Much has been done, nothing has helped
Imagine that your company had organized contests on various occasions and collected personal data from the participants, including contact information. Your company also wanted to use these data for advertising purposes, provided of course that the participants had given their express and informed consent. Your company took various technical and organizational measures to prevent persons who had not consented from receiving advertising after participation in the competition. Among other things, it drew up special guidelines and held training courses. Nevertheless, participants who had not given their consent received advertising anyway. Obviously the data protection measures did not work. This is not just a theoretical example; it happens in practice.
Data protection was not effective
All the data protection measures could not prevent the data from being used for other purposes. Without any consent, the contact information was used for advertising purposes. It must be noted: the data protection was not effective. However, this should not only become apparent through such a data protection violation and complaints from affected persons. A company must determine this itself at an early stage. For example, the General Data Protection Regulation (GDPR, in German DSGVO) expressly requires "a procedure for the regular review, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure the security of processing". If a data breach occurs despite data protection measures, as in the case described, it can be assumed that there is no such procedure, or at least not one that works. This can then lead to a supervisory authority imposing a fine or resorting to other sanctions.
Checking and testing data protection
"Data security is an ongoing task," emphasizes Dr. Stefan Brink, Baden-Württemberg's State Commissioner for Data Protection and Freedom of Information. "Technical and organizational measures must be regularly adapted to the actual conditions in order to ensure an appropriate level of protection in the long term." In practice, this means that companies must review their data protection measures for success and effectiveness. Data protection guidelines must therefore not only be defined, trained and introduced; they must also be checked for effectiveness and revised if necessary. This includes in particular replacing all measures that cannot be implemented in practice with other, effective measures that pass a practical test. Here, everyone is called upon to ensure the success of data protection measures. It must not be the case that employees simply dismiss data protection measures as impractical and ignore them. Rather, if you notice deviations in data protection, you should point out the possible problems, since such deviations can also be caused by well-intended measures that do not work in practice.
Is data protection effective? Take the test!
Question: If data protection measures seem unrealistic, you do not need to comply with them. Is this true?
- No, but you should point out your concerns.
- Yes, because such measures do not benefit data protection anyway.
Solution: Answer 1 is correct. As with any company policy, you must also observe the company's data protection guidelines, even if their purpose is not immediately apparent or you think that this or that measure does not help. If you notice any problems with measures, report them. But do not simply ignore the guidelines.
Question: Known privacy measures such as encryption are always effective. Is this true?
- Yes, otherwise not so many companies would use them.
- No, you also have to check such measures regularly for success.
Solution: Answer 2 is correct. Measures such as encryption have been tried and tested in practice for many years, but whether they provide the desired protection must be clarified in each individual case. It may be that the encryption does not cover all the data to be protected, that the encryption no longer corresponds to the state of the art, or that the key for decryption is stored insecurely, to name just a few examples. The effectiveness of even such well-known measures as the encryption of personal data must be checked; otherwise the result may be only a sham security, and a data protection violation could follow.