Once the corporate improvement points have been identified through activities such as the Gap Analysis, it is still necessary to create processes for implementing technical measures, for evaluating suppliers that have already entered into agreements and those in the process of doing so, and for drafting the internal policies and procedures that regulate business processes and the correct processing of personal data. It is therefore appropriate to proceed methodically: list the mitigation actions, order them (for instance by complexity of execution) and build them into a remediation programme.
Our methodology for cybersecurity alignment with Art. 32 GDPR therefore includes various consultancy activities for the correct implementation of the mitigation measures proposed in the Gap Analysis or recommended by other firms. In particular, the following activities are included, by way of example:
a. Review of the lists of system administrators, bringing them into line with the Italian Data Protection Authority's (Garante) Decision of 27 November 2008 on system administrators and its subsequent amendments (www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1577499);
b. Review of the procedures for checking system administrators' activities, in compliance with the aforementioned Decision, or performance of that check on the customer's behalf, with the results documented;
c. Review of the procedures for managing security incidents and, where required, notifying personal data breaches to the supervisory authority and communicating them to the data subjects, pursuant to Arts. 33 and 34 GDPR;
d. Review of the IT Tools Policy or other documentation governing the acceptable use of corporate equipment;
e. Drafting and revising any other cybersecurity documentation;
f. Assistance with putting in place the technologies and procedures needed to facilitate the exercise of data subjects' rights (e.g. the right to data portability under Art. 20(1) GDPR and the right to be forgotten under Art. 17(2) GDPR);
g. Assistance with introducing appropriate procedures that apply the principles of Data Protection by Design and by Default when planning new processes, products and services, pursuant to Art. 25 GDPR.
All procedures, templates and policies drafted or revised are then reviewed together with the customer, so that they are tailored as closely as possible to the security measures already in place, the systems in use and the existing corporate policies. Such documents not only support the company's accountability but also enable the company or entity to respond promptly to events such as data breaches or requests from data subjects exercising their rights.