Data protection - stay away from me ...
Dr Alexander Deicke, Managing Director of K11 Consulting GmbH
Published in: DiALOG - THE MAGAZINE FOR ENTERPRISE INFORMATION MANAGEMENT | 2020
This sentence is probably the first thing that comes to most people's minds as soon as they hear the words ‘data protection’. The main reason for this thought is that many people assume that they themselves are not affected by data protection (law). However, data protection plays an essential role in many areas, and not just since the GDPR became applicable on 25 May 2018.
But what exactly is data protection?
Data protection is the protection of personal data from misuse, which is why data protection aims to safeguard the fundamental right to informational self-determination.
As a result of advancing digitalisation and networking, the collection, storage, transfer and use of data is increasing accordingly. People usually pass on their data without giving it a second thought, be it by providing their address for competitions or registering with a social platform.
However, there is still a certain indifference to data protection among large sections of the population and among companies, who attach little or no importance to it or even perceive it as an annoying, innovation-inhibiting element. This is probably because most people only see one side of the GDPR, namely the increased obligations and the fines for violations, while ignoring its other side, which also takes economic interests into account and establishes the free movement of personal data. Striking a balance between data protection and the exchange of information is therefore not always easy.
Why must personal data be protected?
It can have serious consequences if your private e-mail address or the intimate details of your medical history become known, but the disclosure of sensitive account data or business data such as designs or construction plans can also cause serious damage.
Especially in the age of digitalisation, the fear of the ‘transparent person’ is omnipresent. Despite this, experience shows that many people still treat the disclosure of personal data carelessly. Although everyone is free to decide when and to whom they make which of their data accessible and for what purpose, this should always be carefully considered. Global platforms such as Facebook and Google are constantly collecting data about their users' activities. This analytically calculated user behaviour is used to collect information about everyone's preferences, which makes it possible for third parties to create personalised advertisements. Millions in profits can be made each year from this collected data. Furthermore, the misuse of sensitive data also has consequences under criminal law.
How can data protection be implemented?
If companies then realise that the legislator did not adopt the GDPR merely for its own sake and that they do indeed have to comply with data protection, the next question is often how to get a grip on the data octopus while taking our federalist muddle into account.
Data protection should not be taken lightly. Within the framework of the BDSG/DSGVO, various elements must be taken into account, including whether and how the flow of data is regulated, for example within a group of companies and to non-EU countries: have BCRs (Binding Corporate Rules) been put in place for this, or is it covered by the EU standard contractual clauses? If a company also uses external service providers or specialist services, such as payroll accounting or software providers, this must likewise be regulated separately by contract. Another important question is who is responsible for the processing: is there joint responsibility (so-called joint controllership within the meaning of Art. 26 GDPR), or should responsibility be allocated by a controller-to-controller agreement? In addition to all these questions, a certain level of IT expertise should also be available so that a data protection management system can be introduced and implemented correctly.
As a guide for the correct implementation of data protection, the SHIT method should be used, i.e. implementation by:
- Sensitisation: by always referring to data protection
- Help: familiarising employees with data protection through guidelines, processes and specific instructions
- IT connection: dovetailing with IT and IT security is essential due to digitalisation
- Transition: i.e. building bridges between theory and practice, or between big data with its principle of ‘we collect everything’ and privacy by design with its principle of data minimisation
Outlook and why companies benefit from data protection compliance
Although data protection regulations are primarily aimed at the interests of users, companies are also increasingly benefiting from being data protection compliant. Companies can no longer afford to work with other companies that do not take the protection of company data seriously, because digital exchange is precisely where internal company data becomes exposed. Data protection-compliant implementation within the company can therefore not only improve the company's reputation at B2B level, but also set it apart from the international competition.
Companies at the forefront of digitalisation, or those who want to get there, should therefore rethink and stop seeing data protection as an obstructive element, but rather as something that goes hand in hand with their business and protects a company's interests on both sides.