Environmental, Social & Corporate Governance (ESG) is not very common yet, but it is becoming increasingly popular in Germany as well. It's a relatively new approach to assessing the extent to which companies are committed to goals that go beyond maximizing profits for their shareholders, owners, stakeholders, etc. These goals include, for example, certain environmental targets, support for certain social movements, and whether the company is managed in a way that promotes diversity, equality, and inclusion. ESG requirements also place important demands on the handling of data. Accordingly, companies are also measured by how carefully they handle the sensitive data of their employees, clients and partners. But what should companies look for to ensure that they meet the data protection aspect of ESG?
Trade Secret Protection Act (GeschGehG)
Good guidance is provided by the German Trade Secret Protection Act (German: Geschäftsgeheimnisschutzgesetz (GeschGehG)), which has been transposing the corresponding EU directives into German law since 2019 and for the first time legally defines what constitutes a trade secret. Among other things, the definition includes the provision that a trade secret only exists if the company has taken appropriate confidentiality measures. Thus, if a court judges the secrecy measures to be inadequate in the event of data theft, the company has no claim to criminal prosecution, because the information is then not a trade secret in the legal sense. If trade secrets, which ultimately exist as data, are not sufficiently secured against criminal access, the company risks financial loss as well as damage to its image.
In addition to the Trade Secret Protection Act, the now best-known legal requirements for the careful handling of data result from the General Data Protection Regulation (GDPR) together with the Schrems II judgement. Under these, companies are only allowed to transfer personal data to non-European cloud services if they take appropriate technical measures to protect this data from unauthorized access by third parties. This primarily refers to unauthorized access by non-European countries. The European Data Protection Authority (EDPA) becomes even more specific, citing the encryption or pseudonymization of data before it is transferred to the cloud as an adequate measure to achieve GDPR compliance.
Data Encryption helps
Encrypting and/or pseudonymizing data before it leaves the protected corporate environment is proving to be the best way to avoid penalties for a GDPR breach. Because it is the strongest technical measure for protecting data, encryption is also the means of choice when it comes to protecting oneself under the Trade Secret Protection Act and complying with the ESG requirements for data protection. The latter are becoming increasingly important for German companies as well.

Any halfway realistic IT security strategy must acknowledge that there can be no absolute protection against unauthorized access to data. Even technically extremely advanced companies can become headline-grabbing victims of cyberattacks, especially since criminals are increasingly exploiting human weaknesses to gain access to IT systems. The only technical measure that also arms a company against human weaknesses is cryptography. Even encryption cannot prevent sensitive data from falling into the wrong hands. But it does ensure that the stolen data is worthless to criminals and foreign states, because without the key it is unreadable.
Finally, the ESG trend does not place any new demands on data protection, but merely provides one more reason to encrypt sensitive data. As the strongest technical measure for data protection, encryption also offers future security. In other words: One can't do more than that!
Insofar as this document contains legal explanations, recommendations and advice, these represent non-binding information without any guarantee for completeness and correctness. In this respect, it does not constitute legal advice and Eperi GmbH does not claim to represent or even replace such legal advice.