• This forum is the machine-generated translation of www.cad3d.it/forum1 - the Italian design community. Several terms are not translated correctly.

gdpr... let's talk about it...

Thread starter: GiGa (Guest)
"(Let's talk about it again)" because, strangely, I did not find any other discussions that talk about it, but maybe I was just not able to find them...

The European legislation concerning the protection of personal data has been in force since May of this year.
If you want to avoid the "jackals", who, whenever there are mandatory obligations like these, present themselves as the solvers of all problems at obviously disproportionate prices, the main source of information remains the web (applying the necessary filters)... but you cannot say it is an easy topic, at least as far as the correct practical implementation is concerned.

Most of the information found relates to companies or self-employed/professionals with very sensitive confidential data (doctors, lawyers, accountants, etc.) or who work with private individuals. Very little is found for those who only have to manage some email addresses and some phone numbers of other companies or of some vendors...

I tried to adapt myself, putting in place everything I felt was most correct, but "the mistake in good faith" is always around the corner and for me, a self-employed worker with a VAT number, there are many doubts, perhaps trivial, but, given the possible sanctions, not to be underestimated.
for example:

- working from home, my PC is used "promiscuously" for home and work. This means that, for example, in the address book, in addition to the data of the (very few) customers, I have the collection of 25 and more years of private personal contacts... What do I do with these? From what I understood, in theory I should request consent for the processing of personal data from many of these. Maybe even from people I haven't heard from in 20 years? Okay, I could erase them, but it wouldn't be enough to solve this.

- smartphone issue: more and more of the life of each of us is in there... besides encrypting it and protecting access with PINs and biometric data, what else?

- I'm lucky to work with very few clients, with whose employees I have direct personal contacts... Should I ask the individual employee for consent? The day an employee gives me the email of a colleague I don't know (usually in the form nome.cognome@ditta.it, so it becomes "sensitive data" as it is attributable to the person), should I ask him for consent?

I try to keep the computer system at home in the highest security conditions compatible with a SOHO reality... but it is also well known that, in principle, all networks and all PCs are vulnerable... so if the backup (for example of the Outlook .pst) that I have in the cloud (OneDrive, Google Drive or Dropbox and the like) is compromised, would I be responsible?
The simple solution would be to rely on systems "certified" for GDPR, but the costs would become unsustainable for individual realities as "simple" as mine.

Have any of you "faced" my perplexities? How do you deal with the GDPR?
 
You could add an automatic response every time you receive an email ("accept the processing of personal data etc.") and, when you send one, add it to the signature.
Do not forget that others also hold your personal data.
 
I'm bringing this topic up again because a consultant called me to propose his solution to put me in order, which was limited to selling me a physical firewall between the modem and the network (1300 euros + VAT) and monitoring it remotely for 350 euros/year.

Some additional info is also in this other discussion:
I also did some research on the internet but I understood only two things:

1) 99% of the explanatory links found are from IT consulting companies whose main interest is selling products and services, not clarifying the question

2) to be in order with the GDPR it seems to me that you have to write (and follow) a document in which you describe how the data is processed.

Question:
I see my TIM (fiber) modem already has an integrated firewall. Will it be enough to be in order, at least in this respect? Clearly here we are not dealing with health data, but only with a few emails and telephone numbers.

Every contribution that deepens the topic is welcome anyway.
 
The problem, in my opinion, is that a simple "adaptation" to the GDPR is not enough; insurance cover that responds in case of a breach of the personal data held on the company computers would also be desirable, because however much you use firewalls, antivirus, antimalware, etc., any system is at risk.
I know that some companies buy the complete package (compliance, secured computer network and insurance); I don't know the costs, but I don't think they are small, and then you enter the usual round of annual subscriptions that weigh on costs.

With regard to the promiscuous personal + professional use of computers, I recommend dedicating to the professional activity a computer that is as free as possible of personal data of people not strictly related to the occupation carried out.
 
Is it true that in order to be in order with the GDPR it is not possible to use free protection software (antivirus, firewalls, etc.), but the paid ones must be used?
Not true; this is what those who want to sell their product say. Just think of Facebook, which surely has state-of-the-art protection systems, from which data of 533 million users, 37 million of them in Italy alone, were recently leaked. This means that any system can present vulnerabilities; the possibility of a breach depends, in my opinion, on what value a hacker can attribute to your data archive. Of course, as in the case of Facebook mentioned above, whoever tries to hack millions of accounts for profit will have far greater skills than those who want to try to lock your computer or steal your cell phone with a few names on it, for whom a simple antivirus or other available software can be a sufficient deterrent.

It is also necessary to point out that, according to the requirements of the GDPR, those who must comply cannot limit themselves to certain "formal" obligations (which are also foreseen) but must concretely and effectively take security measures to protect the processing of personal data. The problem is that these measures are not specified; their identification is left to the obliged subjects, according to the principle of self-responsibility. It is useless to look in the GDPR for what to do in practice, since the regulation merely obliges companies to self-responsibility. In light of the GDPR, what must be done to be in order (i.e. GDPR compliant) depends on the type of processing the company intends to carry out with the personal data: the regulation requires that the security measures adopted be "suited" to the processing of personal data. According to the GDPR, what to do in practice is left to the self-assessment of each individual company (for example, the security measures and systems of a hospital must be much more sophisticated than those of a small or micro enterprise without employees that must manage a few hundred names with a low risk level, for which the adoption of a simple antivirus may be sufficient).

However, the fundamental points to be taken into consideration are:
- identify the amount and type of data processed, the procedures and who can access it
- make a risk assessment and draw up a specific document (see example)
- define, draft and disclose the procedure for the management of a breach (see example)
- carry out the data protection impact assessment (DPIA), only if necessary

The two examples I have mentioned above refer to different realities that manage a lot of sensitive data, but they are documents that can be useful as an approach to take stock and adapt them to your own situation. I will not go on further, but I recommend reading "GDPR for small (and very small) enterprises", drafted by a lawyer with a practical sense, which answers many questions about it in a simple way.
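The first two bullet points above (inventory what data is held and assess what to keep) applied to the mixed home/work address book described at the start of the thread, as an added example that is not from the forum: it classifies each contact as a customer contact person, a customer role mailbox or a private contact and flags stale entries for retention review. The customer domains, role mailboxes, retention limit and the sample export are all assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample export of a mixed address book; every value is made up.
SAMPLE_CSV = """name,email,phone,last_contact
Mario Rossi,mario.rossi@ditta.it,+39 02 1234567,2021-03-10
Acme Spa,info@acme-example.it,+39 02 7654321,2020-11-02
Luca Bianchi,luca.b@example-mail.it,,2022-05-20
Anna Verdi,anna.verdi@ditta.it,+39 333 0000000,2019-09-01
Zia Pina,,+39 333 1111111,1999-01-01
"""
REVIEW_DATE = date(2024, 1, 1)  # assumed date of the review

# Assumptions: the freelancer's (few) customer domains, the role mailboxes
# that do not identify a natural person, and a retention limit in years.
CUSTOMER_DOMAINS = {"ditta.it", "acme-example.it"}
ROLE_MAILBOXES = {"info", "sales", "vendite", "amministrazione", "ufficio"}
RETENTION_YEARS = 5


def classify_contact(row, today):
    """Return (category, stale): 'customer_person' for nome.cognome@ditta.it
    style addresses (personal data of an identifiable person), 'customer_generic'
    for a customer role mailbox, 'private' for anything outside the business."""
    local, _, domain = row["email"].strip().lower().partition("@")
    if domain in CUSTOMER_DOMAINS:
        category = "customer_generic" if local in ROLE_MAILBOXES else "customer_person"
    else:
        category = "private"
    # Day clamped to 28 so the cutoff is valid even when today is 29 February.
    cutoff = date(today.year - RETENTION_YEARS, today.month, min(today.day, 28))
    stale = date.fromisoformat(row["last_contact"]) < cutoff
    return category, stale


def inventory(csv_text, today):
    """Minimal record of processing: fields held, per-contact verdict, totals."""
    reader = csv.DictReader(io.StringIO(csv_text))
    contacts = []
    totals = {"customer_person": 0, "customer_generic": 0, "private": 0, "stale": 0}
    for row in reader:
        category, stale = classify_contact(row, today)
        totals[category] += 1
        totals["stale"] += int(stale)
        # Stale entries go to retention review; private ones should leave the work PC.
        action = "review_for_deletion" if stale else (
            "move_off_work_pc" if category == "private" else "keep")
        contacts.append({"name": row["name"], "category": category, "action": action})
    return {"fields_held": reader.fieldnames, "contacts": contacts, "totals": totals}


if __name__ == "__main__":
    report = inventory(SAMPLE_CSV, REVIEW_DATE)
    for c in report["contacts"]:
        print(f"{c['name']:<14} {c['category']:<17} {c['action']}")
    print(report["totals"])
```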
 