attributed by the GDPR relative to the previous legislation but also, probably, taking us away from an actual legislative standardization which has to also be semantic. 

Have you prepared the registers?  On compliance, assessment, processing, subjects

About one month from the application of the GDPR, there is little point in talking about stages: during these past two years we have quickly and constantly worked on the application of the GDPR, so….You say no? You say that still many, too many of us, need to provide some explanation?

Fine, then let’s try to reconstruct, extremely briefly, what we need to do not to find ourselves totally unprepared on 25 May.

I am taking it for granted that the first (self) analysis on the compliance of one’s organization with the GDPR has been done.

Obviously, compliance is a process, that can be perfected, certainly not static, that focuses on achieving accountability: self-analysis makes it possible to check at what point this process is, and choose the most suitable solutions and instruments.

Registers are no longer enough, and this is a given: without the “impact assessment” on certain specific processes, the principle of accountability risks excessively making the manager responsible for a data breach, with possible assessment of “inadequacy” of the measures adopted.

Rather, it is better to carry out, in the cases anticipated – this is also a self-assessment – a PIA (Privacy Impact Assessment) in order to evaluate the risks connected to those processes that come under the requirement of art. 9 paragraph 2, in other words processing of “special categories of personal data”, for which it is necessary to be in the conditions listed in letters a) to j).

The identification of these processes (and the implementation of the PIA on them) could turn out to be fundamental given that, in the case of a data breach, the basic reversal of the burden of proof would entail the mandatory demonstration that the data controller has adopted all measures suitable for preventing the violation of personal data, even more so if it is data of that kind: the register – and the individual registers – will thus become the principal instrument – not the only one – available, also to the Data Protection Authority, for the audit of the processing and adequate safety measures.

Also, because the approach to data protection has also basically changed: the minimum measures have disappeared – those which guarantee/guaranteed, a priori, the conformity of the data controller’s work – now it will be the individual processing that will guide the level of protection to avoid processing in violation of the regulation. Security, therefore, will be “adequate” if supported by a suitable assessment of the risk, beyond and in addition to the specific measures implemented, such as encryption.

The identification of the individuals involved in the various processes will be, likewise, fundamental: if the data controller is only one, the managers are/can be many – internal and external, depending on the “contract or legal document” anticipated by art. 28 of the GDPR, distinguishing between “controller”, the owner and “processor”, in other words the person performing the processing. Lastly, a new position is that of the Data Protection Officer, expert on the subject who will serve as consultant to the controller and processor and, at the same time, as connection between them and the supervisory authorities. 

In the meantime, in Europe (and in Italy)

The European Data Protection Authorities  are trying to help their citizens be compliant with the Regulation: the French Data Protection Authority, for example, has made available the Beta version of a software to perform the PIA; the Spanish authority a webtool per la compliance aziendale; the Belgian authority a calculation sheet for filling out the registers of the processes.

In our country, the President of the Italian Data Protection Authority Soro, fully aware of the bumpy ground on which the GDPR is resting, launched, starting in 2017, an important dissemination activity  through theme stages from North to South, and the preparation of a series of educational tools: a guide to the application of the regulation – updated in February 2018 – explanatory infographs on the main points, material on the working group Art. 29 and so forth.

Missing is – because it is still missing – the Legislative Decree implementing the Delegated Law no. 163 of 25.10.2017, aimed at adapting the national legislation to the provisions of the regulation. In reality the draft exists – it was approved during the Council of Ministers meeting last 21 March – but immediately attracted the (correct) criticism of the analysts, since it delegates excessively: in fact, it repeals the entire “code” provided by Italian Legislative Decree no. 196/2003, instead of the individual provisions that it is not compatible with, as provided by the delegation.

The absurdity is that with appropriate but small modifications, the old code was already basically in compliance with the new legislation: a choice which, more than others, has certainly had/is having repercussions on the procedures and on the internal activities of the organization called to make the adjustment and only “justifiable” because of the too little time available for an in-depth review which, obviously, even in this case has been postponed to the last moment. 

A new organization, internal and external

The GDPR, therefore, is certainly the opportunity  to rethink the internal organization of large companies and the Public Administration, as well as relations with the outside but, let us remember, anyone can decide, beyond the scope and the processes developed, to pursue greater and better accountability. The opportunity to study the path of the data from inside to outside one’s own organization, for example, in order to understand how we have done it, and if we like what we have done or not.

A change of mind, a revision, a renewal which can only lead to great benefits.

Certainly, the regulation will not be the panacea: but new rules, shared, and a broader review of the processes – with the awareness that it is actually being done and the “sensitivity” of the data being processed – can be an excellent beginning for a push towards greater security and a better understanding and awareness of the world around us.

You may have noticed that I have not talked about sanctions, and will not talk about them: because it is not fear that must lead to  adaptation, but the choice to govern one’s processes to try to understand their logics.

Awareness, always, above everything else.

Morena Ragone