Outsourced IT – the data processing agreement to protect you

The media report daily on cyber incidents, and the victims are becoming more prominent and more numerous. In many companies, the realization is growing that more needs to be invested in IT security. Many rely on the system house that manages their IT, according to the motto “they will make sure that nothing happens to us”. Is this your motto?

Then those responsible for data processing in the company could still face a painful fine in the event of a data protection breach if it is determined that no data processing agreement is in place. The agreement addresses the data risk, in particular through its description of the technical protective measures. Why?

Well, because a company that outsources its IT only adequately meets the legal requirements of the General Data Protection Regulation or the revised Data Protection Act if this agreement is in place.

According to Art. 28 GDPR/Art. 5 DSG, commissioned data processing exists if a body processes personal data on behalf of, and under the instructions of, another body. This is certainly the case with an external IT service provider. But why must the provider also act on the instructions of the responsible party? What does that mean?

From a data protection perspective, hospitals, industrial companies, banks, public municipalities and even authorities process personal data with varying degrees of sensitivity: personal data therefore also differ in the technical level of protection each requires. On the basis of a risk analysis, the responsible decision-maker must identify and evaluate the risks to the personal data of patients, customers, suppliers, etc., and protect that data against loss, misuse and alteration by unauthorized third parties with organizational and technical measures to be determined: for the integrity of the data, protective measures such as encryption, pseudonymization, anonymization, etc. are possible; confidentiality is ensured with a rights and roles concept as access control for the data; and availability is ensured with redundant data carriers, to name just three examples. The responsible decision-maker must not delegate the decision on the choice of measures to the external IT service provider.

What needs to be done? If personal data is processed on behalf of other bodies, the client remains responsible for compliance with the data protection regulations. The contractor may only process the data within the framework of the client’s instructions. In such a case, both parties are obliged to conclude a so-called data processing agreement, with the protective measures listed in its annex. The system houses, for their part, must also have the right tools in their portfolio; the IT service provider may advise on their selection!

Examples of cases in which a data processing agreement must be concluded include external payroll accounting and external bookkeeping, but also the use of networked multifunction printers with a storage function, but not the tax advisor or the lawyer!

These explanations are not exhaustive; the risk analysis and the data processing agreement are only two of the many tasks that your data protection consultant will gladly carry out for you with your support.