ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting
6. Cybersecurity in Other Regulations

6.1 Cybersecurity and Data Protection

Italy enforces strict cybersecurity obligations under the GDPR and national data protection laws. These rules require organisations processing personal data to implement technical and organisational security measures to prevent data breaches, unauthorised access and cyberthreats.

Key Cybersecurity Obligations Under the GDPR

Risk-based security measures (Article 32, GDPR)
Organisations must implement appropriate technical and organisational security measures based on data sensitivity and processing risks. Required measures include:
• data encryption and pseudonymisation to protect personal information;
• access controls and multi-factor authentication (MFA) to limit unauthorised access; and
• regular cybersecurity audits and vulnerability assessments.

Data breach notification (Articles 33 & 34, GDPR)
Organisations must report personal data breaches to the GPDP within 72 hours. If the breach poses a high risk to individuals, the organisation must also notify affected data subjects without delay.

Security of processing (Article 25, GDPR – Privacy by Design and by Default)
Organisations must integrate cybersecurity protections from the outset of data-processing activities. Systems must be configured to minimise data collection, restrict access and ensure secure storage.

Third-party risk management
Companies using cloud services, external data processors or ICT vendors must ensure contractual compliance with GDPR security requirements. Data-processing agreements (DPAs) must include security guarantees, incident-reporting procedures and compliance obligations.

Enforcement and Penalties for Non-Compliance
Severe GDPR fines apply for cybersecurity failures:
• up to EUR20 million or 4% of global turnover for major violations; and
• additional penalties for failing to report data breaches or lack of adequate security measures.
The GPDP conducts security audits, issues compliance orders and enforces corrective measures.

Conclusion
Italy’s data protection cybersecurity obligations require organisations to implement strong security controls, monitor risks and report breaches. Failure to comply can result in significant financial penalties and regulatory actions, reinforcing Italy’s national and EU-wide cybersecurity defences.