Germany’s first GDPR fine: Understanding what is important

All companies must examine in detail which of their systems hold data covered by the legislation.

A unique distinction, but not one to be proud of

It’s been a month since the data protection authority of Baden-Württemberg, Germany, imposed the first fine for violation of the General Data Protection Regulation (GDPR). A fine of EUR 20,000 was imposed on the German social media company Knuddels.de for failing to encrypt users’ personal data, including user passwords, which led to the compromise of around 808,000 email accounts.

A deeper look

The post-hack investigation revealed that the social media company had stored its users’ credentials (passwords) unencrypted, in plaintext. The Baden-Württemberg State Commissioner for Data Protection and Freedom of Information (LfDI) found that the company had infringed its obligation to guarantee the security of personal data under Article 32(1)(a) of the GDPR. The LfDI, in its official press release, states that “By storing the passwords in plain text, the company knowingly violated its obligation to ensure data security pursuant to Art. 32 para. 1 (a) of the EU-GDPR when processing personal data.”
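The defect the LfDI sanctioned is that the stored value was the secret itself, so a database leak handed over every password directly. The added example below (written for this article, not code from Knuddels.de, the LfDI or SECUDE) contrasts that storage pattern with salted password hashing using Python’s standard library, and includes a small audit check that flags records still held in plaintext. The record layout, the `pbkdf2_sha256$…` encoding and the iteration count are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Iteration count for PBKDF2-HMAC-SHA256 (assumption for this example; tune for your hardware).
PBKDF2_ITERATIONS = 600_000
HASH_PREFIX = "pbkdf2_sha256"


def store_plaintext(password: str) -> dict:
    """The pattern the fine was issued for: the secret itself is written to storage.
    A copy of the table is a copy of every user's password."""
    return {"password": password}


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted, slow hash; only this string is stored, never the password."""
    salt = os.urandom(16)  # per-user random salt: identical passwords get different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        HASH_PREFIX,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        prefix, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if prefix != HASH_PREFIX:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def records_in_plaintext(records: list) -> list:
    """Audit helper: return the user ids whose stored value is not in the hashed format.
    `records` is a list of {"user": ..., "password": ...} dicts (constructed layout)."""
    flagged = []
    for record in records:
        stored = record.get("password", "")
        if not (stored.startswith(HASH_PREFIX + "$") and stored.count("$") == 3):
            flagged.append(record["user"])
    return flagged


if __name__ == "__main__":
    # Constructed sample table mixing both storage patterns.
    table = [
        {"user": "alice", **store_plaintext("correct horse battery staple")},
        {"user": "bob", "password": hash_password("hunter2")},
    ]
    print("plaintext records:", records_in_plaintext(table))  # ['alice']
    print("bob login ok:", verify_password("hunter2", table[1]["password"]))
```

The audit helper is the part a compliance review would actually run: pointed at a dump of the credential table it lists which accounts would be exposed by a leak, without needing to know any password.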

First things first: Understanding what is important

All companies must examine in detail which of their systems hold data covered by the legislation. Subsequently, an in-house audit should clarify to what extent the company can reliably track, and provide evidence of, how this data is used if, for example, it leaves the system.

As a result of the ever-increasing complexity of IT environments, it is a great challenge for companies to track what data is stored in which systems and through which channels it could potentially be shared. ERP systems such as SAP contain and process copious amounts of personal data. Within this controlled IT environment, the specifications of the new data protection guidelines can be implemented as part of the standard process if the applications are equipped with authorization structures and audit logs.

As an SAP user, did you know that…

…the SAP authorization structures no longer apply as soon as data leaves the SAP environment?

That is correct.

There is no way to trace how the data is subsequently used and to what extent it may be misused. Within most companies, such data exports are performed daily without the employees being aware of the consequences. This concerns all commercial sectors.

A prerequisite is the introduction of an audit or logging solution that records who exports and forwards what kind of data, and when. If available, integration with a Governance, Risk and Compliance (GRC) solution is recommended so that notifications can be sent to the responsible parties in the event of a breach of the rules. Ideally, the datasets have already been classified before being exported. In that case, the mandatory regulations pertaining to personal data are adhered to for the datasets’ entire lifecycle, and downloads can be evaluated and handled in real time. Where necessary, the export of sensitive data is prohibited entirely.
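The mechanism this paragraph describes has three parts: an audit record for every export, a classification-based decision at export time, and an escalation hook towards GRC. The added example below (written for this article; it is not HALOCORE, SAP GRC or any other product’s code) shows the three working together on constructed export events. The classification labels, the channel rules and the bulk threshold are assumptions chosen to illustrate the pattern.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Which channels each classification may leave the system through.
# Assumed policy for this example, not a rule taken from the page or a product.
ALLOWED_CHANNELS = {
    "public":     {"csv_download", "email", "sftp"},
    "internal":   {"csv_download", "sftp"},
    "personal":   {"sftp"},   # personal data only via the approved transfer channel
    "restricted": set(),      # restricted data never leaves the system
}

# Personal-data exports above this many records stay allowed but are escalated (assumed value).
BULK_PERSONAL_THRESHOLD = 1000


@dataclass
class ExportEvent:
    """One audit record: who exported what kind of data, when, how, and what was decided."""
    timestamp: str
    user: str
    dataset: str
    classification: str
    channel: str
    record_count: int
    decision: str
    reason: str


class ExportAuditor:
    def __init__(self):
        self.audit_log = []          # JSON lines; stands in for the logging backend
        self.grc_notifications = []  # events forwarded to GRC; stands in for the integration

    def evaluate(self, user, dataset, classification, channel, record_count, now=None):
        """Decide an export and log it. Returns 'allow' or 'deny'."""
        timestamp = (now or datetime.now(timezone.utc)).isoformat()
        allowed = ALLOWED_CHANNELS.get(classification)
        escalate = False
        if allowed is None:
            decision, reason = "deny", "unclassified dataset: classify before export"
        elif channel not in allowed:
            decision, reason = "deny", f"{classification} data may not leave via {channel}"
        elif classification == "personal" and record_count > BULK_PERSONAL_THRESHOLD:
            decision, reason = "allow", "bulk personal-data export"
            escalate = True
        else:
            decision, reason = "allow", "within policy"

        event = ExportEvent(timestamp, user, dataset, classification, channel,
                            record_count, decision, reason)
        # Every decision is logged, allowed or not: the record of who moved what is the point.
        self.audit_log.append(json.dumps(asdict(event), sort_keys=True))
        if decision == "deny" or escalate:
            self.grc_notifications.append(event)
        return decision

    def denied_users(self):
        """Users with at least one denied export in the log (for a periodic review)."""
        return sorted({json.loads(line)["user"] for line in self.audit_log
                       if json.loads(line)["decision"] == "deny"})


if __name__ == "__main__":
    auditor = ExportAuditor()
    # Constructed export events; dataset names are placeholders.
    auditor.evaluate("u.mueller", "customer_master", "personal", "email", 120)
    auditor.evaluate("u.mueller", "customer_master", "personal", "sftp", 120)
    auditor.evaluate("j.schmidt", "payroll", "restricted", "csv_download", 40)
    for line in auditor.audit_log:
        print(line)
    print("GRC notifications:", len(auditor.grc_notifications))
```

The denial of the e-mail export is recorded alongside the permitted SFTP transfer; a log that only captures violations cannot answer the question the paragraph poses, namely how exported data was actually used once it left the system.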

Is there a way to audit data flows and protect intellectual property and sensitive and personal data that is exported from SAP, and, in the process, close a small but critical gap in GDPR compliance? There is.

SECUDE’s HALOCORE complements SAP GRC by covering data outflows. Interested to know more about HALOCORE? You can read more about this unique SAP data security solution here.
