Hael, can you hear me? Perfect. Morning. I can hear you very well. Perfect. Thank you for joining our session a few minutes early. So without any further introduction, I would hand over to you. Thank you very much. Thank you very much. So my topic today is what a CSO needs to know about the GDPR, the General Data Protection Regulation. But before I present my agenda, I will introduce myself a bit. I'm an attorney at law and have an additional master's degree in IT and law, and I'm co-head of the digital business unit here at VO legal consultant in Germany.
We deal with all questions around data protection, cyber security and IT law from a legal perspective. And I'm very happy to introduce you a bit to the legal world and to the legal questions, or the data protection questions, regarding cyber security in the next few minutes. So what we will do: I will give you a short introduction to the GDPR. What is this kind of regulation? What is the scope of the GDPR?
And then we will discuss what the CSO needs to know from this big data protection or privacy regulation in Europe, and discuss a bit the topic of strategic implementation at the end. So what is the GDPR? The GDPR has the goal of building a Europe-wide harmonized legal framework for the processing of personal data. And that's the first very important point when it comes to a discussion about data protection law or about the GDPR: the GDPR is only applicable if you process personal data. Personal data is any information relating to an identified or identifiable natural person.
So you always have personal data if you have a connection between the data and the natural person. If there is no connection, the whole data protection law isn't applicable and you don't have to consider the GDPR. That's a very important point. It's not always simple to say what is personal data.
If you have a VIN in the vehicle context, or if you have an IP address in the cyber security or information technology context, there are always discussions about whether this is personal data in this context or not. But if it's not personal data, you don't have to consider all these GDPR questions. And another important term in the context of data processing is the controller.
The controller is, according to Article 4(7) GDPR, the person who determines the purposes and means of the processing; that is, the person who owns the whole data processing. The GDPR has some very important principles. The first principle, according to Article 5(1)(a) GDPR, is that data processing is forbidden if you have no special legal basis. The legal bases are laid down in Article 6(1) GDPR. It could be consent. It could be the fulfilment of a contract.
It could be legitimate interest, but you always have to have a legal basis for data processing. If you have no legal basis, data processing isn't allowed. According to the GDPR, there is a principle of purpose limitation and determination. You always have to lay down and think about the purposes and means of processing at the time you start the processing, not afterwards. So if you process data for cyber security purposes, you are not allowed to switch the purpose later. Or if you want to switch the purpose later, there are strong limitations on whether it's allowed or not.
So if you process data for cyber security purposes, you are not allowed to use this data afterwards for marketing purposes, for example. That's also an important principle of the GDPR. We have the principle of data minimization. You are just allowed to process the data which is necessary for the purposes of the processing. So if you, for a cyber security purpose, only need the IP address of a natural person,
or if you only need an IP address to fulfil this purpose, you are not allowed to process more data like the name of the data subject, et cetera. So that's also a point to consider when it comes to data protection questions. We have a few more data protection principles in the GDPR: accuracy. You are not allowed to store false data about someone, and a person affected by data processing can ask for correction if data is wrong. So that's also an important principle. You have the principle of storage limitation.
You are only allowed to store data as long as it's necessary for the purpose. You see this connection between data minimization and storage limitation; there's a strong connection between these principles. And of course, here you see directly the cyber security connection of the GDPR: the controller has to ensure the security of the personal data and has to take measures to protect the data from unauthorized access by third parties.
And that's also an important principle of the GDPR: the accountability of the controller in Article 5(2) GDPR. The controller has to prove to the data protection authorities that he's compliant with all the principles and with the rest of the GDPR. So data protection is a big topic for companies, and data protection compliance is also a big topic.
And this is the core, because if you are not compliant with the GDPR or the data protection laws in your country, you will have fines or damage claims by data subjects. So we come to the main part of my talk: what a CSO needs to know about the GDPR. We will discuss three different smaller topics in this field.
First, what are the cyber security requirements of the GDPR; when is data processing for cyber security purposes allowed; and what is personal data and what do you have to do? All these cyber security requirements are limited to the processing of personal data, which I said at the beginning. So both of the following things that I tell you relate only to the processing of personal data. If it's not personal data, you don't have to consider Article 32(1) GDPR and also not Article 25(1) GDPR. So what's the content of these two articles?
According to Article 32(1) GDPR, the controller has to ensure a level of security and take appropriate technical measures to ensure cyber security in relation to the processing of personal data. The benchmark is first the state of the art, second the cost of implementation. So you don't have to take a very high-cost cyber security measure if this is, under economic conditions, not useful or helpful.
And you have to take into account the nature, scope, context and purposes of processing, and also the risk under which the processing of personal data can be problematic. So you have to do some kind of risk estimation and think about the whole data processing in the context of the risk which derives from data processing under cyber security aspects.
And you have to consider Article 32(1) when the processing is running or starting, and in Article 5(1) GDPR this determination of the means for processing, and the whole cyber security questions related to this, is some kind of starting point before the actual processing of personal data. So you have to think about cyber security measures at the time of determination. So it's a bit earlier, before the start of the processing of personal data. That's the main regulation on cyber security requirements from the GDPR perspective.
So at first hand it's really open. You only have to take appropriate technical or organizational measures; there is no hard regulation that you have to have an intrusion detection system, or that you have to do a backup every hour. All these questions have to be answered by the controller in this risk assessment and the evaluation of the appropriate technical and organizational measures. So when it comes to data processing for cyber security purposes, we are always talking about employee monitoring. Why are we talking about employee monitoring?
Employees are one of the greatest dangers for cyber security in most companies. Employees are difficult to control; you never know if someone is opening an email, or whether someone is really aware of all these cyber security questions.
Of course, companies have cyber security awareness programs and trainings, but it's a difficult field. So for their own protection and for the protection of your own company, you have to do some kind of scans or security measures to prevent intentional or unintentional employee misconduct and all those types of security questions. And you need to prevent your employees from opening bad or scam emails, et cetera, as an example.
But on the other hand, employees have privacy rights, which you also have to consider. So you are not allowed to strictly monitor your employees in your company and put a camera in every office, or stand behind your employee and look at what he's doing at the screen all the time. So that's the problem or conflict: on the one hand, you need to have some employee monitoring for cyber security purposes; on the other hand, you are not allowed to have surveillance of your employees 24/7 and follow every step they take on the internet, for example.
So the GDPR sets a framework for the processing of personal data in Article 6 GDPR, and you have to do a balancing of interests between your legitimate interest in processing and protecting your business from the cyber security perspective, and on the other hand the privacy rights of your employee. What does this mean?
Firstly, employees should receive some information about the monitoring before it takes place. And the stricter your measures are, the more you have to think about consent according to Article 6(1) lit. a GDPR. But this is somewhat problematic, because consent as a legal basis according to the GDPR has to be freely given, and in a situation where you as an employer go to your employee and say, "Hey, sign this consent to this data processing, sign here,"
it's somewhat problematic because you always have this discussion: is this really freely given when the company comes to an employee and says sign here? So the German data protection authorities, as well as other European data protection authorities, are a bit strict about the voluntariness of consent in this context. So it's better to think about legitimate interest according to Article 6(1) lit. f GDPR and do this balancing of interests. But you have to think about how far and how strict your monitoring of employees can be.
That's of course a balancing process you have to do in each individual context, always thinking about how hard the privacy of the employees is targeted. So we come to another interesting point: data processing for security reasons and problems relating to this. And I decided to present this in the context of protection against denial-of-service attacks. To protect yourself from a denial-of-service attack, you can think about using a content delivery network (CDN) to distribute your data worldwide and use caching techniques to speed up web page loads.
When it comes to a DDoS attack, what is of course the problem in this case: you transfer your website to other servers, and if you are building a worldwide network of servers, you transfer data to other countries. If you transfer the data outside the European Economic Area or the EU, this could be a third country according to the GDPR. And you have to think about whether this is allowed.
And if you transfer data to the US, after the Schrems II decision of the European Court of Justice last summer it is really hard to transfer data to the US. You have to do risk assessments, transfer impact assessments, and think about whether this is allowed in each field.
And we had a case in Portugal where the Portuguese data protection authority came to the statistical authority in Portugal and said that you are not allowed to use Cloudflare because there's an illegal transfer to third countries under the GDPR. So it's not something that is solved.
It's a real problem in the case of a content delivery network, that you have to spread your data all over the world, and we have strong limitations on third-country transfers coming from different decisions of the European Court of Justice. And that's only one example where data protection and cyber security are in a bit of a conflict. So it's not always one way. It could be a conflicting way: on one side cyber security, on the other side data protection.
So not everything you do for cyber security is allowed and has the same purpose and direction as data protection. So you always have to do some data protection assessment in the case of cyber security measures, when these measures have something to do with the processing of personal data.
So the last topic: the personal data breach. A personal data breach is, according to Article 4(12) GDPR, a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. First, not every cyber attack is a personal data breach. Only if it's related to personal data do you have a personal data breach; that's important. And the other thing is, data breaches also include incidents at the processor.
So if you give your data processing to a third party, to a processor, and the processor loses your personal data, you are responsible for this data breach at the processor. So of course it's not a cyber attack on your company. What are the legal consequences? You have a documentation obligation according to Article 33(5) GDPR; this is risk-independent. We have a notification obligation towards the data protection authority according to Article 33(1) GDPR, if you cannot exclude a risk to the rights and freedoms of a natural person.
And if it's really bad, you have to notify the data subject according to Article 34(1) GDPR. You have to think about the right to compensation for data subjects and about fines also. Last slide: what do you do to comply with the GDPR? First, you have challenges. There are legal uncertainties and high dynamics.
Of course, the Schrems II decision of the European Court of Justice is a good example. And in addition, the GDPR is an important topic a CSO needs to take into account, but a CSO has to take other rules into account also. What do you do to implement cyber security compliance or data protection compliance? You have to have a management system: identify the applicable regulations, map these regulations to concrete requirements, and do risk assessments. A good example is Article 32 GDPR, this risk assessment for the technical and organizational measures.
You have to implement these measures in a process and incorporate them in the corporate infrastructure. And you have to control and monitor this whole topic continuously. So it always makes sense to implement cyber security and data protection requirements from the legal perspective as early as possible. So thank you very much.