Since the GDPR came into force, domestic companies have learned a lot about data protection – 78 percent even feel (very) well positioned when it comes to data security today. However, many data protection incidents go unnoticed.
–
On the occasion of the European Data Protection Day on January 28th Deloitte Austrian companies asked for their self-assessment on the subject of data protection. The result: More than three quarters have the feeling that they are (very) well positioned in terms of their general data protection. Almost four years after the GDPR came into force, data protection awareness is very high in business. The majority of those surveyed also have concrete plans for the coming year: almost 60 percent have planned projects for 2022 to further improve data security in their company. Only 26 percent see no need to take steps towards optimization in the coming months.
However, Georg Schwondra, partner and cyber security expert at Deloitte Austria, warns against overconfidence and emphasizes: “Data protection is not a final state that can be achieved. It should be understood much more as a process that must be continuously adapted and improved. This is the only way companies can prepare for a constantly changing threat landscape.”
Targeted measures planned
In order to prevent incidents in the new year or to recognize them in good time, the Austrian companies are considering specific measures: regular training for employees and awareness campaigns are intended to put the topic of data protection in the foreground in the long term. The continuous improvement of existing authorization concepts should also help to optimize data protection in one’s own organization – these points are tackled very specifically, especially in larger companies.
“In recent years, the focus has been on fulfilling the documentation requirements of the GDPR. Now it’s a matter of fulfilling the documented requirements in practice and establishing them in the company through technical and organizational measures,” says Georg Schwondra.
Technical measures for data classification
Better business decisions can be made with data classification. Deleting unnecessary data reduces storage costs and achieves legal compliance. Large companies and state-regulated areas in particular are currently using technical measures for data classification. “Data classification is an essential part of the data security strategy. At least a quarter of domestic companies still have some catching up to do,” explains Georg Schwondra. “Small and medium-sized companies are already showing signs of following suit.”
Around two thirds of those surveyed state that they were not affected by any (perceived) data protection incidents in the past year. A third noticed at least one incident. The survey shows that data breaches can happen regardless of the company’s industry and size. The problem: Many remain undiscovered.
Many data protection incidents go unnoticed
“We know from consulting practice that SMEs in particular are often unable to identify such incidents for technical or organizational reasons. You then feel a false sense of security,” explains Sascha Jung, partner at Deloitte Legal and external data protection officer for companies. “In general, it can be expected that there will be at least a few incidents per year in every company.”
According to the study, only one in four detected incidents is reported to the authorities. “In order for domestic companies to be able to comply with the statutory reporting obligation, they should revise and update their processes for identifying, evaluating and reporting data protection incidents at regular intervals,” concludes Jung.
–
