The EU General Data Protection Regulation (GDPR) has now been in force for over a year. The number of data breach reports received by the Data Protection and Freedom of Information supervisory authority in Baden-Württemberg has increased more than tenfold compared to the same period last year and shows no signs of slowing down. What can businesses do to stay secure?
Companies and authorities that use software or commission a service are responsible for the lawful processing of data, NOT the software vendor or commissioned service provider as many people assume. For this reason, Controllers must check the lawfulness of data processing. If commissioned data processing is carried out by a service provider, companies must ensure that a commissioned data processing contract has been signed. If a service provider uses data for its own purposes, as a rule, both the service provider and company bear joint responsibility and the company must ensure that processing is carried out lawfully.
Article 32 GDPR stipulates that, among other things, the state of the art and the risk to the rights and freedoms of the data subject must be taken into account when choosing IT security measures. The Controller therefore has to consider the current stage of development of advanced processes, facilities and operating methods that leading experts recognise as capable of achieving the specified protection goals. In practice that means keeping up with current developments in IT security and aligning with the German Federal Office for Information Security (BSI) IT baseline protection (IT-Grundschutz).
The Need-to-Know principle applies for the safeguarding of all data. Only those who need the information for their work should be able to view it. Even IT administrators should not have direct access to information in databases or applications, particularly when these data are sensitive. It must therefore be made technically impossible to view the data, for example, by using encryption.
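The following is an added example, not code from Bechtle or from the original article, showing one way to make the "even the administrator cannot read it" requirement technically enforceable: the application encrypts the sensitive field with AES-256-GCM before it reaches the database, so a direct read of the table (the administrator's view) yields only ciphertext, while the application decrypts for an authorised user. The record layout, the in-memory map standing in for the database, and the sample values are constructed for illustration; in a real deployment the key would be held in a KMS or HSM that database administrators cannot access.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Record is the row the application writes (constructed example layout).
// The sensitive field is stored only as ciphertext.
type Record struct {
	ID        string
	Name      string // business-necessary, kept in clear
	Diagnosis []byte // sensitive: nonce || AES-256-GCM ciphertext
}

// store stands in for the database table; constructed for this example.
var store = map[string]Record{}

// NewKey returns a random 256-bit key. In production it would live in a KMS/HSM
// that the application can use but database administrators cannot read.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts plaintext under key with a fresh random nonce. The record ID
// is bound as associated data, so a ciphertext copied onto another row is rejected.
func sealField(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openField reverses sealField; any change to key, nonce, ciphertext or record ID fails.
func openField(key []byte, recordID string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// StoreRecord is the application path: the only component that holds the key.
func StoreRecord(key []byte, id, name, diagnosis string) error {
	ct, err := sealField(key, id, []byte(diagnosis))
	if err != nil {
		return err
	}
	store[id] = Record{ID: id, Name: name, Diagnosis: ct}
	return nil
}

// AdminView is what a direct table read without the key yields: hex ciphertext only.
func AdminView(id string) (string, bool) {
	r, ok := store[id]
	if !ok {
		return "", false
	}
	return hex.EncodeToString(r.Diagnosis), true
}

// AppView decrypts for a user the application has authorised to read this record.
func AppView(key []byte, id string) (string, error) {
	r, ok := store[id]
	if !ok {
		return "", errors.New("no such record")
	}
	pt, err := openField(key, id, r.Diagnosis)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key, _ := NewKey()
	_ = StoreRecord(key, "p-1001", "Example Patient", "constructed sensitive value")
	raw, _ := AdminView("p-1001")
	fmt.Println("DBA sees:", raw)
	pt, _ := AppView(key, "p-1001")
	fmt.Println("authorised user sees:", pt)
}
```

Binding the record ID as associated data is the detail worth keeping: without it, an administrator who can write to the table could swap ciphertexts between rows and have the application decrypt a value under the wrong identity without noticing.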
The most common reason for a data breach has always been lost or stolen storage media such as mobile devices, USB sticks, hard drives, memory cards and notebooks. For this reason, mobile devices in particular should be encrypted. Every modern operating system has its own process for encryption (BitLocker, FileVault, LUKS and GELI).
Companies should secure their external communications, for example by means of a VPN or two-factor authentication. Data should only be transmitted after being encrypted using a state-of-the-art encryption process.
The GDPR also brings with it new rules for tracking on websites and in smartphone apps. Before a third-party reach analysis (audience measurement) can be carried out, the data subject must give informed, voluntary, active, prior and revocable consent.
There is an obligation to report personal data breaches. The company must report such breaches to the responsible data protection authority within 72 hours. Data loss is a reportable incident. The Controller must also check whether the data subjects need to be informed, depending on whether there is a risk to their rights and freedoms.
The supervisory authorities support companies with any questions, as the main focus of their work is on advising rather than monitoring. In 2018, a total of 4,440 requests for advice were received, which represents a year-on-year increase of 50% from the corporate and public sectors and a 270% increase from the private sector.
Those who seek out advice will find out that sensationalist headlines such as “Nursery blacks out photographs”, “Doorbells no longer allowed to display names” and “Schools ban parents from taking photographs” are nothing to be concerned about. Alvar Freude describes them as being completely blown out of proportion: “These headlines neither reflect the intention of the law, nor do the authorities interpret them that way, let alone pursue such perceived breaches.”
Bechtle advises and accompanies companies and authorities on the topics of data protection, IT security and IT law. Our qualified specialists offer workshops and training courses for data protection awareness, offer manufacturer-independent solutions for company organisation, appoint external data protection officers, assume operational responsibility and carry out data protection audits.
Head of the Data Protection and Security Competence Centre
Bechtle IT System House Neckarsulm
Published on Jul 17, 2019.