The European Regulation on the protection of natural persons with regard to the processing of personal data has abolished the minimum security measures that were at the basis of the “privacy policy” system and were listed in Annex B of Legislative Decree No. 196/03. Pursuant to Article 32 of the Regulation, the Data Controller and the Data Processor, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, must implement suitable measures to “guarantee a level of security appropriate to the risk”. This is because the Data Controller and the Data Processor must be able to guarantee and demonstrate that they have done everything possible to limit the occurrence of a risk, in compliance with the principle of “accountability”, which leaves them full freedom to identify the appropriate technical and organisational measures. To this end, neither the Data Controller nor the Data Processor can do without a gap analysis and a risk assessment, that is, a preliminary assessment of the various risks. Should there be a risk of negative impact on the rights and fundamental freedoms of the data subject, this risk must be analysed through a specific evaluation process (e.g. impact assessment). On the basis of the foregoing, the protocols relating to the Special Part of Model 231 on IT crimes must be kept updated, also in order to be able to demonstrate the status of compliance with the European data protection regulation.