It’s not always just about fraud and extortion attacks

Alexander Deicke

Alexander Deicke works as an independent lawyer and also as a data protection interim manager. In this interview he explains where data protection and IT security need to go side by side and what the state of expertise is in the field of data protection.

Among the other services you offer at K11 Consulting, you provide external data protection officers. This is a booming topic, most likely also due to the General Data Protection Regulation. From your perspective, what speaks for filling the data protection officer role with external experts?

In my opinion, even for regulatory functions, an external solution is the better way to go. While their involvement in the day-to-day work is sometimes more difficult – for instance, in new projects – an external data protection officer can also continually bring in new knowledge from working with other clients. Another key argument is the independence, which is not always possible at the same level with an in-house employee.

In general, is there sufficient data protection officer (DPO) expertise in the German-speaking regions?

It’s difficult to give a blanket answer to that question. In my opinion, within the data protection officer realm, expertise is often split three ways. The DPO needs to have an in-depth technical understanding of IT security, a solid base of management skills and process knowledge around data protection, and also data protection regulation know-how. These things are hard to find in combination and I believe that the knowledge is often distributed among several people, including among external advisors. Fortunately, a lot has developed over the past several years; unfortunately, however, a uniform “data protection degree” still does not exist. Of course, we have different types of providers, but I would like to see a clear requirement coming out of the so-called Data Protection Conference.

How do you generally become familiar with the company and its actual situation when you take on a new client? Is the approach standardized?

In the meantime, yes. We develop a precise gap analysis – remotely and onsite. We do this in a way that involves a dedicated question catalog that allows us to determine everything that already exists in the company that can be implemented and what is not yet available. For doing this, it is always good to plan being onsite for a couple of days. In the one-on-one meetings with those responsible, you learn one or two things between the lines. Unfortunately, that’s currently not always easy to do because of the guidelines on limiting contact – and of course, our health comes first.

In practice, where do you see the biggest need for action in data protection and data security?

That depends on whether we’re talking about larger or smaller companies. In larger companies with international business units, the data flow between the BUs in non-secure third-party countries is always a big challenge. For smaller companies, it’s often still in the process orientation (e.g., in the reporting of problems). In all companies, I still see “deletion” as the most often-neglected obligatory task.

From your viewpoint, what would be the “low-hanging fruits” in this area that can be addressed without any large investments or great in-house efforts?

In my opinion, every company should have its data protection information written down in a well-structured format and create awareness among employees. Ideally, this should be combined with the IT security topic. The subject of data is becoming increasingly important. If companies also take data protection into account while they are setting up their IT security structures, there’s no need to do things twice. In addition, I would always recommend using a tool for managing processing activities.

The increase in cyberattacks is unfortunately showing no signs of slowing down and you also can’t avoid regularly hearing something about ransomware in the media these days – what impact do you see this having on data protection? 

As I already explained, I see an opportunity to get both data protection and IT security under control. I think many companies underestimate the reputation damage that can result from lost personal data. It’s not always just about fraud and extortion attacks. 

What concrete upcoming or most likely changes should companies have on their radar screens regarding data protection?

There are always going to be changes when it comes to cookies. Also, the so-called EU standard contractual clauses (SCC) were adjusted in 2021. Not all companies have tracked these so closely, since other topics were more critical. But now it’s time to implement the (new) regulatory requirements.

If you could send a mail to all data protection authorities with a recommendation, what would it say?

Let’s try to put some pressure on the data protection authorities together, so we can put an end to the patchwork of interpretations of data protection rules in Germany and at least all apply the same standards. I think it’s difficult for many companies to understand and accept that the same circumstances are potentially assessed differently by the authorities, depending on the federal state. This can be seen, for instance, in the reporting of problems among the various federal states.

Please remember: This article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.