The European privacy regulation (GDPR) requires a new approach to cyber security, because of the risk of sanctions and the regulatory obligations that apply.
How cybersecurity changes with the European privacy regulation
#PrivacyMatters
and how the European regulation on personal data
will have to change the approach to cyber security
Giulio Coraggio
Partner - DLA Piper Studio Legale
Head of Technology Sector and Global Internet of Things Group
giulio.coraggio@dlapiper.com
@GiulioCoraggio
There are tools to protect yourself:
- Privacy by design and by default
- Security by design
- Privacy impact assessment
- Internal privacy and cyber risk policies
- Data protection officer
- Cyber risk insurance policy
2. Assessment

Gap analysis report (excerpt). Columns: report section; department / team; issue; inherent risk score; action.

1.04 | Entire business | Issue: Data sharing takes place around the Group but there is no evidence that this is undertaken on particular terms or that related information is logged or recorded in any way. | Inherent risk score: 20 | Action: Ensure all data sharing is clearly tracked through a central privacy clearing team, and regulated under an intra-group data transfer agreement which sets out clear rules and restrictions for onward use and secure processing. If there are processes or agreements in place, refresh these to ensure that all entities, locations, systems and data types are covered.

1.05 | Entire business | Issue: Data sharing with third parties routinely occurs, but disclosures do not appear to be logged or recorded. | Inherent risk score: 20 | Action: Develop a data sharing protocol to regulate transfer / receipt of data with third parties. This should be supported by guidance on the contractual safeguards that you expect to be in place to provide assurance that third parties receiving data will only use it for the limited purposes prescribed, with the information returned or destroyed at the end of the engagement or when it is no longer needed (whichever is the sooner) and that they understand the

3.03 | E-commerce | Issue: Insurance information is stored on separate servers that appear to be more widely accessible by wider business teams. | Inherent risk score: 12 | Action: Ensure means of transfer are secure when transferring data within the business or to a third party and that the data is then handled appropriately once received.
Gap analysis report
Action plan

A. Employee data: recruitment and selection of staff

Columns: No.; issue; what you should be doing to meet the baseline GDPR position; what you are doing / recommended actions; risk / impact.

A1 | Fair processing notice | What you should be doing: limit the personal data you collect from application forms etc. to the fields necessary to allow you to select staff, carry out any necessary vetting (see below), populate initial employment records, register with the relevant tax authorities and check immigration status where necessary (or hold this on record for checks to | What you are doing: [You routinely collect personal data from potential recruits to support the selection process but you do not present recruits with a standard form privacy policy in the application process] ACTION: [e.g. Prepare a standard privacy policy for new recruits. Incorporate a reference to the policy into | Risk / impact: Impact - significant; Likelihood - likely
4. Implementation