Page 47 - Consolidated Non Financial Statement

Banca Ifis



2020 Consolidated Non-Financial Statement
warnings and events that can give rise to security incidents can originate from internal channels (other organisational units) or external ones (customers, suppliers, and institutional channels). The Information Security Organisational Unit manages such warnings in partnership with any other concerned and interested parties, based on the extent and type of the event.

Personal data protection
The main internal document governing personal data protection is the Privacy Regulatory Manual, approved by the Board of Directors of Banca Ifis as Parent Company and incorporated by the subsidiaries through a Directive. This document, together with the privacy regulations and procedures, makes up the privacy management model as well as the set of guidelines and rules defining how data is protected within the organisation.

The Privacy & Security function, specifically through the unit dedicated to Privacy:

• prepares and updates the internal documents required by privacy regulations;
• monitors and regularly assesses compliance with regulations and the implementation of the security measures required by law;
• analyses the personal data processing methods adopted by the Bank and the relevant risks;
• assesses the privacy impacts that result from launching new products and services, starting new operations, entering new markets, and in all instances in which the Bank plans to internally develop or purchase new software;
• notifies the Bank's organisational units of any changes in privacy regulations concerning their respective areas of expertise and provides compliance support;
• supports Human Resources in developing an appropriate corporate privacy culture.


In addition, as far as business continuity is concerned, it carries out an impact analysis on business processes and prepares the relevant plan through the Business Continuity Organisational Unit.

[GRI 418-1]

In 2020, as in the previous year, the Group received 4 complaints concerning privacy breaches, almost all associated with operational mistakes or human error. In no case was sensitive data exposed.

Substantiated complaints concerning breaches of customer
privacy and losses of customer data                              Unit   2020   2019   2018
Total number of complaints documented as received
concerning customer privacy breaches                             No.       4      4      6
  from third parties and substantiated by the organisation       No.       4      4      6
  from regulatory bodies                                         No.       0      0      0
Total number of events relating to substantiated losses and
thefts of customer data (16)                                     No.      32     10      8

The growing number of incidents that entailed the loss of, access to, or unauthorised disclosure of personal data is mainly due to the increased risk of cyber-attacks associated with the new remote-working arrangements. In order to mitigate exposure to these risks, the Bank has launched an internal cybersecurity awareness-raising campaign.



(16) The figure represents the total number of incidents that took place in 2020 entailing the loss of, access to, or unauthorised disclosure of personal data (e.g. theft or loss of mobile telephones or tablets, loss of paper forms, incorrect sending of correspondence by e-mail). The events can be divided among the Group companies as follows: 10 incidents for Banca Ifis, 20 incidents for Ifis Npl, 1 incident for Cap.Ital.Fin., 1 incident for Npl Servicing. Another incident impacted the whole of the Banca Ifis Group and took place when an incorrect flow of data concerning Group staff was sent to a company providing transport services. None of the incidents that took place involved any risks to the rights and freedoms of the data subjects and, therefore, no communication was made to the Data Protection Authority and/or data subjects.
