Page 47 - Consolidated Non Financial Statement
Banca Ifis | 2020 Consolidated Non-Financial Statement
warnings and events that can give rise to security incidents can originate from internal channels (other organisational
units) or external ones (customers, suppliers, and institutional channels). The Information Security Organisational Unit
manages such warnings in partnership with any other concerned and interested parties, based on the extent and type
of the event.
Personal data protection
The main internal document governing personal data protection is the Privacy Regulatory Manual, approved by the
Board of Directors of Banca Ifis as Parent Company and incorporated by the subsidiaries through a Directive. This
document, together with the privacy regulations and procedures, makes up the privacy management model as well
as the set of guidelines and rules defining how data is protected within the organisation.
The Privacy & Security function, specifically through the unit dedicated to Privacy:
• prepares and updates the internal documents required by privacy regulations;
• monitors and regularly assesses compliance with regulations and the implementation of the security measures
required by law;
• analyses the personal data processing methods adopted by the Bank and the relevant risks;
• assesses the privacy impacts that result from launching new products and services, starting new operations,
entering new markets, and in all instances in which the Bank plans to internally develop or purchase new
software;
• notifies the Bank's organisational units of any changes in privacy regulations concerning their respective areas
of expertise and provides compliance support;
• supports Human Resources in developing an appropriate corporate privacy culture.
In addition, as far as business continuity is concerned, it carries out an impact analysis on business processes and
prepares the relevant plan through the Business Continuity Organisational Unit.
[GRI 418-1]
In 2020, as in the previous year, the Group received 4 complaints concerning privacy breaches, almost all associated
with operational mistakes/human error. In any case, no sensitive data was exposed.
Substantiated complaints concerning breaches
of customer privacy and losses of customer data                      2020  2019  2018
Total number of complaints documented as received concerning
customer privacy breaches                                       No.     4     4     6
  from third parties and substantiated by the organisation      No.     4     4     6
  from regulatory bodies                                        No.     0     0     0
Total number of events relating to substantiated losses and
thefts of customer data [16]                                    No.    32    10     8
The growing number of incidents that entailed the loss, access or unauthorised disclosure of personal data is mainly
due to an increase in the dangers and risks of cyber-attacks in connection with the new methods of remote working. In
order to mitigate exposure to these risks, the Bank has launched an internal awareness-raising campaign on
cybersecurity.
16 The figure represents the total number of incidents that took place in 2020, entailing the loss, access or unauthorised disclosure of personal
data (e.g. theft or loss of mobile telephones or tablets, loss of paper forms, incorrect sending of correspondence by e-mail). The events can
be divided up between the Group companies as follows: 10 incidents for Banca Ifis, 20 incidents for Ifis Npl, 1 incident for Cap.Ital.Fin., 1
incident for Npl Servicing. Another incident impacted the whole of the Banca Ifis Group and took place when an incorrect flow of data
concerning Group staff was sent to a company providing transport services. None of the incidents that took place involved any risks to the
rights and freedoms of the data subjects and, therefore, no communication was made to the Data Protection Authority and/or data subjects.