Ulrich Kelber - Companies must switch to competitive mode when it comes to data protection.

Prof. Ulrich Kelber has been the Federal Commissioner for Data Protection and Freedom of Information since January 2019. In the interview, the computer scientist and biologist talks about the necessary digitalisation push due to the pandemic, challenges for companies and governments, international data transfer and Pixi books on data protection. His credo: data protection is not an obstacle, but an integral part of digitalisation.

Mr Kelber. We are talking today on the occasion of European Data Protection Day. What would you say are the most pressing issues in terms of data protection and information security?

Ulrich Kelber: The pandemic saw a long overdue and significant push towards digitalisation and then there are the ideas of the new coalition government. This is a lot to deal with all at once. This year, my office is chairing the conference, so I’ve taken the opportunity to shine a spotlight on the topic of research data. In terms of freedom of information, we are looking forward to what the government announces as it intends to pass a transparency law.

What do these two topics have in common and where do they differ?

Ulrich Kelber: Use public data, protect personal data. This is the best way to describe the conflict between freedom of information and data protection in a nutshell. It becomes difficult when, for example, the state requires personal data in order to allow access to public data. in some cases, this is perfectly justifiable, but since I took on my role, I’ve been demanding that the state takes the initiative to make more information transparent.

Would it be wrong to say that data protection and information security don’t have the best reputation in Germany?

Ulrich Kelber: That depends on who you ask—and how. Most citizens believe data protection in particular is a good thing. Unfortunately, there will always be people out there who will use data protection concerns to try and justify snail-paced digitalisation and bad government decision-making. If you ask about people’s thoughts on data protection in this context, their responses will, of course, be less positive and that’s such a shame because there is nearly always a data protection-friendly solution for every problem.

 

 

Professor Ulrich Kelber has been the Federal Commissioner for Data Protection and Freedom of Information since January 2019. He was previously a Member of the German Bundestag representing the SPD for 18 years. He won the direct mandate in the city of Bonn in the 2002, 2005, 2009, 2013 and 2017 federal elections. Ulrich Kelber studied computer science and Biology. Since July 2019, he has been honorary professor for data ethics at the Bonn-Rhein-Sieg University.

At the end of last year, you published two children’s books. Is data protection really something for kids?

Ulrich Kelber: Absolutely! We are now witnessing the first generation grow up with smartphones and tablets the norm in their everyday lives. Social media, remote learning, gaming—wherever you look, personal data is at play. Our books are the first step towards generating awareness about how to take care of your own data. By the way, we have been overwhelmed with orders.

New legislation such as the GDPR demands an integrated approach to data protection and information security.

 

The way you handle data can make or break your reputation.

Personal data is a highly sensitive matter governed by strict legislation.

 

Data protection and information security are an ongoing process and you need to stay on top of it at all times.

 

Moving on from the smallest among us, are there any particular issues that companies need to tackle?

Ulrich Kelber: My colleagues in the individual countries are responsible for companies, but I wish European companies would see data protection as giving them a competitive edge. Instead of simply seeing obstacles, it would be so much better if our businesses leveraged their experience from the head-start they’ve had with data protection-compliant solutions. Right now, it’s more the case that privacy laws are being passed in other countries that are similar to the GDPR, but the companies there are adapting to them much faster.

 


If data protection is taken into consideration at the very start of these projects, the mountain of existing data can be better utilised.


In terms of state institutions and public administration, one of the many issues relates to processing medical data.

Ulrich Kelber: The digitalisation of administration is certainly a work in progress, and the pandemic has made it abundantly clear that Germany has a lot of catching up to do, particularly in healthcare. If data protection is taken into consideration at the very start of these projects, the mountain of existing data can be better utilised. That’s why, as the Chair of this year’s Data Protection Conference, I’ve decided to focus of research data and its potential uses.

Please allow cookies to see content from Youtube.

We use Youtube to embed video content on our website. This service may collect data on your activity. For more information, please go to the settings page.

It’s now been three years since the GDPR came into effect. What’s changed and where are we today in terms of implementation?

Ulrich Kelber: In Germany, the GDPR hasn’t really changed much in terms of existing laws. The greatest impact was probably on people’s awareness of what they do with their data and how there is now a Europe-wide regulation. Since then, we have continued to work very hard in the Data Protection Commission and Conference to harmonise oversight. Generally speaking then, implementation is going well. However, large international data companies lack a supervisory authority’s decision-making.

Exkurs: What is data protection? And what do we mean when we say information security?

Data protection covers the what, how, and for how long of data storage and processing. It tackles issues such as purpose and consent, as well as transparency when it comes to processing personal information. The definition of corporate data protection does not always map to the way it is seen by the general public, in that it is more about how data is being handled, not about making it secure. Safeguards such as encrypting a customer database, on the other hand, is a matter of data security.

Information security is about making sure data cannot fall into the wrong hands. This includes access policies, tiered clearance, and other mechanisms designed to make sure only authorised people are able to obtain the information. Backup strategies, access management, and protection against malware also pertain to the field of information security.

In a nutshell, data protection is about user consent and transparency into what information is being stored. Data security is about defence against attacks on this information, while information security deals with the underlying technology and processes, e.g. how many how many employees can access a customer database.

Let’s look at this topic in a bit more detail and discuss international data transfers. The European Parliament made headlines not too long ago ..

Ulrich Kerber: The Court of Justice of the European Union was very clear in its Schrems II judgement. It’s really frustrating that there aren’t any decisions being made by responsible data protection supervisory authorities when it comes to some international processing. I would wholeheartedly welcome the European Parliament looking closely at why these decisions are being delayed in some countries.

And a final question, what role is data protection playing in digitalisation? It is often seen as limiting, but I’m sure you don’t share that belief ...

Ulrich Kerber: If a European says that something isn’t possible because of data protection, that’s either because they are considering data processing that is not in line with European values, or they are just looking for a convenient excuse to cover up the fact there are other issues. Digitalisation done well considers data protection from the outset. This creates trust and also increases acceptance of the solution among citizens.

Thank you for taking the time to speak to us today.

Exkurs: What is data protection? And what do we mean when we say information security?

Data protection covers the what, how, and for how long of data storage and processing. It tackles issues such as purpose and consent, as well as transparency when it comes to processing personal information. The definition of corporate data protection does not always map to the way it is seen by the general public, in that it is more about how data is being handled, not about making it secure. Safeguards such as encrypting a customer database, on the other hand, is a matter of data security.

Information security is about making sure data cannot fall into the wrong hands. This includes access policies, tiered clearance, and other mechanisms designed to make sure only authorised people are able to obtain the information. Backup strategies, access management, and protection against malware also pertain to the field of information security.

In a nutshell, data protection is about user consent and transparency into what information is being stored. Data security is about defence against attacks on this information, while information security deals with the underlying technology and processes, e.g. how many how many employees can access a customer database.

Contact person.

Christian Grusemann

Business Manager Security
christian.grusemann@bechtle.com

 

Frank Peter

Head of data protection and information security, Bechtle Solingen
frank.peter@bechtle.com

 

Newsletter. 

Get the best from the Bechtle update every six weeks directly into your mailbox. Click here to register:
 

NEWSLETTER

 

Share this page

This post was published on Jan 28, 2022.