European Data Protection Day

- April 8, 2020

While sorting through old texts, I came across a short talk on European Data Protection Day that I gave online. I had followed the request of a colleague at an international corporation who organizes online training courses. Although European Data Protection Day was quite a while ago (January 28), I am publishing the talk here once more. Perhaps it is quite good to read a few thoughts that have nothing to do with Covid-19. The topic of the short talk was: “Privacy challenges in the new decade”.

Privacy Challenges?

Privacy challenges in the new decade? Talking about privacy and challenges, I think there are actually two major challenges.
Number one: to work towards better transparency of IT systems. Number two: to invest in knowledge about privacy and IT security at every level in companies.
Let me explain this in a little more detail.

Delete!

I don’t know how many times I have found thousands of datasets at my clients’, datasets that should’ve been deleted long ago. There are usually two reactions to such findings. The first, quote: “We might still need all this”. When I ask back, “What exactly do you need it for?”, most of them have only vague answers. The second statement in this context: “Our software cannot delete data”. The answer that I heard very often a couple of years ago, “we didn’t know we were supposed to delete old data”, has more or less disappeared since the GDPR came into effect.
Last week it became public that a German car rental company made more than 3 million datasets public by accident, due to a mistake in opening a certain port on the firewall. The datasets went back as far as 2006, among them reports about accidents, police reports, blood tests. I was immediately reminded of all the data graves that I’ve seen, and I was reminded of myself saying that whatever isn’t there cannot be compromised. This incident puts the focus on the problems: the obvious negligence when it comes to deleting data and the obvious negligence in taking care of the security of databases.

Privacy and IT-Security

Therefore, one of our challenges as privacy professionals will be to have management understand that data protection and IT security are inseparable. Above all, they need to understand that neither is just an annoying evil that costs a lot of money, but an indispensable prerequisite for proper business operations.
In daily business the challenge will be to work towards transparency of IT systems. Here too, we still have a huge lack of knowledge and of understanding of the details. This is easier said than done, I know, but I see a responsibility for IT companies not just to put up any system and assure everyone that everything is all right. I see a special responsibility for IT companies that process data on behalf of others. For them, it will no longer be enough to just run down a list of more or less detailed technical and organizational measures, the way it still happens most of the time. Instead, those companies will have to deliver thorough documentation and present convincing proof that their processes and systems only carry a residual risk. Plus, it will be the responsibility of management not to let anyone get away with half-baked documentation and IT security measures.

Awareness

So what it all comes down to: we must invest in awareness and knowledge at every level. Who else but us, the privacy professionals, would be able to make this clear?
On a personal level the challenge for us will be that we have many roles: we are the hunters that push the CEOs to action and the staff to give us the information that we need in order to do our work. We are the patient mothers, explaining necessary procedures again and again until they work without us. And sometimes, too, we are knights in shining armor who get things straight again when they have gone terribly wrong. To combine these very different roles will be our very own challenge, but if we succeed, we will be able to work towards better-working privacy and IT security at every level.

Thank you very much and I’d like to hear your thoughts.

