Security and Data Protection

T.net is an experienced partner in the field of Data Security, both in technological and procedural terms and regulations, ready to guarantee you the utmost peace of mind in addressing the path of adoption of all the necessary and substantial elements of regulatory compliance. Moreover T.net helps your business to find risks and limits of your IT System.

Our consultancy includes risk analysis, documentation writing, infrastructures adjustment and staff training. And then it includes also designation an internal staff person as DPO or Head of IT Security.

Steps to adopt GDPR procedures are: 1) Risk Analysis; 2)  Appoint the persons responsible (as DPO); 3) Certificate and update adopted procedures; 4) Adjust Infrastructures; 5) Staff training; 6) Inform Authorities, in case of data breach.

GDPR Compliance – Phase One

1

Preliminar

Preliminar meeting with
Management and Stakeholders;

Detecting of critical areas,
according to targets.

2

Analysis and Mapping

Data Mapping;

Risk Analysis;

Impact Assessment Privacy on processes and projects;

Gap Analyss of procedures and IT System.

3

Roadmap

Roadmap skills and roles;

DPO designation (analysis);

Priority definition;

Timetable definition;

Necessary Documentation definition.

4

Execution

Controller, Data Processor, DPO designation;

Documentation writing;

Records of processing Activities;

Supervisions of interventions;

Consultancy and training.

SECURITY CERTIFICATION AND PARTNER

T.net S.p.A. is compliant with the ISO/IEC 27001:2013, 27017:2015 and 27018:2019 standard, which defines the requirements for ISMS (Information Security Management System)

T.net is Fortinet Silver Partner and its staff has these certifications: NSE7, NSE4, NSE3, NSE2, NSE1.

The General Data Protection Regulation (GDPR) – UE Regulation 2016/679 is the response of European Union to the exponential increase of technology in everyday life. The GDPR was approved in April 2016 by its member states and it became law on the 25 of May of 2018.

The GDPR introduces new duties and sanctions that oblige to adopt some specific measures; Companies have to address their investments to procedural and IT instruments compliant to the new regulation, such as the composition of a Data Protection Impact Assessment (DPIA) and an Audit to face a coherent gap analysis.

GDPR: to whom it applies?

• GDPR application does not depend on the dimension of the company, but on the processing activities carried out;
• Activities that disclose high risks that can influence freedom of rights of third parties, from SME up to Enterprises, are subject of procedures and prevision of Regulation;
• In case of large scale processing of data.

Data Processor Officer (DPO): choose T.net

The GDPR introduces the concept of «Data Processor», distinguishing it from the «Data Controller». The «controller» is the entity that establishes the purposes, the conditions and the processing means of personal data, while the «processor» is the one who processes personal data on behalf of controller.

The Data Processor is a role covered from the majority of Cloud Service Providers. Until some time ago the EU Directive obliged and subjected only the Data Controller to sanctions; with the GDPR the Data processor is committed to implement technical and organizational measures to be compliant to the Regulation itself, as identified by the Data Controller and in all the cases in which personal data processing is entrusted to third parties.

DPO, who is obliged to have one:
– Public Authorities;
– The organizations who carry out systematic monitoring on a large scale;
– The organizations who develop personal sensitive data processing on a large scale;

Who is the DPO
– He is an external professional, in terms of autonomy and impartiality, who helps the controller in his legal task (independence, authority, manager expertise: as shown in art. 38 and 39);
– He DOES NOT substitute the Controller, who is the effective responsible of compliance to GDPR;
– He HAS NOT to be a «controller» of one of the processes (e. g. NOT the HR Manager, nor the IT Manager);
– He has not to be an employee with a fixed-term contract;
– He has not to be supervised by a director, but he has to have a direct confrontation with the Top Management;

What does DPO do
– He composes and updates the DPIA;
– He carries out Audits and «sensitizes» the human resources;
– He suggests the Controller and the Processor about their tasks related to GDPR;
– He receives notices from people interested by data processing and processes the information itself;
– He coordinates meetings about Data Protection;
– He cooperates with Authorities;
– He has to have his own independence and his own budget;
– He has to have the chance to carry out an audit;
– He has to have the chance to access resources for his own training and the one of human resources.

The role should have a two years minimum duration and a maximum one of 5 years, with a renewal and conditions rigorously identified for the revocation only in extremely serious cases.

T.net is the right choice for Data Processor Officer of Private Companies and Public Administrations