Regulations: strengthening data security
With increasing digitalisation and connectivity, the risk of cyberattacks leading to data loss, data misuse or even production downtime is also rising for manufacturers and formulators of paints and coatings. By Bettina Huck and Jürgen Knopp, QUMsult
They must protect themselves, among other things, against unauthorised access to formulation data, while customers require evidence that their data is secure. Since May 2018, the General Data Protection Regulation (GDPR) has governed when, how and on what basis personal data may be processed, what rights data subjects have, and which obligations data-processing entities must fulfil.
The internationally recognised standard ISO 27001 helps companies to manage information security in a structured manner, minimise risks and meet legal requirements. Companies must decide how they wish to implement information security.
Management system for information security
When processing personal data, companies must identify and implement the requirements of the GDPR. A management system, such as one based on ISO 27001, enables a structured approach and builds trust among customers and business partners.
DIN EN ISO/IEC 27001:2024-01 “Information security, cybersecurity and privacy protection – Information security management systems – Requirements” defines both the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), as well as the assessment and treatment of information security risks.
The main reasons for introducing a management system according to ISO 27001 include:
- Compliance with legal requirements: Compliance demands such as GDPR and industry-specific regulations, including the requirement to provide evidence of data security.
- Protection of sensitive information: Structured processes and measures ensure confidentiality, integrity and availability of data. Risks such as data loss or misuse can be minimised.
- Systematic risk management: Companies can identify and assess potential security vulnerabilities at an early stage and act preventively.
- Reduced liability risks: A functioning ISMS lowers liability risks (organisational negligence).
- More efficient processes: Documented procedures ensure legally compliant operations, saving companies time and money.
- Continuous improvement: Regular review and adjustment of processes increase the company’s level of protection and awareness of information security.
- Increased trust among customers and business partners as a competitive advantage: Certification serves as proof to customers and authorities; for many clients it is a prerequisite for doing business.
TISAX may be required when customers from the automotive industry impose specific requirements for the protection of sensitive data.
If an SME does not wish to establish a full ISMS at the outset, it can:
- prioritise critical protection needs, e.g. formulations, customer data, production processes
- use pragmatic, modular protective measures instead of comprehensive certification processes
- implement documentation and process control that can be realised with minimal resources
- integrate product safety requirements
Information on this can be found, for example, in the BSI brochure “Cybersecurity for SMEs”, including links to BSI IT-Grundschutz as well as industry-specific recommendations and checklists for information security.
Cybersecurity for industrial installations
Cybersecurity for industrial installations is becoming increasingly important due to digitalisation and networking – particularly for installations requiring monitoring, such as lifts, pressure systems, equipment in potentially explosive atmospheres, as well as petrol stations and gas filling stations. Key requirements and obligations are defined in TRBS 1115 Part 1 “Cybersecurity for safety-related measuring, control and regulation equipment”. Operators must prevent hazards to employees and other persons arising from cyberthreats such as software errors or hacker attacks.
The main responsibilities include:
- Assessing hazards arising from cyberthreats (§§ 3, 4 BetrSichV): Qualified personnel must determine whether cyber risks exist for installations and evaluate them. Guiding question: Which safety-related measuring, control and regulation (MSR) devices are in place, and are they protected against cyberthreats?
- Defining cybersecurity requirements and deriving measures, e.g. network segmentation, access and admission controls, and emergency management
- Verifying the effectiveness of the measures
- Inspection prior to commissioning and recommissioning after modifications requiring inspection (§§ 4, 14, 15 BetrSichV)
- Periodic inspection (§§ 14, 16 BetrSichV) by competent persons or approved inspection bodies (ZÜS), which assess cyberthreats and the measures implemented. Failure to demonstrate compliance with TRBS 1115 Part 1 may result not only in fines, but also criminal consequences and possibly even the prohibition of operating the affected installation.
- Operation, maintenance and regular checking of the functionality of cybersecurity measures
- Documentation: “Documentation available as part of cybersecurity management in accordance with Annex 1 TRBS 1115 Part 1 fulfils the documentation obligations for safety-related MSR equipment under § 3(8) BetrSichV.”
Legal compliance and legal registers
Employers must comply with applicable legal requirements. These arise from external regulations and internal codes of conduct. Legal compliance means that organisations fulfil all relevant laws and have established procedures to maintain compliance and implement new or amended requirements. Codes of conduct may relate, for example, to dealings with business partners, handling gifts and invitations, or responsibilities relating to environmental protection.
As a first step, companies determine in a compliance audit which regulations are relevant to them. Necessary measures must be defined and implemented. The result is generally an individual legal register, which may include legal provisions, internal rules of conduct and required permits. Managing applicable regulations is not a one-off task but a continuous process.
Requirements for a suitable legal register include, above all, that the update status is always visible, the relevance of changes for the company is assessed, obligations are derived, measures are implemented and monitored, and archiving is ensured. One provider of a web-based solution is QUMsult.
Conclusion
Companies must protect themselves against cyberthreats and ensure data security. A management system based on ISO 27001 enables a structured approach, and cybersecurity management for safety-related measuring, control and regulation equipment (MSR) can be integrated.