Data protection officer as a seal of quality for confidentiality
by G-A Kemmner; D. Stankovic1
If the legal obligation to appoint a data protection officer, which is often seen as a necessary evil, is extended to include the protection of customer data, the obligation becomes an optional extra.
Since May 2001, the Federal Data Protection Act (BDSG) has regulated the handling of personal data. The aim is to protect the informational integrity of natural persons who are still alive. Personal data worthy of protection is information about the personal and factual circumstances of an identified or identifiable person. This includes basic data, which can be found on every business card, but also individual additional information such as preferences, marital status, birthday or even financial circumstances. Such data can be found in every customer and supplier file. A&K also records, stores and maintains data in electronic form. Apart from the personal data of our employees, we maintain more than 7,000 addresses in our CRM system, for example.
To make matters worse, we regularly carry out extensive data analyses for customers. Although the analyzed data is never personal data within the meaning of the Federal Data Protection Act, we consider this data to be just as sensitive as personal data. Confidentiality agreements between A&K and its customers represent an initial security mechanism. Defined processes on how to handle the data, whether and how it must be stored and backed up, and who has access to which data are further necessary measures. Alongside the extensive day-to-day business, however, it is difficult to master all these tasks, especially as only experts know all the legal requirements and have the necessary knowledge of the possible and necessary measures.
Abels & Kemmner therefore decided to tackle the data protection review and update project with external support. The aim was to document the data processing procedures, both organizationally and technically, not only for personal data but also for all of our customers’ material and product data, to define quality standards and to ensure compliance with them.
In March 2007, a data protection specialist from ikado GmbH therefore analyzed the data protection situation at A&K. To this end, discussions were held with the secretariat, IT managers, consultants and managing directors. The entire IT infrastructure and the premises were also scrutinized. This analysis phase took the A&K employees far less time than expected: only 90 minutes on average. The analysis also served to identify weaknesses and develop an action plan. The results of the actual data collection and the action plan were recorded in the data protection manual. Furthermore, a procedure directory was created. Finally, all A&K employees were trained and obliged to comply with the data protection policy. The result: A&K now not only has a comprehensive and suitable set of tools to master this complex problem, but also a seal of quality for customers that says: sensitive data is always in safe hands.
Quality has many facets: Data protection measures with added value should follow a clear control process and include clear and comprehensible documentation.
If you are also considering upgrading the legal provisions with added value for your company, we recommend that you proceed in a similar way. You should first check whether you can fulfill the legal requirements with an employee from your company or whether it makes sense to appoint an external data protection officer.
Qualification profile of the data protection officer
According to the provisions of the BDSG, a data protection officer must be appointed to ensure compliance with the BDSG. The data protection officer must be a proven IT specialist who can analyze and evaluate organizational processes and has legal knowledge. He must not be a member of the management or a senior employee of the sales or IT department; this is intended to rule out conflicts of roles. Choosing a suitable employee is not without its problems, both from the perspective of the company and of the future data protection officer: in most medium-sized companies, it is not at all easy to fill the position of data protection officer with a suitable, truly independent internal person. Costs certainly also play a decisive role in the introduction of comprehensive data protection management, as the required documentation of operational processes and IT operations requires not only expertise but also resources. The problem of choosing a suitable employee and the inevitable conflicting roles of internal data protection officers can therefore often be elegantly resolved by appointing an “external data protection officer”.
An external person also ensures that the work of a data protection officer does not get lost in day-to-day business – a factor that should not be underestimated. We assume that we would not have been able to pursue this project without the external support of ikado GmbH, as day-to-day business always brings other priorities to light that are supposedly more important.
Looking back on the first three months of the new organization with an external data protection officer, however, we can say that the minor deficiencies in our data protection organization that were uncovered have been eliminated. The external data protection officer is a competent contact person for customers, employees and management who can clarify any questions that arise at short notice and who keeps a watchful eye to ensure that no gaps in protection are opened up by technical changes or new software products.
Consulting and data protection
In the course of their consulting activities, consulting companies often gain knowledge and even possession of their clients’ personal data. This data is usually transferred to mobile computers or sent by e-mail. User data and personal data are inseparably mixed.
From a data protection perspective, precautions must be taken here in order to correctly implement data protection regulations.
With the appointment of the external data protection officer of ikado GmbH, A&K has created a comprehensive and suitable set of tools to master this complex issue. Practiced data protection has not only become an internal quality management tool for A&K, but also a seal of quality for customers, as the data protection guidelines now also apply to all customer data, even beyond personal data. This provides security and, above all, creates trust – right from the start.
1 Dragan Stankovic is a data protection specialist at ikado GmbH, an engineering office for data communication and database organization in Aachen.