A virtual round table with Klaus Veselko, managing director of CIS – Certification & Information Security Services GmbH, and CIS network partner and lawyer Dr. Markus Frank on the occasion of the European Data Protection Day on January 28th. A brand new study on data protection violations by the Osservatorio of Federprivacy also provided a lot of discussion.
We have summarized the findings of the study briefly for you: In 2020, a total of 341 sanctions for violations of the General Data Protection Regulation (EU-GDPR) were imposed in the European Economic Area – and that amounting to € 307,923,725.
Sanctions in the amount of € 148,156,645 were imposed in December 2020 alone. That is around 48% of the total sentence. April 2020 was a comparatively quiet month for data protection with few legal steps taken – a possible cause could be the COVID-19 pandemic and that many companies had to reduce their business activities to a minimum.
Spain has most of the sanctions (133 sanctions), but France is the country with the highest fines (a total of € 138,316,300). In terms of data protection, Austria tended to be in the lower third of all the countries examined. With a total of only three fines and an average amount of € 33,583.00, the sum of the sanctions was only € 100,750.00. In comparison, that was more than 37 million euros in Germany, that is 370 times (!). These figures allow the following interpretations: Either the domestic companies are very mature and legally compliant when it comes to data protection or they are not yet monitored or judged so closely in this country. However, that could change very quickly. The EU Commission is increasingly pushing for uniform implementation of the GDPR in the EU. By far the most common reason for penalties was the lack of lawfulness of the processing, followed by inadequate IT security. Data protection management systems (DSMS) help to avoid both.
Here you come to the study (Link)!
The new study contains alarming figures. How would you reflect on this study? What do these results mean for companies?
Klaus Veselko: The study shows how strongly there are actually warnings and, unfortunately, also how high the risk for organizations and responsible managers is in reality.
For companies, this means that the subject of data protection cannot be taken lightly. Walking the tightrope, as may have happened in recent years, can and must no longer be continued. This report makes it clear once again how important the protection of personal data both for companies and consumers on the one hand and the use of management systems in the area of data protection and information security on the other hand really are. This is the only way to minimize or uncover gaps and ultimately save companies a lot of stress, frustration and, of course, costs. I think all managers know better things to do than invest time and money in legal disputes.
So how can companies be supported in terms of data protection?
Klaus Veselko: In addition to an ISMS (note: information security management system), a GDPR assessment looks at the data protection situation of a company from a legal point of view. Gaps are identified and specific, necessary steps to improve GDPR compliance are set out. The next logical step is a certificate according to ISO 27701, which serves as proof of GDPR-oriented data protection and a functioning data protection management system in the company. One thing is very clear: data protection must be anchored in the corporate culture and continuously evaluated. A data protection certification increases the trust of employees, customer and partner organizations in the company.
What preventive measures and legal opportunities do standards and certifications in the field of data protection and information security offer?
Markus Frank: With a certificate for data protection and information security, the legal security and transparency of processes are continuously increased. At the same time, of course, the risks of data protection violations and the consequences thereof are minimized and solid data protection mechanisms are ensured. A ISO 27701 certification and a data protection management system help to systematically avoid GDPR violations and, in the event of a case before the data protection authority or in court, to reduce the liability of the responsible managers. According to a current decision by the Austrian Administrative Court, the data protection authority must determine a natural person in the organization to whom the violation can specifically be attributed. In future, the data protection authority will list this person as a further suspect in administrative criminal proceedings alongside the organization.
What is the situation in the home office like? As we all know, home office activities have increased massively since spring 2020. Are there legitimate concerns about data protection and processing? What else do you need to consider?
Markus Frank: Especially when many employees are currently working from home, special data protection and security measures must be taken. The confidentiality of personal data and that it is protected from unauthorized processing as well as from accidental loss or unauthorized access must continue to be guaranteed. It is therefore particularly important, for example, that only the hardware and software solutions provided by the employer are used and that the organizational IT infrastructure is only accessed via a secure VPN connection. At the same time, a “clean desk policy” must be ensured – this also means that neither family members nor other people living in the household have access to the data to be protected. Ideally, this implies working alone in a room or a password-protected screen lock when leaving the workplace Pay attention to data protection-friendly default settings, data protection impact assessments may be necessary as well as the addition of order processing contracts and the processing directory.
If data protection incidents become known in the company, this must be reported immediately to the responsible data protection officer and management and a corresponding procedure must be established. And of course: always document everything!
How important is it to employ competent and highly qualified personnel?
Klaus Veselko: With the increasing importance of data protection, we are also noticing a very strong demand for specialist staff in this area. Be it the Chief Information Security Officer, the data protection officer or the information security manager: People who internally raise awareness of data protection and at the same time carry out possible optimizations and measures to protect data will remain an integral part of the company in the future. Ultimately, they have the essential know-how to operate data protection and information security management systems.
When choosing training partners, it is important to ensure that a company is accredited. CIS is a competent accredited partner with an extensive program Training and personal certification, which will help you to be more successful with security and privacy.
Finally, I would like to remind you of 2018. Do you remember that the General Data Protection Regulation was voted “Unword of the Year”? What do you think about it?
Klaus Veselko: It is human nature to reject the unknown and that is exactly what the unword of 2018 expresses. Many panic about the switch in 2018 – reports of horrific fines running into the millions have added to this general hysteria and negative sentiment. In the meantime, many companies have successfully implemented the processes of the GDPR and the first companies have their internationally valid certificates on data protection or data privacy (note: certifications according to ISO / IEC 27018 – data protection in the cloud, or ISO / IEC 27701 – Data protection management system).
The GDPR per se does nothing or harm to anyone. Fortunately, this seems to have largely reached the leading minds of companies and private individuals. The GDPR has strengthened the lawful processing of data, more transparency and the protection of personal data, and we also hope that this negative perception of sanctions will decrease in the future.
This article and related links can also be found under https://at.cis-cert.com/Pages/de/News-Presse/Aktuelle-Fachbeitraege/Datenschutz.aspx
– .
