2. Cybersecurity Gap Analysis Art. 32 GDPR (first analysis and periodic update analysis)

It is universally recognized that security is not a product but a continuous process: security and confidentiality are two fundamental elements of company systems, and guaranteeing them requires both resources and periodic revisions, re-evaluations, and consequent re-implementation, which makes the process quite complex.

With this awareness, the recent regulatory framework has evolved considerably following the approval of “Regulation (Eu) 2016/679 Of The European Parliament And Of The Council” of 27 April 2016, better known as the General Data Protection Regulation (GDPR), which entered into force on 25 May 2018. Article 5(2) GDPR defines the principle of accountability for the data controller. The principle states that the data controller is responsible for complying with paragraph 1 of the same article, which prescribes, among others, the principle of “integrity and confidentiality”, i.e. that the data is processed “in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Article 32(1)(a) details further security measures to be taken into consideration, such as the “pseudonymisation and encryption of personal data”, and Art. 32(1)(d) requires “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

It is, therefore, necessary to interpret what qualifies as “adequate” security or an “effective” measure: the GDPR provides for significant penalties in case of non-compliance, so it is extremely important that organizations ensure their technical measures are aligned with the relevant legislation.

Our methodology for conducting Cybersecurity Gap Analyses from a GDPR perspective begins with the definition of the company perimeter and proceeds through the verification of the technical and organizational security measures in place, together with a contextual analysis of security risk (security risk assessment).

The activity results in a detailed report that is not limited to the “mere” alignment of the company perimeter with Art. 32 GDPR: it remains a reference document in case of inspections and future audits, and, thanks to the evidence collected and the information it contains, a solid starting point for undertaking corporate IT security certification processes.