Data protection and computer security

Adopting efficient personal data protection measures also has a significant effect on the protection of a company's entire information assets, which are of inestimable value.

Therefore, setting up a computer security system is necessary not only to fulfill a legal obligation but also to defend against the risk of information leakage or theft.

Data protection is a growing need that goes hand in hand with technological development.

The Internet of Things (IoT) brings to market products and services that acquire information without the person knowing it. Robots, in turn, acquire information about the lives of the people they help.

It is no coincidence that Directive 2016/1148/UE NIS (Network and Information system Security), on cybersecurity, which has many points in common with the privacy Regulation, will enter into force on 9 May 2018.

The Regulation also has to be coordinated with other regulations, among which are Dir. 2000/31/CE on electronic commerce, the CoE convention 108/1981 on automatic personal data processing, and art. 7 and 8 of the European Union Charter, which protect private and family life and the respect of personal data.

Data protection and privacy are increasingly two sides of the same coin, to the point that the new term “data protecy” was invented to indicate the protection of data also from the privacy point of view.

Companies need to adopt all the measures required to safeguard themselves and the data they process.

All legal persons operating or wishing to operate in Italian territory, whether or not they are part of the EU, need to evaluate their compliance, through the adoption of the specific organizational Model, with the regulation contained in Legislative Decree 231/2001, in order to counter the risk of facing the very heavy sanctions it provides for.

This regulation, issued in fulfillment of the OECD Convention on corruption of foreign public officials during international commercial operations, signed on December 17, 1997 in Paris, accepts the “respondeat superior” doctrine already in force in the US as a result of the protocol of the Foreign Corrupt Practices Act, then expanded and explained by the 1991 US Federal Sentencing Guidelines and by the Ad hoc Advisory Group in the Organizational Sentencing, which refer, with the sole aim of relieving responsibility, to the concepts of the effectiveness of the organizational model and of the culpability of the organization attenuated by the “existence of effective compliance and ethics program; self-reporting, cooperation, or acceptance of responsibility”.

There are similar regulations, at a worldwide level, in Canada (sections 22.1 and 732.1 -3.1- Canadian Criminal Code), in the UK (Mousell Bros v London and North Western Rly Co [1917] 2 KB 836; Griffiths v Studebakers Ltd [1924] 1 KB 102; Ltd v Woodward [1972] AC 824; Supermarkets v Nattrass [1972] AC 153), in Japan, in Germany (Ordnungswidrigkeiten of 24 May 1968, exclusively for administrative profiles), in Russia (art. 2.10 of the code of administrative malpractices of 20.12.2001) and in France (art. 121-2 French Criminal Code of 1994).

This regulation, which in Italy concerns a wide range of grave misconduct (including environmental crimes, corporate crimes concerning the budget, social communication and the use of social privileged information, crimes against the Public Administration, etc.), also includes crimes closely related to the security and business computer activity sectors and to the processing, lato sensu, of data, information and non-material goods in the business field.

With reference to this specific field, correct compliance with the privacy regulation, through the effective implementation of its normative provisions, constitutes the minimum and essential protection and the starting point for adopting the Model 231 to counter the risk of incurring 231 responsibility for computer crimes and copyright infringement.