On January 27, the interim law decree on urgent measures for simplification and development, known as the “Simplification package,” was adopted by the Italian government. It provides for further amendments to Legislative Decree No. 196 of June 30, 2003 (the Personal Data Protection Code). This is the third change to data protection legislation passed in Italy in the last 12 months. Being an interim rule, the Simplification package must be confirmed by the Parliament within 60 days; otherwise, it will expire with no further effect. At the time of this writing, the Simplification package has also not yet been published in the Italian Official Gazette. As a consequence, the interim rule is formally not yet in force, and we have been provided with a provisional draft only.


However, if confirmed by the Parliament, the Simplification package would introduce significant changes with respect to one important data protection obligation and requirement: the security policy document (DPS). In fact, according to the draft version of Section 47 of the Simplification package, “Paragraph 1, Letter G and even Paragraph 1-bis of Section 34 are deleted,” and “within the technical specifications concerning minimum security measures, referred to in Annex B, Paragraphs from 19 to 19.8 and 26 are cancelled.” Section 34 of the code currently in force provides that personal data processing carried out by electronic means is only allowed if all required minimum security measures are adopted, including “keeping an up-to-date security policy document.”


According to the Simplification package’s amendments, the data controller will no longer have to comply with the duty of keeping and updating the DPS, since such a document would no longer be a minimum security measure that the data controller is required to adopt “in order to ensure a minimum level of personal data protection.”


What such amendments imply


From a practical point of view, the immediate effect of such a change (we recall again that the law decree will come into force only after its publication in the Italian Official Gazette, and then for an interim period of 60 days pending confirmation by the Parliament through the approval of an ad-hoc law) would be the cancellation of the mandatory obligation to draw up, keep and update the DPS on an annual basis by March 31.


Does such a change represent a substantial simplification in terms of security measures?


From a general point of view, yes. Unfortunately, the DPS is just one of the various material activities required, and its deletion does not reduce the level or number of the mandatory requirements, obligations and recommendations provided for by the code with respect to personal data processing and the relevant security measures to be adopted. In other words, each of us is aware of the function of the DPS: it has been, and still is, a sort of summary or snapshot of the privacy policy adopted within and by a company.


Once prepared and rolled out, the DPS is a helpful tool that provides data protection officers, data processors and persons in charge of data processing with useful guidance, listing and collecting all mandatory policies and measures to be adopted.


If the Simplification package is confirmed, the DPS will no longer be required, but the underlying policies, measures, requirements and obligations described in and attached to it will still be. More specifically, we want to point out that, even though the DPS and the related reference section of Annex B of the code would be definitively cancelled, the further legal requirements that the data controller must comply with remain mandatory for all companies.


Can a company definitively set aside the DPS and its content?


The answer is yes in principle but no in practice. In fact, our suggestion is not to definitively set aside a useful and virtuous document like the DPS, especially for those companies that have invested time and money in it for years. Certainly, we will benefit from the abolition of the annual update, as in the future we will no longer be required to update the DPS by March 31 and rush to meet the deadline. But we want to recall once again the purpose of such a document.


The DPS describes the organizational and management structure of the company, provides a clear description of all kinds of personal data processed (common, sensitive or judicial data), and accurately describes all kinds of security measures (organizational, physical, logical and IT-related) that must be adopted by each company. Therefore, even though the DPS may no longer be a mandatory requirement for data controllers in the near future, drafting and updating it remains the optimal way to summarize and consider all the existing security measures within a company. Without it, those measures would be scattered illogically across the different functions of the company, and their review and necessary periodic updating would become time- and cost-consuming activities.


At the same time, it is also the optimal vehicle for allowing the specialized corps of the financial and fiscal police (which are in charge of checking compliance with the provisions of the Data Protection Code) to carry out the due inspections easily, with a strong reduction of the risk of noncompliance for the company.


In conclusion, our opinion is that Section 47, Letters B and C of the Simplification package, if confirmed, would likely generate visible inconsistency and confusion in the system rather than simplifying the personal data protection requirements. In other words, the Italian legislature could have simplified the drafting of the DPS rather than excluding it from the minimum security measures.


Our suggestion, however, is to always preserve and keep applying best practices within the company, in order to avoid the risk of severe administrative and criminal sanctions and/or claims for compensation arising from data breaches and noncompliance with the legislation in force at national and EU level.