Articles about the new EU General Data Protection Regulation (EU-DSGVO, GDPR) are sprouting from the ground like spring flowers in warm weather. The uncertainty among companies is great and often ends in a kind of paralysis. We don't want to bombard you with legal paragraphs, but rather break the topic down into three main points to support you in this process.
Let's start by saying that I think the idea behind the GDPR reflects "common sense" on the subject of data protection. When I order a smartphone from Digitec or new shoes from Zalando, I want my personal data to be kept safe and not fall into the wrong hands. The DSGVO takes care of exactly that. I hope and assume that most companies share this view and already protect their customer data to the best of their ability. Granted: in parts, the law uses a sledgehammer to crack a nut where SMEs are concerned. However, unlike large companies, SMEs have a very easy time identifying the data that needs to be protected. This topic is discussed in more detail in the last section.
If we take a closer look at the regulation, we see that natural persons resident in the EU are mainly granted the following three fundamental rights:
- Right to information
- Right to deletion
- Right to protection against unauthorised access
This means that all companies that store and/or process personal data of natural persons from the EU are affected by the DSGVO.
In order to fulfil these three basic rights, I, as a company, must first know exactly where this data is. With this we have already arrived at the core challenge.
Problem: Where is my customer data?
In most companies there is no ongoing process for this. In the past, the IT department usually knew (at least approximately) where the customer data was located. CRM and ERP are the classics. Maybe an external newsletter tool. A webshop. But often there is no documentation of what data is stored where. Are there perhaps still Excel sheets that only the sales representatives know about? And the larger the company, the more opaque it becomes. Moreover, in the cloud age, departments often subscribe to external services and applications that IT no longer knows about. The chaos is complete.
This is exactly where DSGVO comes in.
The DSGVO forces companies to think about what customer data is stored where and to anchor this as a central process in the corporate culture. Data must be identified and classified. Depending on the size of the company, this is a very complex task. For smaller companies and SMEs the effort is usually limited. Often, however, this process is also the starting point for a consolidation of services, which in turn makes IT clearer and simpler again.
Right of access and deletion
As soon as I know which customer data is stored where, I can tackle the actual requirements and processes. The right to information and deletion means: the customer has a right to know what data the company has stored about him. The company has 30 days to provide the information after such a request. The law requires a defined process for this. In the same way, the customer can also have his data deleted.
Right to protection against unauthorised access
Who has access to my personal data? Are there people in the company who never need this data in their daily work, but still have access to it? How is this access secured? Password? Multi-factor authentication? How are the servers protected? Is the customer data transferred to the cloud in encrypted form? Does my customer portal have a web application firewall? These are questions you should ask yourself, regardless of whether your company is affected by the DSGVO or not.
The DSGVO project can be quite daunting at first glance. Don't let this discourage you. Take the chance to analyze your services and perhaps even consolidate them where necessary. In smaller companies, the IT department and the management can draw up a first list of the data together and see relatively quickly how complex the whole project is and where there is potential for optimization. In small environments the DSGVO can be implemented without any problems within a few days. Larger companies with more complex environments usually depend on external help. Specialized and experienced IT service providers support you along the way and make sure that your environment meets the current security requirements.
Put the main focus on the identification of the data!
Over the last few months, we have been able to support a number of customers in analysing their current security measures and, based on this, providing input and options for optimisation. Thanks to our vendor-neutral view, we can provide independent advice. When it comes to "protection against unauthorized access", we recommend focusing on the following topics:
- Is the data transferred encrypted to and from the cloud?
- Are there personal, named accounts for servers, applications, etc., so that it is possible to restrict which user has access to which data?
- Are my servers updated regularly?
- Does my server have endpoint protection?
- Is an up-to-date firewall with features such as an IPS for zero-day protection used?
- Are my web applications protected by a web application firewall against attacks such as SQL injection, cross-site scripting, etc.?
- Do I use a central log correlation tool (SIEM) to quickly identify potential threats?
Fortunately, many of our customers are already well underway in this area and only need to make selective improvements, if any, so that the main focus can be placed on identifying the data and setting up the processes. We have put together some links which can also support you in this process.
Would you like to discuss the topic at your leisure? Contact us!
The Regulation will enter into force on 25 May 2018. If you are not sure whether and in what way your company is affected, or if you want to analyze the security of your environment in general, it is high time for a first conversation. We are happy to support our customers, both with an initial analysis and with the subsequent implementation. Thanks to our network of IT system integrators, we can also draw on a wide network of contacts if necessary and call in a suitable partner for your concern.