nic.at News - 28.01.2022 07:27
28 January – European Data Protection Day

Data protection and privacy are terms that have been ever-present in the media and our everyday lives for many years now. With the number of ways of exchanging information rising all the time and technological progress accelerating at breakneck speed, both subjects are now a major international priority.

The importance of personal data as a sensitive area was formally recognised on 28 January 1981 when the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was opened for signature by the Council of Europe. Since 2007, European Data Protection Day has been celebrated on this date, featuring annual events with national and international data protection experts, governments and parliamentary authorities working together to raise awareness of the topic and advance data protection among the wider population. Today, 28 January is no longer just observed in Europe, but celebrated the world over as Data Privacy Day.

We took this special day as our cue to talk to some of our colleagues whose work at nic.at revolves around data protection.


Wolfgang Rosenkranz – Head of CERT.at

Practical experience shows that the terms ‘data protection’ and ‘data security’ are often – wrongly – used interchangeably. But what is the real relationship between these two areas?
Data security and data protection often get mixed up or simply lumped together. Like siblings, they have various things in common, but they should definitely be treated separately. While data protection is all about protecting the data of natural persons and, by extension, their basic rights and freedoms, data security is concerned with all types of data and how to prevent them from being lost, changed or disseminated without permission. For IT/OT/cybersecurity experts the focus is primarily on data security, with data protection seen as more of an auxiliary operational or legal matter – a topic that generates additional work and has the potential to stand in the way of certain technical measures.

Like siblings, data protection and data security stand together as a family. We can no longer afford to ignore one or the other, if we want to make use of digitalisation now and in the future without sustaining damage. Although this family can be an annoyance at times, costing time and money and leading to the odd difference of opinions, without it, digitalisation would buckle under the weight of chaos and cybercrime – so all of us need to make sure that we do our bit to lend a hand.

What impact does the GDPR have on data security?
It is easy to overlook how important data protection in general and, specifically, the GDPR has been and continues to be for data security. This starts with the realisation of just how valuable data are, and that their loss or theft can result in significant damage. But there’s much more to it than that, because the GDPR was responsible for putting the technical security measures needed to protect data firmly on the radar of senior management. And this is precisely the level at which the GDPR, with its penalties and fines, provided a clear incentive for improvements in data security. After all, technical measures that protect data also protect top managers.


Michael Zach – Head of Information Security Management

What challenges do you see at the company in terms of data protection?
Data protection is only ever as good as its practical implementation – which at a company is always conditional on other measures, such as those put in place to guarantee information security. Many of these additional procedures were originally implemented with a view to reducing general business risks and can now be extended and reused as an effective way to meet data protection requirements. An example is existing documentation, processes and systems, which can be expanded into a data processing directory through the addition of further attributes and a different view. In operational risk management, too, established procedures are already in place which can be used immediately to assess the consequences of a data protection breach simply by shifting perspective from the company’s standpoint to that of those affected.

In the face of the heavy fines and penalties introduced under the General Data Protection Regulation, companies are no longer in a position to simply ignore or weigh up the possible consequences of data protection breaches as a cost of doing business. In fact, awareness of these risks has now reached the very highest level of management – precisely the people who have to address them. And that is exactly as it should be, because at some point sooner or later every single one of us will find ourselves among those affected.

International certification programmes are available for many areas and processes – what’s the situation regarding data protection?
Six years after the GDPR was enacted by the European Parliament, there is still not a single accredited certification body that can issue a GDPR compliance certificate. Numerous companies might claim to be GDPR-compliant while displaying attractive-looking quality seals and fancy certificates, but legally watertight proof can only be provided by a certification process, where an independent and officially authorised body conducts an audit to monitor compliance with the criteria set out in the GDPR. I hope that this gap will be closed this year and that all of the companies that take data protection seriously and have integrated it into their operational processes will be more readily identifiable.


Barbara Schloßbauer – Head of the Legal Department

Barbara, you were head of the project to implement the GDPR at nic.at. What experiences remained with you, or continue to trouble you to this day?
At a company like nic.at, which handles large volumes of data day in, day out by nature of its core business, implementing the GDPR was a massive challenge. Lots of open questions had to be cleared up, processes examined and reconfigured. For example, Whois, the query used to find out who owns a domain, was a much-used service on our website. All of a sudden, a distinction had to be made between private and legal entities when it came to publication of data. This was a major headache for us as we have no way at all of knowing how many of the queries made before the introduction of the GDPR represented a legitimate interest and how many people were using our database to access other information or for other reasons. We were worried about the prospect of a flood of enquiries that the Legal Department just wouldn’t be able to process. Fortunately, this scenario didn’t materialise and the volume of enquiries remained at a manageable level.

In all, we were able to implement the necessary measures highly successfully. More than anything else, the fact that nic.at and its sister companies have been certified according to ISO 27001 for many years helped us enormously. We had a solid foundation of security structures and verification levels in place – a good basis to launch the project from. But to this day, we continue to encounter hurdles where the GDPR is coming up against limits, and legal frameworks and practicalities collide. Time and again, email management and data archiving in particular are the source of internal discussions. The history of a .at domain cannot simply be deleted as it may be needed for queries or for legal reasons. And, honestly, who knows whether certain pieces of information might not take on historical significance at some point in the future.

What data protection topics are you currently working on in the Legal Department?
One compelling question definitely surrounds the aftermath of Schrems II, the judgement of the EU Court of Justice in which it declared the EU-US Privacy Shield framework invalid. While it might sound quite straightforward in theory, in practical terms it is fraught with challenges and stumbling blocks. As a registry we have lots of international contractual relationships with registrars and local providers for our RcodeZero DNS Anycast service, all of which will have to be looked at in detail so that the necessary measures can be put in place. These are just two of countless examples that beautifully illustrate that legal wishful thinking and real-life implementation are often poles apart, so we won’t run out of things to do in the Legal Department any time soon.