Practical data security measures for better data protection

Whereas data protection is concerned with protecting personal data, data security (IT security) is concerned with protecting data in general. To protect the totality of an organisation's data, both data protection and data security therefore have to be addressed regularly.

Ideally, the IT security officer and the data protection officer together regularly analyse how well the organisation's data is protected and put together suitable practical measures. Data protection officers often also hold a certification as IT security officer.

Concrete technical measures for protecting data, personal or otherwise, can look very different. Technical and organisational measures (TOMs), for example, specify different types of controls. TOMs also play an important role in the General Data Protection Regulation (GDPR) and are defined in more detail in the text of the law.

How is data security integrated into the GDPR?

The requirements for the "security of processing" are found in Article 5(1)(f) GDPR, Article 32 GDPR and Recital 78 GDPR. Article 32 GDPR names few concrete measures, however: the only ones it mentions explicitly are pseudonymisation and encryption. The following therefore answers basic questions about technical security measures for better data protection.

What is two-factor authentication?

With two-factor authentication (2FA), the user proves their identity by combining two different and independent factors. "Different" means factors from different categories: something you know (password, PIN), something you have (bank card, token, phone) and something you are (fingerprint, iris, voice). Authentication succeeds only if both factors are presented together, and ideally they travel over separate channels so that compromising one channel does not expose both. Common examples are bank card plus PIN at an ATM, fingerprint plus access code at building entrances, and password (or passphrase) plus TAN in online banking. Other examples of factors are security tokens, physical keys, passwords, iris recognition and voice. For security-critical applications the BSI (German Federal Office for Information Security) recommends two-factor authentication.

How can I determine whether an account or computer has been hacked?

There are many signs that an account or computer has been compromised. Obvious ones are fake warnings from the virus scanner, new toolbars in the browser, pop-up windows on websites that do not normally show them, and installations that start on their own. A password that suddenly changes without your doing is also suspicious; in most such cases the user has previously fallen for a phishing e-mail asking them to "renew" their password. If the mouse pointer moves across the screen and performs actions by itself, the computer is being controlled remotely and has been compromised.

Attacks can also cause tangible financial damage, which is often how victims notice that they have been targeted by cyber criminals: money suddenly missing from a bank account, or unexpected payment reminders for goods ordered in your name.

How do you create strong passwords and keep them safe?

A strong password should be at least eight characters long (longer is better) and contain upper- and lower-case letters, digits and special characters such as /[(%&§$_:?!+#)], spread through the password rather than only at the end. Avoid sequences of digits or letters such as 1234 or abcd. Names and birth dates of yourself or the people around you are also taboo. Instead, build individual passwords from, for example, a personal mnemonic sentence. Handle login data carefully so that it cannot be stolen. And finally: use a different password for every account. If one password is cracked, the other accounts then remain protected.

Software helps here, too. Password generators produce a password to your specifications, and password managers store the dozens of passwords an active user easily accumulates, protected by a single master password.
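The rules above can be enforced, and the generator the article mentions built, in a few lines. This is an added example, not part of the article or of any particular password manager: it draws randomness from the operating system's cryptographic source (crypto/rand, never math/rand), treats the special characters listed above as the special-character class, and reports which of the article's rules a given password violates. The weak sample passwords in main are constructed.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"unicode"
)

const (
	lower   = "abcdefghijklmnopqrstuvwxyz"
	upper   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digits  = "0123456789"
	special = "/[(%&§$_:?!+#)]" // the special characters the article lists
)

// randomIndex draws a uniform index below n from the CSPRNG. math/rand must
// not be used for secrets: its output is predictable from the seed.
func randomIndex(n int) int {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err)
	}
	return int(v.Int64())
}

// generatePassword returns n runes (minimum 8) containing at least one
// character of each class, shuffled so the class positions are not predictable.
func generatePassword(n int) string {
	if n < 8 {
		n = 8
	}
	all := []rune(lower + upper + digits + special)
	pw := make([]rune, 0, n)
	for _, class := range []string{lower, upper, digits, special} {
		r := []rune(class)
		pw = append(pw, r[randomIndex(len(r))])
	}
	for len(pw) < n {
		pw = append(pw, all[randomIndex(len(all))])
	}
	for i := len(pw) - 1; i > 0; i-- { // Fisher-Yates shuffle with CSPRNG indices
		j := randomIndex(i + 1)
		pw[i], pw[j] = pw[j], pw[i]
	}
	return string(pw)
}

// checkPolicy encodes the article's rules: at least 8 characters, all four
// classes present, no run of three consecutive characters ("abc", "321") and
// no character repeated three times in a row. It returns the rules violated.
func checkPolicy(pw string) []string {
	var problems []string
	r := []rune(pw)
	if len(r) < 8 {
		problems = append(problems, "shorter than 8 characters")
	}
	var hasLower, hasUpper, hasDigit, hasSpecial bool
	for _, c := range r {
		switch {
		case unicode.IsLower(c):
			hasLower = true
		case unicode.IsUpper(c):
			hasUpper = true
		case unicode.IsDigit(c):
			hasDigit = true
		default:
			hasSpecial = true
		}
	}
	if !(hasLower && hasUpper && hasDigit && hasSpecial) {
		problems = append(problems, "missing a character class (lower, upper, digit, special)")
	}
	for i := 2; i < len(r); i++ {
		a, b, c := r[i-2], r[i-1], r[i]
		if (b == a+1 && c == b+1) || (b == a-1 && c == b-1) {
			problems = append(problems, fmt.Sprintf("sequence %q", string(r[i-2:i+1])))
			break
		}
		if a == b && b == c {
			problems = append(problems, fmt.Sprintf("repeated character %q", string(c)))
			break
		}
	}
	return problems
}

func main() {
	pw := generatePassword(16)
	fmt.Println("generated:", pw, "violations:", checkPolicy(pw))
	for _, weak := range []string{"summer2024", "Abc12345!", "Passw0rd!"} { // constructed samples
		fmt.Printf("%-12s %v\n", weak, checkPolicy(weak))
	}
}
```

Note that the policy check catches the mistakes the article names but cannot tell you whether a password is already in a leaked-password list; that check belongs in the login service. The generated password is meant to be stored in a password manager, not memorised.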

Do you want to minimise your risk and implement data protection automatically and with guidance? Find out about the features of the Robin Data software or about appointing one of our qualified data protection officers.

What is the difference between http and https?

A lock in the browser's address bar and https instead of http indicate that the connection to the website is encrypted and therefore more secure than one based only on http (Hypertext Transfer Protocol). The "s" stands for secure: an additional encrypting transport layer, TLS, sits between web server and browser. Third parties can then neither read the traffic nor modify it unnoticed on its way between user and website. For this purpose a TLS certificate (still commonly called an SSL certificate) issued for the site's domain must be installed on the web server.

On the one hand, the general increase in the use of https is welcome; on the other hand, more than half of all phishing sites now show the lock symbol in the browser bar, because anyone, including a fraudster, can obtain a certificate for a domain they control. Anyone who relies on the lock alone can therefore fall victim to fraudsters. Many browser manufacturers are therefore removing or de-emphasising the symbol. The lock only says that the connection is encrypted, not who is at the other end; users must check the domain name themselves to detect phishing sites and other attempts at fraud on the net.
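The two questions the lock conflates, "is the connection encrypted?" and "is this really the site I think it is?", can be separated in code. The following Go program is an added example, not code from the article: it contrasts the naive check most people make (https plus the brand name somewhere in the address) with a check on the host the browser would actually connect to. The trusted domain and the lookalike URLs are constructed for illustration, and the xn-- label is a placeholder, not a real encoding of any name.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// naiveLooksTrusted is the check many people make in their head: a lock
// (https) and the brand name somewhere in the address bar. The constructed
// lookalike URLs in main show why that is not enough.
func naiveLooksTrusted(raw, brandDomain string) bool {
	return strings.HasPrefix(raw, "https://") && strings.Contains(raw, brandDomain)
}

// verdict keeps the two questions apart.
type verdict struct {
	HTTPS    bool   // connection is encrypted (what the lock icon means)
	Trusted  bool   // host is the trusted domain itself or one of its subdomains
	Punycode bool   // host has an IDNA (xn--) label: possible homoglyph domain
	Hostname string // the host the browser would actually connect to
}

// checkURL decides "who am I talking to?" from the host part only: path,
// query, userinfo before '@' and the port are attacker-controlled or
// irrelevant, and a substring match on the brand name is exactly the mistake
// that lookalike domains exploit. Only an exact match or a label boundary
// before the trusted suffix counts ("www.paypal.com" yes, "notpaypal.com" and
// "paypal.com.evil.example" no).
func checkURL(raw, trustedDomain string) (verdict, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return verdict{}, err
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	trusted := strings.ToLower(trustedDomain)
	return verdict{
		HTTPS:    u.Scheme == "https",
		Trusted:  host == trusted || strings.HasSuffix(host, "."+trusted),
		Punycode: strings.Contains(host, "xn--"),
		Hostname: host,
	}, nil
}

func main() {
	const trusted = "paypal.com"
	samples := []string{ // constructed for illustration; not real phishing sites
		"https://www.paypal.com/signin",
		"https://www.paypal.com.login-verify.example/",
		"https://www.paypal.com@evil.example/",
		"https://evil.example/www.paypal.com/signin",
		"https://xn--pypal-constructed.example/",
		"http://www.paypal.com/",
	}
	for _, s := range samples {
		v, err := checkURL(s, trusted)
		if err != nil {
			fmt.Println(s, "->", err)
			continue
		}
		fmt.Printf("%-46s naive=%-5v https=%-5v trusted=%-5v punycode=%-5v host=%s\n",
			s, naiveLooksTrusted(s, trusted), v.HTTPS, v.Trusted, v.Punycode, v.Hostname)
	}
}
```

Every lookalike in the list passes the naive check and fails the host check, while the plain-http line shows the reverse: the right site, but no encryption. In a real deployment the same host logic belongs in mail filters and link-rewriting proxies, with the list of trusted domains maintained centrally rather than left to the user.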

What is end-to-end encryption for email?

With end-to-end encryption, transmitted data remains encrypted across all intermediate stations right up to the recipient. It works on the key-lock principle of public-key cryptography: the sender locks the message with the recipient's public key, and it can only be opened with the recipient's private key, which never leaves the recipient's device. No other party, such as the provider of the communication service, the telecommunications company or the internet provider, can read the message. The security of this type of encryption is therefore very high: without the private key the text cannot be decrypted. The counterpart to end-to-end encryption is point-to-point or line (transport) encryption: here messages are decrypted at intermediate stations, may exist there in plain text, and can be read by the operator or an attacker who controls that station. It is therefore important to make sure that the software and devices used work with end-to-end encryption. Two caveats apply: end-to-end encryption protects the content, not necessarily the metadata (who wrote to whom and when), and it cannot protect against a compromised endpoint, which sees the plain text anyway.
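The difference between the two models can be shown by simulating both paths through a relaying provider. The Go program below is an added example, not code from the article or from any messenger: it uses X25519 key agreement and AES-256-GCM from Go's standard library, derives the session key with a simplified SHA-256 step (an assumption made for brevity; real protocols use HKDF and a key ratchet), and the message is constructed. The provider keeps a copy of everything it forwards, which is exactly what a curious or compromised provider could read.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// party is one endpoint: its private key is generated locally and never leaves
// the device; only the public key is published, e.g. via the provider's directory.
type party struct{ priv *ecdh.PrivateKey }

func newParty() party {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return party{priv}
}

func (p party) public() []byte { return p.priv.PublicKey().Bytes() }

// sessionKey turns the X25519 shared secret into a 256-bit AES key
// (simplified: SHA-256 over a label and the secret; real protocols use HKDF).
func (p party) sessionKey(peerPublic []byte) []byte {
	pub, err := ecdh.X25519().NewPublicKey(peerPublic)
	if err != nil {
		panic(err)
	}
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(append([]byte("e2ee-demo-v1"), shared...))
	return sum[:]
}

// aead builds AES-256-GCM; the constructors cannot fail for a 32-byte key.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal prepends a random 96-bit nonce; the GCM tag exposes any change by a relay.
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, msg []byte) ([]byte, error) {
	gcm := aead(key)
	if len(msg) < gcm.NonceSize() {
		return nil, fmt.Errorf("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// provider is the relay; its stored copies are all it can ever read.
type provider struct{ stored [][]byte }

func (pv *provider) relay(msg []byte) []byte {
	pv.stored = append(pv.stored, msg)
	return msg
}

// endToEnd sends one message through the provider encrypted to the recipient's
// public key; with tamper=true the relay flips a bit to show the recipient notices.
func endToEnd(plaintext []byte, tamper bool) (received []byte, providerSawPlaintext bool, err error) {
	alice, bob, pv := newParty(), newParty(), &provider{}
	msg := pv.relay(seal(alice.sessionKey(bob.public()), plaintext))
	if tamper {
		msg[len(msg)-1] ^= 0x01
	}
	received, err = open(bob.sessionKey(alice.public()), msg)
	return received, bytes.Contains(pv.stored[0], plaintext), err
}

// hopByHop models line (point-to-point) encryption: each hop is encrypted, but
// the provider owns the key of its hop, so it decrypts, can read or store the
// plaintext, and re-encrypts for the next hop.
func hopByHop(plaintext []byte) (received []byte, providerSawPlaintext bool) {
	alice, bob, relay, pv := newParty(), newParty(), newParty(), &provider{}
	inTransit, _ := open(relay.sessionKey(alice.public()), seal(alice.sessionKey(relay.public()), plaintext))
	pv.relay(inTransit)
	received, _ = open(bob.sessionKey(relay.public()), seal(relay.sessionKey(bob.public()), inTransit))
	return received, bytes.Contains(pv.stored[0], plaintext)
}

func main() {
	msg := []byte("Meeting moved to 10:00, room 4") // constructed message
	got, saw, err := endToEnd(msg, false)
	fmt.Printf("end-to-end: recipient=%q, provider saw plaintext=%v, err=%v\n", got, saw, err)
	_, _, err = endToEnd(msg, true)
	fmt.Println("end-to-end with tampering relay:", err)
	got, saw = hopByHop(msg)
	fmt.Printf("hop-by-hop: recipient=%q, provider saw plaintext=%v\n", got, saw)
}
```

In both models the recipient gets the same text; the difference is what the provider's store contains. The tampering run also shows the property the article's "key-lock" picture leaves out: authenticated encryption lets the recipient detect a relay that alters a message, not just one that reads it. What this simulation does not cover is how the sender learns the recipient's genuine public key in the first place; that is the job of key verification (safety numbers, fingerprints) in real messengers.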

No security system can protect you completely against the rising tide of cybercrime. Watch for signs that your computer or data has been compromised. Much of the damage can be prevented by keeping software and security programs up to date, not running questionable programs, not falling for spam and phishing, and regularly reviewing and improving your data protection and data security measures.

Caroline Schwabe