From a data protection perspective, hospitals, industrial companies, banks, public municipalities or even public authorities process personal data with varying degrees of sensitivity: personal data consequently also differ in their individual, technical degree of protection. The responsible decision-maker must identify and assess the risks of personal data of patients, customers, suppliers, etc. on the basis of a risk analysis and protect them against loss, misuse and modification by unauthorized third parties with organizational and technical protective measures to be determined: protective measures such as encryption, pseudonymization, anonymization, etc. are considered for the integrity of the data, confidentiality is ensured with a rights and roles concept as access control for data and availability with redundancies of data carriers – to name just three examples. The decision on the means of action must not be delegated by the responsible decision-maker to the external IT service provider.

What must be done? If personal data is processed on behalf by other entities, the Principal is responsible for the data protection regulations. The contractor may only process the data within the scope of the client’s instructions. In such a case, both sides are obliged to conclude a so-called order processing agreement with listed protective measures attached. On the system house side, the right tools must also be available in the portfolio; the IT service provider may advise on the selection of these!

Examples for the conclusion of an order processing agreement are among others the external payroll accounting, the external accounting but also the use of multifunction printers in the network with storage function, but not the tax advisor or the lawyer!

The explanations are not exhaustive and the risk analysis and the order processing contract are also only two tasks of many that your data protection consultant will be happy to carry out for you with your support.

The Internet has been around since 1989. It connects all computers together, because it should be a democratic source for all people of freely available information and services. The Internet facilitates our lives through many services, Wikipedia, social media, the sale and trade of products, online banking, many good aspects. Only we do not pay for it directly, but with our privacy, our data.

Data transmission in email traffic between computers is guaranteed and allowed by the communication protocol, TCP (Transmission Control Protocol) and the IP (Internet Protocol), but communication protocols are only formal descriptions of digital message formats and rules. Since the Internet was never set up with a built-in cryptography layer, when information is uploaded and published to Facebook or social media, data is always stored on the Internet. Data is controlled by companies and institutions in the process, and in those moments we lose control over them. 

Privacy should remain a personal right; the General Data Protection Regulation also emphasizes the „right to be forgotten and delete data“. To secure data, encryption is a technology that has been known for a long time, but we still use it much too little, if at all. Terrorist activities gave rise to the „Homeland Security Act“ in America in November 2002, which, among other things, established standards for maintaining information security and an annual independent assessment. Constitutional rights should not be relinquished. And yet, we must take note that not only the Brexit campaign and the elections were abused by steering data.

Blockchain technology could stabilize the Internet because no one can control the data. The financial structure is supported by encryption of the protocol layer. However, with the introduction of Bitcoin, only the data structure is changed from a centralized to a decentralized approach, but Bitcoin does not remain anonymous because of this! ……“. Privacy by design is essential. A technology is and remains only a tool! Privacy law dictates that it should be designed in such a way that it does not control people, but helps us to protect privacy. That is why data protection is so relevant!

“Best practice” for the systematic identification of risks is the neutral risk assessment that ensures systematics and objectivity. The result is an overview of the hazard potential and a risk assessment for preventive measures:

• So that failures in digital supply chains are no longer a cause of business interruptions;
• So that the advantages of new technologies – artificial intelligence, IoT etc. – and digitization can be used to increase efficiency.
• So that fires, explosions and natural disasters no longer threaten IT systems, data centers and cloud services, but instead protect redundancies, fail-safety and recoverability.
• And cybersecurity largely serves as protection for digital transformation and data protection.

Future-proof your business with a data policy of trust for progress and innovation. It’s a quality attribute. It positively influences the success of the company and leads to higher employee satisfaction.