Today, no company can avoid the topic of data protection and information security. Taking the right approach to them as well as setting up and maintaining clear rules in companies are key factors in maintaining a competitive edge—both domestically and internationally. And why? The security and stability of all IT activities are fundamental for companies and data is the most valuable asset that needs to be protected. It’s simply unimaginable nowadays to establish business processes without efficient data protection and information security.

This state of affairs is also reflected in legislation. With the introduction of the European General Data Protection Regulation in May 2018, organisations are more obligated than ever to conduct proper data processing and be able to prove it. But that’s not all. The interplay between data protection and information security has been drastically changed with the GDPR. Until now, traditional data protection and purely compartmentalised IT security have been considered separate entities, but the introduction of the General Data Protection Regulation has led to them becoming directly intertwined.

Symbiotic data protection and information security. What does this mean for companies?

Even if many companies don’t fully realise it, the GDPR means that they absolutely have to get on top of the topic of IT security, as it is now an even more important component of data protection than ever before. The GDPR’s provisions on data protection also make clear requirements of IT security. The logic behind it is obvious, as data protection can hardly be successfully implemented in companies without proper IT security. For organisations, this means that if you want to comply with the GDPR, you’ve got to be on top of your enterprise IT security. A stable and reliable IT security strategy forms the foundation for implementing data protection measures.

The situation on the ground in many companies.

Companies have by no means all reached an acceptable level of GDPR conformity. According to a Bitkom survey, around 24 per cent of the companies surveyed said that they had so far only partially implemented the GDPR's provisions, and as of September 2019 around five per cent had not yet started with implementation at all.

The result is data protection infringements, the threat of fines, but also negative customer opinions and loss of reputation. But what content and components need to be considered as part of the GDPR? Which of those are not yet common knowledge among companies and therefore require urgent addressing? We’ve summarised the most important points for you here.

1. Data protection and IT security: not products, but a corporate culture.

With the introduction of the GDPR, the requirements of IT security have changed, and with them the requirements for technical and organisational measures. In the past, the measures only had to be carried out in a reasonable way; the GDPR demands a higher level of compliance and an IT risk assessment. Legislation now requires companies to use state-of-the-art technology to comply with data protection regulations, as well as enhanced risk management. Moreover, the GDPR obligates you not only to take into account the state of the art, the costs of implementation, and the nature, scope and purposes of processing, but also to consider the likelihood of risks to the people affected.

2. Information security and data protection rest on management's shoulders.

Executive managers carry the strategic responsibility, and the liability, for IT security and risk management. They are also responsible for implementing an information security management system (ISMS) and continually improving it. Generally speaking, an ISMS is a framework of regulations, processes, and provisions within an organisation. For this, companies have to provide suitable resources that consistently define, control, monitor, maintain, and continually improve information security. These obligations are also enshrined in several legal texts: those in charge must secure their company's continued existence in accordance with various laws and regulations.

3. Legal obligations: IT compliance and the role of management.

What does compliance mean? For the most part, adherence to the law in all areas of an enterprise, i.e. achieving legal compliance. IT compliance primarily affects a company's IT systems and covers information security, availability, data protection, and data retention. Below are some examples of the legal basis for IT compliance in addition to the GDPR:

  • IT Security Act (KRITIS): Act for increasing the security of information technology systems
  • KonTraG: Law on Control and Transparency in Business
  • GoBD: Principles for the proper keeping and storage of documents in electronic form
  • SOX: Sarbanes-Oxley Act
  • Basel II/III and MaRisk: Credit and risk analysis based on rating systems
  • KWG: German Banking Act with banking supervisory requirements for IT
  • Product liability law or § 823 BGB (German Civil Code) (e.g. when purchasing software)
  • Teleservices Act (TDG): Law on the use of teleservices
  • Telecommunications Act (TKG): Regulates competition in telecommunications
  • Basic Law Article 10 and the G10 Act: privacy of correspondence, posts and telecommunications as basic rights
  • Copyright Act (UrhG)
  • StGB (German Criminal Code): incl. IT-related offences, sections 202a (data espionage), 202b (phishing)

According to these and other legal requirements, corporate management bears full responsibility for IT and data security in companies. In plain English, this means a breach can lead to personal liability of management.

4. Getting employees on board: Raising awareness.

Art. 39(1)(a) of the GDPR requires that employees receive awareness training. Companies should also ensure that the IT security aspects of data protection are addressed as part of data protection training. Companies must correctly implement their IT security and data protection concept and follow up on it. This applies above all to employees, and there are clear legal obligations to provide proof that training has taken place. If companies neglect to raise awareness about information security and data protection, there is simply no way for them to reach the level required for business success and legal compliance. For this reason, regular employee training and awareness-raising is essential.

Reports from employees are also the most common way that cyber-attacks are identified within companies, and even the best security concept has no effect if employees open the attachment of a phishing e-mail, for example, because they are unaware of the threat.

All of these points highlight the immense significance of data protection and IT security. But companies often don't know which concrete steps to take in order to ensure appropriate protection or how to become legally compliant. If you need a reliable and experienced partner at your side, look no further than Bechtle for everything to do with data protection and information security. We have put together a ten-point plan of the key steps for you. Find out more in our presentation on 01 October 2020 at Bechtle C-Day.