In recent years, individuals and businesses around the world have been hit by truly exceptional situations that few could have predicted. The pandemic and instability have caused many changes in the way businesses operate. Most recently, the war in Europe has forced companies to reassess their own corporate responsibility and to consider the nature of their business operations in the future. As part of corporate responsibility, it is important to assess how a company protects its own employees and customers so that privacy and personal data are protected. Taking care of data privacy and data security is part of corporate responsibility. The effects of cyber-attacks have already been seen in the past (e.g. the Vastaamo data breach). Now is the time to assess your company’s practices in the light of the General Data Protection Regulation (GDPR): when was the last time you reviewed your company’s data protection policies and data security mechanisms? Do they need to be updated?
Technical and organizational measures as a means of protection
Data security and data protection are two different things. Data security can be considered more simply as a means of implementing data protection, i.e. the protection of personal data. Data security matters are classified as technical measures and can include password protection, the correct way to destroy documents, proper antivirus software, firewalls, and even safety and security systems inside buildings. Organizational measures, on the other hand, are mainly internal company policies that, among other things, provide guidance on how employees can contribute to data protection and security. These organizational measures include, for example, data protection policies, risk assessments, employee training, and audits. However, for organizational measures, it should be borne in mind that it is not enough to simply draw up a data protection policy. What matters most is how these policies, guidelines, and measures are applied in practice.
When assessing data protection and security safeguards, emphasis must be placed on technical and organizational measures. The main safeguards are described in Article 32 of the General Data Protection Regulation, entitled “Security of processing”. This article contains the most critical safeguards, such as encryption of personal data, which companies can use to implement their data security. The technical and organizational measures may sound massive and complex, but the reality behind the words is much simpler. It is crucial to ask when these measures were previously reviewed and assess the need to update them. The content of technical and organizational measures has been written about quite extensively, and information can be found, for example, on the website of the Data Protection Ombudsman.
“What, then, needs to be taken into account when assessing the adequacy of technical and organizational measures?”
Technical and organizational measures lie at the very core of data protection when assessing whether a company is sufficiently and robustly protected against cyber-attacks and other data security breaches. Today, hacking and phishing are so sophisticated and effective that a company cannot be fully protected against malicious attacks. Meeting GDPR requirements is an ongoing process that must be constantly reassessed and updated as necessary. If your company last updated its privacy and security policies two years ago, it is more than likely that they are no longer up to date and corrective action is needed immediately. The recent case of Google Analytics is a good example of this. Google Analytics has been and continues to be used by many companies as an analytics and data collection service, but it has been found by European data protection authorities to be in breach of the GDPR: it provides inadequate protection because, among other things, it allows US intelligence services to freely obtain the data.
Technical and organizational measures, therefore, cover a wide range of ways and means of protecting against data security breaches, from cyber-attacks to a huge number of other types of breach that cannot be exhaustively listed here. But one thing is certain: there can never be too many protection mechanisms.
Vulnerable areas are in everyone’s daily use
What is significant about the GDPR is that, although it is primarily applicable only in the European Union, it has also had a major impact at a global level. Data protection and security breaches are often carried out by different organizations, but cyber attackers can also be individuals. According to several statistics and studies, one of the most vulnerable aspects of corporate operations is the lack of multi-factor authentication (MFA). Cyber-attackers’ work is made very easy when the theft or cracking of just one password gives access to all networks of a company or organization. Updating security systems is also essential. If security systems are not regularly updated, this opens the door for cyber-attackers to use malware and, for example, compromise the reliability of internal networks.
It is now, at the latest, a good time for companies to assess the adequacy of their organization’s data protection and security. It is also advisable to assess the adequacy of risk analysis, the level of protection, the necessity and completeness of record-keeping, internal audits and whether personnel within the company are really sufficiently well informed and trained. Even at the start-up stage, it is a good idea to consider at least the following issues:
- Are the personnel trained and aware of the requirements of the GDPR?
- Have the necessary data protection policies and internal practices been drawn up?
- Has a data protection officer or other responsible person(s) been appointed to manage the day-to-day maintenance of data protection?
- Has a risk analysis been prepared covering internal processes, software, policies and guidelines, and the information gathered on what personal data is processed?
- How does the level of data security correlate with data protection requirements?
- Can the level of protection of personal data be further improved in any area?
This can be summed up in one question, which is applicable to both businesses and individuals:
“Are my activities each day such that my own and others’ personal data and privacy are secure?”
The world is constantly changing, and guidelines and regulations on data protection are living and breathing as well. A clear and well-thought-out game plan is a big step towards a truly responsible business, but you don’t have to struggle with your own uncertainties and questions alone. At Mäkitalo, we help you solve these dilemmas.
Legal Clinic for Maria 01 Members
Office Hours at the Maria 01 Campus allow our startup members to meet with experts from the community to discuss and receive advice on various topics. On March 28th and 30th, we will have Jani Rantanen and Paul Durac from Mäkitalo at the campus. Read more about how to book a free 45-minute legal consultation session here.