GDPR 2018 Piergiorgio Venuti

GDPR: what’s new and what’s old

GDPR 2018: what’s new and what’s old.

In my work as a privacy professional I have dealt with companies and public administrations that – those with more effort and effort, those with less – have tried to adapt to the so-called “privacy” regulations that have taken place over the last twenty years. But when I happened to meet these companies after a while, I discovered that all those efforts – big or small they were – had no following: a magnificent castle was built but no maintenance was done , and that castle fell to pieces, in some cases it no longer exists and many do not know if it ever existed.

So when I think of the GDPR and all those who are concerned with the changes that this introduces and the investments that will need to be made to adapt, in short, when my clients ask me how much this new castle will cost them, I would rather say than think what will be needed to invest in building the castle (new software, new technologies) will be more important to think about later, how to organize and maintain their processes, how to keep their people up to date, how to verify, monitor that data are treated in the respect for the principles, that the effectiveness of the security measures is always adequate in relation to the evolution of the threats and the new treatments that the companies put in place.

Yes, because in the GDPR there is little new as to prescriptions (the GDPR has not so much prescriptive character), there is instead a lot of new in terms of principles and responsibilities.

One of the key principles of the GDPR 2018 is in fact that of accountability, of accountability.

In fact, the Owner is responsible for any decision on the appropriate measures to be prepared, and the measures are established on the basis of the results of the risk analysis (and this is not new, remember the DPSS whose compulsory had been canceled in our legal system?). And the risk analysis must be done on the treatments, it is necessary to draw up a Register of Treatments (The DPSS foresaw a census of the treatments, even here nothing new …).

But security measures, treatment processes, are not something static. Moreover it may happen that not all organization is constant in applying principles and measures in daily practice.

Here then the GDPR requires that the effectiveness of the measures is monitored, that the application of the principles is verified: this has only one name, which in the Italian version of the GDPR has been translated in an abrupt manner in three different ways. This name is AUDIT: here’s what you have to keep doing.

And much attention must also be done when designing new measures, new treatments: it will be necessary to respect the key principles of privacy by design and privacy by default.

And for the most risky treatments (those that are operated on data that are risky for the freedom and dignity of the data subjects, health data, biometric data, genetic data …), an Impact Assessment must be carried out before starting the treatment. The current legislation provides for a notification to the Guarantor, an act that is usually only bureaucratic: the GDPR asks for something more complicated, which goes to intersect with the principle of accountability: it is always the owner who is responsible for carrying out an evaluation impact and decide on the measures.

In conclusion, in GDPR 2018 there is a lot of old, already present in the current legislation, although in some cases a bit ‘hidden between the lines, but often less hidden in the measures of the Guarantor. The real news, as we have seen, lies in the responsibility, in the need – even in the obligation – to do maintenance, and it is precisely there that also go to fit the new (those yes!) And much heavier penalties.

Paolo Raimondi, Privacy Officer and Privacy Consultant

GDPR 2018

 

[btnsx id=”2931″]

Useful links:

Almost ready for the GDPR

Cyber Risk Insurance

Introducing a set of new GDPR tools

New European regulation (GDPR)

Privacy

Stay in control of your fast-moving, quick-shifting data

 

Share


RSS

More Articles…

Categories …

Tags

RSS Dark Reading:

RSS Full Disclosure

  • Backdoor.Win32.DarkKomet.irv / Insecure Permissions February 23, 2021
    Posted by malvuln on Feb 23Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/a229acff4e0605ad24eaf3d9c44fdb1b.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.DarkKomet.irv Vulnerability: Insecure Permissions Description: DarkKomet.irv creates an insecure dir named "Windupdt" under c:\ drive, granting change (C) permissions to authenticated user group. Standard users can rename...
  • Trojan.Win32.Pluder.o / Insecure Permissions February 23, 2021
    Posted by malvuln on Feb 23Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/ee22eea131c0e00162e4ba370f396a00.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Trojan.Win32.Pluder.o Vulnerability: Insecure Permissions Description: Creates an insecure dir named "z_Drivers" under c:\ drive, granting change (C) permissions to authenticated user group. Pluder.o also creates several registry key...
  • Trojan.Win32.Pincav.cmfl / Insecure Permissions February 23, 2021
    Posted by malvuln on Feb 23Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/9d296ebd6b4f79457fcc61e38dcce61e.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Trojan.Win32.Pincav.cmfl Vulnerability: Insecure Permissions Description: The trojan creates an insecure dir named "Windupdt" under c:\ drive, granting change (C) permissions to authenticated users group. Standard users can rename the...
  • Trojan-Proxy.Win32.Daemonize.i / Remote Denial of Service February 23, 2021
    Posted by malvuln on Feb 23Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/61bec9f22a5955e076e0d5ddf6232f3f.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Trojan-Proxy.Win32.Daemonize.i Vulnerability: Remote Denial of Service Description: Daemonize.i listens on TCP port 5823, sending some junk packets to the trojan results in invalid pointer read leading to an access violation and […]
  • Backdoor.Win32.Ketch.h / Remote Stack Buffer Overflow (SEH) February 23, 2021
    Posted by malvuln on Feb 23Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/63c55ad21e0771c7f9ca71ec3bfcea0f.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Ketch.h Vulnerability: Remote Stack Buffer Overflow (SEH) Description: Ketch makes HTTP request to port 80 for a file named script.dat, after process the server response of 1,612 bytes or more it […]
  • Backdoor.Win32.Inject.tyq / Insecure Permissions February 23, 2021
    Posted by malvuln on Feb 23Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/833868d3092bea833839a6b8ec196046.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Inject.tyq Vulnerability: Insecure Permissions Description: The backdoor creates an dir named "hotfix" under c:\ drive granting change (C) permissions to the authenticated user group. Type: PE32 MD5:...
  • IBM(R) Db2(R) Windows client DLL Hijacking Vulnerability(0day) February 23, 2021
    Posted by houjingyi on Feb 23A few months ago I disclosed Cisco Webex Teams Client for Windows DLL Hijacking Vulnerability I found : https://seclists.org/fulldisclosure/2020/Oct/16 In that post I mentioned "I will add more details 90 days after my report or a security bulletin available". Here it comes. NOTICE : This vulnerability seems did not get […]
  • CIRA Canadian Shield iOS Application - MITM SSL Certificate Vulnerability (CVE-2021-27189) February 23, 2021
    Posted by David Coomber on Feb 23CIRA Canadian Shield iOS Application - MITM SSL Certificate Vulnerability (CVE-2021-27189)
  • [KIS-2021-02] docsify <= 4.11.6 DOM-based Cross-Site Scripting Vulnerability February 20, 2021
    Posted by research on Feb 19-------------------------------------------------------------- docsify
  • Backdoor.Win32.Bionet.10 / Anonymous Logon February 19, 2021
    Posted by malvuln on Feb 19Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/be559307f5cd055f123a637b1135c8d3.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Bionet.10 Vulnerability: Anonymous Logon Description: The backdoor listens on TCP port 12348 and allows anonymous logon credentials to be used to access an infected host. Type: PE32 MD5: be559307f5cd055f123a637b1135c8d3 Vuln ID:...

Customers

Newsletter