Cross-domain data erasure: Data protection survey shows room for improvement

The new Data Protection Act (NDSG) will come into force next year. Swiss Infosec AG, together with Swiss GRC AG, wanted to find out in a data protection survey whether the prospect of the NDSG coming into force on September 1, 2023, is already having an impact on how data protection is handled in companies.

The Swiss Infosec and Swiss GRC Heartbeat survey takes the pulse on hot topics. (Image: Adobe Stock/stock.adobe.com)

115 people took part in the Swiss Infosec Heartbeat survey on data protection. Most of them (40%) work in the IT department of their company. However, numerous responses also came from the Legal and HR departments and from the Board of Directors/Executive Management area. The fact that data privacy is perceived as an important topic and taken seriously at board and management level gives the authors of this data privacy survey confidence and speaks in favor of a higher priority for data privacy. 

Good report card in terms of internal data protection requirements

83% of the organizations that participated in the data privacy survey have an internal document with data privacy requirements. 12% do not have such a document and the remaining 5% do not know whether there are internal data protection guidelines. The existence of internal data privacy guidelines shows that the organizations are concerned with the topic of data privacy/data protection law and that the handling of data privacy is not arbitrary, but is clearly defined in relation to the company. This creates security and continuity. 66% of the organizations also employ data owners who are responsible for a specific part of the data within the organization.

Only a few companies do not yet have a privacy policy

104 of the 115 respondents, or 90%, confirm that their organization has a privacy statement (DSE). This high figure is encouraging. However, the data protection experts at Swiss Infosec AG raise a question that was not explicitly asked in the survey: whether these DSEs also cover data processing beyond the website. Experience shows that this is probably not the case everywhere. In view of the new data protection law, however, these data processing activities should be covered by the data protection declarations.

Data protection survey shows room for improvement in regular, cross-divisional data deletion

Not entirely unexpectedly, the greatest potential for optimization is in data deletion. Although 39% of the survey participants state that data is deleted regularly and across departments in their organization, such data deletion does not take place in 43% of the companies, and the remaining 8% of the respondents have no knowledge of it. Eugen Roesle, Head of Legal and Data Privacy at Swiss Infosec AG, refers in this context to the "last mile of data protection" that many companies still have to go through, even if the NDSG does not change anything in purely legal terms with regard to data deletion. Personal data that is no longer needed because it has fulfilled its purpose must already be deleted under the current law.

Consider data protection governance

A core requirement of data privacy governance is the implementation of a process that checks data privacy compliance for new projects involving personal data. 57% of the participating organizations meet this requirement; 43% do not, or tend not to. There is a need for action in the area of data privacy governance, especially since timely and, at best, automatic data privacy compliance checks for new projects save time and eliminate uncertainties and unpleasant surprises.

Support through specific tools/software solutions?

According to the survey, organizations that rely on specific tools/software solutions in the area of data protection are in the minority. Still, 40% of the companies make use of such support, while 60% do not (yet). It remains open whether the size or complexity of a company influences the decision to use tools, or whether the corresponding offerings and their tailored solutions are simply not sufficiently known.

Source: Swiss Infosec
