Data security and integrity have gained dramatic weight in recent years, reflecting how important data has become for business processes and models. The media, the public, and, most critically, organisations, have come to understand just how sensitive user information really is, and by consequence, how crucial it is to keep it safe. Policy violations and data leaks frequently cause a whirlwind of negative publicity and scandal, eroding public trust in affected businesses, not to mention the potential legal fallout. That’s why it is imperative for companies to have the knowledge, tools and policies in place that they need to stay on the safe side at all times as they process data and personal information. What are the steps you need to take to put data protection and information security on track in your organisation? We’ll help you keep your reputation out of harm’s way and effectively secure your customers’ data, backed by years of experience in data protection and information security.
Rarely have four letters caused so much turmoil in organisations as GDPR. It brought with it a slew of requirements for data protection and compliance, and brought the issue to the attention of the public. The way businesses had treated their users’ information for decades was suddenly a violation of the law. At the same time, IT managers and data protection officers must be aware that GDPR compliance will always be a work in progress; it’s not a one-off project, but a continuous process that envelops the entire organisation. In fact, the courts will be busy clarifying the concrete do’s and don’ts for years to come, as claims based on the GDPR make their way through the mills of justice. Cookie policies, tracking pixels, social media, etc. will be the subject of many verdicts that will ultimately affect the business world at large.
Since the GDPR took effect, data protection has become an integral issue of every new business process or tool, because it is about much more than privacy policies and user consent. Current trends such as self-service capabilities for customers, external access to CRM data, and the rise of remote work have dramatically increased the attack surface for criminals and keep IT managers on their toes. That’s why IT experts need support on a number of security layers, from system configuration to employee awareness. We’ll help you make sure your organisation is on the safe side when it comes to data protection and legal compliance.
Head of Data Protection & Data Security
Getting data protection and IT security right is critical for organisations to stay competitive and successful. Introducing a new business process without efficient data protection and information security built in is no longer the order of the day.
The European General Data Protection Regulation (GDPR) came into effect in May 2018. At first glance, this doesn’t seem to affect Swiss companies, but, in fact, this is only partly true.
Swiss businesses are obliged to comply with the GDPR if:
It’s important to note that, even if a Swiss business does not make its offerings available in the EU, but an EU user is tracked by a tracking tool, the GDPR will ‘probably’ apply. In other words, even Swiss companies are going to have to get to grips with the GDPR.
When organisations consider information and data security, they often focus exclusively on external threats. But it’s not just inbound attacks that result in data leaks or violations of contracts or legal requirements. Employers must make sure that their own workforce is able to safely and confidently handle personal information in compliance with the GDPR.
Severe penalties for violations and the potential damage to an organisation’s reputation leave no doubt that data protection is a serious matter that requires a serious and consistent approach. The devil’s often in the details: Does your mail server or e-mail client allow e-mails with an excessive number of CC recipients entered as plain text to leave your network? Does your system trigger an alarm and initiate a security protocol when someone exports a large number of records from your customer database? Are your employees able to easily encrypt their messages? Our Bechtle consultants help you create an integrated concept that covers all your bases when it comes to processing and protecting personal data and your company’s data.
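As an added illustration of the two “detail” questions above (this is not part of the original page or Bechtle’s tooling), here is a mail-gateway check that holds mass mailings with too many visible recipients, and a sliding-window alarm over customer-database export audit lines. The thresholds, the audit-line format and the sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_VISIBLE_RECIPIENTS = 20   # assumed policy: more than this in To/CC must go via BCC
EXPORT_ROW_LIMIT = 500        # assumed: rows per user inside EXPORT_WINDOW that raise an alarm
EXPORT_WINDOW = timedelta(minutes=15)


def check_outbound_mail(msg):
    """Return None if the mail may leave the network, else the reason to hold it.
    Addresses in To/CC are disclosed to every recipient; a mass mailing that
    should have used BCC leaks every customer address (a personal-data breach)."""
    visible = msg.get("to", []) + msg.get("cc", [])
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        return f"{len(visible)} visible recipients exceed {MAX_VISIBLE_RECIPIENTS}; use BCC"
    return None


def detect_bulk_exports(audit_lines):
    """audit_lines use the constructed format '<ISO timestamp> <user> <rows exported>'.
    Returns (user, rows) for each user whose exports exceed EXPORT_ROW_LIMIT
    within any EXPORT_WINDOW, i.e. the condition that should trigger an alarm."""
    events = defaultdict(list)
    for line in audit_lines:
        ts, user, rows = line.split()
        events[user].append((datetime.fromisoformat(ts), int(rows)))
    alarms = []
    for user, evs in events.items():
        evs.sort()
        start, total = 0, 0
        for ts, rows in evs:
            total += rows
            while ts - evs[start][0] > EXPORT_WINDOW:   # slide the window forward
                total -= evs[start][1]
                start += 1
            if total > EXPORT_ROW_LIMIT:
                alarms.append((user, total))
                break                                   # one alarm per user is enough
    return alarms


# Constructed sample data
SAMPLE_MAIL = {"to": ["news@example.com"], "cc": [f"user{i}@example.com" for i in range(30)]}
SAMPLE_AUDIT = [
    "2024-03-01T09:00:00 alice 50",
    "2024-03-01T09:05:00 alice 120",
    "2024-03-01T09:10:00 alice 400",   # alice: 570 rows in 10 minutes -> alarm
    "2024-03-01T09:00:00 bob 30",
    "2024-03-01T11:00:00 bob 600",     # bob: 600 rows in one export -> alarm
]
```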
It’s often the little things that can have the biggest consequences, such as a lack of awareness of security issues. An unsolicited outbound e-mail can be all it takes to get a company in hot water.
Data protection covers the what, how, and for how long of data storage and processing. It tackles issues such as purpose and consent, as well as transparency when it comes to processing personal information. The corporate definition of data protection does not always match the way the general public sees it, in that it is more about how data is being handled than about making it secure. Safeguards such as encrypting a customer database, on the other hand, are a matter of data security.
Information security is about making sure data cannot fall into the wrong hands. This includes access policies, tiered clearance, and other mechanisms designed to make sure only authorised people are able to obtain the information. Backup strategies, access management, and protection against malware also pertain to the field of information security.
In a nutshell, data protection is about user consent and transparency into what information is being stored. Data security is about defence against attacks on this information, while information security deals with the underlying technology and processes, e.g. how many employees can access a customer database.
Data protection affects everyone in your organisation. Having a legal team and data protection officer who know their stuff is one thing. But as an employer, you have to make sure that the correct way to process personal information is ingrained in your business culture. Your legal and IT staff merely lay the groundwork for you to build awareness and protocols that must be embraced by everyone who handles or so much as sees customer or employee information, or who works with the tools that process such information. If someone’s in doubt, they must know who to contact in order to eliminate any potential risk. The GDPR offers a clear-cut definition of the data protection officer’s role. In large organisations, the complexity and sheer number of people working within a huge ecosystem of scattered responsibilities is a particular challenge.
A memo or a training seminar doesn’t cut it when you want to make sure that personal data in your organisation is secure and protected. Implementing IT security and GDPR compliance is an ongoing effort across your entire organisation. IT systems must reflect all legal requirements, meaning each system and every tool must be designed to make it easy for users to do the right thing, and difficult to get it wrong. If, for example, it is impossible to send out a newsletter to someone who hasn’t given their consent, you have one less potential violation to worry about.
Making sure that everything and everyone complies with the GDPR and related policies and regulations is the job of a data protection officer, who may be an internal employee or even an external entity. The GDPR requires every company that processes data as part of its business to name a data protection officer. But in many companies, finding the right person for the job is easier said than done, because they have to strictly eliminate any potential conflict of interest between this role and their usual day-to-day tasks. IT, HR or executive management staff rarely make good candidates because of the nature of their role within the company, and their proximity to sensitive data.
Many small companies hence do not have the internal structures it takes to ensure compliance on all counts. The solution to this conundrum is an external data protection officer, who can enforce policies and assist employees when they need help. The obvious benefit of having an external data protection officer is that these are highly specialised experts who know the ins and outs of the GDPR and related issues. This can save a company significant time and money it would otherwise have to sink into training, research and consulting. Plus, an external data protection officer is never side-tracked by other tasks.
In addition to the legal cover that you may get from specialised agencies, our experts also understand the operational aspects as well as the technology behind it all, for a 360-degree solution. Benefit from our abundance of experience in IT, security and project work. Our specialists for data protection and information security are happy to help you tailor an integrated solution that is right for you.
“When you protect data, you’re protecting people’s basic rights,” explained Ulrich Kelber, the German Federal Commissioner for Data Protection and Freedom of Information, in a press release from early December. He keeps an eye on GDPR compliance and prosecutes violations. And the number of fines is growing, as are the fines themselves. The period of grace that was granted to companies after GDPR was implemented in May 2018 is clearly over. If your organisation is not up to speed yet, it’s high time to get into gear.
Data protection is not merely about complying with applicable legislation, including the abstract provisions laid down in the GDPR, or even about gaining users’ trust. Certainly, both are critical, whether you rely on in-house data protection or on an external expert.
But more than that, it’s about your relationships with suppliers, service providers and other companies, too. Your business with them may indeed hinge on your ability to present proof that your organisation is taking data protection and information security seriously, and implementing the right measures. Are they all properly documented? Does your Purchasing department conduct due-diligence checks of your supply chain? Where is your cloud-based data stored? And have you really closed all the gaps in your procurement process?
Protect your company’s reputation and financial integrity. Our consultants and specialised experts help you plan and implement measures and policies for GDPR compliance, information security, and safe data processing.