Conventions and conferences of Alessandro Del Ninno

Cybersecurity and personal data processing: putting the GDPR into practice within corporate IT departments.

Conference organized by Paradigma S.p.A. for Finlombarda S.p.A. - Rome, 16 February 2026.

Attorney Alessandro del Ninno’s conference addresses, with a practical and operational approach, the IT and security aspects of personal data processing, outlining a structured path that links risk management to the design of effective security policies and to the implementation of technical and organisational measures that can be applied in practice. The session explores the concrete implementation of Article 32 GDPR, understood as a methodological benchmark for selecting, deploying and documenting “appropriate” measures in light of the context, the state of the art and the level of risk, and highlights the practical guidance provided by the EDPB Guidelines 4/2019—especially the related security policy checklist—as a tool for assessment and continuous improvement. Significant attention is devoted to personal data breaches under Articles 33 and 34 GDPR, focusing on how to draft and operationalise an effective Data Breach Procedure: incident qualification, containment, information gathering, decisions on notification and communication, and the organisation of evidence and audit trails. The framework is then extended to business continuity and resilience, illustrating the areas of convergence between the GDPR, the DORA Regulation and the NIS2 Directive in protecting the integrity, availability, confidentiality and accessibility of both personal and non-personal data in light of evolving regulatory requirements. The conference concludes with ICT supplier contracting, providing guidance on accountability, audit clauses and control safeguards throughout the supply chain, to ensure that contractual commitments are aligned with security requirements and with the controller’s ability to demonstrate compliance.
