The introduction of the GDPR in Germany dates back two years now. Is there a general assessment of how companies have accepted and implemented it?
There is certainly no universal answer to this question. Large companies in particular have made considerable efforts to become "GDPR -compliant". But even here, some companies may still have some catching up to do in one area or another - I am thinking here, for example, of the issue of "deletion".
For medium-sized and especially small companies, the situation is likely to look much more differentiated. There are also numerous companies that have made an effort and are now on a good level. Unfortunately, there are also companies that have done relatively little in terms of the GDPR . There is certainly still a need for implementation. But this cannot be generalized.
Data Protection and Cyber Security: Do both go hand-in-hand, or do they hinder each other?
Data Protection and Cyber Security certainly go hand-in-hand. For example, the GDPR requires companies to take appropriate measures to protect the personal data they process. Especially in times when personal data is predominantly processed digitally, measures such as firewalls, encryption mechanisms, patch management and backups play an increasingly important role. One need only think of the topic of "home office", which is becoming increasingly relevant and would be inconceivable without cyber security measures.
With regard to Data Protection: What types of cyber attacks are particularly dangerous? And what kind of data is of interest to cyber criminals?
Of course, all attacks that involve personal data are particularly dangerous, as are those that can lead to destruction, loss, modification and, above all, unauthorized disclosure. Cyber criminals are likely to target bank data, among other things. But this does not always have to be the case. For example, cyber criminals may also target access data or passwords and cause considerable damage as a result.
A company has become the victim of a cyber attack. When does a data protection officer need to be consulted, and what exactly are the steps they take?
There is no general answer to this question. Here, of course, it always depends on how a company has organized itself, whether it has an internal or external data protection officer at all. Even though it certainly makes sense, especially for smaller companies, to have a data protection officer, this is not always required by law.
In any case, companies, large and small, should know what to do in the event of a cyber attack or data breach, and should have a process in place.
From a data protection point of view, the most important thing here is to, first of all, gain knowledge of the cyber attack - and then lose no time. Remedial action must of course be taken immediately. In addition, it must be determined whether the data breach is likely to result in a risk, or even a high risk, for those affected. If necessary, the supervisory authority must be informed and the data subjects notified. Of course, the data breach and the measures taken must also be documented accordingly.
If the case arises that the supervisory authority must be informed, are there legal requirements as to when this notification must be submitted?
There are. The GDPR requires that data breaches that are likely to lead to a risk for those affected must be reported to the supervisory authority immediately and, if possible, within 72 hours of their discovery.
What are the possible consequences if this reporting requirement is ignored?
First of all, a violation of the reporting obligation can lead to a fine of up to 10 million euros or up to 2 percent of the previous year's revenue. Even if the supervisory authorities have a fine framework here, i.e. they do not necessarily have to impose a fine of this amount, the risk of a considerable fine should definitely be taken seriously.
But also claims for damages and of course a serious loss of image cannot be excluded if an attempt is made to sweep a data failure under the carpet.
For further information about data security, click here.