The most common data security pitfalls – and how to avoid them
Data protection violations are subject to heavy penalties by the supervisory authority. Annoying if a violation against the GDPR happens unintentionally. It's not just your money that suffers when a breach is disclosed, but also your reputation.
After all, in a study by Aikami, 66% of all Internet users say they support privacy policy regulations policies like GDPR and would like to see more similar laws.
So complying with all privacy policies saves both your wallet and your image. Unfortunately, data breaches often happen unintentionally when people are unaware of the most common data security pitfalls.
That’s why we’re here to clear things up and give you tips on how to avoid the most common pitfalls!
Not updating data privacy information
You know about the obligation to provide information under the GDPR and, of course, you have obtained all consents when collecting data for the first time. But have you also thought about the need to adapt the data protection information? Data protection information changes more often than you might think. As soon as new IT systems are set up or new processing activities are carried out, the data security information must also be renewed. All data subjects must be informed of the update – even those who have already accepted previous notifications.
Solution: Find a way to view current changes and communicate them transparently.
Forgot your records of processing activities
According to Article 30 of the GDPR, you must list all your processing activities, including which data is transferred to whom and for what purpose. The date of deletion must also be recorded. Your company has less than 250 employees? Then you don’t have to keep a processing register, right?
Wrong.
Please put this myth out of your mind. A processing directory does not depend on the size of a company. It only doesn’t apply if no risks arise from data processing. However, risks always arise.
Solution: Please maintain records of processing activities carefully.
Hoarding dead documents
“I just print out the processing directory, put it in the data protection documents folder and store everything in the basement. Duty fulfilled,” said no responsible data protection officer ever.
Because it is important to keep all data up to date, also with this pitfall. Don’t rely on analog paperwork, whose transparency only a few people can comprehend.
Use templates from providers
Unfortunately, many companies lack the time or motivation to deal sufficiently with data protection. To save resources, they rely on templates from various providers. However, these are often not specifically customized for your company, and so it can quickly happen that you forget some important details. For example, you also need to document when recorded working times and application documents are deleted.
Solution: So rather leave the processing activities small-scale and work carefully!
Not objecting is far from consenting
Verbal consents to data processing are not effective. Without written consent that is fully and transparently documented, the basis for data processing according to GDPR is missing. So be aware of when and for which topics you need consent and get the consent written. Watch out. Effectively given consents can be forfeited.
Solution: The best thing to do is to have a tool at hand to view the current statistics on consent.
Designate an alibi Data Protection Officer
In some cases, you may need to designate a data protection officer. Due to time constraints, it is common to simply nominate a person so that the issue is off the table. But take this matter seriously! Data protection officers should be competent and reliable. In addition, there must be no conflicts of interest. Consequently, it does no good if you also want to appoint your external IT service provider as external data protection officer. After all, you cannot monitor yourself.
Solution: Don’t try to trick the supervisory authority. Take the issue seriously.
See data security as your enemy
You are an agile company with thousands of brilliant ideas, and of course you want to implement them all. But it often happens that a company’s data protection officer puts supposed obstacles in your way. This and that cannot be implemented for data security reasons. You need consent for every photo. So cumbersome!
In such situations, please remember the study quoted at the beginning: Most people are grateful that the GDPR exists. You personally certainly don’t want your sensitive data to be freely accessible, either. Therefore, it is also important that you raise the awareness of the employees in your company for the topic of data security. As a team leader or even CEO, you should set an example and live a positive data protection culture. Your data protection officer is not a buzz kill, but wants to protect you from penalties and unflattering headlines.
Outsourcing what’s possible
In principle, there is nothing to be said against outsourcing data privacy matters. In many cases, this is even more effective than an in-house solution. Nevertheless, as soon as activities are outsourced, an order processing contract must be drawn up with all details such as technical organizational measures. Sounds daunting, but our article about order processing according to GDPR article 28 will take away your fear.
Solution: Carefully create an order processing contract and a data processing agreement (DPA) – also with the help of apps.
Wanting to keep data security breaches quiet
Mistakes can happen. And yes, it’s embarrassing to report them to the supervisory authority yourself. But you know what’s even more embarrassing (and costly)? When people affected by the data breach report the incident. So in the case of a data breach or unauthorized disclosure of personal information, be sure to:
-
Contact the affected individuals to mitigate the damage, and
-
Report the data breach to the authority as soon as possible.
Data protection evidence trap
According to Article 5, paragraph 2 of the GDPR, you are under accountability. So if you are accused of a data breach, they don’t have to prove that you committed a breach – you have to prove that you are acting in a data protection compliant manner! Another reason to have a transparent data protection program.
Solution: An application that lets you quickly get real-time data on your data protection strategy on demand.
One solution for all data security pitfalls
To fully ensure data security in Jira and Confluence, there are several manual solutions and workarounds. Or you can get one app for everything, namely GDPR (DSGVO) and Security for Jira/Confluence.
Integrate the app with your software, and you have all the tools you need to overcome any and all obstacles. So you get full data protection compliance with the least effort.
Advantages of GDPR (DSGVO) and Security
-
One single tool for all use cases
-
Obtain consents for data processing easily
-
View statistics of consents
-
Benefit from daily updated figures
-
Covers other data protection laws such as CCPA, HIPAA or LGPD as well
-
Benefits beyond data protection (for announcements, authorizations, etc.)
-
Save time and ensure data protection without risk
Using the GDPR app is the ideal basis to easily avoid the stumbling blocks. But the installation alone is not sufficient to ensure compliance with the GDPR. Be sure to do a requirements analysis of your specific situation so that the processes can be refined and adapted to your needs.
You’ll see, with this app, data protection can be surprisingly simple.
Was this helpful?
Thanks!
Andreas Springer _Actonic_
About this author
Head of Marketing
Actonic GmbH
Germany
2 accepted answers
0 comments