Data privacy is of major importance for all target employees. As a contractor for project and maintenance services, we come into contact with personal data in many cases. In the terminology of the General Data Protection Regulation (GDPR), this makes us processors.
We wish to, and need to, ensure a high degree of data security when processing personal data, in order to preserve the trust placed in us by our customers.
Through regular, mandatory training seminars, all target employees have been sensitised to the topic of “data security”. In addition, an independent office audits us annually to check whether the required standards are being met. The most recent provisional audit, which took place in July 2019, was positive, and the corresponding certificate confirmed to us that the requirements were being met.
Among the topics audited were the technical and organisational measures detailed for the sub-fields of admission and entry control, access control, data carrier control, user control, transmission control and input control, availability, integrity, assignment control and encryption.
In consultation with our Data Protection Officers, measures were established for each of the sub-fields of data security mentioned, and these were then implemented. Here are one or two examples: all monitors are switched over to a dark screen when work is interrupted; in sensitive areas they have been equipped with privacy film. A password policy has been implemented. Admission control is carried out via a role-based admission authorisation system. Comprehensive directories of procedures define procedural content, authorisations and erasure deadlines in each individual case. All data on laptops and mobile data carriers is encrypted using BitLocker. Access to customer systems is strictly regulated: a dedicated login is available to each authorised project participant, so as to guarantee access control, user control and input control.
As per the GDPR, the measures must always be adapted to the state of the art. The topic of “data security” is therefore constantly on the agenda at target. A new measure has already been implemented since the last audit: in the field of access control, we have introduced multi-factor authentication. To access the system, in addition to entering their user name and password, employees now also need to grant consent in the authenticator app on their smartphone.
Further measures have been identified, and have already been drafted. Precisely in line with our motto, “... and we continue to give of our best”, these are continually being implemented in the run-up to the next audit.