26/10/2016
msg advises on the technical impact the new regulation has on companies.
The new EU General Data Protection Regulation has gone into effect. Companies now have until May 25, 2018 to implement the requirements set forth in the regulation. Among them is a demand for “Privacy by Design” and “Privacy by Default”, as well as much stricter sanctions than previously imposed by the Federal Data Protection Act in case of violations.
What exactly do the two requirements mean for companies, especially in the technology industry? To find out, companies must first identify which personal data they hold and use, and then determine precisely which data is necessary to achieve specific ends. The essential principles in this context are data minimization and purpose limitation: only data that is actually necessary for the processing purpose should be collected, stored and used. At the same time, any data that is collected and used must be adequately protected. Further, the portability of the data must be guaranteed, meaning the ability to transfer the data to other providers.
The range of technical modifications that may be necessary is immense. It ranges from, for example, the use of HTTPS for websites, the question of whether IP addresses should be transferred to third parties as soon as a website is accessed, and whether a person’s date of birth should be requested for online orders, to whether the data used by a company should be pseudonymized, anonymized or encrypted prior to use. Yet the aforementioned examples are not equally applicable in every company, since what is required depends on what the data is being used for and which data is needed for that purpose.
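To make the three measures named above concrete, here is an added example (not code from msg or from the press release) that applies purpose limitation, pseudonymization and anonymization to a constructed web-shop order record. The processing purposes, the field lists per purpose and the sample record are assumptions made for illustration; a real company derives them from its own inventory of personal data. Pseudonymization uses a keyed HMAC so that re-identification requires the key, which is stored separately from the data; anonymization drops direct identifiers and coarsens the IP address and date of birth irreversibly.

```python
import hmac
import hashlib
import ipaddress
from datetime import date

# Constructed sample record of the kind a web shop might hold (not real data).
SAMPLE_ORDER = {
    "order_id": "A-1001",
    "name": "Erika Mustermann",
    "email": "erika@example.com",
    "date_of_birth": "1985-04-12",
    "client_ip": "203.0.113.45",
    "items": ["book"],
    "total_eur": 19.99,
}

# Assumed purposes and the fields each one actually needs (purpose limitation).
PURPOSE_FIELDS = {
    "fulfilment": {"order_id", "name", "email", "items", "total_eur"},
    "sales_statistics": {"order_id", "items", "total_eur", "client_ip", "date_of_birth"},
}

# Fields that identify a person directly.
DIRECT_IDENTIFIERS = {"name", "email"}


def minimize(record, purpose):
    """Keep only the fields required for the given purpose (data minimization)."""
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}


def pseudonymize(record, key):
    """Replace direct identifiers with keyed HMAC-SHA256 tokens.

    The same input and key always give the same token, so records can still be
    linked; without the (separately stored) key the token cannot be mapped back.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            token = hmac.new(key, out[field].encode("utf-8"), hashlib.sha256).hexdigest()
            out[field] = "pseud:" + token
    return out


def generalize_ip(ip_str):
    """Truncate an address to /24 (IPv4) or /48 (IPv6) so no single host is named."""
    ip = ipaddress.ip_address(ip_str)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def age_band(dob_str, reference_date=None):
    """Turn an exact date of birth into a ten-year age band, e.g. '30-39'."""
    today = date.fromisoformat(reference_date) if reference_date else date.today()
    dob = date.fromisoformat(dob_str)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymize(record, reference_date=None):
    """Drop direct identifiers and coarsen quasi-identifiers; this is irreversible."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "client_ip" in out:
        out["client_ip"] = generalize_ip(out["client_ip"])
    if "date_of_birth" in out:
        out["age_band"] = age_band(out.pop("date_of_birth"), reference_date)
    return out


if __name__ == "__main__":
    # Statistics never need the name or e-mail, so minimize first, then anonymize.
    stats_view = anonymize(minimize(SAMPLE_ORDER, "sales_statistics"), "2016-10-26")
    print(stats_view)
    # Fulfilment needs to reach the customer, so only pseudonymize for internal systems.
    print(pseudonymize(minimize(SAMPLE_ORDER, "fulfilment"), b"assumed-separately-stored-key"))
```

The order of the calls matters: minimizing before anonymizing means the statistics copy never contains the name or e-mail address at all, which is the "Privacy by Default" posture, rather than collecting everything and removing fields afterwards.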
The EU General Data Protection Regulation itself does not provide technical details. Its implementation in companies should therefore follow existing standards, such as ISO/IEC 27018, or best practices such as the OWASP Top 10 Privacy Risks Project.
“In the end, there is no blanket statement that covers everything companies need to change to meet the new regulation,” explains Florian Stahl, an expert in data privacy and information security at msg. “One thing is certain, however, and that is that each and every company must examine the new guidelines and determine which aspects apply to their particular situation, because there are very few companies who are already so well prepared that they do not need to make any improvements at all”, Stahl continues.