This site uses cookies for its functionality, if you want to learn more or opt out of all or some cookies href="/ita/pag/informativa_cookies_privacy/70/">click here.
By closing this banner or clicking any of its elements, you consent to the use of cookies.

GDPR UE 679/2016


The activity consists in the analysis of the privacy system implemented in the company (ex Legislative Decree 196/03) and in the indication of the measures to be adopted in light of the new European Regulation (EU) 2016/679. The European Privacy Regulation UE / 2016/679 (GDPR) entered into force on 25 May 2016 and the deadline to comply with the new privacy obligations is set for 25 May 2018.

Risk Assessment As Is (d. Lgs. 196/03)

The performance of this service consists in the knowledge of the business context through the following activities:
  1. Census of treatments
    • Identification of the personal data banks (personal data) and the purposes associated with them.
  2. Analysis and definition of subjective roles
    • Verification of the actual responsibilities through the analysis of the powers of attorney and of the proxies.

The realization of the previous activities, carried out through interviews and document analysis, allows a verification to be carried out:

  • on the information in use for the interested parties (employees, suppliers, customers, curricula, etc.);
  • on the consents requested;
  • on existing appointment letters;
  • on documents used for data communication for outsourced services, including data transfer abroad;
  • on security measures to implement;
  • on the formalities required by the General Provisions of the Authority for the protection of personal data (System Administrator, Video Surveillance, Guidelines, Internet and e-mail, etc.).

At the end of the check, an assessment will be prepared that identifies any aspects that need to be implemented or that can be improved to ensure that the processing of personal data complies with the provisions of Legislative Decree 196/03.

Risk analysis European Regulation (UE) 2016/679

The Regulation aims to respond to the challenges posed by technological developments and new models of economic growth, taking into account the need to protect personal data increasingly perceived by citizens of European Union countries.

The Regulation promotes the accountability (accountability) of the data controllers and the adoption of approaches and policies that constantly take into account the risk that a particular processing of personal data may entail for the rights and freedoms of those concerned: a risk-based approach which rewards the most responsible subjects.

The key principle is "privacy by design", that is to guarantee data protection from the planning and design phase of a data processing or a system, and to adopt behaviors that prevent possible problems.

The realization of the present phase foresees the identification of the normative fulfilments foreseen by the Regulation and applicable to the company reality.

Gap analysis between Risk assessment As Is and European Regulation (EU) 2016/679

On the basis of the information gathered in the previous points ("Risk Assessment As Is" and "Risk analysis Regulation (EU) 2016/679"), a report is drawn up to identify the missing elements to ensure that the processing of personal data is compliant as provided for by the New Regulation (EU) 2016/679 and therefore the areas on which the company must intervene to ensure such compliance.

List of actions to be implemented for adaptation to the European Regulation (EU) 2016/679

At the end a list of the actions to be implemented is provided to ensure compliance with the European Regulation (EU) 2016/679, for example:

  • identification of the need to modify the documentation used;
  • identification of the need to draw up the Register of privacy data processing pursuant to art. 30.
  • identification of the need to adapt company procedures (for example, "Procedure for testing, verifying and regularly assessing the effectiveness of technical and organizational measures in order to guarantee the security of data processing" pursuant to Article 32, "Data Breach Notification "pursuant to Article 33);
  • identification of the need to carry out an impact assessment pursuant to art. 35;
  • identification of the need to perform conformity assessment for new products or services, ("data protection by design" and "data protection by default";
  • identification of the need to identify the person in charge of data protection - DPO pursuant to art. 37.

Drafting of the documentation and final presentation

Sharing with the managers of the documentation produced, approval by the same and final presentation of the results of the privacy system.


Information Security - ISO 27001


The consulting projects are carried out through the use of the Secure Information module ISO 27001 of the KRC®  platform.

The KRC® flow ISO 27001 adopts a model that provides for the definition of the following entities: Processes, assets, layouts, miancances, controls

The risk assessment dimensions of each asset covered by the algorithm are:

  • Confidentiality, defines the consequences that the administration would suffer in case the data processed by the service are disclosed to unauthorized persons
  • Integrity, defines the consequences that the administration would suffer if the service provides incorrect or inconsistent data
  • Availability, defines the consequences that the administration would suffer if the service in question is interrupted


The probability of occurrence of the threats is expressed in terms of the average time between two consecutive events (MTBO, Mean Time Between Occurrences), by means of a numerical scale from 0 to 5.

The impact, ie the extent of the consequences following a damaging event, with the same scale the levels of effectiveness of the Controls are also quantified. The implementation and planning values of the countermeasures are represented by the scale expressed in %.


Layouts are organized according to a hierarchical tree structure. The hierarchical logic is not necessarily that of the physical structure, but in most cases it is the most appropriate to adopt. The layout tree is shared with other flows in KRC® and in the case of flow 27001 it is used to contextualise specific Assets at a given location.

The Controls are classified according to a three-level hierarchical model, which distinguishes Clauses, containing Control Objectives that eventually host the individual Controls. Hierarchical division is only for classification purposes and does not affect the functioning of the algorithm.

The control structure provided with the flow is intended as a starting point and can be extended, modified or completely rewritten.

The list of threats provided with the flow is intended as a starting point and can be extended, modified or completely rewritten. Includes the following fields:

  • Title, name of the Threat
  • Description, extended description
  • Impact, declined for Confidentiality, Integrity and Availability and expressed according to the scale of impact quantification
  • Probability, expressed according to the probability quantification scale
  • Applicable controls, list of Controls acting on the Threat in question, for which the impact and probability reduction effectiveness vectors are reported for each.

Assets are organized according to a hierarchical tree structure. This organization is used by the evaluation algorithm in order to simplify the modeling of Threats (and of the relative Controls) by making the hierarchically dependent Assets inherit the Threats associated with the father (the father of the father and the whole hierarchy to rise).

In the case a child needs to describe specific threats or levels of application of Controls other than those inherited, it is possible to specify them explicitly and these overlapping values ​​will be used to those inherited.

The hierarchical structure of the Assets should therefore not be defined on the basis of necessarily "physical" or connection criteria, but also on the basis of optimization criteria in the definition and maintenance of the model of application of the Threats and related Controls.

Assets that need to define specific Threats (and related Controls) can be specified through an identification card composed of the fields:

  • Asset, chosen among those defined in the hierarchical structure
  • Optional layout, chosen among those defined in the dedicated hierarchical structure; the specification of a Layout allows to identify the Asset specifically for its physical location (the hierarchy of inherited Threats and Controls is acquired, but the definitions associated to the eventual card referring to the same Asset but without associated Layout are not considered)
  • Threats, list of associated threats and relative probability for each of these.

The card contains a tile that shows the set (union) of the Controls associated with the selected Threats. For each Control it is possible to specify the level of implementation and programming.

Processes are represented through a hierarchical tree structure. On each node are associated the Assets that contribute to the delivery; also in this case the hierarchical inheritance rule applies: Assets that are associated with a higher level are considered by the algorithm as inherited during the evaluation of the lower levels.

Processes can be associated with nodes of the layout structure. In this case the Assets specifically defined for that Layout will be evaluated, if present, if absent the Generic Assets will be evaluated, ie without Layout.

The Business Impact Analysis (BIA) is fundamental for risk analysis; this activity has the purpose to determine the consequences deriving from the occurrence of a critical event to evaluate the impact of this event on the Process and, ultimately, on the operation of the administration.

For each of the Process activities to be evaluated (leaves) the sensitivity (pain threshold) must be defined for the three dimensions of impact: Confidentiality, Integrity, Availability.

The risk is calculated starting from the Elementary Risk, ie the risk profile of Processes and Assets without the application of any countermeasure.

Current Risk is the risk profile of Processes and Assets with the countermeasures applied up to the time of the analysis. The Planned Risk is the risk profile of Processes and Assets of at the end of the application of risk data processing plans. When the values of impact (I) and probability (P) are represented on matrices (HeatMap) the values are discretized on the respective scales according to the mathematical rounding criterion. Discrete scale of the risk R = P x I.