Selection and operation of software – in accordance with the GDPR

When choosing software, what is important from the entrepreneur’s point of view is which processes can be mapped and designed more efficiently and, last but not least, which costs are incurred. From a data protection point of view, there are additional criteria. Among other things, it should be noted where the processing of personal data takes place and whether it may be transferred to insecure third countries. Technical requirements such as secure interfaces and current security standards must also be met.

You shouldn’t lose sight of data protection not only when selecting the software, but also during operation. Operation that is as data protection compliant as possible also includes appropriate technical and organizational measures and their regular checking and adjustment. The appropriateness of this is based on the need for protection of the processed data. In addition to the protective measures taken internally, the manufacturer’s security updates must also be imported as soon as possible after they have been published. With modern cloud solutions, security gaps (e.g. Microsoft 365) are discovered again and again, in which the manufacturers themselves offer timely measures to close the gaps.

The implementation of the measures begins with the introduction of the software and ends … never? As long as the software is in use, it must be checked at regular intervals whether it is first of all still compliant with data protection, whether the software has been further developed and thus complies with the current security standards and, last but not least, whether it is reliably imported internally. An alternative must be found at the latest when the software manufacturer itself no longer provides security updates. In the fast-moving IT environment, it is essential to avoid possible security gaps by continuously developing the software solutions used.

Outdated software that is no longer state-of-the-art not only entails security risks, but also harbors a risk of fines. The data protection supervisory authority of Lower Saxony recently imposed a fine of 65,000 euros on the operator of a web shop because its outdated software enabled attackers to read user access data with simple means. An incident like this is not only damaging to a company from a financial point of view, it is also damaging to customers’ external perception.

Do you have an overview of which software is in use in your company and whether it still complies with the current standards from a security point of view? We would be happy to support you in the selection and evaluation of your software solutions. Simply use our contact form. You can also call us at the headquarters in Hutthurm on +49 (0) 8505 91 927 – 0 or in our Munich branch on +49 (0) 89 413 2943 – 0.