by Frank Peter
Data protection is a fundamental right in Europe and is not negotiable. Far too many companies, however, still see it simply as a necessary evil to be dealt with in order to avoid fines. In fact it has a lot to offer: protecting the personal data you process is in your own interest and can give you a real competitive edge.
Every company should approach data protection with the respect and organisation it deserves. Far too often this is not the case, either because only the bare minimum is done to satisfy the regulatory requirements, or because the setup has grown over the years out of individual solutions that cannot be linked up or managed centrally. Making the switch is not that complex in itself. It is about getting rid of silos and carrying trusted solutions, together with new ones, over into a holistic data protection concept.
Many companies have already adopted an information security management system (ISMS), but an ISMS pursues different goals. Its primary purpose is to protect the company itself against damage, for example from cyber-attacks. Data protection, by contrast, is about protecting the fundamental rights of natural persons. The General Data Protection Regulation (GDPR) and, in Germany, the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) lay out the concrete legal requirements. Among other things, data subjects must be informed of the purpose, scope and duration of the processing of their data, and they must be told about their rights, such as the right of access to their personal data and the right to have it rectified or erased.
Implementing these requirements is easier said than done, because it takes a holistic approach to set up all internal and external processes so that they comply. For example, the GDPR requires a personal data breach to be reported to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. If, once a breach has occurred, you first have to work out who has to do what, that alone creates pressure, which in turn invites further mistakes and, in the worst case, causes you to miss the deadline.
In practice, there are many reasons why data protection is a headache for companies. One is the sheer number of competing challenges, such as the coronavirus pandemic and supply chain problems, which appear to take priority. But that does not make data protection any less important, quite the opposite. The risks range from cyber-attacks and reputational damage in the event of a data leak or loss to fines for infringements of the GDPR, which also makes risk minimisation a fundamental obligation for any organisation that collects or processes personal data.
A complicating factor for many companies is that they find it difficult to judge the price-performance ratio and the quality of the external experts they need. This often leads to in-house developments that solve individual short-term problems but result in a patchwork. Riskier still, data protection projects started this way are often not followed up in the long term.
There are many more arguments for a holistic approach to data protection, including a better overview of corporate processes. Audits test internal security measures and reinforce the trust of customers, business partners and others in you. A welcome side effect is that raising the level of protection for personal data automatically raises the level of information security in the company as well.
Data protection needs to be viewed as an ongoing process and as the responsibility of every employee, not as a one-off measure. To foster this mindset and implement the corresponding operational measures, Bechtle has developed a structured process model. It begins by clarifying roles and responsibilities. A gap analysis then determines where the greatest need for action lies and which existing foundations can be built on.
Next, the company's web presence and e-mail marketing are put under the microscope, and for good reason: there are a great number of pitfalls here that outsiders can easily identify and potentially exploit. The good news is that they can be mitigated relatively easily, and quick wins build the motivation to tackle more complex topics head-on. A larger, but correspondingly more rewarding, task is the record of processing activities (Verfahrensverzeichnis) that the GDPR also requires. Enriched with additional important information, it can be expanded into the central document of your own data protection. After that it is time to check further details, including employment agreements and contracts with service providers, because mistakes can be made here too.
Once these challenges have been mastered, the next step is to stabilise the technical and organisational measures of data protection. One example is defining new processes so that everyone knows when to do what. These processes are also the basis on which employees are trained regularly. They are the ones who live the rules day in and day out and need confidence in their daily work with personal data. Subsequent audits demonstrate that a consistently high level of protection has been achieved. You will quickly see how invaluable such a framework of structured processes and measures is for ensuring and facilitating data protection in your company.
To distinguish this kind of concept from an ISMS, the term data protection management system (Datenschutzmanagementsystem, DSMS) is used. That should not scare anyone off. The appropriate level of protection is specific to each company and depends on its size and industry. The basic requirements set out in the GDPR must be met in every case, but beyond them there are many more measures ranging from voluntary and useful to strongly recommended, and sometimes all three at once. How high a particular company's level of protection needs to be can only be determined case by case.
Drawing on expert and practical knowledge from numerous projects with companies across a wide range of industries, Bechtle has developed best practices to support them and you.
We are your experienced consultants for
Providing a data protection officer when needed
Get in touch to find out more about our data protection solutions in particular or about our IT security services and solutions in general.