Data security and data protection usually behave like communicating vessels: raising the level of data security also improves data protection, and vice versa.
Even where the guarantee goals of data security and data protection partly coincide, trade-offs can still arise.
Data protection and data security guarantee goals
SIEM – Security Information and Event Management Systems
Manually monitoring and controlling network activity and detecting possible irregularities through spot checks, inspection of log files and the like is impossible in larger networks. SIEM (Security Information and Event Management) systems remedy this by turning the abundance of unstructured data into structured data that can be analyzed by machine. What appears sensible from a security point of view (extensive long-term storage and evaluation, including of personal data) may well conflict with the guarantee goals of data protection in individual cases, especially with data minimization and transparency (towards the data subject). This conflict between different guarantee goals is inherent in the mandate to safeguard the fundamental right to informational self-determination.
No SIEM system without a DSFA under Art. 35 DSGVO
The sheer volume of initially unstructured data that accumulates, combined with the possibility of converting it into structured data and feeding it into human and machine evaluation (which can lead, for example, to seamless monitoring of employees), prohibits introducing a SIEM system without a prior data protection impact assessment (DSFA) under Art. 35 DSGVO. Balancing the (legitimate) interests of the company against those of the data subject may require systems to be modified and adapted in specific individual cases. The situation becomes even more complicated when special categories of personal data under Art. 9 DSGVO come into play.
A question of balancing: legally compliant operation of a SIEM system is possible
The purpose of the data protection impact assessment is to help the controller implement a SIEM system in compliance with the law. Weighing the guarantee goals of data protection against those of data security, technical and organizational measures must be implemented that safeguard the data subject's right to informational self-determination on the one hand and meet the legal and technical requirements of data security on the other. Such measures may include pseudonymization or anonymization, encryption, data minimization, deletability and data portability.
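To make the pseudonymization and data-minimization measures concrete at the SIEM ingestion point, the following is an added illustration in Python; it is not code from the original page or from any product. It assumes a small set of constructed SSH-style log lines, a keyed HMAC (key held outside the SIEM, e.g. by the data protection officer) as the pseudonymization function, a retention window that drops records older than a configurable number of days, and a re-identification step that only works for holders of the key. All names, the key and the timestamps are assumptions for the example.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOGS = [
    "2024-03-01T08:15:02Z sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 52233",
    "2024-03-01T08:16:40Z sshd[1202]: Failed password for bob from 10.0.0.9 port 41000",
    "2024-01-10T23:59:59Z sshd[999]: Accepted password for alice from 10.0.0.5 port 50001",
]

# Assumed demo values: a pseudonymization key that would be kept outside the SIEM,
# and a fixed "current time" so the retention check is reproducible.
DEMO_KEY = b"constructed-demo-key-keep-outside-siem"
NOW = datetime(2024, 3, 2, tzinfo=timezone.utc)

# Regex that turns the unstructured line into a structured record.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\w+)\[\d+\]: (?P<outcome>Accepted|Failed) "
    r"(?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)$"
)


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["port"] = int(rec["port"])
    return rec


def pseudonymize(value, key):
    """Keyed pseudonym: stable for correlation, not reversible without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize_record(rec, key):
    """Replace direct identifiers and drop fields the analysis does not need."""
    out = dict(rec)
    out["user"] = pseudonymize(rec["user"], key)
    out["ip"] = pseudonymize(rec["ip"], key)
    del out["port"]  # data minimization: the client port adds no analytic value here
    return out


def ingest(lines, key, now, retention_days):
    """Parse, enforce the retention window, and store only pseudonymized records."""
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ts"] < cutoff:
            continue  # unparseable or outside the retention window: not stored
        kept.append(pseudonymize_record(rec, key))
    return kept


def failed_logins_by_user(records):
    """Example detection analytic that works on pseudonyms, not on real names."""
    counts = {}
    for r in records:
        if r["outcome"] == "Failed":
            counts[r["user"]] = counts.get(r["user"], 0) + 1
    return counts


def reidentify(pseudonym, candidates, key):
    """Controlled re-identification for incident handling: needs the key and a candidate list."""
    for name in candidates:
        if hmac.compare_digest(pseudonymize(name, key), pseudonym):
            return name
    return None


if __name__ == "__main__":
    records = ingest(SAMPLE_LOGS, DEMO_KEY, NOW, retention_days=30)
    for r in records:
        print(r)
    print("failed logins per pseudonym:", failed_logins_by_user(records))
```

The design choice worth noting: an HMAC rather than a plain hash, because a plain hash of a short username or an IPv4 address can be reversed by exhaustive enumeration, which would make the "pseudonymization" meaningless; with the key held outside the SIEM, analysts can still correlate events while re-identification stays a deliberate, auditable step.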
DSFA team
Carrying out a data protection impact assessment requires an interdisciplinary team within the company, with the participation of the appointed company data protection officer. In data protection impact assessments supported by us, Dr. W. Steinmetz, a fully qualified lawyer and business data processing specialist, leads the DSFA team. If necessary, additional external team members can be brought in. We would be happy to assess in a personal meeting which services can be provided in-house and to prepare an individual offer for the external support required.
Important to know: managing directors who fail to initiate a DSFA process despite a legal obligation to do so may find themselves liable with their private assets. More information on the liability of managing directors can be found here.
If you are unsure, simply contact us. The initial consultation by phone or video call is free of charge.