Profound reasons for data protection
Regulations that are supposed to be secure and economical at the same time can be a contradiction in terms. To meet the new technological possibilities, both small businesses and government institutions face legal burdens. Bettina Hübscher, an accomplished lawyer and SNV lecturer, on data protection and security.
By August 2016, the Federal Department of Justice and Police is to enter a preliminary draft for a revision of the DPA (abbreviation: Data Protection Act). The earliest state regulations of this law were formulated in times before the "mobile society". Bettina Hübscher, expert in labour law, public law and data protection law at the Lucerne University of Applied Sciences and Arts (Competence Centre "Management & Law") on security-relevant areas in companies.
Ms. Hübscher, sometimes companies that communicate sensitive data to the outside world via google & Co. end up in legal grey areas. What do you think of company profiles that are too detailed?
As an entrepreneur, I can reach a broad audience cost-effectively through social media and certainly gain a lot of attention from potential customers. However, social media platforms can bring with them a risk in terms of loss of control, for example if opinions on the Internet turn out differently than the company would like.
Such negative voices can certainly have an effect on the image of a company, but at the same time they can be used as an opportunity by taking up these criticisms and bringing about optimizations.
Finally, it also seems important to me that false reports are prevented. I am thinking of the dual control principle and simple disclaimers stating that no liability is accepted for incorrect information and details on the company's website.
If facts were copied and reproduced directly from the Internet for a company presentation, could intellectual property rights possibly be undermined in the process?
Yes, of course, that can also happen. - But first and foremost, it's about not getting lost or bogged down in uncoordinated actionism in the rapid use of social media technologies.
I think that the knowledge that sources have to be cited for extracted information is well spread after all. This is not least due to the plagiarism incidents in the media.
"If all we have to deal with is bureaucracy in data protection, I think we've missed the mark."
It would be even better if employees working in the field of communication were sensitised and trained in this respect.
Cue smartphones in consulting rooms. Could there suddenly be more lawsuits here against the private disclosure of records or personal data?
It is now common practice in innovation companies, for example, for smartphones to be handed over outside the meeting room. I would classify the use of devices in the mobile work area as much more serious. When I see and hear what information is being exchanged aloud on public transport, for example, I am more concerned about this than about the oversight of smartphones in meetings.
For which sectors of the economy do you think regulations for a secure or economical handling of data are essential?
First of all, we must admit to ourselves: Actually, such a regulation, which provides for security and is supposed to be economic at the same time, is already a contradiction in itself. I am of the opinion that a revision of the FADP (abbreviation: Data Protection Act) is necessary, but that the law must not be developed into an "administered" data protection law.
It is essential for sectors such as healthcare that stricter regulations apply here. However, here, too, the weighing up of additional regulations against possible implementation in day-to-day business must be evaluated. If we only have to deal with bureaucracy in data protection, we will probably have missed the target. There is an urgent need here for discussion between "the legislature" and business representatives in order to develop regulations that are both secure and economical.
You advocate an in-house data protection department with a clearly defined, independent point of contact. How could such a staff function in the complex day-to-day work?
Either we have a defined in-house data protection office or then an independent point of contact, with an external specialist, a data protection officer. If the company is subject to strict regulatory requirements because it deals with highly sensitive data, the second option makes perfect sense. In my opinion, however, there is no such thing as "one or the other". Internal resources and available know-how must be differentiated.
In today's dynamic times, how should security managers adapt to the digital business world that communicates everywhere?
They should define the relevant risks and opportunities with the underlying measures (see infobox for guidance). With this, they have taken the most important step. You should ensure that the interfaces between technology, management and law complement each other optimally and that processes bring about adequate solutions. By the way, you need all those involved in the process, because the digital transformation is coming one way or another.
Ultimately, one should adhere to a clear strategy, an entrepreneurial direction. Based on this, they can take further measures and exploit potential.
