Privacy: consultancy services to ensure compliance with the European Regulation 679/2016 (GDPR) regarding the protection of personal data
The objective of the privacy division is to help companies adapt to the GDPR through two main phases: the master plan and the implementation of the required changes.
Sernet methodology for the GDPR
Years ago, Sernet established a Privacy Competence Centre with a cross-functional approach, open to contributions from a network of privacy specialists qualified in the methodology (organizational, technological and legal areas).
The Privacy Competence Centre keeps the solutions delivered to Sernet clients up to date with the GDPR, the Personal Data Protection Code and the measures issued by the Authority, monitoring regulatory developments and implementing best market practices according to ISO and UNI standards on information security and data protection (e.g. ISO 27018 on personal data protection, UNI 11697 on professional profiles for personal data protection management).
Sernet has been working on European privacy since 2016, proposing a specific planning method (the Master Plan) for GDPR implementation, promoted through workshops and webinars, and delivering projects for major companies in various sectors (chemicals, IT services, brokerage and insurance outsourcing, trade and distribution, publishing, etc.).
Sernet consultants have also developed and delivered training sessions for industry associations (for example AIEA, Clusit, ClubTI, Assintel, Asseprim) and for major training organizations (e.g. IPSOA) on Privacy/GDPR and information security topics.
The activities carried out in GDPR implementation projects cover the main changes introduced by the European privacy regulation:
- Data protection by design and by default (privacy by design and by default);
- Identification and updating of the new rights of data subjects;
- Data Protection Impact Assessment (DPIA) for new processing operations, where required, with the application of data protection measures appropriate to the risk;
- Periodic preliminary assessments of the security risk to personal data;
- Notification of data breaches to the supervisory authority (data breach notification);
- Appointment of the Data Protection Officer (DPO), where applicable;
- Updating of the specific registers documenting the processing performed by the Data Controller, where required.
The GDPR Management System designed by Sernet is divided into six sections that make up the GDPR System Manual:
- Business context
- Register of processing activities
- Governance of the Privacy system
- Risk, security and privacy measures
- Personal data breaches
- Training, improvement and audit
Based on the contents of the Regulation, the publications of the data protection authorities and its project experience, Sernet has prepared a set of operational tools for GDPR implementation projects:
- Master Plan checklist
- GDPR System Manual
- Tool for the Register of Processing Activities
- Methodology and tools for security risk analysis
- Tool for impact assessment
- Template documents (privacy notices and appointment letters)
Sernet has been qualified by an independent and multidisciplinary Evaluation Committee, together with three other consulting firms, to act as DPO for the Assintel member companies that request it.
Consulting for the activation of corporate ICT security services
The evolving technological landscape, new business models and technologies, increasingly sophisticated attacks and external threats all require companies to adopt proper IT security analysis procedures.
The objective of this business unit is to deliver efficient and secure ICT security services, in line with best practices and business needs and consistent with risk assessments and current regulations, through ICT governance, risk management, audit and business continuity projects, adopting best practices and ISO-certified management systems.
The qualifications of Sernet consultants
Sernet consultants hold AIEA CISA, COBIT 5 Foundation, COBIT 5 PAM Assessor, ITIL Foundation, and ISO 27001 and ISO 20000 Lead Auditor certifications.
These certifications guarantee an effective and complete service to customers who turn to Sernet for ICT security. They also give access to public and private tenders, which generally require documentation verifying the quality and standing of the supplier.
Expertise and services
- ICT security & compliance
Sernet offers a consultancy service on corporate IT security and support for compliance with the main regulations, standards and certifications in the ICT Security & Business Continuity sector. Through an in-depth audit and risk evaluation process, Sernet identifies the best route for a company to achieve regulatory compliance, accompanying it at every step through to final certification (where requested).
Sernet also offers specific support on Application Security to clients whose company information systems have strong business and privacy relevance, since Application Security is one of the keys to countering attacks and one of the most important data protection measures under the GDPR (EU Regulation 679/2016). Sernet advocates a holistic approach to Application Security focused on company organization (roles and skills), application development, project and change management, risk evaluation and, not least, ICT infrastructure security and the most appropriate technologies to prevent attacks.
These services include:
- Information security, ISO 27001 and PCI DSS compliance
Sernet assists companies in the ISO 27001 (Information Security Management System) certification process and in PCI DSS compliance, the Payment Card Industry Data Security Standard that secures payment systems and protects credit and debit cardholders.
- Cloud security and ISO 27017 / ISO 27018 compliance
The spread of cloud computing, i.e. the use of shared IT resources for the transmission and storage of data across many devices, has required the development of specific protection measures, which are embodied in the cloud security service. These procedures help companies comply with specific certifications (STAR BSI / CSA, ISO 27017, ISO 27018) and prepare for the annual surveillance audits.
- Business continuity and compliance with ISO 22301
Sernet helps companies implement Business Continuity Management, i.e. the set of procedures that guarantee operational continuity in case of unforeseen events. Sernet also supports companies in the adaptation process needed to obtain the related ISO 22301 certification (Business Continuity Management System).
- ICT governance (COBIT PAM)
The COBIT 5 PAM service evaluates the "capability level" of companies in applying ICT processes, through a specific methodology that assigns a summary rating from 0 to 5 (the maximum capability level), considering both the actual presence of the processes and the completeness and depth of their application.
- ICT service management (ITIL and ISO 20000)
Sernet performs a gap analysis of the Service Management processes addressed by the ISO 20000 standard (and ITIL) to highlight where the company's IT processes need improvement. Projects are then implemented to develop and update the policies and procedures for IT services, conducting periodic internal audits and providing support during Certification Body inspections.
ACI Global | Banca Intesa Sanpaolo | Basf Italia | CNP Unicredit Vita | Corvallis | Costa Crociere | Editoriale San Paolo | Fastweb | Fratelli Carli | Gilardoni | Gruppo Wuerth | Il Sole 24 Ore | Intesys | ITO Finance | SEV | SNAI | SPB Italia | Tagetik | Zucchetti