\documentclass[a4paper]{jpconf}
\bibliographystyle{iopart-num}
\begin{document}
\title{Internal Auditing INFN for GDPR compliance}
\author{V. Ciaschini$^1$, P. Belluomo$^2$}
\address{$^1$ INFN-CNAF, Bologna, IT}
\address{$^2$ INFN Sezione di Catania, Catania, IT}
\begin{abstract}
With the General Data Protection Regulation (GDPR) coming into force, INFN had to decide how to implement its principles and requirements. To monitor their application, and more generally INFN's compliance with the GDPR, INFN created a new group, called ``Compliance Auditing,'' whose job is to act as internal auditor for all of its structures. This article describes the group's startup activity.
\end{abstract}
\section{Compliance Auditing Group}
\subsection{Rationale for creation}
When discussing the application of the GDPR during the Commissione Calcolo e Reti (CCR) 2018 workshop in Rimini, it became clear that setting up a set of rules and assuming that all parts of INFN would follow them correctly was not, by itself, enough. The duty of vigilance also had to be met, which in turn required periodic check-ups. To address these concerns, and to monitor the proper application of the rules, it was soon proposed to create a team, which would take the name of ``compliance auditors,'' whose job was to act as internal auditors for all INFN structures and to check on the proper application of the regulations as implemented by INFN.
\subsection{Startup Activity}
Following the proposal to create the group, the first task was to staff it. Two people who had previous experience with setting up ISO compliance structures for some INFN sections volunteered: Patrizia Belluomo (Lead Auditor, Sezione di Catania) and Vincenzo Ciaschini (CNAF).
The first activity undertaken by the group was the collection and study of all the norms applicable to INFN's implementation of the GDPR: the text of the regulation itself, other applicable Italian legislation, the documents describing INFN's implementation, and several INFN regulations that, while not specifically about the GDPR, still governed issues related to it, e.g. data retention policies.

We also had to decide how to structure the audits. We decided to organize them according to well-known quality assurance principles. To apply these principles, we settled on a set of topics that would be investigated during the audits, and a set of questions that could, but would not necessarily, be asked during the audits themselves, to act as guidelines and to allow INFN structures to prepare properly.

When the group was formally approved, these procedures were presented at the CCR workshop in Pisa in October, and an indicative calendar for the audits was created and sent to the structures as a proposal for when they would be audited. Due to budget limitations, it was also decided that, at least for the first year, most of the audits would be done by telepresence, with on-site audits reserved for the sections that hosted, or would host, the most critical data, i.e. the structures that hosted or would host INFN's Sistema Informativo.

The rest of the year was devoted to refining this organization and to preparing the formal documentation that would be the output of the audits, together with the procedures we would follow during them. The audits began in earnest on 9 January 2019, but that is out of scope for the 2018 Annual Report.
\end{document}