Data protection and CYBERSECURITY, the importance of the DPO

The editorial staff of C.I.LP. Italia has already dealt with the topic of the data business and data protection: a highly profitable, and illegal, business generated by the theft of sensitive personal and corporate data held on IT platforms (cloud services, websites, social media, etc.). It is a business worth billions, of which we are all aware (some perhaps even a little resigned to it), yet few decide to take appropriate security measures to protect themselves against it.

Let's start from some numerical data. The GDPR officially entered into force on 25 May 2018; from that date, every company that does not adapt its internal procedures to the legislation enforced by the Guarantor is liable to a very heavy fine. Yet, one year after the enactment of the GDPR, just over 23% of Italian companies were in compliance with its regulatory provisions.


Currently, the situation seems certainly improved and much more reassuring: more recent percentage analyses of the survey on this topic have shown that most Italian companies today are more aware of the importance of protecting privacy and of the need for concrete adaptation to the regulatory requirements of the GDPR. Many have also prepared a dedicated budget for the costs of adapting company systems and procedures. But why is the GDPR so important? Why should we not underestimate the need to adapt to this legislation, and why should adapting to it be a matter of common sense?


Cyberspace, or cybernetic space, is nothing but virtual space: the abstract and imperceptible space created by computers, telematic networks and any other electronic and computer technology. It is the world of virtual reality, imperceptible and abstract indeed, but certainly not imaginary. It is a reality concrete enough that international legislation has prepared itself to regulate it. The reason is simple: what makes everything that happens within cyberspace extremely relevant is the fact that it is made up of an infinite complex of information and data (personal and otherwise) coming from the IT and telematic devices that create it. These data circulate continuously in the virtual space in a system of constant connections and interactions which, enriched with additional data traced from time to time, come to define detailed profiles of people, things, companies, places, needs and any other element that, in fact, moves the global market.



Identity. The identity of each person is now perfectly traced and defined in cyberspace. It is determined by every form of daily cybernetic interaction performed by any human being. Think of the most common situations: sending a curriculum vitae online, the customer database of a supermarket built through loyalty cards, the historical data of the patients of a medical office catalogued in medical records kept in dedicated clouds. Furthermore, the IT databases of the Inland Revenue or of entities such as INPS, AUSL and recruitment agencies.


Many databases of sensitive data. The data contained in these databases are always at risk. Think of the practical examples given a moment ago: the data contained in curricula vitae, in medical records, in online accounts (betting sites, airlines, streaming services, etc.). From these data it is possible to extrapolate names, addresses of residence and domicile, places of work, daily habits, purchases and interests, friendships, places frequented, trips made or reservations planned. It is possible to trace a perfect profile of a person, placing him in a specific place at a precise moment. This system of global control of every person, whether natural or legal, however useful in the fight against organized crime, is at the same time able to provide organized crime with the perfect tools to proliferate. Think of an attack against any company database, even that of a small or medium-sized company. In the event of a successful cyber attack, the attacker would have available the contractual data of employees, collaborators and customers, the allocated budgets, and the budgets and expenses. Pretty much everything. Protecting a company's data is therefore very important. These data contain personal and financial information, but also intellectual and industrial information. The theft of everything related to patents, business processes and the like, once in the wrong hands, would lead to a significant erosion of the company's industrial property rights, negatively affecting the competitiveness and market positioning of the unfortunate company. Equally compromised would be the reputation of a company that lets itself be stripped of its customers' sensitive data: the inevitable loss of confidence of existing customers (and potential new ones) would result in a collapse in sales as well as a loss of business partners.


It is true that crimes against privacy, like all crimes, are punished by the legal system with a specific system of sanctions, but it is also true that a procedure for compensation for damages, besides requiring very long times before it is concretely realized and costs that are hard to bear, does not provide a return to the past, to the status quo before the violation. Keeping in mind the principle that "prevention is better than cure", we specify below the means of preventing the crimes affecting privacy.

Regulatory framework of reference: the protection of privacy – Legislative Decree 196/2003; Legislative Decree 101; the Privacy Guarantor; EU Regulation 2016/679 – known as the GDPR, General Data Protection Regulation. Data protection pursuant to the GDPR, whose compliance aspects the C.I.LP. Italia editorial staff has already dealt with in the article "GDPR Compliance – The data business", is notoriously a complex regulation, often difficult to understand for those who are not legal practitioners. The erroneous interpretation of such legislation, as widely explained, can expose the user to serious consequences in terms of injury to privacy, as well as, let us not forget, to really expensive fines imposed by the Guarantor. With the entry into force of the GDPR on May 25, 2018, Legislative Decree 196/2003 (the Personal Data Protection Code) was not repealed: only some of the provisions contained therein were modified, integrated and, in any case, made compliant with the regulatory framework outlined by the GDPR.


The European regulation provides for two levels of sanctions (Art. 83 GDPR) for violations of the mandatory provisions contained therein. The first level includes pecuniary administrative sanctions for so-called minor violations: up to € 10,000,000 or, for businesses, up to 2% of the total annual worldwide turnover of the previous year. These violations specifically concern the obligations imposed on the following subjects: the data controller and the data processor (Articles 8, 11, 25 to 39, 42 and 43 GDPR); the certification body, Accredia; the body monitoring the code of conduct (Art. 41 GDPR). The second level of administrative fines, heavier in consideration of the greater seriousness of the cases to which it refers, includes penalties up to € 20,000,000 or, for companies, up to 4% of the annual worldwide turnover of the previous year, whichever is higher. These concern violations of: the basic principles for processing, including the conditions for consent, pursuant to Articles 5, 6, 7 and 9; the rights of data subjects pursuant to Articles 12 to 22; the transfer of personal data to a recipient in a third country or an international organization pursuant to Articles 44 to 49; any obligation under the laws of the Member States adopted pursuant to Chapter IX; failure to comply with an order, a temporary or definitive limitation on processing or a suspension of data flows imposed by the supervisory authority (i.e. the Privacy Guarantor) pursuant to Article 58, paragraph 2, or denial of access in violation of Article 58, paragraph 1 GDPR.


With regard to criminal sanctions, while on the one hand the GDPR does not directly provide for them, on the other hand it leaves Member States the right to establish provisions on criminal sanctions for violations of the GDPR, as well as for violations of national rules adopted pursuant to and within the limits of the Regulation (Recital 148). Here too the Decree intervened, modifying the criminal offences already provided for by the Privacy Code and integrating them with further violations. The offences for which criminal sanctions apply are therefore, pursuant to the reformed Privacy Code: Art. 167 (Unlawful data processing); Art. 167-bis (Unlawful communication and dissemination of personal data subject to large-scale processing); Art. 167-ter (Fraudulent acquisition of personal data subject to large-scale processing); Art. 168 (False statements to the Guarantor and interruption of the execution of the tasks or the exercise of the powers of the Guarantor); Art. 170 (Non-compliance with the provisions of the Guarantor).




The figure of the DPO, although not legally framed within a specific professional register, must according to the GDPR be a subject of high professional standing; he can therefore be an employee of the data controller or of the data processor, or can fulfil his duties under a service contract, including as a freelancer. The DPO must enjoy wide autonomy and does not receive any instructions regarding the performance of his tasks. The Regulation specifies (Art. 38) that the data protection officer is not dismissed or penalized by the data controller or by the data processor for performing his tasks, and reports directly to the highest management level of the controller or of the processor. He must be promptly and adequately involved in all matters concerning the protection of personal data, both by the data controller and by the data processor. Data subjects can contact the DPO for questions relating to the processing of their personal data and the exercise of their rights under the Regulation. Art. 39 of the Regulation identifies the tasks of the DPO. He has important advisory functions towards the controller and the processor on all privacy issues, with particular attention to the DPIA (Data Protection Impact Assessment) and to the register of processing activities. Equally relevant is his function as a liaison with the Guarantor Authority and his role in checking compliance with the Regulation within the company or reference body. We strongly recommend hiring as data protection officer a person qualified to fill this delicate role. If you opt for a person inside the company, you are invited to guarantee the future DPO the protection of privacy and constant regulatory and procedural updates.


C.I.LP. Italia, created to interactively support the economic development of Italian companies, encourages the reader to get in touch with the Association through the CONTACTS page of the website. We have ad hoc professional figures and specific services for every business need.

