Today we had a pleasant chat with Stefano Rossi, the DPO of Great Estate.
Welcome, Stefano. First of all, would you like to tell us what a DPO is?
The Data Protection Officer (or DPO) is a long-established profession in Europe, but quite new in Italy. Here, we started hearing about it with the recent General Data Protection Regulation (EU) 2016/679. To sum up, the DPO is a professional with multidisciplinary knowledge: from the data protection regulation to aspects such as information security, risk management, and general management, which the General Data Protection Regulation (GDPR) wanted for all public organizations and some specific private agencies, with the aim of improving their privacy compliance and the security of personal data processing.
What are the tasks of a Data Protection Officer?
Article 39 of the GDPR gives the DPO the tasks of informing and advising the managing director of an agency on the privacy regulation, as well as monitoring its compliance, raising the awareness and training of the persons in charge of data processing, and cooperating with the Italian Data Protection Authority (Garante della Privacy).
How long have you been working in the Data Protection field?
I started dealing with data protection many years ago. During the many training workshops I give, I like to recall that I started my career in this field when PCs did not have passwords. In the EU, real personal data protection started after Directive 95/46/EC of the European Parliament; in Italy, through Law 675 of 31/12/1996. After that, my vision had an objective response and became a new profession.
Why is the protection of personal data so important?
First of all, let’s remember that personal data protection is one of the fundamental rights of human beings, and it is written in Article 8 of the Charter of Fundamental Rights of the European Union. Often, the concepts of data protection and privacy are confused, but they are two different things. The concept of privacy has an exclusive meaning (the right to be left alone). Instead, the concept of data protection refers to control over your own data, which must necessarily be communicated to different organizations, both public and private, over the course of our lives.
How has this regulation changed over time?
We moved from an initial approach aimed at protecting the personal data of the data subject (soggetto interessato) to protecting the processing infrastructure. To use a metaphor of mine: from protecting a single gold bar in a bank vault, we move to protecting the whole banking system, because it is useful and at the service of society.
Moreover, the European legislator created this new regulation not just on the basis of the new challenges connected to IT innovation, media, and services, but especially to give confidence to citizens who do not consider their data to be properly protected.
The current period is characterized by a rapid transformation of the economic model, from an object-based economy to a data-based economy. This economic pattern based on data will be the main one, especially in Europe. At this moment, there is no business that can avoid data processing within its information systems. Some of them base their mission on data. Restoring trust to EU citizens is an essential condition for the development of the Digital Age, maybe the most relevant economic opportunity for the next generations.
Since the introduction of the GDPR, we often hear talk of accountability: can you explain to us what this is?
Accountability is an English term that has no exact equivalent in our language: indeed, the mainstream translation is “responsabilizzazione”, but this word does not convey the full meaning of the concept. Within the regulation, accountability means that the data controller is completely aware of the value of personal data, makes responsible and transparent choices to process them using risk management strategies, and answers for his/her own work. In this light, appointing a true professional as DPO is a very relevant measure that proves the accountability of a business.
In this regard, how does one become a DPO, and how are his/her skills assessed?
The regulation, in Article 37, states that the DPO is designated on the basis of his/her professional qualities: specifically, expert knowledge of personal data protection law and practices, and the ability to fulfil the tasks. The term “legislation” refers to legal competencies, while “practices” refers to the technical ones. To date, there is no mandatory training path or target for DPOs, even if there are some certification bodies that can attest the skills of a professional. In my case, I studied in the technological field. After my degree, I also attended a specialization in the legal field. In August 2020, I obtained the UNI 11697/2017 certification. In any case, even in this professional activity, constant training is required.
What does your activity consist of? What is your role within the Group?
I think that the basis of the DPO’s role is data protection risk management. In this field, the DPO establishes the risk level, proposes improvements to the agency, and monitors the effects obtained: a traditional Deming cycle of management models. Today, compliance with the privacy regulation cannot be obtained statically, but only through dynamic and proactive activities that affect the majority of business processes. A new modus operandi, the key to the recent EU Regulation, necessary to operate in today’s changing scenarios, and on which I have found great sensitivity on the part of Great Estate. Moreover, the DPO has another important function: his/her role as guarantor towards all the stakeholders. In addition to consultancy and monitoring for the managing director, the DPO is a point of reference for all the data subjects involved (the people who gave their data to the agency). These people can contact him/her about every aspect of the processing of their data.
So, the DPO is an independent figure of guarantee. He/she works alongside the managing director, but speaks to everyone.
I would like to take this occasion to remind our readers that, since May 2018, Great Estate has relied on a DPO precisely for all the reasons just explained. You can find all the contacts of the Group and of its DPO on this page.
How do you see the future scenarios? Will there be developments concerning data protection?
The new vision of the EU is a digital and data-driven future; a sound regulatory framework for the digital-data based economic ecosystem is essential. New challenges are on the horizon, while new technologies are already among us (think of digital assistants, autonomous driving, IoT up to Artificial Intelligence and the Electronic Person, so far only present in science fiction scenarios).
In all these areas, the protection of individual rights is of primary importance. The next step will certainly be the new ePrivacy Regulation, which aims to ensure the security and therefore the confidentiality of electronic communications of European citizens. It will have an extremely significant impact on all organizations active in the I.T. sector, including Great Estate.
Just recently, the Council of the European Union started the revision of the text in order to arrive at the final draft as soon as possible. We expect it to enter into force within 2-3 years.
Obviously, we are following with interest the legislative process, which we have already seen, and which will introduce several changes that we will try to adopt even before they become mandatory.
What are the most relevant activities carried out in the Great Estate’s G.D.P.R. compliance process?
The G.D.P.R. has introduced new rules on the protection of personal data, but the most important aspect is a different approach, which today must be proactive and no longer merely reactive: therefore, prevention is needed instead of ex-post intervention. Hence risk assessment, management, and reduction are needed, in order to adopt adequate processing tools and procedures, also in view of the new concept of privacy by design. Then, there is the fundamental awareness-raising within the company and the training of data processors, in order to obtain knowledge of the regulations and operational best practices, but above all to reduce errors, even unconscious ones, and to produce safe behavior.
To this end, we have organized several seminars and hold regular meetings to assess the current state, areas for improvement, and related activities.
I would also like to mention the great overhaul of the company’s information infrastructure that began in 2018 and was adopted by Great Estate at my suggestion, in order to improve performance and security and to bring most of the services implemented in the cloud back under direct management. Obvious improvements, which I am sure your customers will have noticed!