revDSG: “Privacy by Design”

A completely revised Data Protection Act (revDSG) will come into force in 2022. Central to the revDSG is personally identifiable information (PII), which is used to derive the identity of an individual person. Companies should already be taking steps to implement data protection measures to ensure compliance with the new requirements.

Peter Mätzler, Senior Business Development Manager at DataStore AG for comforte, discusses the revDSG in the June 2021 edition of IT-Magazin.

With comforte, DataStore has the right solution in its range
Companies must ensure that personal data is processed lawfully. To this end, it is vital to be able to keep an overview of all data records within the company. The revDSG therefore requires a directory of all data processing (“Directory of Data Processing Activities”). Furthermore, from the planning phase onward, data processing activities must be organized in such a way that the data protection provisions, and in particular the processing principles, are adhered to (Privacy by Design).

In addition, defaults must be configured to ensure that the processing of personal data is limited to only those activities necessary for the specific purpose unless stipulated otherwise by the data subject (Privacy by Default).

How data-related data protection helps
Controllers within the company therefore need to know which data is available and where they can find it (“Processing Directory”) in order to be able to protect personal data effectively. The first step involves identifying and classifying the available data. Then you need to figure out the best way to protect the data. Conventional methods of data protection, e.g. the encryption of storage media, usually fall short here.

An effective measure to protect personal data is to tokenize sensitive data. Tokenization involves disguising sensitive data (e.g. credit card, social insurance, or cell phone numbers) with an algorithm and replacing it with a token. This token has the same format as the original data element and can be used by downstream applications. The token is of no value to hackers.
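The format-preserving property described above, shown as an added example (not code from the article or from comforte's product): a minimal vault-based tokenizer that replaces each digit with a random one and keeps separators in place. The `TokenVault` class, `same_format` helper, the `MIN_DIGITS` floor and all sample values are constructed for illustration.

```python
import secrets

DIGITS = "0123456789"
MIN_DIGITS = 6  # assumed floor: fewer digits leave too small a token space


class TokenVault:
    """Hypothetical in-memory vault mapping original values to random tokens."""

    def __init__(self):
        self._to_token = {}   # original value -> token
        self._to_value = {}   # token -> original value

    def tokenize(self, value: str) -> str:
        if value in self._to_token:   # same input always yields the same token
            return self._to_token[value]
        if sum(ch in DIGITS for ch in value) < MIN_DIGITS:
            raise ValueError("too few digits to tokenize safely")
        while True:
            # Randomize every digit; keep separators, spaces and '+' in place.
            token = "".join(
                secrets.choice(DIGITS) if ch in DIGITS else ch for ch in value
            )
            # Reject a token equal to the input or one already issued.
            if token != value and token not in self._to_value:
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Only a caller with access to the vault can reverse a token.
        return self._to_value[token]


def same_format(a: str, b: str) -> bool:
    """True if both strings have digits and separators in the same positions."""
    return len(a) == len(b) and all(
        (x in DIGITS and y in DIGITS) or x == y for x, y in zip(a, b)
    )


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample values: test card number, AHV-style number, phone number.
    for original in ("4111 1111 1111 1111", "756.1234.5678.97", "+41 79 123 45 67"):
        token = vault.tokenize(original)
        print(f"{original!r} -> {token!r} same_format={same_format(original, token)}")
```

Because the token carries no mathematical relationship to the original, the mapping inside the vault becomes the asset to protect; in a real deployment it would sit in an access-controlled store, not in process memory.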

First steps
Even though the revDSG doesn’t come into force until 2022, all those whose work involves processing personal data are already required to implement the provisions of the revDSG. The first step involves taking an inventory of the data processing activities (personal data) so that you can then determine, as part of a gap analysis, what action is required in terms of data protection legislation.

For more information about the technical solutions available for data protection, please read the brief summary of comforte’s data protection solutions.

Interested? For further questions, please contact:

Peter Mätzler
Senior Business Development Manager