Security

The more complex clients‘ projects get – like in the eCommerce sector – the more important it is to get informed about factors such as data protection. With byte5 as a partner, clients are well equipped due to the support of our data protection representative, Sandra Dury, and an individualised data processing agreement. The latter was specifically designed for our working environment as a cooperative partner in .NET development with Umbraco as well as hosting via Microsoft Azure. The contract already has the legal framework which will come into force in spring 2018. But let’s let the expert herself explain why this topic is of such relevance.

Which role does data protection play in 2017 and how did this role change over the last years?

We live in a time where data is accessible digitally almost everywhere, a development which makes a lot of things easier, but also more dangerous. As soon as data exists digitally, it is free to be copied and can rarely be fetched back. This aspect is making data protection increasingly important. Data is often described as the new oil and considered the fuel of economy, the gold of the 21^st century. Data has an enormous impact on the success and the further development of a company. Thus, it is extremely important to protect this data. Furthermore, the client company wants to be informed about what happens to its data in order to give permission to or, alternatively, to contradict data processing. Consequently, data protection is about ensuring everybody can decide for his or herself which personalised data will be available to whom and when. Hence, every company’s aim has to be the fully extensive organisational, technical and legal protection of all personalised data such as clients’ data. If such a protection is not given, loss of a company’s image or loss of clients and fines can be the consequence.

Which position do you have as a data protection representative?

As a data protection representative, I am an independent person within the company, a person for employees and affected people to contact when needed. In this role, I am not dependent on instructions and I am bound to secrecy. My scope of tasks is vast and starts with finding out whether keeping and working with personalised data in the used software is done in a legally compliant form and making suggestions for a better handling if necessary. Additionally, I sensitise for the topic of data protection. I try to make it clear to both management and employees why data protection is important for them personally and why it is worth paying close attention to it.

Why did you advise byte5 to train its employees?

byte5’s daily routine takes place in the digital world. As a digital company especially, employees need to take a good look at the basics of data protection. One of the related aspects is that employees need to know what they are allowed to discuss openly – with clients and colleagues – and what they need to keep to themselves. Another aspect is avoiding malware. Computer viruses – as you could see with the GoldenEye trojan this year – are getting more and more professionally wrapped. Only a well trained eye can prevent work devices from suffering attacks like this one.

You and your team at Rechtsanwaltsbüro Dury just crafted a data processing agreement specifically tailored for byte5. What is this about?

When byte5 cooperates with other companies to fulfil tasks for its clients, there need to be certain principles in place about whether and how clients’ data is exchanged and whether it can be looked at – or not. Responsibility for a data processing agreement, which, to put it simply, is subject to instructions when it comes to data processing, lies with the client only. This means that byte5 needs to guarantee the usage of its clients’ data in accordance with the regulations when an external electronic data processing company does maintenance work. It is enough to ensure the possibility to look at the data.

In the concrete case of the byte5 data processing agreement, the latter clearly defines the technical and organisational means byte5 needs to adopt to protect their client’s data, e.g. when personalised data from a client’s stock are being processed and saved while working on a web project – such as one in eCommerce. The technical and organisational means are in accordance with the security and protection requests laid out by the federal data protection law. The contract also refers to cloud hosting with Microsoft Azure. It is aligned with the most recent legal basis and the EU general data protection regulation which will come into force in May 2018.

Which advantages does this contract offer to clients?

The clients gain a transparent insight into the work style of byte5 and get a clear signal that data protection plays an important role in every day work and is taken very seriously in the company in general. Ideally, this contract or the hiring of a data protection representative does not change anything in the operative quality when the importance of data protection was already high beforehand.