LawBytes #22 – Italian DPIA list and ENISA IoT security guidelines

LawBytes deals with the Italian DPIA list published by the Italian Data Protection Authority and the security guidelines by ENISA on the Internet of Things (IoT).

Privacy – Italian DPIA list published by the Garante

Shortly after France and Ireland, the Italian Supervisory Authority (the Garante) published its list of personal data processing operations which require a Data Protection Impact Assessment pursuant to article 35 of the GDPR.

Taking into account the Opinion adopted by the European Data Protection Board in September, the Italian DPA has amended the first draft producing a (non-exhaustive) list of 12 data processing activities likely to result in high risks to data subjects’ rights, freedoms and interests.

Among the 12 examples, the most interesting of the Italian DPIA list are Nr. 3 and 7 which respectively cover:

• processing of unique identifiers able to identify users of information society services (web services, interactive TV, etc.) including metadata processing, for example in telecommunications, banks, etc. carried out not only for profiling, but more generally for organizational reasons, budget forecasts, technological upgrades, networks improvement, anti-fraud services, antispam, security etc.
• processing involving innovative technologies also with particular organizational measures (e.g. IoT, artificial intelligence systems, on-line voice assistants through voice and textual scanning, monitoring carried out by wearable devices, proximity tracking such as wi-fi tracking) whenever at least one other of the criteria identified in the EPDB DPIA Guidelines is met.

Although the Italian DPIA list is to be considered non-exhaustive and the GDPR shall prevail in any case, this is useful since it provides a good overview on what could be the Authority’s approach as to scenarios where the DPIA is required. The list remains quite broad and might include a large number of scenarios and in absence of more detailed indications our recommendation to clients is to avoid risks and carry out a DPIA also on uncertain scenarios.

On the topic above you may find interesting the article “When and how shall a privacy impact assessment be run?“.

IoT – The ENISA publishes new guidelines on security in the Industry 4.0 sector

The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, assisting member states in implementing relevant EU legislation and working to improve the resilience of Europe’s critical information infrastructure and networks.

On 19 November 2018, ENISA released its “Good Practices for Security of Internet of Things in the context of Smart Manufacturing“. The study aims at addressing the good practices related to the evolution of industrial systems and services precipitated by the introduction of IoT innovations, while mapping the relevant security and privacy challenges, threats, risks and attack scenarios.

The guidelines and security measures listed in this study by ENISA aim at improving the cybersecurity measures of Industry 4.0 organisations that have adopted or plan to adopt industrial IoT devices and solutions that enhance automation in industrial operations.

ENISA reviewed more than 150 resources on Industry 4.0 and IoT security and mapped them against the security measures proposed in the study which, makes a series of contributions, and most notably it

• categorises the Industry 4.0 assets in a comprehensive taxonomy across the manufacturing process and value chain,
• introduces a detailed Industry 4.0 threat taxonomy based on related risks and attack scenarios, and
• lists security measures related to the use of IoT in smart manufacturing and Industry 4.0 and maps them against the threats and affected assets.

As previously expressed in this article “Trust is the backbone of IoT, and there is no shortcut to success”, the backbone of IoT is trust and therefore cybersecurity is the key success factor that could foster Industry 4.0 enabling companies to exploit data safely. Also, read more about the recent cybersecurity obligations provided by the NIS Directive in this article “NIS Directive applicable, is your cybersecurity plan compliant?“.