GDPR and IT security: These obligations affect SMEs
Jul 17, 2022
Companies inevitably have to process personal data in their daily work. The General Data Protection Regulation (GDPR) imposes a number of requirements on data controllers to ensure IT security, which you should take into account.
The General Data Protection Regulation (GDPR) is intended to strengthen the rights of individuals with regard to the processing of their data. Best known is the obligation to obtain written consent for the storage and processing of certain personal data. Somewhat less publicised, but no less important, is the obligation to actively ensure the IT security of the network in which the data processing takes place. Nowadays, there are hardly any SMEs that carry out their bookkeeping and order processing by hand or using index cards. In almost all cases, at least one PC or laptop connected to the Internet is likely to be used. Therefore, the IT security provisions of the GDPR are relevant for most companies. We have summarised some important information on this topic for you.
GDPR definitions: An overview
In order to know whether the provisions of the GDPR apply, a few basic prerequisites must first be examined. The following explanations should only serve as a rough guide. In case of doubt, you should of course seek advice from a lawyer.
Article 2 limits the scope of application to "wholly or partly automated processing of personal data", or to non-automated processing if the data is stored in a filing system. The definitions needed for this classification are set out in Article 4:
Personal data (Art. 4 No. 1): Any information relating to an identified or identifiable natural person. Even if, for example, the name is not recorded in plain text, it is sufficient that the person can be linked to the data via an identifier such as an identification number in a database.
Processing (Art. 4 No. 2): Refers to operations such as the collection, organisation, storage, classification and retrieval of personal data, whether automated or not. The definition is so broad that ultimately every conceivable action of electronic data processing is likely to be covered, provided that personal information is involved.
Filing system (Art. 4 No. 6): Any structured collection of personal data. It must be accessible according to specific criteria, regardless of the type of filing and the ordering structure. This means that files in paper form are also covered by the general provisions of the GDPR, although these are of course not part of IT security in the narrower sense.
Furthermore, the identity of the controller is important, which is defined in Art. 4 No. 7: This is the natural or legal person who, alone or jointly with others, decides on the "purposes and means" of the processing of personal data.
Data processing must comply with the principles set out in Art. 5. These include, among others:
- Lawful processing
- Purpose limitation
- Data minimisation
- Accuracy of the data
- Limitation of the storage period
- Protection by technical and organisational measures
The technical and organisational measures
Article 25 of the GDPR places certain obligations on the data controller in terms of technical implementation. In doing so, the law allows a degree of proportionality in the measures to be taken. Factors such as the current state of the art and the implementation costs, but also the probability of damage occurring and the associated risks, must be taken into account. It is explicitly required that accessibility to "an indefinite number of natural persons" must be excluded. The following obligations thus arise directly from this article:
Access control (physical): There must be no uncontrolled physical access by unauthorised persons to the equipment used for data processing.
Access control/separation requirement (logical): Access to the data may only be possible for authorised purposes and may only cover the data necessary for the respective purpose. Finally, Article 25 already obliges the controller to take appropriate precautions to at least significantly impede access to the network from the outside.
The legislator provides further details in Article 32, which deals with the security of processing. It requires the guarantee of an "adequate level of protection". The following measures are mentioned as suitable for this purpose:
Pseudonymisation and encryption of personal data. Importantly, this should rule out the unencrypted transmission of personal data altogether. This is one more reason to rely on techniques such as VPNs (Virtual Private Networks) if employees regularly need to access the company network while travelling or working from home.
The ongoing assurance of, among other things, the confidentiality, integrity and availability of one's own systems and services. This may require measures such as continuous monitoring of the threat situation as well as awareness and further training of the company's own staff.
Restoration of availability after an incident. This can result in an obligation to make provisions in the form of contingency plans and to regularly create backups of the necessary customer data.
Procedures for regularly testing the effectiveness of the technical and organisational measures. In addition to checking one's own systems for missing updates and possible security gaps, audits or penetration tests can also be used for this purpose.
Proof of compliance with the requirements can also be provided by certification through a procedure approved under Article 42 of the GDPR. If a security incident has occurred in your company network in which personal data could be affected, there is a notification obligation pursuant to Article 33 of the GDPR. The notification must be made to the competent supervisory authority without delay, but at the latest within 72 hours. For SMEs, this is usually the data protection commissioner of the respective federal state. The notification can usually also be made online.
Further obligations under the GDPR
In many cases, data is not only stored on local computers. If you use the services of a cloud provider, you have only limited influence on the implementation of the technical and organisational measures. In this case, Article 28 GDPR provides that the so-called "processor", which in practice is the provider of the service, must provide "sufficient guarantees". In addition, it must be ensured that the processing is carried out in "conformity" with the requirements of the regulation. This results in at least an obligation to select storage providers carefully. These must guarantee compliance with the regulations. A storage location outside the European Union can be problematic, as authorities there may have access to the stored data under different legal requirements.
Data protection is not possible without IT security
Data protection and IT security are inseparable, and not just since the introduction of the GDPR. Only if you have control over stored customer and employee data can you guarantee its protection. Absolute security does not exist in times of rapidly increasing cyber attacks. Ultimately, any system can be hacked. Fortunately, the law is oriented towards this fact and "only" requires adequate protection. This requires some active measures from those responsible. Many of these, such as the constant updating of systems and the regular creation of backups, should be part of the duties of a responsible IT administration anyway. We are happy to help you check the effectiveness of the IT security measures with penetration testing.