The GDPR and AGID's minimum measures for data protection: security and legal obligations, Slides from the course Elementi di Informatica

Overview of the GDPR and of the ICT security measures that AGID lays down for public administrations (PA). The GDPR regulates the processing of personal data of EU residents. The ICT security measures are mandatory for the PA in order to protect data and respect the rights of data subjects. Covered: the basic principles of the GDPR, the sanctions for violations and the rights of data subjects; and, for the PA, the ICT security measures: inventory of devices and software, protection of configurations, vulnerability assessment, administrator privileges and malware defence.

Type: Slides

2019/2020

Uploaded on 27/10/2020

Chiara_Rippa

THE GDPR AND THE AGID MINIMUM SECURITY MEASURES

Franco Sivilli


THE GDPR

Where? Wherever. It applies to EU-based organisations, and it extends the scope of EU data protection law to all foreign companies processing the data of EU residents. Who? [..] the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not, and [..] data subjects who are in the Union, by a controller or processor not established in the Union, where the offering of goods or services or the monitoring takes place within the Union. Changes? This is not a directive, this is a regulation: it does not require any enabling legislation to be passed by national governments and applies directly in every Member State.

EU GDPR FAQ


How? Companies need to do everything they can to process data securely (data protection by design and by default): the controller shall implement appropriate technical and organisational measures. Personal data? Personal data is any information relating to an identified or identifiable individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites or medical information to a computer's IP address.

Sanctions

  • (Article 83 par. 4) Up to 10,000,000 EUR or, in the case of an enterprise, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
  • (Article 83 par. 5, 6) Up to 20,000,000 EUR or, in the case of an enterprise, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Rights of the data subject

  • Art. 12 - Transparent information and communication: the controller shall take appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. [..] The controller shall provide information on action taken on a request within one month of receipt of the request.
  • Art. 15 - Right of access: the right to obtain from the controller confirmation as to whether or not personal data concerning the data subject are being processed and, where that is the case, access to the personal data.
  • Art. 16 - Right to rectification: the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data.

Accountability and Data Protection

Art. 24 - Responsibility of the controller: the controller shall implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

Art. 25 - Data protection by design and by default: the controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

Data Protection Officer (DPO Art. 37)

Mandatory appointment:

  • The processing is carried out by a public authority or body (except courts acting in their judicial capacity), which is the case for the public administrations addressed by the AGID measures.
  • Core business activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of sensitive (special-category) personal data.
  • Applies to both controllers and processors.
  • EU Member States may introduce broader DPO requirements.
  • The DPO is formally tasked with ensuring that the organisation is aware of, and complies with, its data protection responsibilities.
  • The DPO enjoys significant independence in performing these tasks: no instructions regarding them, and no dismissal or other disciplinary action for performing them.

Breach Notification

Art. 33 - Notification of a personal data breach to the supervisory authority: in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. A notification made after 72 hours must be accompanied by the reasons for the delay.

Art. 34 - Communication of a personal data breach to the data subject: when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

State of the art. The term matters because the GDPR (Art. 25 and Art. 32) requires technical and organisational measures to be chosen "taking into account the state of the art".

Dictionary: the latest and most sophisticated or advanced stage of a technology, art, or science. Cambridge dictionary: very modern and using the most recent ideas and methods ("a state-of-the-art computer"; "the control panel uses all the newest technology and is considered state-of-the-art"). Dizionari Corriere: "di altissimo livello, di punta, modernissimo, avanzato" (of the highest level, leading-edge, very modern, advanced). Italian Wikipedia: the phrase "stato dell'arte" derives from the English expression "state of the art", but has a different meaning from the original; in Italian the concept of "regola dell'arte" (or "regola d'arte", the rule of the trade, i.e. workmanlike standard) already existed in private contract law.

Pseudonymization versus Anonymization

(Figure: a pseudonymized data record beside an anonymized data record, both for the names Les, Clyde and Marco.)

"Pseudonymization is a method to substitute identifiable data with a reversible, consistent value. Anonymization is the destruction of the identifiable data."
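The following is an added example, not code from the slides, that makes the two definitions above concrete. Pseudonymization keeps a consistent, reversible substitute for each direct identifier (here a keyed HMAC token plus a token-to-value lookup table held only by the key holder; that table is the "additional information kept separately" of GDPR Art. 4(5), and it is why pseudonymized data remain personal data under Recital 26). Anonymization drops the direct identifiers and generalises the quasi-identifiers so that no mapping back exists. The records, the field names and the choice of which fields count as direct identifiers are all constructed assumptions for this example.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict

# Fields that identify a person directly; everything else is treated as
# payload or quasi-identifier. (Assumption made for this example.)
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample records: the first names are the ones on the slide,
# every other value is invented. "Les" appears twice on purpose, so that
# consistency of the pseudonym can be observed.
RECORDS = [
    {"name": "Les",   "email": "les@example.org",   "birth_year": 1984, "city": "Roma",   "diagnosis": "asthma"},
    {"name": "Clyde", "email": "clyde@example.org", "birth_year": 1979, "city": "Milano", "diagnosis": "diabetes"},
    {"name": "Marco", "email": "marco@example.org", "birth_year": 1984, "city": "Roma",   "diagnosis": "asthma"},
    {"name": "Les",   "email": "les@example.org",   "birth_year": 1984, "city": "Roma",   "diagnosis": "allergy"},
]


class Pseudonymizer:
    """Substitutes direct identifiers with a reversible, consistent token.

    The token is an HMAC-SHA256 of the value under a secret key: the same
    value always yields the same token (consistent, so the two 'Les' records
    stay linkable), and without the key nobody can recompute a token to test
    a guessed name against the dataset.  The key holder also records the
    token -> value mapping; that mapping is what makes the process reversible.
    Destroy the mapping and the key, and these fields become anonymized.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._lookup: Dict[str, str] = {}

    def token(self, value: str) -> str:
        digest = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        tag = digest[:16]  # truncated to 64 bits for readability; keep the full digest in production
        self._lookup[tag] = value
        return tag

    def pseudonymize(self, record: Dict[str, Any]) -> Dict[str, Any]:
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            out[field] = self.token(str(record[field]))
        return out

    def reidentify(self, record: Dict[str, Any]) -> Dict[str, Any]:
        """Only the holder of this object (key + lookup table) can do this."""
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            out[field] = self._lookup[record[field]]
        return out


def anonymize(record: Dict[str, Any], year_bucket: int = 10) -> Dict[str, Any]:
    """Destroys the identifying data instead of substituting it.

    Direct identifiers are dropped outright, and birth_year (a quasi-identifier
    that, combined with city, can single people out) is generalised to a decade.
    Nothing is stored that would allow the record to be mapped back.  Whether the
    residual re-identification risk of the whole dataset is low enough is a
    separate assessment (e.g. k-anonymity), not something this function proves.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["birth_year"] = f"{(record['birth_year'] // year_bucket) * year_bucket}s"
    return out


if __name__ == "__main__":
    p = Pseudonymizer(secrets.token_bytes(32))  # fresh key; keep it out of the dataset
    for r in RECORDS:
        print("pseudonymized:", p.pseudonymize(r))
    for r in RECORDS:
        print("anonymized:   ", anonymize(r))
```

Run as a script it prints both views of the four constructed records. The design point is where the risk lives: the pseudonymized dataset is only as safe as the key and the lookup table, so those must be stored separately from the data and under stricter access control, while the anonymized dataset carries no such secret to protect but also can no longer serve any purpose that needs to reach the individual.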

AGID - MINIMUM SECURITY MEASURES

Logic of the minimum requirements

The minimum level is the one to which every public administration, regardless of its nature and size, must be, or must bring itself, compliant. The higher levels represent evolutionary stages that provide more complete protection; they should be adopted right away by the organisations most exposed to risk (for example because of the criticality of the information handled or of the services provided), but should also be treated as improvement targets by all other organisations.

Eight themes, each with multiple requirements

The measures are organised into eight themes (the ABSC, AgID Basic Security Controls, derived from the CIS Critical Security Controls): inventory of authorised and unauthorised devices, inventory of authorised and unauthorised software, secure configurations, continuous vulnerability assessment and remediation, appropriate use of administrator privileges, malware defences, backup copies, and data protection. Every single requirement is classified at one of three levels. The first, "Minimo" (Minimum), specifies the level below which no administration may fall: the controls listed there must be regarded as mandatory. The second, "Standard", can be taken as the reference baseline in most cases, while the third, "Alto" (High), can be regarded as a target to aim for.