Last year, in May, the transitional period for the long-awaited EU General Data Protection Regulation (EU-GDPR) ended. A set of rules has thus come into force that has meanwhile become the central hub for companies when it comes to data exchange and GDPR. Companies that collect, store, manage or transfer data of EU-citizens are legally obliged to comply with the GDPR. This also includes client data, names, telephone numbers, email addresses or other data with which a person can be identified.
More than a year after the implementation, the data protection authorities have a lot of work on their hands. As became known in July 2019, the British data protection authority, for example, is imposing a fine on the airline British Airways of over 2 million euros for a data breach in online bookings in 2018. During an attack in 2018, cyber criminals managed to get hold of personal data and credit card information including security codes from passengers. Nearly 500,000 customers were affected. According to British Information Commissioner’s Office (ICO) this was due to the airline’s weak security precautions. The Information Commissioner of the ICO, Elisabeth Denham was very clear about this case: “People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office.”
However, the US hotel chain “Marriott” has also done too little for data protection in the eyes of the authorities to secure their computer systems sufficiently. In November 2018 the company had to admit to a massive information leakage through which hackers could get information of 383 million guests. 5.25 million passport numbers and 385,000 valid bankcard numbers were obtained.
But first, a case closer to home: in Baden-Württemberg a fine of over 50,000 euros was imposed on a bank that had processed data of former customers without authorization.
The uncertainty and confusion among the citizens, but also among companies, remains great. Even if the now valid regulations sometimes conjure up paradoxical cases – just remember one idea of “Bild” and the owners’ association Haus & Grund as to whether it might be necessary at some point in the course of the GDPR to dismantle all doorbell panels for data protection reasons – in principle the focus lies on the protection of sensitive data. And this should not be ignored under any circumstances. After all, it is primarily a matter of safeguarding and protecting the rights of the individual.
With the GDPR, the protection of sensitive data has become more important than ever. The embedded principles call for preventive measures to be taken; to ensure exactly this comprehensive protection. Thus, the risks of data misuse should be significantly reduced. Concepts such as privacy by design, standardization and certification are increasingly shifting data protection requirements to the technical level. Companies should use the GDPR as an opportunity to consolidate their data and thus also to control internal processes more sustainably. Data protection requirements based on certain standards and certifications, as well as the corresponding evidence on data processing, have already led to a better assessment and control of the risks associated with data processing. And that is exactly what is needed for data-driven business models and the ongoing digitalization process.
The GDPR focuses strongly on the subject of technical data protection and IT security.
Depending on the required protection level specific security measures need to be implemented (Art. 32 GDPR). The required technical and organizational measures include:
>When determining individual protection needs, you must consider the risks to the individual of destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal information.
According to Article 25 GDPR the principles of data protection should already be taken into account when implementing and developing products, services, applications and technical processes that concern personal data (Privacy by Design). Appropriate technical implementation should ensure that

- only certain data is collected,
- which is pseudonymized and encrypted as fast as possible,
- processed only to the extent necessary,
- deleted after the storage period has expired, and
- only accessible by certain persons.
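The five Privacy by Design points above, carried through in one small pipeline as an added example (not code from the original article or from any product it mentions): an allow-list limits what is collected, identifiers are pseudonymized with a keyed hash whose key lives apart from the data, every record gets an expiry that a purge honours, and reads are restricted to an authorised role. The key, field names, retention period and sample record are all constructed for the demonstration.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Constructed demo key; in practice the pseudonymisation key is kept separate
# from the data store so that stored tokens cannot be reversed there.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"

ALLOWED_FIELDS = {"customer_id", "email", "order_total"}  # data minimisation
IDENTIFYING_FIELDS = {"customer_id", "email"}             # pseudonymised at ingest
RETENTION_DAYS = 30                                       # assumed storage period
ALLOWED_ROLES = {"billing"}                               # who may read records


def pseudonymise(value: str) -> str:
    """Keyed hash: same input gives the same token, but without PSEUDONYM_KEY
    the token cannot be mapped back to the person."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def ingest(raw: dict, collected_on: date) -> dict:
    """Drop fields outside the purpose, pseudonymise identifiers, stamp an expiry."""
    record = {k: v for k, v in raw.items() if k in ALLOWED_FIELDS}
    for field in IDENTIFYING_FIELDS.intersection(record):
        record[field] = pseudonymise(str(record[field]))
    record["expires_on"] = collected_on + timedelta(days=RETENTION_DAYS)
    return record


def purge_expired(store: list, today: date) -> list:
    """Deletion once the storage period has passed: keep only unexpired records."""
    return [r for r in store if r["expires_on"] > today]


def read(store: list, role: str) -> list:
    """Access only for authorised roles; everyone else is refused outright."""
    if role not in ALLOWED_ROLES:
        raise PermissionError(f"role {role!r} may not read personal data")
    return store


# Constructed sample input containing a field (phone) the purpose does not need.
SAMPLE = {"customer_id": "C-1001", "email": "anna@example.org",
          "phone": "+49 000 000000", "order_total": 42.50}

if __name__ == "__main__":
    stored = [ingest(SAMPLE, date(2019, 7, 1))]
    print(stored)                                   # no phone, tokens instead of identifiers
    print(purge_expired(stored, date(2019, 7, 31)))  # [] once the period has elapsed
```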
The principle of data protection-friendly default settings (Privacy by Default) is anchored in Article 25 GDPR. It requires IT systems and applications to be preset in such a way that they only process personal data that is necessary for the purpose pursued in each case.
As a forward-looking basic decision, you should definitely take these principles into account. The GDPR focuses on prevention instead of subsequent correction, data protection by default, an embedding of data protection and data security in the design, full functionality, protection of the entire life cycle, visibility and transparency, and respect for privacy. If you already ensure, at the technical level, a minimization of the data to be processed and its protection through technical and organizational measures, the processing risk is significantly reduced.
The specific security measures you need to take will be determined by an individual analysis of the nature, extent and content of the processed data, the purposes and the circumstances of the data processing, including the relevant business processes, IT systems, applications and infrastructures. Companies can address the issues of IT security and privacy by design with the help of appropriate compliance audits, certifications according to Article 42 GDPR and Best Practice Guidelines. The GDPR also provides the possibility of adhering to approved industry-specific rules of conduct in accordance with Article 40 GDPR.
For every company worldwide that stores, processes or works with data of EU citizens, the European Data Protection Regulation is binding. Where the headquarters of the company are located is irrelevant. In recent years, data has been stored in many different places, but now the EU-GDPR is putting a stop to this by demanding a permanent overview of data distributed throughout the company. Sovereignty over stored data is therefore becoming increasingly important.
Individuals in particular have various rights which you and your company must fulfill at all times upon request:
This is inseparably linked to proving that data protection and data security (including the use of EU-GDPR-compliant software) are maintained. According to the GDPR, the so-called “built-in” data protection “Privacy by Design” is mandatory. It states that only software that automatically meets these requirements may be used. Overall, the GDPR places greater emphasis on the principle of risk-based data protection.
With the implementation of the new EU-GDPR, the liability risk for data protection violations has increased enormously not only for companies, but also for their CIOs, managing directors, employees and internal data protection officers. Since 25 May 2018, all parties involved have had to expect much higher penalties than before for violations of data protection regulations or their supervisory duties. According to § 42 DSAnpUG (Datenschutz-Anpassungs- und -Umsetzungsgesetz EU – Data Protection Adaptation and Implementation Act), infringements in the handling of personal data are subject to criminal sanctions in addition to fines, such as imprisonment for up to three years. In order to protect yourself from these severe penalties, you must establish an appropriate compliance structure and develop specific measures for compliance with the EU-GDPR. Train your employees and prepare them for the changed regulations. An external data protection officer reduces your personal risk by shifting your liability. Regular audits serve to check the extent to which you and your company comply with data protection requirements.
A GDPR-compliant IT partner can make a lot of things easier if the infrastructure is operated by that partner. Use technical solutions that adhere to the principles of “Privacy by Design” and “Privacy by Default” and are manufactured and operated in Germany or Europe. These solutions are subject to the strict European data protection laws and ensure GDPR-compliant data processing. If the software has end-to-end encryption, including client-side encryption, you can also be sure that your data is protected to the maximum. In this case, the data is already encrypted on the end device. The data cannot be decrypted on the server itself, because the key material remains on the client. This ensures that neither the cloud provider itself nor third parties are able to access stored data.
Enterprises should use the GDPR to protect themselves against the risks associated with digitization. The German cloud solution DRACOON supports enterprises in ensuring secure and GDPR-compliant data processing.
Christian Volkmer, data protection expert and managing director of the Projekt 29 GmbH & Co.KG, thinks so too: “I see the GDPR as an opportunity for companies to position themselves well for the challenges posed by digitization. German cloud solutions such as DRACOON provide the perfect electronic basis for exchanging and storing data in a GDPR-compliant manner”.
DRACOON is developed in Germany and operated in ISO 27001-certified data centers. The integrated client-side encryption prevents data from flowing out. Thanks to the data protection-friendly technology design (Privacy by Design) and data protection-friendly pre-settings (Privacy by Default), your users also work in compliance with data protection right from the start. Furthermore, the universally applicable API enables a connection or integration of other applications such as MS Office or even special industry software; DRACOON serves as central data storage for all (sensitive) company data. Via the DRACOON web app and mobile apps, authorized users have access to the data at any time and anywhere.
| STATUTORY REQUIREMENT | DEFINITION | DRACOON SOLUTIONS |
|---|---|---|
| Confidentiality | Suitable protection for personal data, including protection from unauthorized or unlawful access | Client-side encryption, allocation of permissions |
| Integrity | Data remains unchanged, alterations can be tracked | Audit log, allocation of permissions, recycle bin (versioning) |
| Availability | Availability and resilience of systems and services | Advantages of a cloud solution: data is available everywhere, all the time, backup, recycle bin |
| Transparency | Personal data must be handled in a comprehensible way for the people involved | Audit log, transparency of entitlements |

| STATUTORY REQUIREMENT | DEFINITION | DRACOON SOLUTIONS |
|---|---|---|
| The data subject’s right to information | Right to information on purposes of processing, categories for processing, recipients, storage period | Activity log, audit log |
| Right to be forgotten | Personal digital data should not be available for an unlimited amount of time | Expiry date for users, files and releases |
| Right to data transferability | Release and transfer of the data in a structured, commonly used and machine-readable format | Via open JSON/REST-API |
| Data protection-friendly default settings | Privacy by Default, Privacy by Design | Encryption standards, authorization management and data releases |
| Requirements for responsible selection of order processors | Careful selection of any other processors, so that the data processing is also carried out in accordance with the EU GDPR | DRACOON complies with all relevant data protection and compliance requirements and has relevant data protection seals as well as certifications |
| Security of processing | An appropriate level of security must be ensured | Client-side encryption, allocation of permissions |
| Notification in case of a data breach | Obligation to communicate breach of data security is voided if the data has been encrypted | Client-side |