This is Kerstin and Chris, and they will introduce themselves, so I leave this out. But they will speak about how to connect data protection and cyber security, which in reality are often fired against each other in a lot of situations. They show us how to connect them well, so the data is protected better than if they work alone. Have fun with "Privacy, don't breach it: cyber security and data protection as partners in crime".

Hi. So yeah, hi, it's me, it's Chris. I'm the techie side of this talk. Yeah, I've been working with emergency response teams for over seven years in large enterprises, namely for Siemens and now for SAP. So I've seen all the attacks, from ransomware and APTs to really stupid stuff like Bitcoin miners being installed on servers. So I've seen it from the technical side. But what is actually new for me, for the last two and a half years, is this close collaboration with lawyers like Kerstin, because we are now approaching an area, cloud security, where you have a lot of data from people in there, and suddenly things that are non-technical get interesting. And then you sit there as a techie and think: what? The lawyers want me to do what, for why? Okay? And this is why we decided to have this talk together, to highlight what we do and the collaboration between those two fields. And yeah, I'm the techie side of things.

Thanks Chris. Yeah, and I'm the legal side of things. So, as was already mentioned at the beginning, it's mostly a love-hate relationship. We even fight sometimes; I just remember two weeks ago we were fighting about email access. Yeah, because it's not only about personal data breaches, it's about how you prepare, how you mitigate, how you then execute the whole thing if something really goes down the drain, and how you clean everything up.
Because sometimes cyber security is quite greedy, specifically with regards to log files and what they want to scan, and we are the opposite. We say: protect the people, data minimization principle, all this kind of stuff. So it gets definitely interesting.

Yeah, the easy challenge, for example, that everybody of us understands, is phishing. You receive a phishing email. If you receive one and you know about one, you can bet your butt on it that there are thousands more who didn't report it. So how do you get them without accessing the email inboxes of people? Exactly, super hard. And then it gets interesting: now you're accessing the email things. What about Facebook? What about, oh God... Yeah, here we go.

Yeah, or if you're working in a company where private usage is allowed, so it's completely fine if you surf during your working hours or if you use your company email address for doing day-to-day stuff. Yeah, then it gets even more complicated.

Yeah, and for me, I'm working for, I think, seven years now as well with data protection and privacy. I'm a lawyer, I studied in Germany and Sweden. I really like it, and I haven't seen it all by now, I would say. There's still something out there I haven't seen, so it's still interesting.

Yeah, that's basically the problem statement: what are we talking about, why is it important? We want to touch on the basics of personal data breaches and risk assessment stuff, and also show a bit of how we work with incident response, this firefighting stuff. How does that work in really large companies?
Because they're not doing it in a random way. We are actually following a pattern, even if it seems random from the outside sometimes, but there's actually a plan behind it, and there are links from cyber to legal teams all the time, in every phase of our reaction as a company to cyber threats. And yes, hopefully it's not as boring as it sounds at the beginning.

Yep, yeah, now it's like a riddle. You get presented with a quite exciting case, which sometimes is horrific, and you have to solve it under time pressure. You just need every bit of information you can get to do the legal assessment, to do the technical assessment, to contain it, to get the bad guys out and all this kind of stuff. So we have a process, which is definitely needed, otherwise it's chaos. But I think there's a lot of freestyle still, and you have to like it if you're working under pressure and all this kind of stuff. Otherwise you will burn out.

You know these shitstorms on social media? That hits the investigation teams as well, because sometimes investigation teams don't know more than the initial start either. But there is no time, people are completely crashing the communication, there's a big flood of communication going on, and we have to present stuff, but you have no idea what actually happened. So yeah.

So, is everybody familiar with what personal data is here? Just... okay, that's good. But I mean, I'm just speaking from the European perspective now. So in Europe, personal data is quite a lot. When I talked to my US colleagues, for example, it was like: it's only the business email address, come on, is this really personal? Yes, it is personal data. I'm really sorry.
Yes, an IP address could be personal data. The number of your company mobile phone is personal data because it traces back to you. So it's everything where you can really identify somebody, directly or indirectly. So for example, here in this room, if you say: okay, a woman with, I would say, a bit larger trousers, in light blue, in this room, I would be identified by that. So it really depends on the context. So here you have to be, specifically if you're working in a global context, very, very precise, because sometimes people really don't understand what we are talking about.

And the same goes for the definition of a personal data breach. So it's of course a breach of security, but what does this mean? I have two examples afterwards which will showcase what this actually is: a breach which leads to unlawful or accidental destruction (that's clear), loss, alteration, disclosure and access. Even looking at data is access. It's not like grabbing the data and doing something with the data, no, it's really looking at it, because the processing definition, at least under GDPR, is super broad. I always get asked: yeah, but they only accessed the data, they didn't do anything. It's still processing. Yeah, so it falls under the definition. So that's the baseline we are operating on.

And according to these definitions, and specifically in Europe, you have notification requirements, sometimes to the data protection authorities or to you as individuals. For example, if your credit card data gets leaked, or your health data, or anything about your sexual preference or your political beliefs, which is really heavy stuff for some people. And why? Because data protection is about protecting you, not the data. It's about the person behind the data.

Next slide. And here, this is how we do it, at least under GDPR. So depending on the risk, there are different notification requirements. Sometimes something happens and we say: okay, there is a very low or medium risk, we mitigate it, fine.
We can close the case, we just have to document it. But if there's really a high risk or a very high risk for you behind the data, then we have to take additional actions. And how do we define, or make the legal assessment, if something is high risk? So just imagine you have different categories of data, like your personal email address, your business email address, your home address, credit card data, or the stuff I mentioned before: political beliefs, sexual orientation. These fall into different buckets of criticality, and depending on what kind of data categories are affected, we make this assessment.

And then, of course, it makes a difference if it was malicious. So if we have outside attackers who are saying: I just want to crack the system and look at everybody's data and just want to sell it on the dark web, or I will inflict the most harm possible on all the people here. Or if it was an internal researcher who has no other hobbies than hacking into solutions just to crack all the little security gaps which are there, and then diligently tells us: okay, here something went wrong, could you please fix it? It really makes a difference for the risk assessment.

And then, of course: is the data publicly available? So if you post specific categories about yourself for everybody, available on the internet, it's less critical than if we are talking about your health data which resides with your doctor. So it really makes a difference. And if you combine different data, and if you have more data categories in one incident, it makes it of course more critical.

And if you have a high risk, we go to the data protection authority and just say: okay, this happened, mitigation measures, blah blah blah. And if it's a very high risk, then we have to tell you. And why? Because sometimes the so-called data controller, so the entity responsible for the data processing, who's setting the purpose and the means, cannot help. I cannot block your credit card.
It's on you, you can block your credit card. You have to take action, and that's the reason behind it. It's all about the person behind the data.

Next slide, please. I think that's a very good example. It's a bit older, so GDPR was not yet in force, but they got fined when GDPR was in force afterwards, and the UK was still a part of the EU. I think that's really cool, because I really had in-depth discussions with my security colleagues about whether a programming bug is really a security breach. Because normally you say: okay, I don't know, the door was open, or you didn't follow this and that protocol, state of the art security, blah blah blah. No, but really, a software bug could be a security breach, because it was not developed in a proper way, it was not tested in a proper way. And in the company we are working for we have a secure development life cycle with specific product requirements, and they have to test it. Yeah, so I think it makes sense that a programming bug really is a security breach.

And here, I think, is a really interesting example. There was a programming bug which really rendered private profiles public, and you all know Twitter. For some people this could be a life and death decision, specifically if you are working in very critical areas, etc. etc. It makes sense to keep your circle very small. And yeah, they didn't mitigate it, they did not take this really seriously, and that's the reason why they got fined. And they failed to notify the breach on time. I don't know, they took, I think, several months to tell the data protection authority, which is not okay. Yeah, so that's the first example.

And the second one, that's a really good one as well. Yeah, that's a bank, and there was one employee of the bank who still had access to all the data despite no longer working for the bank. And they really like the attitude of Santander bank: we don't care.
We just don't care, we won't notify, we did not notify, we will never know why. And so they got fined as well. And I mean, here it was of course a major intrusion for the data subjects affected, because this guy was able to manipulate the financial data, and they just didn't take it seriously. So yeah, two fun cases.

Yeah, now about the techie part of it. That's the scary part, with all the fines and stuff, and why we end up really taking it seriously by now: that you have to notify, and you have to understand what happened, what happens. That also puts us in the firefighting units, in the emergency response teams, under more pressure, because the clock is ticking, the shitstorm is approaching, and we have to deal with all the stuff we maybe dealt with before, but now under the looking glass, and the board is usually ringing the phone every hour: Is there any news? Is there any news? What happened? We need to file it, we need to understand. Oh God. Yeah, so it's burning us out a bit. Firefighting got more intense with that.

So what happens if something gets detected in a large enterprise is always the same. It may seem random, because you always start with a little puzzle piece, right? There's a document posting claiming that your database got popped. Yeah, which one of those five hundred thousand that we have, you know? You always start with these little puzzle pieces, and that's the scheme we usually apply when following up. The preparation phase is the first one. That's pretty easy, that's when nothing happens.
You just prepare yourself for emergencies, like the firefighters would probably polish their cars and, you know, look at all the maintenance stuff they have to do. The same is true for emergency response teams in the cyber world: it's us updating the ticket systems, ensuring that our life cycle works during tabletops, you know, stuff that you do when there is no crisis mode.

Then it gets into detection and analysis. So in the ideal case, we would love to detect stuff before it gets posted on the dark web, right? We want to see stuff before it happens, before somebody else knows about it. We want to be able to stop it immediately, ASAP. So you've heard about SIEMs and stuff, like big vacuum cleaners that suck up every log in the company, crunch it together, and you have rules that you detect stuff on. The easiest would be: look, that database server is only serving one gigabyte per day, now it's five, that's odd, let's have a look, right? That's the most simple thing you can think of. But it also gets more complex, like with your stack, right, you're doing passive DNS and stuff. But there you also see the link to Kerstin: if I have passive DNS, I know who browsed to which website, pretty much who resolved which domain name in the company. That's also the kind of stuff, imagine that, actually, all these little sites that you don't want your colleagues to know that you are surfing on them. Not nice.

So the next phase is the containment, eradication and recovery phase. That's the actual firefighting. That's like: oh, we know what happened, okay, let's go to the action plan, let's pull out the plugs of that server, let's do this, let's get the backups, let's scan them, let's set it up again. That phase is there to put everything back to normal, from the fire actually to putting the fire out. That's probably the best analogy here.

And then the post-event activity.
That's the stuff that happens when everything has come back to a normal mode and you sit down, take a breath, and ask: what worked? Oh God, those guys from data privacy, we had a big fight on our calls, and it was still not clear what to do, and what we have to do, and what we delivered was not for them to take in, and stuff. So we also sit down, and that's the most important phase after every crisis: we sit down and work out tasks for the preparation phase. Like: we have to get them access, we have to write the reports, probably we have to do this and that, we forgot to get the logs from the data center in, whatever, Montevideo in South America, damn, we should get these logs in so next time we can react quicker. That's usually the stuff that happens there.

Preparation, as I said, is the most important phase. The meme is not kidding, that's how it starts, right? There was some post, somebody claimed something somewhere. That's usually how it starts, and then you start digging: okay, what's the data, which server, what is it all about, is it true, is somebody just trolling around, do we have a problem, was that person just bullshitting people? You never know, it all happens.

Yeah, and for us the most important learning here, working with the lawyer side, is: we have to get them access to everything we have, case notes and stuff, right? So we have a ticketing system, you can call it, where all the investigation stuff, forensics, everything is in there, right? You open the case and you have everything the company knows about that particular case: a timeline, logs that are relevant, everything. And for us a big learning was: those guys need access to it, in a fully transparent way. They need to deep dive, but they don't get it. That was our problem.
I mean, we are not technical people. I would say I understand quite a lot, but I'm not the expert, definitely not. So you had to translate quite a bit.

Yeah, this was fun at the beginning, because we just did not understand each other at all. Super simple things, right? So for us it's clear that there's a web shop, and what it is, and there's a log, and yeah, well, that's the HTTP log, it's easy, that's the referer, that's super easy, that's the IP, that's because it's behind a load balancer, super trivial stuff. Hard to translate for lawyers. So far, it was really a learning. What we really teach our people is: we have to write high-level kindergarten summaries. That's also good, because we also push it up to the board, they are at the same level sometimes, right? They need really easily understandable stories when they get approached by the press. You can't tell them about load balancers or broken reverse proxies, they don't need to know about that. You have to write it in a way they can ingest and understand: what happened, how bad it is, and in which context it happened. And this is for us the lessons learned: we have to be able to do this translation. So at the very top of these cases you will find a little summary, with six or seven sentences at most, describing the case in a really kindergarten manner, no technical phrases at all, at the beginning.

And then we are torturing you as well, because we need very specific information that we have to put in our legal assessment, like the timeline and the other stuff I showed you at the beginning, for assessing the criticality, like data categories. And here I think we are still in the development of a better privacy culture, so that people really understand what's relevant, or what really is personal data. Like I mentioned before, the business email address: I think your US colleagues are like, you know, what's the problem? Yeah, I have a problem.
It's personal, because yeah, it depends on GDPR or not, and which country was relevant. Like, was it US persons being affected, under US jurisdiction, then business email addresses are not a big part. Is it Europeans? It's different, GDPR kicking in. So the context really matters, and for us that was also a big learning. We had to suddenly deal with all this: whose data is affected, where did it happen? That gets relevant now. And don't get extra people in if you have a dump. So if you have a data dump, please not the whole department with 100 people accessing the data dump. Two are enough to do the analysis, because that is a bit critical from a data protection perspective.

And then what we also did is tabletops. We really sat down and played a bit of exercises to understand: okay, if I now shovel that stuff over, does it work? And that kind of helps you to, you know, take a laugh and have a sip of coffee with your colleagues without all this crisis mode, the panic that happens around you, and the fire. That helps to develop the process a bit, so you have a dry run, you can laugh at mistakes, because it's funny, you know: we taught them about IPs, they had no idea what we are talking about, ha ha. Yeah, then you can fix it without pressure.
That was super helpful. And also one of our biggest challenges, but that's not data protection related or privacy related, that's a standard thing for all incident response teams: you have to know your kingdom. If there are some databases or some servers that nobody told you about, and there's no inventory or something, you are pretty much blind, and that delays your response by at least days, if it's really bad, weeks or months. Because there was some server that nobody told you about, nobody has access, they rented something somewhere, but it still belongs to the company and you're responsible. But nobody has any clue about it, because the person who rented it was on parental leave for two months. They are cool, and something happened on the server. Nice. That's, yeah, one of the most important lectures in incident response at all: you have to know the kingdom you're protecting.

And that's something I tell my younger colleagues when they are coming in and want to learn something about mitigating personal data breaches: keep your expectations low. It will build up over time. Yeah, specifically the information we get for our case assessment, it won't be there at day one. It will take sometimes a week, sometimes more, it's still the investigation phase. Yeah, so keep your expectations low. You can tell them 100 things you need, but they are doing their best, and we are a team, and we should not fight each other in such a situation. We can only do it together.
So keep your expectations just low. Yeah, that's what we had. So yeah.

Actually this quote here I have in my Microsoft Teams profile, because I think it's so compelling: insufficient facts always invite danger. We need the real facts to assess the case, and if you don't give me the full picture, I cannot give you a proper legal analysis, and everything I will do is wrong. So I need precise information from my friends from cyber security. And of course it can change over time, but when I do the assessment, when we file the report, when we reach out to our people who are potentially affected, they want to know the truth. So we really need the facts, and only the facts.

Yeah, that's basically us also not taking data privacy, you know, super seriously on our plate. When I look at our SOCs, the security operations center teams, they have detections and stuff. We talk about: this tool started, and that did this, and stuff. That's the funny part, that's the techie part, we understand that. But we often lack these detections for, yeah, privacy, data privacy cases. Like the standard stuff: is there an abnormal amount, is there traffic that we didn't expect from a service, because somebody probably dumped the whole database or the whole stuff? That's stuff that I always see as a big gap in our detections as well, because we always focus on the techie parts and the stuff that we understand, but we never focus on this metadata stuff, the meta level.

And the coolest thing I've seen so far is canary tokens in personally identifiable information. Like, you have a user that isn't used at all, but that user is unique per database. So when you see a dump on the dark net and you get the dump, you see which database it belongs to, and you know like: oh, freaking heck, that's the production database, and that's actually that shit.
We have to hit the red button now, without even analyzing it further. So that's the coolest stuff I've seen. We are not there as well, that's light years from us at the moment. But that's what the advanced players do: they drop in little watermarks, so to say, into these important data blocks, and when they see the watermark somewhere they can identify: oh, that's bad. And we know it's bad, because the watermark of that database is only known to us, those canaries.

Yeah, and once we know what happened, the analysis phase is done, we identify what happened, whatever, there's a database injection, a SQL injection, whatever, somebody dumped the database and now it's out there. And we can identify the stuff. What our learnings from the techie side were: we have to give them visibility on the content of the data, right? Usually for us it doesn't matter, it's database work, it doesn't matter what it holds, right? It's the same technical stuff: it's a database and somebody downloaded everything with a SELECT *, boring stuff. But for lawyers, it's important to know the fields here. Like, was it your health data, was there gender in there, was it just email addresses? Was it somebody ordering Raspberry Pis, or somebody getting his paycheck with the little bank details attached to it, and stuff? That gets relevant, and we have to translate that SQL stuff also to our colleagues from cyber legal. It's not good enough to tell them: look, there's the table, do whatever you like, that's the SQL table, have fun, I'm out. Yeah, we have to translate it, and we also have to help with it. So what we also do is prepare examples with raw data and show them: look, this is how it looks, don't get scared, this is what it means, that's the telephone number.
We read it a few times; I think that's the account name, because that's a unique one per row. So you explain the data bits, but it's additional work for the incident response team to translate that from the technical side to a human readable side. And sometimes we also do a bit of vetting. So for example, when there are email addresses and it's your company email addresses, we often can also run additional checks, like: is it old, do those email addresses still exist? That's easy, right? For us it's not a hard thing to write a little script that goes there and ticks everything that doesn't exist anymore. But that helps our legal people to get the context: is it something that was scrambled together by putting all data together and making it look interesting, or is it actually something we sent, with 99% of these email addresses still existing, or are 60% of the email addresses gone and not reachable anymore? It's old data. Yes, not that critical. Not "who cares", but not that critical, at least.

No, true, and don't forget the product side. We have talked a lot about data dumps and access, but if you have a problem in your products, and for example your data fields are scrambled and there's a mix of Chris's data in my data, so I get Chris's salary or vice versa, yeah, this is a problem as well, because this could qualify as a personal data breach as well. So it's not only about disclosure, it's about deletion. So if my bank account details are deleted before my paycheck run, I don't get my money, and who pays my rent? I don't have money in my bank account. So it's not only accessing and dumping data, it's much more, unfortunately.

And one thing I remember us doing often is also going the extra mile sometimes for the lawyers, like also looking for stuff that you usually don't in incident response: we see something happened, you jump on it, you put the fire out, fine.
That's it. But often, for example if there's a SQL injection, right, somebody played with it, we look for data dumps. But we could also go the extra mile sometimes and see if, like: okay, technically with that vulnerability you could also alter the data and edit stuff, are we sure nobody did this, and that the guy who reported it is the first one seeing it? So that's often also the extra mile that we go when working with the data privacy guys, because usually the incident response stuff is like: vulnerability closed, thing handled, that's it. But often we go the extra mile there and ensure that nothing happened, and we can safely say: this is the case and nothing else happened.

But would you say that your job has changed over the last four, five years? Yeah, but yeah, so that went from more techie, like "get rid of my problems, you techie guys in the basement", to "tell us what happened at the board level meeting, that's the invite".

Yeah, and I think the legal aspects definitely as well, because what we see is that the privacy landscape changes. We have more and more laws upcoming right now, and many of them are just mimicking the GDPR. So if you look for example at China, the law is completely different, but with regards to the scope they have the same extraterritorial scope as GDPR. Yeah, so they are really copy-pasting the laws. So it's not only Europe that is the hot topic, but we have similar laws in APJ, with even personal liability sometimes of the people responsible for the data processing. And yeah, so I think it will change even more in the future. I hope not, but yeah, let's see.

So, the post-incident, post-event activity.
Yeah, as I said, hiccups happen. Ultimately, the really important thing is that you trust each other and don't start fighting, because there's always the panic going on. You know this meme where there's one guy sitting at the table drinking coffee and everything is burning around him? That's usually how it looks in incident response. You have to be calm, and if you fight in the teams, in the company, it all goes to hell. You have to trust each other and rely on each other, and take a breath sometimes. Things get a bit emotional at times when people are under pressure, that happens. But it's super important that you establish trust, and that you drink a beer with your lawyers and stuff, and that you work together and collaborate even in these tense times, because yeah, that's really, really important. And hiccups happen every time. There is no process or no relationship that works every time. It's perfectly normal to fail, even in this panic situation. Don't talk about the failures in the incident response time, in the incident response. That's for after, right? The focus is getting the emergency done, getting all the information together, getting back to normal working hours, and then we can talk about what went wrong and what completely went off the track.

That's true, and don't forget, I mean, I would say our groups are very different in the characters working in there. So this is something as well, just how you present yourself, how you talk to each other, it is different. So I think it's a learning process, and if you're ever working in cyber security, or as a lawyer wanting to work closer with security, I think it's fun. I really like it, but my colleagues sometimes think: strange again. But this is how it is if you work with different teams.
Not everybody is, yeah, a lawyer. It's just how it is, really different everywhere.

Yes, and that's incident response post-event activities from a data protection perspective. So what I always say to Chris is: delete the stuff, please. It's not your precious that you want to keep. Delete it. You need a purpose, you need a legal basis to keep it, you need to define retention periods for your logs. You must delete the stuff after, I don't know, five years, when the case is really closed and there are no legal claims. Please delete it. Yeah, and there are also data subject rights. So all of you can ask a data controller: give me information about what data you are processing about me. Yeah, a full list, a full copy. It's your right, it's in the law, no problem. But we have a problem if we have too much data lying around, because then we have a lot of work answering all these requests. And this is a love-hate relationship really, because I think here we are clashing a bit.

Yeah, of course I want to keep that stuff, because when the guy comes back I want to know what happened before, because he might act the same way, people repeat themselves. I want to understand: how did we find out, what was that IP address the last time, how was it again? So I really want to go back to these cases usually, I want to read up on what we did, because I forget about it a year later. I have no idea how we did it in detail. Yeah, so there was a clash of things here.

But you have to find a balance, and I always say: data protection is not black and white. It's a risk-based approach, and you have a lot of gray. That's it. Yeah, and I think that's our last slide. I'm not suffering from post-incident blues, not at all. I don't know why our cyber security colleagues are suffering from it, but I am really relieved when it's over, because I have deadlines, like 72 hours, without undue delay, and I really enjoy my weekends without any crazy cases.
Yeah, I mean, I like you and your team, but sometimes I have definitely had enough. One thing that we probably have to mention: if you ever see companies reacting slowly, the clock starts ticking at the moment an enterprise understands the data privacy violation, so when we can tell that this is actually a data privacy violation. Becoming aware of it, exactly. It doesn't start with the posting in the dark net and so on. So that's really important to understand. Because if somebody posted it, it might be that I get hold of it a week later, because that port is closed and not easily reachable and somebody has to tell me about it. So yeah, just in case the next shitstorm is approaching and people in enterprises are reacting slowly, that's probably because of it: you need to give the teams a bit of time to understand what happened before we tell you anything, because otherwise we would tell you a lie, and that would be worse.

Exactly, because there's this notification fatigue as well. Just imagine you get five emails a week saying "your data was breached", and every time it was not really critical, something you can handle by yourself. Sometimes you will just delete these emails, for sure, after a year or so when you're getting five per week. Yeah, and it's a so-called investigation phase, and it's also in the law that you have a bit of time just to understand what happened. Yeah, that's it, I guess.

Then I'll take the other one again. Yeah, first of all, thank you Chris and Kerstin. I had a lot of fun, because I actually have both a legal as well as an IT background, but that should be the most in the audience; I don't think it went that way. Have your questions.

Thanks for the talk.
I have a question. At the moment in cyber security, the most important thing is to collect data very far back in history, in order to cope when the incident happens. So this is of course a conflict, I think, with the data protection side. How do you handle it?

We have data retention times, right, that we agreed on. But that also goes hand in hand with a statement saying: we can only tell you that nothing happened during the last three years, two years, whatever your data retention time is. If something happened before that, maybe I don't know. So that's the same side of the thing, right? Same side of the medal.

And I mean, now everybody asks: yeah, okay, retention times, how long, five years, ten years? That's a problem, because the law says nothing. It says as long as there's a purpose and as long as you have a legal basis. And I always say, okay, do we have, for example, anything like NIST? Do we have a standard, an industry practice, which really helps us? Do we have specific technical measures to secure the data, like hot storage, cold storage, access concepts? Can we maybe pseudonymize the data, hash it properly? Is it even possible to anonymize it? I mean, you don't need, I don't know, every single data category which is personal. Maybe you need, I don't know, server logs without any personal data in them. So it really depends. I think you find workarounds, but you have to look your partner in the eye and say, okay, let's be real: what do you really need, what makes sense, and just find middle ground. It's not easy. And it really depends where you're headquartered as well. So I think a US company is different than a European-based company. Don't forget that.
Yeah. The question was who makes the decision on data retention, how long it is. Usually it's us proposing the standard, and DPP has to sign it off. So the data privacy lawyers sign it off or refuse to sign it. Then we fight again and lower the retention time. But it's us, the techies, putting the stories together, like for email, for example, because of the phishing going on and the big threat. And yeah, for all the enterprise, we have a really easy way to tell Kerstin: look, we've had five hundred sixty-eight cases, two thousand five hundred sixty affected employees, we need to keep that data for five years or something, right? So it's us building the story and then convincing her that this is okay.

Yeah, but I mean, on the other hand, you just have to spin a very good story, to be honest. It's all about documentation in data protection law: document it properly, have good arguments, have it properly secured with technical and organizational measures. I mean, if such data leaks, it's not ideal, but if you can say the whole process is there, you have a good story, it's documented, I really don't see a data protection authority coming in and raiding your building and saying "delete it". No, I mean they have to understand it, and if you have a proper story, in my opinion it must be fine. Otherwise, how should enterprises protect themselves? Not possible.

There's probably also the legal side, that you could actually make a case before a court about it.

Yeah, yeah, I mean, oops. It depends. If there was really a case with people affected, customers affected, etc., you have to keep the data, of course, as evidence, proof that you acted correctly.

Now, how about the classical case of my long-term tape backup of the email server?
I cannot tell anybody "we have deleted your old email, your private data", but it is on the tape. Nobody should access it, but in case of emergency...

That works, but it's the same story. It doesn't matter how you access it. So yeah, there are logs like that, that are not easily reachable and searchable for us. We keep them somewhere else because we don't need them very often, right? So we know we need them in real emergencies, when it's settled that category. But it doesn't matter, right, legally wise. It doesn't matter whether you keep them on tape or not. It's completely irrelevant for the privacy side. They are there and therefore you can access them. It might take you a week to get your hands on them, but it doesn't matter if it takes you one hour.

If a former employee tells me to delete all mail, I can't; it's in the backup.

Yeah, okay, then you're talking about data subject rights again, the deletion, and then it depends on the work relationship. Is there, for example, a litigation case pending before the labour court, this kind of stuff? Yeah, I mean, there might be reasons why you have to keep the data. If you only have reasons like "I cannot reach it because our technical setup sucks", not a good reason. As easy as that, unfortunately.

That was not a question. I've just a small question. Thanks for the talk at first. How do you rate services like an external CERT for small to medium-sized businesses, which may not have proper documentation, and varying experts on the topic who aren't that deep within your company processes? How do you rate them?

In general, it's better than nothing, but of course I'm working in-house, so I think that's... well, who would say different, right? I think it's worth the money, but it's also expensive, right?
But you understand the pros of having this company background. You can easily talk to people; you are sitting there. You know who's working where and you know why things are happening that way. There is no way you have that knowledge as an external vendor, right? You are one customer and there are like 50 of them, and well, you don't have the time to deep dive into each and every company and assess stuff like "so what, we have these backup solutions on tapes" and so on. External vendors don't care; it's one service. But it's better than nothing, right? Better having something that is there for you to help than nothing at all. That's the first kind of situation. No answer from the legal side.

Any more questions? This is the last question I take.

I was wondering if you came up with the four-step process yourselves, or where did you get the inspiration for it?

Incidents: something happened and we knew that this was actually something we should talk with the privacy guys about, and then it started. So there was no process at all at the beginning. It just came out as we had the case in front of us.
We were like, freaking heck, what to do now? Yeah, and I think, for example, ENISA, the European Cyber Security Agency: these four steps are more or less the industry standard, I would say, isn't it, and it's incident response stuff. Yeah, but what we are talking about is additional to this standard. Incident response was always a technical thing for these incident response teams. It was always: get rid of the fire, put it back to normal, that's it. And now we have all these critical infrastructure and data privacy things coming on top of it, where it's not good enough to just put out the fire; you have to tell people what happened in language they understand. So yeah.

So if your lawyer can understand it, the people can probably also understand it. True.

No, but otherwise, yeah, I think it really depends what company or what institution you are working for, so what kind of data you are protecting. It really differs, I would say. I mean, our company is a bit special, I would say. If you are working for a manufacturing company which is not handling huge amounts of data, only your customers' data, your suppliers' data, and maybe your employees', that's a different story. But I think for a software company it will change even more in the future. I'm quite convinced.

Yeah. Okay, no more time for questions. Thank you Chris and Kerstin.