GDPR 2018 Piergiorgio Venuti

GDPR: what’s new and what’s old

GDPR 2018: what’s new and what’s old.

In my work as a privacy professional I have dealt with companies and public administrations that – those with more effort and effort, those with less – have tried to adapt to the so-called “privacy” regulations that have taken place over the last twenty years. But when I happened to meet these companies after a while, I discovered that all those efforts – big or small they were – had no following: a magnificent castle was built but no maintenance was done , and that castle fell to pieces, in some cases it no longer exists and many do not know if it ever existed.

So when I think of the GDPR and all those who are concerned with the changes that this introduces and the investments that will need to be made to adapt, in short, when my clients ask me how much this new castle will cost them, I would rather say than think what will be needed to invest in building the castle (new software, new technologies) will be more important to think about later, how to organize and maintain their processes, how to keep their people up to date, how to verify, monitor that data are treated in the respect for the principles, that the effectiveness of the security measures is always adequate in relation to the evolution of the threats and the new treatments that the companies put in place.

Yes, because in the GDPR there is little new as to prescriptions (the GDPR has not so much prescriptive character), there is instead a lot of new in terms of principles and responsibilities.

One of the key principles of the GDPR 2018 is in fact that of accountability, of accountability.

In fact, the Owner is responsible for any decision on the appropriate measures to be prepared, and the measures are established on the basis of the results of the risk analysis (and this is not new, remember the DPSS whose compulsory had been canceled in our legal system?). And the risk analysis must be done on the treatments, it is necessary to draw up a Register of Treatments (The DPSS foresaw a census of the treatments, even here nothing new …).

But security measures, treatment processes, are not something static. Moreover it may happen that not all organization is constant in applying principles and measures in daily practice.

Here then the GDPR requires that the effectiveness of the measures is monitored, that the application of the principles is verified: this has only one name, which in the Italian version of the GDPR has been translated in an abrupt manner in three different ways. This name is AUDIT: here’s what you have to keep doing.

And much attention must also be done when designing new measures, new treatments: it will be necessary to respect the key principles of privacy by design and privacy by default.

And for the most risky treatments (those that are operated on data that are risky for the freedom and dignity of the data subjects, health data, biometric data, genetic data …), an Impact Assessment must be carried out before starting the treatment. The current legislation provides for a notification to the Guarantor, an act that is usually only bureaucratic: the GDPR asks for something more complicated, which goes to intersect with the principle of accountability: it is always the owner who is responsible for carrying out an evaluation impact and decide on the measures.

In conclusion, in GDPR 2018 there is a lot of old, already present in the current legislation, although in some cases a bit ‘hidden between the lines, but often less hidden in the measures of the Guarantor. The real news, as we have seen, lies in the responsibility, in the need – even in the obligation – to do maintenance, and it is precisely there that also go to fit the new (those yes!) And much heavier penalties.

Paolo Raimondi, Privacy Officer and Privacy Consultant

GDPR 2018

 

[btnsx id=”2931″]

Useful links:

Almost ready for the GDPR

Cyber Risk Insurance

Introducing a set of new GDPR tools

New European regulation (GDPR)

Privacy

Stay in control of your fast-moving, quick-shifting data

 

Share


RSS

More Articles…

Categories …

Tags

RSS darkreading

RSS Full Disclosure

  • Microsoft leak of PlayReady developer / Warbird libs June 21, 2024
    Posted by Security Explorations on Jun 21Hello All, On Jun 11, 2024 Microsoft engineer posted on a public forum information about a crash experienced with Apple TV service on a Surface Pro 9 device [1]. The post had an attachment - a 771MB file (4GB unpacked), which leaked internal code (260+ files [2]) pertaining to […]
  • Business Logic Flaw and Username Enumeration in spa-cartcmsv1.9.0.6 June 16, 2024
    Posted by Andrey Stoykov on Jun 15# Exploit Title: Business Logic Flaw and Username Enumeration in spa-cartcmsv1.9.0.6 # Date: 6/2024 # Exploit Author: Andrey Stoykov # Version: 1.9.0.6 # Tested on: Ubuntu 22.04 # Blog: https://msecureltd.blogspot.com/2024/04/friday-fun-pentest-series-5-spa.html Description - It was found that the application suffers from business logic flaw - Additionally the application is vulnerable […]
  • APPLE-SA-06-10-2024-1 visionOS 1.2 June 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Jun 11APPLE-SA-06-10-2024-1 visionOS 1.2 visionOS 1.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT214108. Apple maintains a Security Releases page at https://support.apple.com/HT201222 which lists recent software updates with security advisories. CoreMedia Available for: Apple Vision Pro Impact: An app may be […]
  • CyberDanube Security Research 20240604-0 | Multiple Vulnerabilities in utnserver Pro/ProMAX/INU-100 June 9, 2024
    Posted by Thomas Weber via Fulldisclosure on Jun 09CyberDanube Security Research 20240604-0 ------------------------------------------------------------------------------- title| Multiple Vulnerabilities product| SEH utnserver Pro/ProMAX / INU-100 vulnerable version| 20.1.22 fixed version| 20.1.28 CVE number| CVE-2024-5420, CVE-2024-5421, CVE-2024-5422 impact| High homepage| https://www.seh-technology.com/...
  • SEC Consult SA-20240606-0 :: Multiple critical vulnerabilities in Kiuwan SAST on-premise (KOP) & cloud/SaaS & Kiuwan Local Analyzer (KLA) June 9, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jun 09SEC Consult Vulnerability Lab Security Advisory < 20240606-0 > ======================================================================= title: Multiple critical vulnerabilities product: Kiuwan SAST on-premise (KOP) & cloud/SaaS Kiuwan Local Analyzer (KLA) vulnerable version: Kiuwan SAST
  • Blind SQL Injection - fengofficev3.11.1.2 June 9, 2024
    Posted by Andrey Stoykov on Jun 09# Exploit Title: FengOffice - Blind SQL Injection # Date: 06/2024 # Exploit Author: Andrey Stoykov # Version: 3.11.1.2 # Tested on: Ubuntu 22.04 # Blog: https://msecureltd.blogspot.com/2024/05/friday-fun-pentest-series-6.html Steps to Reproduce: 1. Login to application 2. Click on "Workspaces" 3. Copy full URL 4. Paste the HTTP GET request into […]
  • Trojan.Win32.DarkGateLoader (multi variants) / Arbitrary Code Execution June 9, 2024
    Posted by malvuln on Jun 09Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/afe012ed0d96abfe869b9e26ea375824.txt Contact: malvuln13 () gmail com Media: x.com/malvuln Threat: Trojan.Win32.DarkGateLoader (multi variants) Vulnerability: Arbitrary Code Execution Description: Multiple variants of this malware look for and execute x32-bit "urlmon.dll" PE file in its current directory. Therefore, we can...
  • SQL Injection Vulnerability in Boelter Blue System Management (version 1.3) June 9, 2024
    Posted by InfoSec-DB via Fulldisclosure on Jun 09Exploit Title: SQL Injection Vulnerability in Boelter Blue System Management (version 1.3) Google Dork: inurl:"Powered by Boelter Blue" Date: 2024-06-04 Exploit Author: CBKB (DeadlyData, R4d1x) Vendor Homepage: https://www.boelterblue.com Software Link: https://play.google.com/store/apps/details?id=com.anchor5digital.anchor5adminapp&hl=en_US Version: 1.3 Tested on: Linux Debian 9 (stretch), Apache 2.4.25, MySQL >= 5.0.12 CVE:...
  • CyberDanube Security Research 20240528-0 | Multiple Vulnerabilities in ORing IAP-420 May 30, 2024
    Posted by Thomas Weber via Fulldisclosure on May 29CyberDanube Security Research 20240528-0 ------------------------------------------------------------------------------- title| Multiple Vulnerabilities product| ORing IAP-420 vulnerable version| 2.01e fixed version| - CVE number| CVE-2024-5410, CVE-2024-5411 impact| High homepage| https://oringnet.com/ found| 2024-01-19 by| T. Weber...
  • HNS-2024-06 - HN Security Advisory - Multiple vulnerabilities in Eclipse ThreadX May 30, 2024
    Posted by Marco Ivaldi on May 29Hi, Please find attached a security advisory that describes multiple vulnerabilities we discovered in Eclipse ThreadX (aka Azure RTOS). * Title: Multiple vulnerabilities in Eclipse ThreadX * OS: Eclipse ThreadX < 6.4.0 * Author: Marco Ivaldi * Date: 2024-05-28 * CVE IDs and severity: * CVE-2024-2214 - High - […]

Customers

Newsletter

{subscription_form_1}