How important is it to act in compliance with the GDPR, and what consequences can neglecting it bring about? More and more companies are affected by cyberattacks, but how can one protect oneself against them, and what does that have to do with the GDPR? We put these and many other questions to Ralph Günther, CEO of exali AG, in the following interview.
Time and again, reports of data misuse and cyberattacks on corporations and entire countries are in the news. Does this topic also affect SMEs and the self-employed? How important is cybersecurity in your opinion?
A cyber loss is certainly to be considered a high risk, and it is therefore enormously important to deal with it in the context of risk management. This applies not only to large companies, but also to small and medium-sized enterprises and freelancers, across all industries. For example, we already had the case of a law firm whose entire server was turned into a Bitcoin mine by cyber criminals. Or there was the solo self-employed person who ran a small online portal and had his wallet emptied by a cyberattack.
If we look at the statistics, we unfortunately have to conclude that cybercrime was on the rise in 2021: for example, a cyber disaster was declared in Germany for the first time ever, a ransomware attack paralyzed an entire supermarket chain, and security vulnerabilities in operating systems were mercilessly exploited. Overall, the Verizon Business 2021 Data Breach Investigations Report (DBIR) recorded a third more security breaches than in 2020.
Since the new 2018 regulations, the entire internet community has been alarmed when it comes to data storage. How often do you as an insurance company have to deal with violations of the GDPR?
We notice it every day. GDPR-compliant work and secure systems are a hot topic that genuinely concerns many self-employed people and companies. Due to the complexity of the topic and the frequent legal changes, many entrepreneurs also only dare to approach this area with the support of external specialists.
The claims that land on our desk are as complex as the regulations themselves and sometimes surprising for us. Some are minor offenses that lead to damage, such as an "open" e-mail distribution list, a real estate exposé uploaded to the Internet in which the name and address of the owner and the architect were published without permission on a picture, or a contact on a career platform that was made without the express consent of the person contacted. However, we also see larger issues when, for example, an SME has collected certain data without authorization and without being able to prove a legitimate interest in storing it, and is then also technically unable to delete this data again. Some claims are so protracted that the costs of the proceedings end up being higher than the actual claim. These cases are now all part of our claims practice.
These GDPR breaches seem to be a hot topic. What are the consequences for companies and self-employed persons in the event of a breach of the GDPR?
This can have very different consequences. A common one is certainly a warning letter with a cease-and-desist declaration subject to a contractual penalty and, of course, a corresponding bill from the lawyer. In recent years, there have been contradictory court decisions as to whether data protection violations can in principle be subject to a warning, but only recently did the Higher Regional Court of Hamburg again affirm this in a supreme court decision. Therefore, this risk remains undiminished.
Another consequence is that a data subject may claim damages under Art. 82 GDPR. In the meantime, there are also enough judgments from cases where the parties could not agree on this. If larger data sets are affected, there may of course be several claims for damages, which can add up unpleasantly.
The biggest sword of Damocles is certainly the regulatory fines. After initial restraint on the part of the German supervisory authorities, fines in the millions are no longer a surprise. However, this does not only affect Germany, but is now the practice throughout the EU. By that I mean: It's not just us Germans who are strict here.
However, I would also like to take some of the fear out of the discussion. The fines imposed by the data protection authorities must be based on revenue, or rather on global revenue, and take into account factors relating to the seriousness of the offense and the cooperation of the accused in the investigation. They may not exceed the threshold of 4 percent of global annual turnover, which can nevertheless be a considerable blow to the bottom line, depending on the margins in the business.
How can companies best act to prevent a GDPR breach?
I think it's difficult to answer this question for everyone in general. Companies are too different for that, and data protection is too complex. However, I would like to provide at least some food for thought: from my perspective as CEO, it is important to understand the topic of data protection as an ongoing process that affects all employees and all departments, not just the appointed data protection officer. At exali, for example, we hold regular training sessions on data protection and IT security with all employees as a preventive measure.
In addition, I always find it useful to have an outside perspective. A professional data protection audit is a good way to put the current level of data protection to the test and, if necessary, identify potential for improvement. It also protects against "operational blindness." There are some questions you don't ask yourself, and that can lead to dangerous gaps.
Last but not least, technology, both software and hardware, naturally also plays an important role in prevention. Data protection should not only take place on paper, through privacy policies, data processing agreements and records of processing activities, but also in a company's IT department. For example, in the course of the increase in working from home, we introduced a Citrix solution. Before that, we had invested money in new firewalls and active monitoring. In the end, as I already mentioned, prevention in data protection is for me an interplay of the measures described, in a control loop that must be anchored in the company, that is, in the minds of all employees. We will never reach the perfect state, which is why we as a company must constantly develop further.
Cyberattacks also have devastating consequences - especially on a large scale. What can be the consequences of a cyberattack on companies and the self-employed?
I have to put it this harshly: the consequences can really threaten the existence of a company. Data is the "gold of the 21st century" and usually the most important asset in a company. Here, too, the consequences are complex. Take the web store that is crippled by malware during the Christmas season (this is exactly what happened to about 2,000 web stores running Magento within one and a half years). The law firm that no longer has access to electronic files and deadline control because of an encryption Trojan. Or the law firm that is blackmailed by hackers with the threat that the files of prominent clients will be published on the Internet. Or a company whose production is paralyzed by hackers for weeks.
The cases are very different, but in the end they all have one thing in common: they result in considerable financial losses for the companies or the self-employed and in significant additional costs, for example for the removal of malware, data recovery, additional IT services, and so on.
Here's a little tip: It is precisely these financial consequences and additional costs that the self-employed and companies can protect themselves against with cyber insurance. This is often not as expensive as many people think.
How do the GDPR and cybersecurity interact in your eyes?
Since digitalization has taken hold in almost all business areas, the GDPR and cybersecurity are inextricably linked. Because our systems are networked, there is always the risk of a data breach as well as of unauthorized access to data from the outside. Today, I can no longer ensure data protection only through appropriate contracts, records and processes; I must also think about data protection and data access in technical terms. This ranges from adequate authorization management, through the selection of software and hardware according to data protection aspects (and, in software development, according to the "Privacy by Design and Default" principles), to suitable IT security measures. Today, data protection and data security must go hand in hand.