Risk management: how Banca IFIS is interpreting the GDPR in the digital era

Laura Quaroni, Head of Privacy & Security, DPO, Business Continuity Manager - Banca IFIS Group

The European “General Data Protection Regulation” (GDPR), which has now been in force for almost two years, has introduced important changes that require significant operational enhancements in how companies handle personal data, even to the extent of having to update the management of the entire company data system. This is a process that is neither immediate nor free of difficulties, and it is putting various organisations to the test. Banca IFIS, however, has already made risk management and the protection of personal data an integral part of its company culture. The more business becomes digital - and this is the trend seen not only in the financial sector - the more it will be necessary to prevent risks.

The changes introduced by the GDPR move in this very direction and promote the accountability of the data controller, who is called on to adopt proactive behaviour and to demonstrate concrete rather than merely formal protection of personal data, for example by adopting an internal documentation system, organisational structures and supervisory systems suited to ensuring compliance. In fact, the GDPR introduces a new way to manage privacy in companies through a number of characteristic elements, such as the new concepts of privacy by design and privacy by default: the adoption of technical and organisational measures that guarantee the principles of data protection from the very outset of the design and implementation of processing systems. This is a change in direction compared to the traditional way of interpreting in-company privacy. Each new project is now required to take on the principles of personal data protection from the start.

This change in direction imposed by the new regulation requires data controllers to analyse the risks to the rights and freedoms of the data subjects arising from new forms of processing before these are carried out, subjecting every activity susceptible to a high level of risk (in terms of the rights and freedoms of the data subjects) to a detailed data protection impact assessment. Last but not least, notifications in the event of a data breach: these are to be made to the Data Protection Authority within 72 hours if a risk to the rights and freedoms of the data subjects is identified, with notification to the data subjects themselves where the identified risks are high. The company must, therefore, plan and implement a structured process for the analysis and management of incidents concerning personal data.

As is the case with other companies, Banca IFIS has set out, and is currently implementing, the process of transition to a digital business model. Projects strongly characterised by digitalisation, however, require a larger quantity of data and information to be stored and managed, and thus call for an approach to security and data protection that differs from traditional forms and is increasingly oriented towards risk mitigation. In Banca IFIS, cybersecurity and data protection specialists are in fact increasingly involved in the various planning initiatives, above all those of a digital nature. The return on investment in cybersecurity initiatives is not easy to quantify and generally does not emerge immediately after new security systems and solutions are implemented.

Unfortunately, information security tends to become visible in companies only once a problem arises. In the case of Banca IFIS, however, there is full awareness not only that information security and data protection are the cornerstones of digitalisation but also that the related return on investment will materialise over the medium to long term. The changes introduced by the European Data Protection Regulation, and in particular the provisions that affect the development of projects (privacy by design and therefore security by design, to name but a few), favour this business culture, allowing a company such as Banca IFIS to offer its clients services and products that are ever more secure and transparent.

The key takeaway from implementing the enhancements and approach described above is that data protection can now be considered from the planning stage. This offers the opportunity to anticipate problems before they emerge, creating a direct link between the increasingly digital business and the data protection strategy and tactics.
