Security and Data Protection

Technical and Legal Support to protect Data and Security of your business is an experienced partner in the field of Data Security, in technological, procedural and regulatory terms, ready to guarantee you the utmost peace of mind on the path to adopting all the necessary and substantial elements of regulatory compliance. It also helps your business to identify the risks and limits of your IT system.


Our consultancy includes risk analysis, documentation writing, infrastructure adjustment and staff training. It also includes the designation of an internal staff member as DPO or Head of IT Security.


The steps to adopt GDPR procedures are:
1) Risk Analysis;
2) Appoint the persons responsible (such as the DPO);
3) Certify and update the adopted procedures;
4) Adjust Infrastructures;
5) Staff training;
6) Inform the Authorities in case of a data breach.

Roadmap to compliance: consultancy

1) Kick-Off
2) Starting Assessment
3) Risk Assessment
4) Gap Analysis
5) DPIA Delivery
6) Awareness and Nomination

GDPR Compliance – Phase One

Preliminary meeting with Management and Stakeholders;

Detection of critical areas, according to targets.


Analysis and Mapping

Data Mapping;

Risk Analysis;

Privacy Impact Assessment on processes and projects;

Gap Analysis of procedures and IT System.



Roadmap of skills and roles;

DPO designation (analysis);

Priority definition;

Timetable definition;

Definition of the necessary Documentation.



Controller, Data Processor and DPO designation;

Documentation writing;

Records of Processing Activities;

Supervision of interventions;

Consultancy and training.

SECURITY CERTIFICATION AND PARTNER S.p.A. is compliant with the ISO/IEC 27001:2013, 27017:2015 and 27018:2019 standards, which define the requirements for an ISMS (Information Security Management System); it is a Fortinet Silver Partner and its staff holds these certifications: NSE7, NSE4, NSE3, NSE2, NSE1.

The General Data Protection Regulation (GDPR), EU Regulation 2016/679, is the European Union's response to the exponential growth of technology in everyday life. The GDPR was approved in April 2016 by its member states and it became law on 25 May 2018.


The GDPR introduces new duties and sanctions that require the adoption of specific measures; companies have to direct their investments towards procedural and IT instruments compliant with the new regulation, such as the drafting of a Data Protection Impact Assessment (DPIA) and an Audit to support a coherent gap analysis.


GDPR: to whom does it apply?

  • GDPR application does not depend on the size of the company, but on the processing activities carried out;
  • Activities that present high risks which can affect the rights and freedoms of third parties, from SMEs up to Enterprises, are subject to the procedures and provisions of the Regulation;
  • In case of large-scale processing of data.



Sanctions up to €20 million or 4% of worldwide revenues. Now extended to a wider territorial area, with impact also on non-EU companies;


Data Breach. Mandatory notification within 72 hours (art. 29);


Privacy By Design. The Data Controller has to implement appropriate technical and organizational measures to guarantee that, by default, only the personal data necessary for each specific purpose of processing are processed;


Code of Conduct. The Data Processor’s acceptance of the approved Code of Conduct can be considered a sufficient guarantee.

Data Processor Officer (DPO): choose


The GDPR introduces the concept of «Data Processor», distinguishing it from the «Data Controller». The «controller» is the entity that determines the purposes, conditions and means of processing personal data, while the «processor» is the one who processes personal data on behalf of the controller.


The Data Processor is a role covered by the majority of Cloud Service Providers. Until some time ago the EU Directive obliged and subjected only the Data Controller to sanctions; with the GDPR the Data Processor is also required to implement the technical and organizational measures needed to comply with the Regulation itself, as identified by the Data Controller, in all cases in which personal data processing is entrusted to third parties.


DPO: who is obliged to have one
– Public Authorities;
– Organizations that carry out systematic monitoring on a large scale;
– Organizations that process sensitive personal data on a large scale;


Who is the DPO
– He is an external professional, in terms of autonomy and impartiality, who assists the controller in his legal tasks (independence, authority, management expertise: as set out in art. 38 and 39);
– He DOES NOT replace the Controller, who remains effectively responsible for compliance with the GDPR;
– He must NOT be the «controller» of one of the processes (e.g. NOT the HR Manager, nor the IT Manager);
– He must not be an employee on a fixed-term contract;
– He must not be supervised by a director, but must report directly to Top Management;


What does the DPO do
– He draws up and updates the DPIA;
– He carries out Audits and raises awareness among staff;
– He advises the Controller and the Processor on their tasks under the GDPR;
– He receives notices from data subjects affected by the processing and handles the information himself;
– He coordinates meetings about Data Protection;
– He cooperates with the Authorities;
– He must have his own independence and his own budget;
– He must have the possibility to carry out an audit;
– He must have access to resources for his own training and that of the staff.


The role should have a minimum duration of two years and a maximum of 5 years, with renewal and conditions rigorously defined, and revocation only in extremely serious cases. is the right choice for Data Processor Officer of Private Companies and Public Administrations


How is your data managed in your business? Is your IT Infrastructure safe? Find out!


Fill out the form and you will be contacted for a technological and legal consultancy.

