Companies and public authorities have now had to apply the General Data Protection Regulation for three years. But security incidents and data breaches seem to be even bigger and more frequent than before.
Is data security failing to get off the ground? Can there be any real data security at all?
GDPR demands secure processing of personal data
The General Data Protection Regulation leaves no room for doubt. It explicitly requires that the confidentiality, integrity and availability of personal data, and the resilience of the systems and services used to process that data, be ensured on a permanent basis.
Now, one might assume that after three years of applying the GDPR, IT security incidents, and with them breaches of the protection goals just mentioned, would occur less frequently. But this is obviously not the case. The headlines of the daily press are full of reports about data losses, data misuse and espionage attacks on companies and public authorities. Is the GDPR’s call for comprehensive personal data security unrealistic? Can real data security perhaps not succeed at all?
One hundred percent security does not exist, but …
No security expert would claim that there is one hundred percent security, and even the GDPR cannot change that. Nevertheless, the requirement for data security is a mandatory part of data protection. The fact that reports of millions of data records found unprotected on the Internet keep coming does not mean that the measures of technical data protection can be dispensed with.
In fact, data security measures do prevent security incidents and data breaches; without them, those affected by data loss and misuse would suffer far more damage. Security experts say that even basic protection measures can prevent the majority of potential attacks.
For particularly sophisticated attacks and complex incidents, on the other hand, special protective measures are needed. But even these cannot provide a guarantee.
Effectiveness of protective measures must be permanently monitored
For good reason, in addition to the security measures themselves, the GDPR also requires a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of processing. A measure that has been taken may well fail to deliver the security that was expected of it. It may also be that a protective measure is effective for a certain period of time but then can no longer provide reliable data security. Checking effectiveness should detect this, so that the protective measures can then be improved.
The decisive factor for data security is the state of the art, as required by the GDPR. For example, an encryption method may no longer be strong enough in the future, once attackers have the means to break it. Besides new attack methods, it is also new technologies that continue to challenge data security. New technology brings new vulnerabilities that attackers could exploit. But even existing technology can contain security vulnerabilities that only become known later.
Data security is and remains an ongoing task
So if we take a closer look, we should not be surprised that even three years after the GDPR came into application, security incidents still occur and data protection is still violated because data security was inadequate. This may be due to the choice of the wrong measures, a lack of protection, incidents that cannot be prevented technically at all, but also to the high dynamics of IT and of the threat situation. The fact that many data mishaps still occur does not mean that the security of personal data processing has become worse. Instead, one can assume that the number of incidents detected and reported has increased – and that is a good sign for data protection, since data breaches are not being overlooked but reported and remedied. This can certainly be seen as a success of the GDPR, which has brought the reporting obligations more sharply into focus for companies.
At the same time, it is important to keep examining the effectiveness of data security. This includes not bypassing or disabling security features because they seem to reduce convenience; doing so would actually worsen data protection. This is true today and will continue to be so in the future.