Data Protection Regulation: Digital strategy instead of knee-jerk reaction.
The General Data Protection Regulation (GDPR) becomes applicable in May 2018. Dr. Thomas Kremer, Member of the Board of Management of Deutsche Telekom, on how “privacy by design” can address the dramatic repercussions of the GDPR for organizations and the best way to handle personal data in the future.
Copy: Sven Hansel Photos: Oliver Krato, plainpicture/Hanka Steidle, Deutsche Telekom
Mr. Kremer, the corporate IT world is investing more energy in the General Data Protection Regulation (GDPR) than in any other issue right now. Is that justified?
Dr. Thomas Kremer
Deutsche Telekom Board member for Data Privacy, Legal Affairs and Compliance
Yes and no. ‘No’ if we’re talking about knee-jerk reactions to new data protection legislation. If an organization has only just realized that it urgently needs to comply with this new law before it takes effect next May, it will struggle to execute a viable response. A clear ‘yes’ if we’re talking about aligning your digitization strategy with the GDPR. That’s a much better approach, in my view.
Just consider the technology: digitization is and remains driven by the cloud, which is essentially middleware for transformation. Without this foundation, you won’t be able to even get close to implementing industrial IoT scenarios, for example. All the transactions run through the cloud – including a lot of the personal data that the GDPR targets. That’s why this foundation needs to be not only as technologically stable as possible, but also technologically state-of-the-art. And that should be emphasized much more in the GDPR debate.
So what do you recommend?
Clearly, the IT structures that organizations are now putting in place for digitization will dictate their trajectory for years to come. That’s why I advocate “privacy by design.” It doesn’t make any sense to implement, then readjust.
What do you mean?
The old approach was to provide the IT first, then program data protection functions around that IT. Today, responsible organizations demand legal compliance from the start. Essential security standards and data protection mechanisms should preferably be implemented from the very first second of a new project. There should be detailed documentation on how exactly data protection standards were met. And it’s no stretch to say that this is baked into every one of our solutions – as demonstrated by multiple recognized standards and certifications. Organizations that go with us are guaranteed to be on the safe side.
And if they don’t?
…they’d have to go to great lengths to prove that their IT complies with data protection laws, for example. That’s no small thing. Remember: connectivity, databases, sensors and devices in an IoT setting, the services running on them, the downstream applications, the users and the customers – that’s all based on digitization in the cloud. And so it would be a mistake to choose anything but privacy by design.