GDPR Annoys Me
(German version) Whining of a medium-sized IT service provider. For years, I have annoyed my customers with appeals for the reorganization of access rights, the introduction of password management or two-factor authentication. And as of 2018 the customers are shooting back – “Mr. Theilacker, we still have to make an GDPR agreement”.
That’s the battle cry that often drives me almost to despair. The malaise is best described by the two extreme types of clients:
1) The “I’ve downloaded everything” type,
who will send you 200 pages to check which text describes our business relationship best (for a €25 monthly bill in our service provider business). If you point out that the service provider business is not necessarily a GDPR issue, the following feedback comes: “planet 33 does not take data protection seriously” – fatal! So back to the discussion and convince the customer with 2 hours of individual consideration argumentatively that everything has its correctness here at planet 33. For the last 20 years we follow the telecommunication law, let all employees sign additional agreements and take a reasonable effort for training and sensitization.
2) The customer with a professional data protection officer
with a seemingly unlimited budget – also a time challenge here, the other side is paid in hours. In this case the know-how asymmetry is extreme and painful. An external person who is familiar with all legal requirements and a personal friend of at least 5 public data protection officers, who wants to think his way into the situation of a medium-sized service provider, but “has to implement a minimum at least”. And on our side an chamber of commerce trained data protector, who has to do something else besides GDPR in a company with 25 employees and is supported by me. At least you get a lot of laughs here and can continue to work with the templates and the know-how. Also, it is usually a matter of a relative use of resources, since we often take over more complex tasks with these customers, which are finally thought through here from the data protection point of view (e.g. cooperation hosters (technical service provider), web agency (creative service provider, who administers the application/the CMS) and end customer).
My understanding of order data processing has changed fundamentally in recent years:
Until 2016 I thought, for example, that the tax consultant with his offer of external payroll accounting was a typical external data processor. The customer gives out sensitive data of his employees – there is a need for protection – no question! Wages sensitive, employee names sensitive, entry and exit data sensitive – it makes sense to protect this data.
My original idea: We as an IT service provider who enables customers to leave data in-house should not be affected by this.
At that time, however, my first doubts arose because certain people from the industry pointed out that the term “external data processor” was still to be understood and that actually every employee with administrator access to a computer was already an “external data processor”. Theoretically, this admin has all the prerequisites to attack the applications – of course often only because the customer historically refused to protect his applications with anything other than “start#1234”. Or because generic users with the names “User1” to “User5” are so practical and you don’t have to deal with the administration of the application to create new accounts but you simply pass on the free UserSlot with the old password – it has to be on a Post-it note at the screen obviously! – when changing personnel.
The concept of complete separation of operating system and application is often only understood correctly by large customers. For example, a Windows or SQL administrator cannot gain access to a PasswordSafe instance. Security by design – meanwhile implemented in an astonishing number of programs, if it weren’t for the end users…
Of course, a Windows administrator somehow always has access to the file system and an administrator of a PBX can usually read information about the employees and individual connections – so we need an GDPR agreement – understood!
And that’s actually all sensible in the IT area, where we provide somewhat individual services to our customers. But now to a completely different matter in the service provider business, which is also important for planet 33:
planet 33 is a hybrid – on the one hand we deliver telephone and data lines to customers, on the other hand we provide technical services to the customer. None of our Carrier – Suppliers concludes an GDPR agreement with us only because of provider products (but of course because of other things we do with these providers).
However, some of our customers argue that order data processing is taking place here. When filing the contact person, with the bank account – of course we handle personal data here. Who gets the itemized bill? – you can wake each of my staff at 3 a.m. – they will tell you that only the contact person / email address stored in the customer data is entitled to receive – we already had this under control before GDPR.
So we have a wild mess here – my current state of knowledge (please don’t quote me, because I am a practitioner and like to be corrected if wrong ):
– planet 33 data (data lines) – no GDPR issue – but telecommunications law (TKG)
– planet 33 phone (telephony) – no GDPR issue – but telecommunications law(TKG)
– planet 33 hosting (Webhosting, technical) – GDPR possibly because of access possibilities of the administrators to the system. Actually also a case for separation of application and platform.
– planet 33 phone total (cloud telephony) – maybe AV – not because of telephony (TKG) but because of access to the PBX (employee names, email addresses (UC sends his regards), logins).
Deutsche Telekom usually solves the problem with ‘Supplementary conditions for order processing (ErgB-AV) for (product name) of course no one would want to come up with the idea of an individual GDPR agreement with Deutsche Telekom – there is usually no contact person for this. But at planet 33 – and this is a good thing – the personal relationship of the employees to the customer also leads to the “full meal deal” – also in the GDPR agreement.
Who pays for all this?
The legally prescribed willingness to cooperate turns into hundreds of hours that no one can or wants to account for. One struggles with diverging opinions and paralegal interpretations of all participants. That is total uncertainty here, and I have also received different assessments of our service provider business from Type 2 data protection officers (see above). And in the end, of course, the good service provider rule applies: the customer is king and gets his GDPR agreement if he or she is not convinced by our standardized product conditions. But who will please actively manage these contracts? There are some things in it that overtax both sides in terms of resources:
Examples? Always welcome – directly from the template of the Bavarian Data Protection Agency:
In the area of processing personal data in accordance with the contract, the contractor warrants that all agreed measures will be carried out in accordance with the contract. What does that mean? You need to guarantee that the data processed for the client will be strictly separated from other data. Wow! – logical, physical, geographical?
The data carriers that originate from the client or are used for the client are specially marked. Incoming and outgoing data as well as the current use are documented. Of course – we stamp all floppy disks and tapes and record everything in the logbook at the entrance.
The contractor must carry out the following checks in his area in particular over the entire processing of the service for the client. Gladly – but who pays?
2018 was terrible in terms of paper production. Hundreds of documents were sent back and forth. Things valid in April were out-of-date in August. Gain of knowledge – also on our end – leads to the fact that many previous documents are waste. All this is easy for me if I have to deal with a customer who is really willing to think about data protection. But if someone only wants paper signed and filed, then something is wrong.
Oh by the way, there was no budget left for the introduction of the two-factor authentication solution at a customer this year. The GDPR have strained financial and personnel resources in the IT administration too much…
Does the GDPR annoy you too?
* * *
Do you like this article?
You like topics like this and you want to have more relevant information? Once a month there is ‘planet 33 KNOWLEDGE’. In a very personal email you will get a list with articles, videos or book recommendations on topics that concern us at planet 33 in our daily work, in our spare time and with a strategic view into the future. You can register here:
