Cybersecurity alignment to Art. 32 Reg. 2016/679/EU (GDPR)

Once the organization's improvement points have been identified through activities such as a Gap Analysis, it is necessary to create processes for the implementation of technical measures, for the evaluation of suppliers (both those already contracted and those still to be contracted), and for the drafting of internal policies and procedures that regulate business processes and the correct processing of personal data. It is therefore appropriate to proceed methodically: list the mitigation actions, order them (for example, by complexity of execution), and consolidate them into a mitigation plan.
Our methodology for cybersecurity alignment to Art. 32 GDPR, therefore, includes various consulting activities for the correct implementation of the mitigation measures proposed after a Gap Analysis.

By way of example, the following activities are envisaged:

a. Revision of the lists of system administrators, making them compatible with the provision of the Italian Data Protection Authority of 27 November 2008 and subsequent amendments (www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1577499);

b. Drafting of the procedures for assessing the work of the system administrators, in accordance with the above provision, or carrying out that assessment ourselves, with the outcome recorded in minutes;

c. Drafting of procedures for the management of security incidents and the possible notification of data breaches, pursuant to Articles 33 and 34 GDPR;

d. Review of the Policy for IT Tools or other documentation regarding the acceptable use of company equipment;

e. Setting up and drafting any other documentation related to cybersecurity;

f. Assistance in the configuration of technologies and procedures that facilitate the exercise of data subject rights (e.g. the right to data portability pursuant to Art. 20(1) GDPR and the right to erasure [right to be forgotten] pursuant to Art. 17(2) GDPR);

g. Assistance in the application and development of procedures according to the principle of Data Protection by Design/Default in the design of new processes, products, and services, according to Art. 25 GDPR.

All procedures, templates, and policies drawn up or revised will subsequently be reviewed together with you so that the security measures in place are tailored as closely as possible to the systems in use and to the organization's existing policies. Having such documents in place not only contributes to corporate accountability but also prepares the organization to respond to events such as data breaches or requests for the exercise of data subject rights.