Data protection management errors can threaten the existence of a company, either because its reputation suffers or because the responsible supervisory authority imposes high administrative fines (e.g. up to 20,000,000 Euros) or injunctions.
A systematic approach to data privacy management helps companies minimize these risks.
What is data protection?
We all have the “fundamental right to informational self-determination”. This means that everyone can decide who can access and process which personal data, where, when and for how long.
Data protection law protects natural persons by regulating how personal data may be processed.
The right to informational self-determination is a universal fundamental right and therefore applies worldwide. Nonetheless, data protection law may differ considerably from region to region.
The GDPR (“General Data Protection Regulation”) as an EU regulation is applicable in all EU member states and serves as a standardised European data protection law.
Individual countries frequently have their own national legislation as well, such as the BDSG (Federal Data Protection Act) in Germany. By means of so-called opening clauses, the GDPR gives national legislators a certain leeway to regulate specific matters in additional national laws.
What is personal data?
To understand data protection, it is important to understand how personal data is defined. The EU Regulation 2018/1725 definition states:
If this seems too abstract, here are some everyday examples of situations in which personal data is involved:
- You visit a website
- You store an employee’s address for accounting purposes
- Someone takes a photo of you
- You pay with your credit card
- A doctor takes notes of a health-related diagnosis
Special categories of personal data
The examples above show that personal data varies in sensitivity. Some categories require a higher degree of protection than others; these usually relate to characteristics such as:
- health
- sexual orientation
- origin
- political and religious beliefs
This illustrates why one form of personal data, such as an email address, may be subject to a different level of protection than another, such as a medical record.
Why is data protection important?
Data protection is essential for companies to comply with the law, maintain customer trust, protect their reputation, safeguard intellectual property, gain a competitive edge, ensure operational continuity, and uphold employee privacy.
Compliance with data protection requirements is not only important from a legal perspective. A glance at the news is sufficient to see how strongly a loss of confidence in the area of data protection can affect turnover or share price and how frequently major data protection problems occur.
In extreme cases, a breach of data protection regulations (in Germany) could result in criminal charges and up to three years’ imprisonment, or a fine of up to 20 million Euros or 4% of the total annual turnover achieved worldwide (Article 83(4) et seq., GDPR). This illustrates the high relevance of data protection for businesses and their management, irrespective of size.
Data protection management and procurement
Data protection may also be highly relevant when applying for public sector contracts. This applies both to you as the provider and to any subcontractors you use. Professionally organised data protection can also contribute to increasing turnover and give you an advantage that sets you apart from competitors.
If your company is to be sold, correct data protection management often has a positive impact on the sales price, as no liability provisions for privacy risks have to be made.
How to meet data protection requirements?
Almost every company processes personal data and is therefore required to implement data protection rules in accordance with legal requirements. The types of processing activities determine which protective measures a company must take.
This is where technical and organisational measures come into play.
TOM – technical and organisational measures
To illustrate the importance of technical and organizational measures, we explain the benefits of such measures using an example – a cyber attack. This is not an isolated case, as the following bitkom study shows:
Examples of technical measures:
- Deletion and archiving rules
- Authorization concepts
- Data categorization
- Data backups
Examples of organisational measures:
- Data protection-compliant contracts, such as data processing agreements
- Cross-border data transfer policies
- Documentation requirements policies
- Data protection impact analysis
Successful Data Protection Management – an example
The fictitious company Supersmart LLC approaches Riscreen for support and appoints Riscreen as data protection officer for the company. They jointly develop and implement TOMs.
For years, Supersmart LLC was able to work without any problems thanks to these precautions. Measures such as access rights management ensured that employees who left the company were immediately excluded from data access.
In our example, a software error in an office application enabled hackers to penetrate the firewall system and install ransomware. Important company data was encrypted and would only be released against a ransom payment of 2.5 million Euros.
Based upon the established BCM procedure, the IT manager immediately informs all relevant departments, including the external data protection officer.
The BCM committee convenes and the first key actions are taken. In order to identify the source of the breach and to establish future measures, the incident is documented, forensic data is collected and meeting minutes are taken.
Thanks to business continuity management (BCM), backups of the company’s data have been stored in a protected environment that cannot be accessed from the internet. These backups are therefore not affected by the ransomware and can be used to replace the encrypted data.
A short time later, the data has been restored and the error in the office software has been identified and fixed.
In parallel the data protection officer submits a preliminary incident notification to the data protection supervisory authority and the police cybercrime unit.
As a result, Supersmart LLC can refuse to pay the ransom. Instead of a loss of 2.5 million Euros plus further (financial) damage from loss of reputation, Supersmart LLC incurs only minor financial damage: the time and effort required to reset the affected systems, restore a clean system landscape and carry out the forensic analysis to determine the origin of the attack.
Supersmart LLC was lucky. In general, however, the economic damage caused by blackmail, loss of data, recovery costs and system reconstruction is significantly higher where BCM procedures are inadequate or non-existent.
How is your data protection management set up?
How would this case have turned out for your company? Are you prepared? Are TOMs and procedures in place?
It is often difficult for management to assess the data protection and information security risks in their company. That is why they should seek support from external advisors such as Riscreen.
If desired, we can provide a data protection officer who will carry out an audit, review the data protection and information security procedures in your company and submit suggestions for improving your company’s setup.
Contact us now for a free initial consultation.