What kind of data do companies secure

Data security: tips and measures on how to make your company more secure

What is meant by data security?

The term data security describes the general protection of data, regardless of whether it is personal or not. The issue of data security is not about the question of whether data can be collected and processed at all. Rather, it is about the question of which measures have to be taken to guarantee the protection of the data and thus ultimately to achieve the best possible data security. This desired state can be achieved through a variety of measures.

And what is the goal of data security? The primary goal of data security is to protect data of all kinds against manipulation, loss, theft and other threats. In the context of data protection in the company, data security must be ensured by implementing suitable technical and organizational measures. Data protection and data security therefore go hand in hand: the state of data security cannot be achieved without data protection measures, and conversely, adequate data security is a prerequisite for effective data protection measures.

Data security: is it not relevant for my company - or is it?

Our data are sacred to us. This was once again clearly felt with the entry into force of the GDPR. Data security has therefore become a major issue, especially for companies. But so far, smaller companies in particular have given far too little attention to the topic. Often companies simply place too much trust in technology and have too little knowledge of the importance of data security. But data security should not be dealt with lightly. Failure to comply with the regulations can result in high fines and sanctions.

In addition to the personal data that must be handled accordingly, other data naturally also play a role. If companies do not handle these carefully, in the worst case scenario they can even pose an existential threat. With this in mind, companies should regularly back up their data. It is recommended that you back up all data at least once a day. A daily backup also fulfills the requirements for legally compliant archiving of the data.

Data security dangers lurk in everyday work

We often overlook small, yet important details that affect data security. The dangers of security gaps usually lurk in everyday working life rather than threatening from outside:

  • USB sticks: these little helpers can quickly get lost and, when plugged unprotected into the internal company network, can cause damage unnoticed and unintentionally.
  • Terminals: especially when using laptops, problems can arise due to a lack of encryption, locally stored information or inadequately secured VPN access.
  • Viruses: a firewall, virus scanners updated daily and spam filters should be part of the basic equipment of every PC.
  • Cloud: moving internal company and personal data to external providers, and thus handing over responsibility for it, also poses a risk.
  • Fire / flooding / theft: you must always expect unexpected disasters to occur.

As you can see, data security begins in everyday working life. A coherent compliance strategy is a good way of preventing or at least reducing these dangers. Such a strategy evaluates these points and provides best practices for them:

  • Creation and implementation of suitable, company-wide user guidelines for dealing with potentially hazardous technologies
  • Regular training and awareness-raising among employees
  • Continuous briefing of management and employees about new threat scenarios due to technical developments

This ongoing activity is a classic field of activity for your data protection officer.

Obligation to report in the event of a breach of personal data

But what if an incident is so bad that it has to be reported? What exactly does the notification have to contain? Since the GDPR came into force in May 2018, all data breaches or "breaches of personal data" that occur in the company must be documented.

The term includes the following personal data breaches:

  • Data is destroyed and thus made irretrievable
  • Unforeseen loss of the data
  • Changes made to the content of the data
  • Data passed on to third parties without consent
  • Data processing by unauthorized persons or without authorization

A data breach could, for example, be the loss of files or data carriers that contain personal data. If it cannot be ruled out that there is a risk to the rights of the data subjects, such data breaches must be reported to the responsible data protection supervisory authority within 72 hours.

The content of a notification of a data breach must include:

  • a description of the data breach with details of the data subjects and the data records affected,
  • the name and contact details of the data protection officer,
  • a description of the consequences of the data breach, and
  • a description of the measures taken or proposed to remedy or mitigate the data breach.

If a data breach is not reported and documented, there is a risk of fines of up to 10,000,000 euros or 2% of the annual sales achieved in the previous financial year.

You don't know how to achieve the highest possible level of data security for your company? An IT security officer can help together with your data protection officer. You can find out more about data protection officers here.


Data security vs. data protection - what's the difference?

Data protection and data security: Terms that differ and are often used incorrectly in everyday language - true to the motto: "Oh, you know what I'm talking about". But in fact there are enormous differences between the two terms:

Data security                                                                  | Data protection (privacy)
Protection of the data                                                         | Protection against data misuse and breaches
Protection of all data                                                         | Protection of personal data
Protection against loss, destruction, misuse and access by third parties       | Protection of privacy
Technical measures / solutions                                                 | Legal regulations

In summary, data security describes the practice: among other things, it implements the requirements of data protection and follows the practical question "What is possible?". Data protection, by contrast, follows the theoretical question "What should be fulfilled?".

8 data security requirements

There are very different measures to ensure data security. The technical and organizational measures (TOM) can serve as an example. As data security measures, they indicate various types of controls that must be carried out or given. Measures to increase data security can be:

# 1 Physical access control

Data processing systems must not be freely accessible in physical terms. This means that buildings, rooms, end devices, etc. must be adequately secured.

# 2 System access control

Unauthorized persons must not be able to put data processing systems, e.g. software, into operation or use them. This can be ensured, for example, by assigning passwords.

# 3 Data access control

Who can and may access the data - that is what this measure is about. Regulations are set out here which are intended to ensure that only authorized persons have access to data and can only use them according to their authorization.

# 4 The disclosure control

The main aim here is to make data transfer predictable and controllable in order to guarantee data protection and data security.

# 5 The input control

This measure requires input control: it must be possible to check afterwards who entered, changed or removed which data and when.

# 6 The order control

Order control is only relevant if data is processed by external service providers on the company's behalf.

# 7 The availability control

Personal data is protected against accidental destruction and loss, for example through power outages or water damage.

# 8 The separation requirement

Data must be separated according to its purpose. On the one hand, this makes the data easier to allocate; on the other hand, it fulfills the basic principle of data protection law that data may only be used for a specific purpose.

The measures to increase data security are therefore various control mechanisms that are intended to prevent unauthorized access and thus also knowledge, manipulation or removal of the data.

Steps to implement data security in the company

With the General Data Protection Regulation, or GDPR for short, companies are also faced with new obligations in terms of data security - that much should be known by now. However, implementation in companies is only progressing slowly. These 5 steps make it easier for founders, self-employed people and small companies to get started with this complex topic:

  1. Awareness and training: everyone in the company, even if they are not directly responsible for data protection and data security, must be sensitized and trained on the topic, because almost every employee in a company deals with personal data at some point in the workflow. In addition to creating general awareness of the issue of data security, extensive training is also required.
  2. Define responsibilities: the management is legally responsible for data protection, but a permanent contact person should be specified for practical implementation and a data protection officer should be appointed if necessary.
  3. Transparent infrastructure: create transparency in your company's data jungle. Data security can only be guaranteed if it is clear where which data is located.
  4. Encrypt data: in the best case, data should always be encrypted in order to keep damage to a minimum in the event of an emergency.
  5. Act quickly: you should have already implemented the General Data Protection Regulation and the associated regulations. Otherwise there is a risk of high fines. Haven't you yet? Then don't wait with the implementation: seek advice and support immediately to prepare the company for the new standards.

5 tips for data security in the company

Data security is a hot topic. One hears again and again of new scandals in which sensitive data falls into the wrong hands. If you want to secure your data, you should protect it from illegal access, deletion, copying and physical loss. But how does that work in practice? We give you an overview of 8 important protective measures to give your company better data security:

# 1 Establish behavioral guidelines

Define certain behavioral guidelines, such as who may own, view, change or delete which data or which standards should apply to data destruction, data transfer and data storage. These points should be stored in a comprehensible manner for every person in the company. Also, train your employees and make sure everyone knows and follows the guidelines.

# 2 Encrypt data

Always encrypt all data, regardless of the medium on which it is stored. This will make it more difficult for unauthorized persons to access them. In addition, you should never send personal data unencrypted by e-mail or via a messenger service. Make sure that these are passed on personally and document all processes. Alternatively, you can use VPN (Virtual Private Network) connections.

# 3 Assign passwords

Each of your employees should have their own user account, configured in such a way that only the account owner is allowed to perform actions. In this way, it is always possible to trace who changed which data and when. The same goes for passwords. Every employee has to assign an individual password for their devices in order to prevent third-party access. Passwords should be at least 8-12 characters long, consist of upper and lower case letters, digits and special characters, and should be changed regularly.

# 4 Do backups and updates

Another important point is backups and regular updates. If the PC or laptop on which all important data is stored breaks unexpectedly and you have not previously made a backup of the data, it will be lost. To prevent this, have your IT run regular backups and updates. In this way, the data is always secure and the PC is always up to date.

# 5 Firewalls & Virus Scanners

Anti-virus programs and firewalls should be a must in every company, regardless of which operating system is used. Even if there will probably never be 100% protection against hacker attacks and the like, such programs can protect you from nasty surprises.

It has never been more important to be up to date with data security and data protection and, above all, to stay up to date. Only those who know what threats exist and how to defend against them can protect their data effectively. Therefore, keep yourself and your employees up to date and attend training courses on these topics.

Conclusion: Are you doing enough for data security in your company?

Data security is and will remain an important topic in the future. Company data is a treasure of inestimable value, but it is exposed to a variety of risks and dangers. Recognizing and minimizing them is essential for data security in companies. For this reason, companies must take care of the security of their own data and that of their customers, and always take data protection and data security seriously.

A data protection officer offers support in the areas of data protection and data security. You may be obliged to appoint a data protection officer anyway. In the chapter on data protection officers, we have put together for you which tasks a data protection officer takes on, when he should be appointed and whether it always has to be an external data protection officer.

Author: Für-Gründer.de editors

As editor-in-chief, René Klein has been responsible for the content of the portal and all publications by Für-Gründer.de for over 10 years. He is a regular interlocutor in other media and writes numerous external specialist articles on start-up topics. Before his time as editor-in-chief and co-founder of Für-Gründer.de, he advised listed companies in the field of financial market communication.