
Learnings after 1 year of GDPR

Robert Buschmann, Certified Data Protection Officer and Auditor, Enobyte GmbH

Wed 19.06.2019, 11:07

This month marks the first anniversary of GDPR enforcement. We’ve already seen fines being issued for major data breaches and violations of legal requirements, and we have also dealt with several incidents ourselves. In the following report, we share our learnings from this past year of helping our various clients, so that your company can implement changes that reduce the risk of data breaches, make their handling more efficient and reduce accidental violations of the legal requirements. In particular, we found streamlined communication flows to the Data Protection Officer (DPO), a solid backup system and regular deletion routines to be the biggest factors in helping a company react to data breaches calmly and in a structured way.


Technical

Physical IT security

  • Good back-up systems and procedures are important as unexpected events can damage or destroy equipment at any time. Having back-ups in multiple locations reduces the risk even further
  • Transports of data carriers should always be safeguarded by encryption, registered mail and tracking codes, to prevent loss or accidental data leakage
  • Keys to the server-room or closet should only be available to IT administrators and the general manager
  • Employees should never leave their devices unobserved when outside the office, as theft can easily lead to major threats to business secrets and personal data

IT security

  • Passwords should be at least 8 characters, and for login passwords on devices even 10 characters or more, as modern GPUs can crack 8-character passwords stored on the device within half a day
  • Passwords should not be renewed every few months, as this leads to overall weaker passwords
  • Every account should have unique passwords to protect against credential stuffing attacks
  • Logins should be blocked after only a few wrong attempts to hinder brute-force attacks
  • Login attempts should be logged for a few days to retrace malicious actions
  • Devices should be hardware encrypted to ensure a frictionless base level of security
  • All mobile devices (smartphones, laptops) should be remotely erasable
  • The company network should not be accessible to visitors. If it is necessary for a visitor to connect to the network, using a separate guest network is one option to reduce the risk of cross-contamination


Measures

  • Access rights should be limited to the required tasks of a person
  • Firewalls and Anti-Virus software should be in place and outfitted with strict policies
  • E-mail encryption can be difficult to implement, but is easy to maintain and increases customers' trust
  • Increasingly, digital signatures on e-mails are required for business mails to customers and partners
  • Including a link to your privacy policy in the e-mail footer helps the perceived transparency of your company
  • IT staff should receive special training to incorporate personal data protection and IT security
  • Logs from websites should be kept for a limited amount of time (7-14 days unless otherwise specified by law)
  • Automatic deletion routines should be implemented where possible to decrease the administrative load
  • Devices issued to the employees should be locked down and forbid installation of untrustworthy apps or programs
  • Having specialised and data protection aware IT staff reduces the cost for outside consultants and usually leads to solutions that are a much better fit to the company
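The login-blocking and log-retention points above (block logins after a few wrong attempts, keep login attempts for a few days, delete logs automatically once the retention period is over) combined into one small module. This is an added illustration, not code from the article or from Enobyte; the threshold, lockout length and retention period are assumed values chosen to match the advice, and timestamps are plain unix seconds so the policy can be tested without a real clock:

```python
# Added example (not from the original article): lock an account after a few
# failed logins and keep a login-attempt log that is pruned after a few days.
# The policy values below are assumptions chosen to match the article's advice.
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5            # lock after "a few wrong attempts"
LOCKOUT_SECONDS = 15 * 60          # how long an account stays locked
LOG_RETENTION_SECONDS = 7 * 86400  # keep login attempts "for a few days"


@dataclass
class LoginAttempt:
    account: str
    success: bool
    at: int          # unix timestamp in seconds


@dataclass
class LoginGuard:
    attempts: list = field(default_factory=list)     # the retained login log
    locked_until: dict = field(default_factory=dict)  # account -> unlock time

    def is_locked(self, account: str, now: int) -> bool:
        return now < self.locked_until.get(account, 0)

    def attempt(self, account: str, password_ok: bool, now: int) -> bool:
        """Record one login attempt; return True only if the login is allowed."""
        self.prune(now)
        if self.is_locked(account, now):
            # Attempts during a lockout are logged but never succeed, so even a
            # correct guess gains nothing until the lockout has expired.
            self.attempts.append(LoginAttempt(account, False, now))
            return False
        self.attempts.append(LoginAttempt(account, password_ok, now))
        if password_ok:
            return True
        if self.recent_failures(account, now) >= MAX_FAILED_ATTEMPTS:
            self.locked_until[account] = now + LOCKOUT_SECONDS
        return False

    def recent_failures(self, account: str, now: int) -> int:
        """Failed attempts for this account inside the current lockout window."""
        since = now - LOCKOUT_SECONDS
        return sum(1 for a in self.attempts
                   if a.account == account and not a.success and a.at >= since)

    def prune(self, now: int) -> None:
        """Automatic deletion routine: drop log entries past the retention period."""
        cutoff = now - LOG_RETENTION_SECONDS
        self.attempts = [a for a in self.attempts if a.at >= cutoff]
```

Because `prune` runs on every attempt, the retained log never grows beyond the retention window, which is the behaviour the deletion-routine point asks for.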

Organisational

Measures

  • All processes should be documented clearly and accessible to all relevant staff to help communication and clarity within the company
  • Deletion times and procedures for different kinds of data should be noted in a clear document
  • Lines of communication should be established in case of data breaches or incidents that might violate data protection (data loss, device loss, hacking, accidental disclosure). For a quick response, the DPO should be included at the earliest possible time
  • In case of a data breach, one member of staff who is knowledgeable about the incident should remain available for clarifications, and distractions should be limited
  • Guidelines and internal regulations should be discussed with all relevant staff to prevent misunderstandings
  • Staff should be regularly trained on the importance of data protection and IT security awareness as these trainings increase responsiveness and careful handling of new situations
  • To maintain clear procedures, having a workshop and role-plays can be helpful
  • Employees must not feel discouraged from questioning the processing of personal data, however minor it might seem
  • Managers should be aware of the general terms and principles of GDPR to guide their employees with questions
  • Appointing one point of contact for the DPO within the company (a data protection coordinator) will help streamline communications. Such a DPC should be given extra time for these duties
  • Changes to documents, records and personnel files should be logged to detect manipulations and to prove due diligence
  • Shredders should be easily accessible from the printer to securely destroy misprints

Laws & Regulations

  • The DPO has to keep up to date with any changes that might affect the company and should therefore be supported with time and resources (such as books, journals)
  • The privacy policy must be maintained and reviewed regularly, as many changes arise from court decisions and changing terms of service of service providers
  • Cookie consent must be clear, voluntary and expressly given
  • Certain analytics software is only allowed with prior opt-in
  • Platforms that are used by the company must be disclosed in the privacy policy and it might be necessary to conclude separate contracts and agreements with them
  • CCTV operation must be clear to visitors and should not monitor public areas
  • Camera dummies are subject to the same regulations as real cameras because they might still influence people's behaviour
  • WhatsApp is not and will not be GDPR compliant in a business context

Changing landscape

The biggest truth about GDPR continues to be that there are no fixed certainties. Court decisions alter detailed interpretations on a weekly basis, with major decisions changing the implementation of GDPR coming every month. One example of this is the assumed joint controllership between platforms and the companies operating a page on them (e.g. Facebook, Twitter, LinkedIn).

We also expect further rulings on cookie-notices, tracking and analytics technology and more.

With the ePrivacy Regulation currently delayed for another few months, many authorities already see the GDPR as overruling the existing national implementations of the ePrivacy Directive. Unless specific laws or provisions are made for broadcasting (internet, TV, radio, etc.), it will be difficult to guarantee legal certainty with just the GDPR.

Robert Buschmann
Certified Data Protection Officer and Auditor
Enobyte GmbH
info@enobyte.com
https://enobyte.com/