D: Conference of data protection officers calls for security policy
Category: News
By: M. Schröder - 2B Advice GmbH - the privacy benchmark
The conference of data protection officers of the Federal Republic of Germany and its states on 18.03.2010 adopted a white paper for a modern data protection law for the 21st Century. In the white paper, the data protection officers made proposals such as strengthening the conceptual safeguard against data protection risks which, in the event of statutory implementation, would mean more requirements to be met by corporations.
The conference of data protection officers of the Federal Republic of Germany and its states is held twice annually, and serves as a common working platform for the participating institutions. The white paper adopted by the conference was conceived as a discussion basis for reform of the data protection laws.
The conference works under the assumption that the regulations contained in the annex to § 9 of the Federal Data Protection Act (BDSG) regarding the technical and organizational measures can only be applied with difficulty to current and future data processing systems. Therefore, the conference proposes the establishment of compulsory, technology-neutral protection goals. These protection goals must be simple, understandable, and practically appropriate. The measures to be derived from the protection goals must be able to be implemented easily and flexibly in practice. The conference has designated the following protection goals:
- Availability
- Confidentiality
- Integrity
- Transparency
- Non-interlocking nature (as a technical safeguard for the purpose limitation principle)
- Intervenability (as a technical arrangement for procedures for the exercise of the rights of affected parties)
The implementation of the protection goals must have the conceptual safeguard of an early risk analysis and a security policy. Both the risk analysis and the security policy must be adapted regularly to emerging technical developments and must reflect the current state of the art.
Should the proposals of the conference be heeded by lawmakers, corporations will have to adjust to the possibility of a mandatory documented risk analysis and the obligation to draw up a security architecture. Even now, a regular risk analysis and a state-of-the-art security policy should form part of an effective data protection management system. The proposals of the conference are therefore a good opportunity to reflect on the implementation of regular risk analysis and a corporate security architecture.
Source: www.baden-wuerttemberg.datenschutz.de/service/gem-materialien/modernisierung.pdf
