Digitalisation and data protection for businesses
podcast
In Dialogue with Logistics

The master of data

In the podcast, Data Protection Officer Gerhard Friederici talks about the opportunities and challenges of digitalisation and data protection in companies.

Digitisation has been a global megatrend for some time now, and the COVID-19 pandemic, among other things, has caused it to develop rapidly. This applies to all areas of life – and thus not only to individuals but also, and especially, to companies.

Anyone who talks about digitalisation cannot avoid the topic of data protection. The protection of personal data is also becoming increasingly important in a global context. Globally active companies such as the Rhenus Group therefore pay great attention to the protection of sensitive customer data. In his role as Head of Security and Quality at the logistics service provider, Gerhard Friederici is the Data Protection Officer and responsible for the Group’s data protection management. In the podcast, he provides insights into the various areas in which the topic of data protection is essential. He explains what companies need to pay attention to and how they can best protect their sensitive data.

The podcast is also available with English subtitles on YouTube.

Podcast
03.03.2022

Logistics People Talk | Episode 6

Digitalisation is constantly increasing – in all areas of life. In the context of digitalisation as well, there is no getting around the topic of data protection. Gerhard Friederici explains what companies need to bear in mind.

Transcript of our podcast episode

00:00:03
Andrea Goretzki: Welcome to Logistics People Talk. The official Rhenus podcast for everyone who wants to stay up to date on logistics. Presented by Gwen Dünner and Andrea Goretzki. Our guest today: Gerhard Friederici. In his role as Head of Safety and Quality, he is the Data Protection Officer and responsible for data protection management at the Rhenus Group. Our topic today: the opportunities and challenges of data protection and digitalisation.

00:00:39
Gwen Dünner: Hello, Mr Friederici, thank you for taking the time today to give us some insights into this big and important topic of data protection.

00:00:48
Gerhard Friederici: Yes, hello everyone.

00:00:49
Gwen Dünner: To get to know you a little bit first: What makes you an expert in data protection?

00:00:54
Gerhard Friederici: On the one hand, there is certainly the practical experience. After more than 20 years with many discussions with staff from all kinds of departments, with discussions with customers, from many, many projects and joint projects with data protection authorities and other security authorities, you do get to know a lot.

00:01:14
Andrea Goretzki: Mr Friederici, data protection has to contend with many prejudices. Data protection is cumbersome, over-regulated, too complicated and at the same time often far too theoretical. What do you say when someone raises these arguments?

00:01:29
Gerhard Friederici: The road traffic regulations are also over-regulated, far too complicated, and when you get a parking ticket, the passion for these regulations is rather limited for many people. But without road traffic regulations, we would have chaos on our roads. It’s a similar story with data protection. We have data protection laws, such as the European General Data Protection Regulation. The GDPR has so-called opening clauses, which means that the EU member states can regulate certain matters differently from the GDPR. In Germany, for example, we have the new Federal Data Protection Act (BDSG), then specific state data protection laws, then area-specific laws that contain data protection regulations. In addition, there is special law such as church data protection law, which of course has to be differentiated into Protestant and Catholic data protection law. You can see how data protection can be very complex. For certain issues, experts are needed who are familiar with the subject matter. And even in data protection, the fines for violations can be very high. In the worst case, up to four per cent of a company’s previous annual turnover. In addition, there is often bad publicity, which is difficult to influence as a company.

00:02:50
Andrea Goretzki: That sounds quite complicated for someone who doesn’t deal with this topic on a daily basis. Laws, rules, regulations, ordinances, these are all key points that you have just mentioned. So why are you so interested in this topic?

00:03:06
Gerhard Friederici: Here it is not only about showing what is written in the law, but also often about real-life assistance. So the topic is by no means as dry as one might think. And there are many, many topics that have to be dealt with professionally. Cyberbullying, hacker attacks, identity theft, social engineering. My in-laws were victims of skimming a few years ago. This involves fraudulently accessing data at an ATM. When a four-digit sum of money was stolen from their current account, I was asked how something like that could happen and what could be done about it. If someone steals your private data and uses it to make purchases on the Internet, then you are a data subject in terms of data protection. I find the topic of data protection very universal and it affects everyone in their private and professional lives. I also find the topic challenging, insofar as you always have to put yourself in new situations and think about practical possible solutions. So it’s not just the question: What does the law say? But also very often the question: How do I implement this or that?

00:04:14
Gwen Dünner: To go a little further into the topic, a very popular Christmas present was the Apple Air Tags, these RFID chips that are actually also known from logistics, for example, which make it possible to track container pallets or vehicles. And now they are being used in the private sphere, perhaps to tag one’s bag, bicycle or even one’s dog, and then to be able to track one’s current location with one’s mobile phone. But the topic is also a source of debate. What potential dangers lurk there and what does this actually have to do with data protection?

00:04:53
Gerhard Friederici: In very simplified terms, the Air Tags regularly send Bluetooth signals that the iPhones can receive. Due to their small size and long runtime, Air Tags can also be easily hidden in jackets, backpacks and cars, making it possible to track people without their knowledge. Following criticism from data protectionists, Apple has integrated corresponding security functions, but these can be easily circumvented. It isn’t possible to prevent misuse for the purpose of stalking with these functions. You can cut vegetables and bread with a knife, but you can also misuse a knife for other purposes, for example as a murder tool. And that is basically what data protection is about. Data may only be processed for a specific purpose, the data must be protected and literally must not fall into the wrong hands. The privacy or the rights of those affected must be protected. And this protection was fought for ten years in the EU, with the result that we have had the General Data Protection Regulation since 2018. I have read that it has been the longest and most complicated legislative process in the EU to date.

00:06:04
Gwen Dünner: So digitalisation has brought data protection even more into focus, hasn’t it?

00:06:08
Gerhard Friederici: Oh yes, digitalisation is now evident in almost everyone’s day-to-day life, whether at work or at play. And digital processes produce floods of data, masses of data, very often also personal data, sometimes even information that requires special protection. Think of your health data that you just quickly upload to the cloud.

00:06:34
Andrea Goretzki: Digitalisation is one of the megatrends that is increasingly affecting the logistics sector. It starts with track & trace services and extends to cross-company projects in the open source sector. Can you tell us how this has developed in recent years and where we are now?

00:06:53
Gerhard Friederici: Sure, the development of the increase in the amount of data is gigantic. The size of the global data stock is estimated at 33,000 exabytes in 2021. And data growth continues to rise exponentially. Take cars, for example. Modern cars generate an estimated 600 gigabytes per day. GPS data, sensor data, usage profile data, driving style data and much more. A Tesla has up to eight cameras that are continuously recording. Also you in the vehicle and even pedestrians who just happen to pass by. It is also very often personal data that is being recorded everywhere. Of course, there are some statistics on where Germany stands internationally in terms of digitalisation. The EU Commission, for example, conducts an annual ’Desi‘ survey. This is a kind of digital fitness test. This study evaluates 33 criteria in the areas of human capital, connectivity, integration of digital technology in the economy and public services. Germany is ranked 11th in the EU, which I would say is rather average. But a lot is happening in logistics. Under the term Logistics 4.0, the industry is undergoing rapid digital transformation. This is backed by the networking and integration of logistics processes. The goal is always to create more transparency and increase efficiency in the supply and shipping chains. Some logistics companies are working on a practically digital warehouse, others on new sensor technologies. There is also a lot of activity at Rhenus in these areas, be it in specific customer processes or in connection with internal commercial processes such as the digital personnel file. I think Rhenus is quite well-positioned in this respect. At least we data protection officers are regularly called into such digitalisation projects and asked whether this or that implementation complies with data protection provisions. At Rhenus, tens of terabytes of data are processed, with many millions of pieces of personal data, primarily customer data, of course. 
Data protection has three essential goals: availability, integrity and confidentiality. The data protection officer has the task of informing, advising and training the company, i.e. the persons responsible and all other parties involved, and of monitoring the processing procedures and providing assistance for data protection impact assessments, i.e. which business processes are good or not so good in the context of data protection.

00:09:37
Gwen Dünner: In your opinion, what are the special challenges with regard to data protection for companies such as Rhenus that are active in the logistics sector? In other words, what special data protection requirements does the logistics sector place on companies?

00:09:52
Gerhard Friederici: According to the BSI Criticality Ordinance, BSI stands for the Federal Office for Information Security, and they have issued an ordinance that deals with critical infrastructures, especially in the area of transport and traffic. This area is essential for the supply of the population. Companies above a certain size are obliged to put state-of-the-art IT security measures in place and report incidents to the Federal Office. So the challenge is not just to have good IT-secure business processes. Data protection requires implementation according to the state of the art. And where do you find that? Often in standards and ISO standards. And Rhenus was once significantly involved in an ISO-DIN standard.

00:10:41
Gwen Dünner: How? Wait a minute. Rhenus co-created a DIN standard? How did that come about?

00:10:47
Gerhard Friederici: Yes, and in 2012 customers asked: ’Dear Rhenus.‘ That was about the business process of data media destruction. ’Please make the process secure.‘ Well, and at that time we looked in an existing old DIN standard, what does it say? Yes, and it only said something about particle sizes, but it didn’t define in any way what a business process must look like in detail. And then we approached the DIN standard, the data protection authorities, and also large customers in the market, and we simply knocked on DIN’s door and asked: Can’t we get together and define a state of the art? We worked together for three years and the result was DIN 66399. Interestingly, this standard then became known worldwide and we even published an ISO standard, ISO 21964, via the DIN committee. This means that the Brazilians, the Japanese and other countries also apply the standard, so if you have a small table shredder like this at home, look at the plate on the back, it says something about a DIN standard. We were significantly involved in that.

00:12:14
Andrea Goretzki: What exactly does this DIN standard mean? So what exactly does it refer to?

00:12:19
Gerhard Friederici: The DIN standard essentially defines protection classes and security levels. The security levels simply show security level 1 to 7, how big a particle must then be. Think of your DIN A4 paper. If you use a table shredder and then cut it into strips, you have a certain particle size and the DIN standard defines seven security levels. So how big is a particle allowed to be? The protection class defines precisely these technical organisational measures. So how many cameras must the service provider have for monitoring? How must the truck be equipped? How must the security containers be equipped? And so on and so forth. And the whole thing has been standardised and behind protection classes 1, 2, 3 there is nothing but a certain specification of technical, organisational measures.

00:13:21
Andrea Goretzki: Okay. That means that it now actually applies across all sectors worldwide, anyone who wants to destroy data media must in principle comply with this standard.

00:13:33
Gerhard Friederici: Exactly! That helps us service providers, us logisticians, a lot. We no longer have to discuss whether the fence has to be 1.80 metres or 1.20 metres, instead the service includes a quality standard that has to be implemented. That means two ticks for safety, once for the protection class and once for the security level. I tell our customers that if the service provider does not understand anything about security levels or protection classes, then they should immediately opt for the next service provider.

00:14:09
Andrea Goretzki: This topic is indeed a very overarching one. So there are also special data protection requirements that really target logistics companies? I mean, are the challenges in this area very specific?

00:14:25
Gerhard Friederici: Generally speaking, optimising a business process is always a good idea. In many cases, providing a specific service oneself just isn’t profitable, be it for lack of one’s own technology or one’s own staff. For many companies, it makes no sense at all to have their own large archive rooms for storing documents or to get special scanners for their own project, for example for digital personnel files, or even to purchase special shredders for destroying files. The data protection requirements for the service provider are always very high. But there is also the desire that it must make economic sense for the client to outsource a certain process.

00:15:06
Gwen Dünner: So that means, on the one hand, it must not be too expensive, so that it would not be an economic loss to outsource, but at the same time it is an advantage for the customer to outsource because the service provider perhaps also deals with the topic in more detail than if the company has to do it itself, right?

00:15:22
Gerhard Friederici: Absolutely. Here is an example from Rhenus Data Office, the document destruction division. In a joint project with the Fraunhofer Institute and Deutsche Telekom, the digital fill level sensor was developed, the talking file detector, so to speak. The previous analogue process involves many participants with many interfaces, for example the caretaker who checks the container to see if it is full, the commissioned party who initiates the order, the clerk who accepts the service and also releases the invoice. This is exactly the range in which service providers operate. Everything has to be super-secure, but is allowed to cost hardly anything. And it is this challenge that is driving digitalisation projects to design specific solutions. Let’s stay with the example of Rhenus Data Office. The new digital process has been automated. The sensor in the container triggers the ordering process directly. The dispatcher receives the order directly in the system via a web interface and can efficiently dispatch vehicles without any loss of information.

 

00:16:32
Gwen Dünner: What does loss of information mean?

00:16:34
Gerhard Friederici: Just consider the ordering process. The customer calls: ’I want the container to be collected tomorrow.‘ The dispatcher notes it down on a piece of paper and that’s where the potential for human error already lies. If you then have a digitalised process, then you eliminate to a certain extent the incorrect conduct of an employee or human error, as it were, i.e. the errors. And the process also significantly improves as a result. In addition to the operational processes, the commercial processes are also fine-tuned. Likewise, the goal in this case is to implement automation digitally so that the customer has considerably less communication and documentation effort. From my point of view, this will also significantly strengthen data protection. Since there are fewer interfaces and ’human error‘ does not have such an impact. This minimises the data protection risk to a great extent.

00:17:39
Andrea Goretzki: It’s like that now: For about two years now, the Corona pandemic has had the world firmly in its clutches, and in many areas it has turned our lives quite upside down. We have often heard of mishaps with regard to the handling of sensitive data, for example in test centres. Were there any special challenges for companies that the pandemic brought with it in terms of data protection?

00:18:02
Gerhard Friederici: I think the challenges of dealing with the pandemic are still topical and omnipresent for all of us. There were some who said: ’Data protection must step back now. Pandemic management is now the most important thing.‘ I don’t see it that way because we are talking about health data, very personal data that is worth protecting. Health protection does not take precedence over data protection and vice versa. Both apply in parallel. The challenge was and is that the legal framework for health protection changes on a weekly basis. And we must regularly take this into account with data protection law and also regularly adapt it. The pandemic has also clearly shown how fragile some supply chains are. If you look at some of the empty shelves in supermarkets in England because there are simply no more lorry drivers, then data protection issues tend to fade into the background. Nevertheless, I had a phone call: ’Can you please check the application portal from a data protection point of view? We urgently need additional truck drivers.‘ In this respect, when applicants apply to Rhenus, they also expect personal data to be protected. This means that the application process must be checked and approved, even in times of a pandemic, so to sum up: just because we have a pandemic does not mean that we can forgo or undermine the protection of personal data, i.e. the protection of personal rights.

00:19:37
Gwen Dünner: Many companies employ their own data protection teams precisely for such auditing purposes, i.e. for their own systems, tools or processes. But the trend here is clearly moving towards outsourcing. What do companies get out of working with a service provider like Rhenus Office Systems, for example, when it comes to data security?

00:20:00
Gerhard Friederici: Rhenus Office Systems sees itself as a holistic information and document logistics provider. It is backed by about 20 specialised companies that provide a wide range of services in the analogue and digital world. The customer has added value with Rhenus Office, a good specialist service provider, i.e. with outsourcing. Added value in the sense that it makes economic sense, added value also in the sense of data protection, in that the customer is then provided with many advantages such as data risk minimisation. The customer can concentrate on core tasks, has a good, reliable specialist service provider who takes a lot off the customer’s hands and data protection is integrated into the service, so to speak. The only thing the customer has to do is find a good service provider who lives data security not only on paper but also in real life, thus minimising the data protection risk considerably from the customer’s perspective.

00:21:07
Andrea Goretzki: Ultimately, this means that by outsourcing corresponding services in the area of data protection, the customer also relinquishes part of the customer’s own responsibility, so to speak.

00:21:19
Gerhard Friederici: Not quite. The customer remains the main party responsible vis-à-vis the data subjects. The customer then makes an order processing contract, a kind of data protection contract, with the service provider in which all technical and organisational security measures are defined, and the service provider’s work methods should be state of the art. And if the service provider itself violates the contractually defined security requirements, then the service provider will be liable to the data subjects. There is a reversal of the burden of proof and the data subject – and this is what makes data protection really complex and subtle – can claim damages not only from the party responsible but also from the service provider, even damages for immaterial breaches.

00:22:24
Andrea Goretzki: That means?

00:22:26
Gerhard Friederici: That means that if someone reports to the service provider, to us, and says: ’You have done something wrong with my personal data‘, we as the party responsible, i.e. the company, must prove that everything was done properly. This means that if you cannot adequately document that the error does not lie with the body responsible or the service provider, you will also be liable for immaterial damages.

00:22:59
Andrea Goretzki: In the end, because this topic is so complex and would tie up a lot of capacity in companies since you would have to take a deep dive into the subject matter, it makes sense to outsource this to specialised companies that have the expertise and fulfil the technical requirements.

00:23:25
Gerhard Friederici: Exactly. As far as I know, the outsourcing rate for the destruction of files and data media in Germany is around 80 per cent. And if there are a lot of service providers, it is wise to rely on standards and thus considerably minimise the risk and the potential dangers. If you are a company, say with 100 employees, and you give the personnel files to the trainee, who is to digitise them, then you would do better to place your trust in a specialised service provider who also maintains confidentiality. In terms of data protection, it often makes sense to entrust certain information to a specialised service provider.

00:24:09
Andrea Goretzki: Finally, Mr Friederici, if we take a look into the future, what do you see as the challenges for data protection and digitalisation that companies will face in the next few years?

00:24:25
Gerhard Friederici: That’s the famous look into the crystal ball. But I’d rather start in the past than in the future, just very briefly. Three and a half thousand years ago, in the Bronze Age, there were already long-distance trade relations. Goods were transported across Europe, and back then the journeys were also dangerous, plagued by highwaymen and bandits. Today, it is data that represents the highest value in a global market. The most valuable companies, i.e. ones like Amazon, Microsoft and Facebook, trade exclusively in personal data. The fair and uniform regulation of trade with data and information in the global market is one of the very big challenges in my view. Another big real-life challenge, in my view, is that the shape of the transatlantic data transfer with the USA will also be defined in the next few years. More and more countries are also developing their own data protection laws along the lines of the General Data Protection Regulation. Why? Because the European market is not entirely insignificant either. In my opinion, data protection should not be understood as a competitive disadvantage, but as a competitive advantage.

00:25:43
Gwen Dünner: You can basically compare it a bit with sustainability in logistics. In the past, it was seen as an add-on, so to speak. Nowadays, sustainability is an advantage and if it is taken into account throughout the entire supply chain, then it is, so to speak, the best basic prerequisite for this logistics product.

00:26:03
Gerhard Friederici: Definitely. So it’s crucial to have good products. And data security and data protection conformity in the products simply have to be taken into account. If you don’t do this, in some cases you may also be at a competitive disadvantage because these products are then no longer approved.

00:26:24
Andrea Goretzki: The better I secure the journey of my data throughout its life cycle, the better equipped I am against all the highwaymen out there.

00:26:37
Gerhard Friederici: Yes, exactly. The crucial thing is to secure the entire process, from creation to deletion. If you then adhere to standards, to ISO and DIN norms, if you have the technical and organisational measures well under control, then the risk of attacks and data misuse is considerably lower. If you can control your data, you can probably also control your business.

00:27:16
Andrea Goretzki: That was really a lot of information and many examples on the topic of data protection and digitalisation. Thank you very much for these really exciting insights, Mr Friederici. Maybe I’ll finish with a little challenge for you. If you had to summarise the topic of data protection in one sentence, what would it be?

00:27:41
Gerhard Friederici: Data protection is like fresh vegetables: a little every day will keep you healthy and fit for the future.

00:27:50
Gwen Dünner: I think we have learned a lot from you today. And whether you are sceptical or very open to the trend towards digitalisation, I think you can’t avoid dealing with the issue of data protection as a private person, within your company. We all have regular training sessions on this because this is the only way we will be able to use the corresponding technologies efficiently in the future and, of course, also work profitably. Thank you again!

00:28:17
Gerhard Friederici: Thank you very much!

00:28:19
Andrea Goretzki: And with that, we would like to say goodbye to our listeners today. That was Logistics People Talk, the podcast of the Rhenus Group. Glad you joined us and if you don’t want to miss any new episodes, subscribe to Logistics People Talk wherever podcasts are available. Take care of yourself. See you soon. Greetings from Gwen Dünner and Andrea Goretzki.
