Model for data protection officers
by R. Olschewsk
The dual control principle (also known as the four-eyes principle or two-person rule) means that important measures should not be carried out or approved by one person alone. The aim is to limit errors and opportunities for misuse: the probability that a single person errs or acts improperly is higher than the probability that two people collude in doing so.
The dual control principle originally comes from quality management and authentication, but is also becoming increasingly important in the area of data protection.
The classic example of this principle is the so-called second opinion in the field of medical decision-making. However, dual control procedures can also be found in banking and public administration.
For the data protection officer, the dual control principle plays a particularly important role in the design of a rights and roles concept, especially with regard to administrator rights and the verification of deletion processes.
The dual control principle can, for example, be laid down in the company's data protection guidelines, e.g. by requiring that the email archive can only be accessed once two administrators have logged in together. The downside is the risk that each person checks only superficially, relying on the other to do it properly. For this reason, a hierarchical organizational structure with clear responsibilities should be maintained alongside the dual control principle.
Standard software such as SAP implements the dual control principle for changing infotypes, particularly HR infotypes, by means of so-called lock indicators. A data record can exist in the system but only takes effect once another authorized user unlocks it. The procedure can be set up in a symmetrical and an asymmetrical variant.
In the asymmetric variant, user A can create, change and delete data records, which are automatically locked on creation. User B can only lock and unlock records. As soon as user B unlocks a record, user A can no longer change it; this only becomes possible again once user B locks it.
In the symmetric variant, both users hold the same rights, but they apply crosswise: a record can never be released by the same person who created or last changed it.
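The following is an added illustration of the lock-indicator model described in the two preceding paragraphs; it is not SAP code and does not reproduce SAP's authorization objects. It models both variants with an in-memory store: every create or change sets the lock indicator, only a user with the release right can clear it, a released record is frozen until it is locked again, and the releasing user must differ from the user who last changed the record. User names, the "maintainer"/"releaser" roles and the sample infotype records are assumptions made for the example.

```python
"""Dual-control ("four-eyes") lock-indicator model (added example, not SAP code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Variant(Enum):
    ASYMMETRIC = "asymmetric"  # user A maintains, user B locks/unlocks
    SYMMETRIC = "symmetric"    # everyone maintains and releases, but crosswise


class DualControlError(PermissionError):
    """Raised when an action would defeat the four-eyes check."""


@dataclass
class Record:
    key: str
    value: str
    locked: bool = True            # lock indicator, set on every create/change
    changed_by: str = ""           # user who created or last changed the record
    released_by: Optional[str] = None


class FourEyesStore:
    """In-memory record store that enforces dual control on release."""

    def __init__(self, variant: Variant, maintainers=(), releasers=()):
        self.variant = variant
        if variant is Variant.SYMMETRIC:
            # symmetric variant: every participant holds both rights
            everyone = set(maintainers) | set(releasers)
            self.maintainers, self.releasers = set(everyone), set(everyone)
        else:
            self.maintainers, self.releasers = set(maintainers), set(releasers)
        self.records: dict[str, Record] = {}
        self.audit: list[tuple[str, str, str]] = []   # (user, action, key)

    # --- maintenance: create / change / delete --------------------------------
    def save(self, user: str, key: str, value: str) -> Record:
        self._require(user in self.maintainers, f"{user} may not maintain records")
        existing = self.records.get(key)
        if existing is not None and not existing.locked:
            # a released record is frozen until a releaser locks it again
            raise DualControlError(f"{key} is released; it must be locked before changing")
        rec = Record(key=key, value=value, locked=True, changed_by=user)
        self.records[key] = rec
        self.audit.append((user, "save", key))
        return rec

    def delete(self, user: str, key: str) -> None:
        self._require(user in self.maintainers, f"{user} may not maintain records")
        rec = self._get(key)
        if not rec.locked:
            raise DualControlError(f"{key} is released; it must be locked before deleting")
        del self.records[key]
        self.audit.append((user, "delete", key))

    # --- release: lock / unlock ---------------------------------------------
    def unlock(self, user: str, key: str) -> Record:
        self._require(user in self.releasers, f"{user} may not release records")
        rec = self._get(key)
        if rec.changed_by == user:
            # the second pair of eyes must belong to a different person
            raise DualControlError(f"{user} changed {key} and may not release it")
        rec.locked, rec.released_by = False, user
        self.audit.append((user, "unlock", key))
        return rec

    def lock(self, user: str, key: str) -> Record:
        self._require(user in self.releasers, f"{user} may not lock records")
        rec = self._get(key)
        rec.locked, rec.released_by = True, None
        self.audit.append((user, "lock", key))
        return rec

    def effective(self, key: str) -> Optional[str]:
        """Value that downstream processing may use: only released records count."""
        rec = self.records.get(key)
        return rec.value if rec is not None and not rec.locked else None

    def _get(self, key: str) -> Record:
        if key not in self.records:
            raise KeyError(key)
        return self.records[key]

    @staticmethod
    def _require(condition: bool, message: str) -> None:
        if not condition:
            raise DualControlError(message)


def rejected(action: Callable[[], object]) -> bool:
    """True if the action is refused by the four-eyes check."""
    try:
        action()
    except DualControlError:
        return True
    return False


if __name__ == "__main__":
    # constructed sample: asymmetric roles, HR-style infotype record "0008"
    store = FourEyesStore(Variant.ASYMMETRIC, maintainers={"alice"}, releasers={"bob"})
    store.save("alice", "0008", "salary=5000")          # locked, not yet effective
    store.unlock("bob", "0008")                         # second person releases
    print(store.effective("0008"), store.audit)
```

The `effective()` lookup is the point of the lock indicator: a record that exists but is still locked must not feed payroll, reports or any other downstream processing, and a released record cannot be silently edited by its author without the releaser noticing the lock being set again in the audit trail.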
Companies should examine the possibilities of using the dual control principle for sensitive data processing procedures and implement it where necessary.
Further information:
- bsi.bund.de/ContentBSI/grundschutz/kataloge/m/m04/m04129.html
- bsi.bund.de/SharedDocs/Downloads/DE/BSI/ISRevision/Leitfaden_IS-Revision-v2_pdf.pdf?__blob=publicationFile