The security management of personal data on computers, smartphones, tablets and other mobile devices in companies and organizations is usually the responsibility of the IT department. The last three months have shown how well the two-year transitional period has fared: in some places, everything worked, in other companies, chaos broke out. For regular tasks, such as reporting, best practices have already emerged. However, some weaknesses came to light. The following advice and tips should help IT administrators improve their daily work on GDPR-related tasks.
Beware of blind activism
Despite the long preparation period, many companies jumped into the deep end on May 25th when GDPR went into effect. Out of ignorance or insecurity, many unnecessary actions have been taken or contracts have been made which are superfluous or even disorderly. Administrators often sit at the bottom of a decision-making chain and have to take remedial action at short notice, even if an action does not make sense or is proven unsustainable.
As an administrator, the best way to protect yourself is to gain in-depth knowledge of “GDPR activism”. If you have not already done so, IT staff should train on their own initiative to convince the supervisor or privacy officer — with strong arguments — that certain consent or data encryption is superfluous.
Effective internal communication
Even if GDPR has been implemented according to the specifications, it often still lacks effectively informing those most impacted by it. Recall the flood of e-mails around May 25: information on how a company deals with customer data has been passed on to customers. At the same time, however, there is still a lot of catching up to do when it comes to communicating internally.
In particular, communication may lack in the following places when it comes to informing employees about their rights and obligations:
- Standardized regulations for working from home
- Regulations for the use of software, web-based applications and email programs
- Password policies and password protection for mobile devices
- Consent for the use of images of employees (possibly even after they have left the company) or of visitors during corporate events
In addition, written documentation should be available for the following safety-related areas, which can be viewed by the employees involved:
- Processes for right of access requests: What data of the affected person is saved in all IT systems – also local resources such as email address books need to be considered
- Concept for deleting data and associated retention periods
- Authorization concepts for file server and applications
- Concept for email archiving and auditable long-term archiving
- Concept for firewalls and backups
Regularly seek exchanges with other departments
A frequent source of error is an unstructured approach. If topics are only dealt with on a selective basis and the relationships with other areas are not taken into account, individual measures ultimately cannot take effect throughout the company.
An example: The written reference for customers, employees and applicants on the company website informing them about being GDPR compliance is important. However, if the company fails to refer to it in an appropriate place, for example in the e-mail signature of all employees, the whole thing is questionable. If you find out in retrospect that the communication with some customers has always been by post, additional information must be provided by post. This is how a poorly planned process quickly becomes duplicate work.
The reporting of existing customer data is a similar case: The creation of these reports is possible thanks to modern management tools by pressing a button. However, if the exchange with the department that typically enters the data into a CRM system is missed, this data could be completely absent or only partially present in a digital format. According to GDPR, the source from which the personal data came into the company must be proven. A frequent failure is to define a mandatory field in CRM.
In principle, therefore, if processes or concepts are defined that require the involvement of departments other than IT, it is important to develop and test the process together.
Beware of “printed” blind spots
The protection of personal data is the main focus of the GDPR. As soon as personal data is printed out, for some employees, this data seems paradoxically less sensitive. Although IT admins are not primarily responsible for printed data, they often come into contact with it. For example, if the person who printed it fails to retrieve their document in a timely manner. Not infrequently, the documents of the last applicant are still in the paper output tray or old customer correspondence is stacked on the clipboard in front of the shredder. Talk to colleagues about things like that. Why focus on data encryption if the data is ultimately made available to anyone who prints?
Vulnerability with mobile devices
The “mobile office” finds its way into everyday working life. Many employees work in their home office or use smartphones and touch pads on their way to work. The loss or theft of mobile devices becomes particularly dramatic if the devices were not adequately protected, or if no provision was made to remotely wipe a device. If a stolen laptop is in the hands of a criminal, business-critical but also personal data are at stake. That’s a disaster for companies in terms of data protection.
But even GDPR standard tasks such as the implementation of the “right to be forgotten” can quickly mean a lot of work for IT. If appropriate precautions have not been taken, such as the installation of a dedicated device management solution, deleting all the data of a single person from all devices in the company can take days.
A binding concept for the protection and remote management of mobile devices is therefore a must for IT. The encryption of mobile devices and binding regulations for the use of private devices are important to-dos here. Also, the use of software that automates access to address books, such as messenger services, should be curtailed with plan and purpose.