Especially in times of advancing digitalization and more complex networking, companies that process personal data should put data protection at the top of their list of priorities. Yet GDPR-compliant work still poses major challenges for many companies, and a breach of or non-compliance with the GDPR can result in heavy fines.
Data protection expert Annika Fuchs-Langanke, lawyer and owner of the law firm Fuchs & Coll. Rechtsanwaltsgesellschaft mbH in Potsdam, explains in an interview with Perseus what companies need to pay particular attention to.
It has now been a good two years since the GDPR was introduced in Germany. Is there a general assessment of how companies have accepted and implemented it?
There is certainly no general answer to this question. Large companies in particular have made considerable efforts to become “GDPR-compliant”. But here, too, some companies may still have some catching up to do in one area or another – I am thinking here, for example, of the topic of “deletion”.
For medium-sized and especially small companies, the picture is likely to look much more differentiated. Here, too, there are numerous companies that have made an effort and are now at a good level. Unfortunately, there are also companies that have done relatively little when it comes to the GDPR. There is certainly still a need for implementation here. However, this cannot be generalized.
Do data protection and cybersecurity go hand in hand, or do they get in each other’s way?
Data protection and cybersecurity go hand in hand when it comes to security. For example, the GDPR requires companies to take appropriate measures to protect the personal data they process. Especially in times when personal data is predominantly processed digitally, measures such as firewalls, encryption mechanisms, patch management and backups play an increasingly important role. One only has to think here of the topic of “home office”, which is becoming increasingly relevant and would be inconceivable without cybersecurity measures.
In terms of data protection: What types of cyberattacks are particularly dangerous? And which data are particularly interesting for cybercriminals?
Of course, all attacks that affect personal data are particularly dangerous, as are those that can lead to destruction, loss, modification and, above all, unauthorized disclosure. Cybercriminals are likely to target bank data, among other things. However, this need not always be the case. For example, cybercriminals can also target access data or passwords and thus cause considerable damage.
A company has been the victim of a cyberattack. When does a data protection officer need to be consulted, and what exactly are the steps he or she takes?
This question cannot be answered in a standard way. Of course, it always depends on how a company is organized and whether it has an internal or external data protection officer. Even though it certainly makes sense for smaller companies to have a data protection officer, this is not always required by law.
In any case, companies – whether small or large – should know what to do in the event of a cyberattack or a data breach that is very likely to result from one, and should have an appropriate process in place for this.
From a data protection perspective, the most important thing here is to first become aware of the cyberattack – and then to lose no time. Of course, remedial action must be taken immediately. In addition, it must be determined whether the data breach is likely to result in a risk or even a high risk for the data subjects. If necessary, the supervisory authority must be informed and the data subjects notified. Of course, the data breach and the measures taken must also be documented accordingly.
Assuming that the supervisory authority must be informed, are there any legal requirements as to when this notification must be made?
There are. The GDPR requires that data breaches that are likely to result in a risk to data subjects must be reported to the supervisory authority without delay and, if possible, within 72 hours of becoming known.
What are the possible consequences if this reporting obligation is ignored?
First of all, a violation of the reporting obligation can lead to a fine of up to 10 million euros or up to 2 percent of the previous year’s sales. Even though the supervisory authorities have a fine framework here, so they do not necessarily have to impose a fine of this magnitude, the risk of a hefty fine should definitely be taken seriously.
But claims for damages and, of course, a considerable loss of image cannot be ruled out if an attempt is made to sweep a data breach under the rug.