Definitions and delimitation of technical data protection
The GDPR formulates data protection goals both directly and indirectly. To achieve them, existing data processing operations must be analyzed and, where necessary, measures taken to ensure that the goals are met. This is the context in which the term “TOM” is used, short for technical and organizational measures.
Technical data protection refers to all measures that can be “physically” implemented.
They are distinguished from organizational measures, such as employee training or the creation of concepts and processes (for example segregation of duties, the dual control principle or work instructions).
Technical data protection according to the old BDSG
In the old Federal Data Protection Act (BDSG), the basis of technical data protection was primarily Section 9 BDSG, which obliged every body that collects, processes or uses personal data to take protective measures. These measures were divided into the following areas:
- Transfer control
- Input control
- Order control
- Availability control
- Separation requirement
Even then, the so-called principle of proportionality was anchored in the law, since technical data protection must always be assessed in relation to the data processing concerned. The General Data Protection Regulation abandoned this subdivision in favor of the new data protection goals.
Technical data protection according to GDPR
Today the basis of technical data protection is primarily Art. 32 GDPR. It stipulates that the controller or processor must implement technical and organizational measures that guarantee a level of protection appropriate to the risk, taking into account the state of the art, the implementation costs, the nature, scope, context and purposes of the processing, and the varying likelihood and severity of the risk for the rights and freedoms of natural persons.
The requirements for technical data protection are thus considerably more abstract and have been aligned with the terminology of information security.
Further, data-protection-specific protection goals can be derived from both the old BDSG and the GDPR. They are also described in the Standard Data Protection Model 2.0 of the German data protection supervisory authorities. Technical data protection measures can and must also support the achievement of these goals. The individual protection goals are:
Transparency is intended to ensure that the controller, the data subject and supervisory bodies are all able to understand the processing that is carried out, thereby establishing auditability. This is a major challenge, especially in modern AI applications in the field of deep learning, where it is often not possible to explain how the algorithms arrive at their outputs.
Unlinkability is intended to guarantee that no connection can be established between two different objects. An example is the merging of data about one data subject that was collected for different purposes or by different controllers.
Intervenability is intended to ensure that data subjects are able to enforce their rights, in particular the rectification, erasure and restriction of the processing of their data. Challenges often arise when deleting individual records from databases, which many legacy systems do not provide for. There is also friction with blockchain technology, which by design does not allow data to be changed (retroactive correction of earlier entries) or deleted.
These can be derived from the principles of “privacy-by-design” and “privacy-by-default” in Art. 25 GDPR as well as from the data protection principles set out in Art.
With suitable settings, technical means can also make an important contribution to data protection on the data subject's side. Such technologies are also known under the catchphrase “Privacy Enhancing Technologies”.
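As an added illustration of the unlinkability goal described above and of a privacy enhancing technology, the following Python code (not part of the original article) derives purpose-bound pseudonyms with HMAC-SHA256. The record layout, purpose names and keys are constructed for the example: with one shared key, the two datasets can still be joined on the pseudonym; with a separate key per purpose, they cannot.

```python
"""Purpose-bound pseudonyms as a technical measure for unlinkability.

Added illustration, not part of the original article. The record layout,
the purpose names and the keys below are constructed for the example.
"""
import hashlib
import hmac
import secrets


def derive_pseudonym(identifier: str, purpose_key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier with a per-purpose key.

    Without the key the pseudonym cannot be reversed to the identifier, and
    pseudonyms created under different purpose keys cannot be matched.
    """
    return hmac.new(purpose_key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_records(records, id_field, purpose_key):
    """Replace the identifying field of each record by its purpose-bound pseudonym."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec[id_field] = derive_pseudonym(rec[id_field], purpose_key)
        out.append(rec)
    return out


def joinable_ids(left, right, id_field):
    """Identifiers present in both datasets, i.e. records that could be merged."""
    return {r[id_field] for r in left} & {r[id_field] for r in right}


# Constructed sample data: the same customers appear in two processing
# contexts that serve different purposes (hypothetical records).
BILLING = [{"customer_id": "C-1001", "amount": 120.0},
           {"customer_id": "C-1002", "amount": 75.5}]
MARKETING = [{"customer_id": "C-1001", "segment": "A"},
             {"customer_id": "C-1003", "segment": "B"}]


def demo():
    """Return (joinable with a shared key, joinable with per-purpose keys)."""
    shared_key = secrets.token_bytes(32)
    billing_key = secrets.token_bytes(32)
    marketing_key = secrets.token_bytes(32)

    # One key for both purposes: pseudonyms match, records stay linkable.
    linkable = joinable_ids(
        pseudonymize_records(BILLING, "customer_id", shared_key),
        pseudonymize_records(MARKETING, "customer_id", shared_key),
        "customer_id")
    # Separate key per purpose: nothing can be joined across the datasets.
    unlinkable = joinable_ids(
        pseudonymize_records(BILLING, "customer_id", billing_key),
        pseudonymize_records(MARKETING, "customer_id", marketing_key),
        "customer_id")
    return len(linkable), len(unlinkable)


if __name__ == "__main__":
    print(demo())  # (1, 0)
```

The keys must be stored and access-controlled per purpose; whoever holds both keys can re-link the datasets, so key custody is the organizational measure that the technical one depends on.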
Measures to implement
Many technologies are already available to companies to implement technical data protection. In the following, some essential measures for companies are briefly presented:
Encryption of communication links using TLS
To prevent data from being intercepted or manipulated unnoticed in transit, the TLS protocol is normally used today as a technical data protection measure. The current version of the protocol is TLS 1.3, which also has some further data-protection-friendly properties. Among them is “Perfect Forward Secrecy”: fresh session keys are negotiated for every connection between client and server, so that even if one key is compromised, not all of the communication can be decrypted.
Encryption can ensure that personal data is protected from unauthorized access, both on the transmission path (in transit) and in storage (at rest).
As the performance of computers increases, regular checks must be carried out to determine whether encryption methods can still be considered secure.
The development of quantum computers will also be a major challenge in the field of asymmetric cryptography.
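As an added example, not taken from the article, the following Python code builds a hardened TLS client context with the standard library and audits the settings a periodic crypto review would check: minimum protocol version, certificate and hostname verification, cipher suites built on legacy primitives, and suites without ephemeral key exchange. The weak-marker list and the set of forward-secret key-exchange names are this example's own assumptions.

```python
"""Hardened TLS client configuration plus an audit of what it permits.

Added example, not from the original article. Uses only the standard
library `ssl` module; the weak-marker list and the forward-secrecy rule
below are this example's own choices.
"""
import ssl

# Key-exchange names reported by OpenSSL that use ephemeral (forward-secret) keys.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any"}
# Substrings of suite names that indicate legacy or broken primitives.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXPORT", "IDEA", "SEED")


def hardened_client_context() -> ssl.SSLContext:
    """TLS 1.3 only, certificate and hostname verification, ECDHE + AEAD suites.

    The cipher string governs the TLS 1.2 suite list; TLS 1.3 suites are
    always AEAD with ephemeral key exchange, so pinning the minimum version
    to 1.3 is what actually enforces forward secrecy here.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report the settings a periodic review of encryption methods looks at."""
    ciphers = ctx.get_ciphers()
    return {
        "minimum_version": ctx.minimum_version.name,
        "verifies_certificates": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        # Suites whose name contains a legacy primitive marker.
        "weak_ciphers": [c["name"] for c in ciphers
                         if any(m in c["name"].upper() for m in WEAK_MARKERS)],
        # Suites whose key exchange is static (no forward secrecy).
        "no_forward_secrecy": [c["name"] for c in ciphers
                               if c.get("kea") not in FORWARD_SECRET_KX],
    }


if __name__ == "__main__":
    for key, value in audit_context(hardened_client_context()).items():
        print(f"{key}: {value}")
```

Running the audit against `ssl.create_default_context()` without the hardening shows the difference: the default still admits TLS 1.2 and, depending on the OpenSSL build, suites with static RSA key exchange.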
Enforcement of strong passwords or 2-factor authentication
Insecure passwords are often the cause of data protection incidents or are involved at least at one point in a chain of attacks.
Technical means can enforce password guidelines so that users cannot choose passwords that are easily cracked, for example with rainbow tables. This is all the more important because experience shows that suggestions and organizational instructions alone do not motivate users to choose secure passwords.
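As an added example (not from the article), this Python code shows a technically enforced password policy together with the storage side that makes rainbow tables ineffective: each password is hashed with PBKDF2-HMAC-SHA256 under a random per-user salt. The minimum length, the small blocklist and the iteration count (600,000, the current OWASP recommendation for this construction) are the example's own parameters.

```python
"""Password policy enforcement and salted, slow password hashing.

Added example, not from the original article. Policy values and the
blocklist are constructed; the iteration count follows the OWASP
recommendation for PBKDF2-HMAC-SHA256.
"""
import hashlib
import hmac
import secrets

MIN_LENGTH = 12
# Constructed blocklist; a real deployment checks a large breached-password corpus.
BLOCKLIST = {"password", "password123", "qwertyuiop12", "letmein12345"}
PBKDF2_ITERATIONS = 600_000


def check_policy(password: str, username: str = "") -> list:
    """Return the policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BLOCKLIST:
        problems.append("appears on the blocklist of common passwords")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    return problems


def hash_password(password: str) -> str:
    """Store as iterations$salt$hash; the random per-user salt defeats precomputed tables."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(check_policy("password123", "alice"))
    stored_a = hash_password("correct horse battery staple")
    stored_b = hash_password("correct horse battery staple")
    # Same password, different salts: a table precomputed for one salt is
    # useless for the other, and both still verify.
    print(stored_a != stored_b, verify_password("correct horse battery staple", stored_a))
```

Storing the iteration count alongside the hash lets the parameter be raised later (the regular review of encryption methods mentioned above) without breaking verification of existing records.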
The data protection authorities have also recognized the importance of secure passwords and issued guidelines for securing telemedia services, which largely deal with the topic of “secure passwords”.
If the data in a system has a high need for protection, the use and enforcement of 2-factor authentication as a technical data protection measure can significantly increase security. A wide range of technical options is available for this, for example time-based one-time passwords or hardware tokens.
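As an added example of the time-based one-time passwords mentioned above (not from the article), this Python code implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library and can be checked against the shared secret from the RFC test vectors. The accepted clock drift of one 30-second step in either direction is this example's choice.

```python
"""Time-based one-time passwords (RFC 6238) as a second authentication factor.

Added example, not from the original article. HOTP per RFC 4226, TOTP per
RFC 6238; the tolerated drift of one step is this example's choice.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter set to the number of steps since the Unix epoch."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, drift_steps: int = 1) -> bool:
    """Accept the code for the current step and up to drift_steps neighbouring steps.

    Each candidate is compared in constant time. A real verifier must also
    remember the last accepted step so that a captured code cannot be replayed.
    """
    counter = at_time // STEP_SECONDS
    for c in range(counter - drift_steps, counter + drift_steps + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


if __name__ == "__main__":
    # Shared secret used by the RFC 4226 / RFC 6238 test vectors.
    secret = b"12345678901234567890"
    print(totp(secret, 59))  # 287082 (the RFC's 8-digit value is 94287082)
    now = int(time.time())
    print(verify_totp(secret, totp(secret, now), now))
```

The secret is a shared symmetric key: it needs the same protection at rest as a password database, and enrolling it (usually via QR code) is the step where it is most exposed.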
Mobile device management
The use of mobile work devices such as tablets and smartphones, but also notebooks, is becoming increasingly popular. At the same time these devices pose a special challenge for technical data protection, whether they are company-owned devices or private devices used in a corporate context. So-called mobile device management (MDM) solutions can technically ensure that private data and company data remain separated.
An MDM solution can also help protect against malware by regulating which applications may be installed on the device. This likewise prevents employees from installing applications that pass company-internal contact data on to unauthorized third parties (e.g. WhatsApp) – employees are often not even aware of these background processes when installing applications.
To ensure the availability of data, regular backups are necessary. Technical backups should always be accompanied by an organizational concept that defines how the appropriate backup parameters are determined. Only then can the technical backup measures actually deliver the intended effect when they are needed.
Analysis and control of network traffic
The analysis and control of network traffic, including network segmentation, can also support compliance with data protection requirements as a technical measure. Dividing the network into different security zones ensures that people only have access to the resources they need for their work.
Where necessary, it can also be ensured that different controllers work logically separated from one another within a single physical network.
Analysis measures make it possible to detect attacks, but also data leaks, and to prevent them through further technical data protection measures. Here, too, technical measures must be accompanied by organizational ones: automated analysis of network traffic is only effective if it is defined who evaluates the resulting alerts and how they are followed up.
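As an added example (not from the article), this Python code checks constructed flow records against a zone-based segmentation policy: same-zone traffic and explicitly allowed zone pairs pass, other cross-zone traffic is reported as a violation, and traffic to addresses outside every zone is listed separately for a data-leak review. Zone names, address ranges, the allow matrix and the log lines are all constructed.

```python
"""Checking observed network flows against a segmentation policy.

Added example, not from the original article. Zone names, address ranges,
the allowed-communication matrix and the flow log lines are constructed.
"""
import ipaddress

# Security zones: each holds the resources one group of people needs for their work.
ZONES = {
    "clients": ipaddress.ip_network("10.10.0.0/16"),
    "hr_apps": ipaddress.ip_network("10.20.1.0/24"),
    "hr_db": ipaddress.ip_network("10.20.2.0/24"),
    "guest_wifi": ipaddress.ip_network("192.168.100.0/24"),
}
# Deny by default: only these (source zone, destination zone, destination port) pass.
ALLOWED = {
    ("clients", "hr_apps", 443),
    ("hr_apps", "hr_db", 5432),
}

# Constructed flow records in a simplified "src dst dport proto" form.
FLOW_LOG = """\
10.10.4.21 10.20.1.10 443 tcp
10.20.1.10 10.20.2.5 5432 tcp
10.10.4.21 10.20.2.5 5432 tcp
192.168.100.7 10.20.1.10 443 tcp
10.10.9.3 203.0.113.50 443 tcp
"""


def zone_of(address: str):
    """Name of the zone containing the address, or None if it lies outside all zones."""
    ip = ipaddress.ip_address(address)
    for name, network in ZONES.items():
        if ip in network:
            return name
    return None


def parse_flows(text: str):
    """Parse the constructed flow lines into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        flows.append({"src": parts[0], "dst": parts[1], "dport": int(parts[2]), "proto": parts[3]})
    return flows


def classify_flows(flows):
    """Split flows into (policy violations, external egress to review).

    Same-zone traffic and allowed zone pairs pass. Cross-zone traffic without
    an allow rule is a violation (including traffic from unknown sources into
    a zone). Traffic to addresses outside every zone is listed as egress so a
    data-leak review can examine it.
    """
    violations, egress = [], []
    for f in flows:
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        label = f"{f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}"
        if dst_zone is None:
            egress.append(label)
        elif src_zone != dst_zone and (src_zone, dst_zone, f["dport"]) not in ALLOWED:
            violations.append((src_zone, dst_zone, label))
    return violations, egress


if __name__ == "__main__":
    found, leaving = classify_flows(parse_flows(FLOW_LOG))
    for v in found:
        print("violation:", v)
    for e in leaving:
        print("egress to review:", e)
```

The two result lists map onto the organizational side the article insists on: violations need a defined owner who decides whether the rule set or the traffic is wrong, and the egress list needs someone who reviews it regularly for unexpected destinations.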
Identity and access management
Technical data protection measures for identity and access management allow a company to ensure that only authorized persons have access to personal data. Identity and access management solutions rely on state-of-the-art measures for identification, authentication and authorization.