de | English
IT Security Dec 17, 2019

DSGVO: How to get GDPR compliance right.

“When you protect data, you’re protecting people’s basic rights,” explained Ulrich Kelber, the German Federal Commissioner for Data Protection and Freedom of Information, in a press release from early December. The press release continued on to state that telecommunications provider 1&1 had not implemented sufficient technical and organisational measures to prevent unauthorised individuals from obtaining customer data when calling the customer service hotline. In other words, 1&1 had failed to comply with the GDPR and was fined nearly 10 million euros as a result. This should serve as a serious wake-up call for those who haven’t taken the GDPR as seriously as they should be. Keep reading to learn how you can take ownership of data and information protection in your company.

Share article

When applied correctly, data protection and IT security can ensure your competitive position and business success. It’s simply unimaginable nowadays to establish business processes without efficient data protection and information security. The GDPR, which has been in effect since 2018, has significantly impacted how the majority of companies understand security. Since the Regulation’s introduction, data protection and IT security can no longer be thought of as separate concepts. Quite the opposite: the one depends closely on the other.

 

Why? You cannot successfully protect data if your company doesn’t have proper IT security. This means that if you want to comply with the GDPR, you've got to be on top of your IT security. In addition to enhanced risk management, the Regulation requires the “state of the art” when meeting data protection requirements. Moreover, the GDPR obligates you not only to take into account the state of the art, costs of implementation, and the nature, scope, and purposes of the processing, it also asks you to consider the probability of risk events occurring.

 

The main question then is, “What specific action can you take to meet all these obligations?” It’s clear that simply introducing new products and security mechanisms is not enough.

 

Data protection concerns both workers and bosses.

Executive managers carry strategic responsibility—and liability—for IT security and risk management. They’re also responsible for implementing information security management systems (ISMS). This requires them to provide the right resources to control, monitor and continually improve information security.

 

Compliance, which covers information security, availability, data protection, and data retention, is also a key concern for IT staff. Management and IT departments alone can’t take care of it all. Every employee must do their part—it’s required by law. Art. 39(1) a of the GDPR requires that employees receive awareness training. If companies neglect to raise awareness about information security and data protection, there’s simply no way for them to reach the level required for business success and legal compliance.

 

In addition, cyber-attacks are usually reported by employees. If they’re not aware of the threat, they’ll be ill-prepared to recognise them when they occur. Conversely, employees can be an underestimated risk for companies as the best security plan is useless if an uninformed worker opens the attachment of a phishing e-mail.

 

Summary.

  • Choose an official security standard, such as ISO 27001, ISMS native or, if you’re in Germany, the Federal Office for Information Security’s baseline security guidelines, taking into consideration the GDPR
  • Establish a management strategy for data protection and security
  • Provide the appropriate expertise and staff
  • Considering all stakeholders, define the required protective measures to apply across your entire company. Make sure to take IT compliance into consideration when doing so
  • Take inventory of your data processing and conduct a risk assessment to determine how well you’re currently protecting data and processes
  • Document your IT systems and processes as part of a data protection and information security plan
  • If necessary, have your company certified for GDPR or ISMS compliance according to a current security standard
  • Train all employees and remember that you’re legally required to document this

Most importantly, act now to avoid any business loss or personal liability.

heiner-golombek.png
Heiner Golombek
Head of Data Protection & Data Security