An assessment on TISAX® and data protection
Proven data security is as important to an organisation as its tax ID: you cannot do without it. This is especially true in the automotive industry. SMBs that want to be part of major car manufacturers' value chains need to comply with the TISAX® standard, in which data protection is a separate audit objective and an essential component of the TISAX® assessment. In this article, we provide an overview of the most important questions and their answers.
Why is an assessment on TISAX® so important to SMBs in the automotive industry?
There are several reasons. The most important reason is that the label for an assessment on TISAX® is required to work with German car manufacturers and suppliers. Even though there is no legal obligation to have a certification on TISAX®, more and more companies require their partners to get one. Within the supply chain, even sub-suppliers without direct contact with manufacturers are asked to prove an appropriate level of data protection with a label on TISAX®.
Given the growing industrial espionage in the automotive industry, this is a highly understandable request. Good to know: whoever wants to fulfil the requirements can have a look at the VDA ISA catalogue. There, you not only find the requirements but also learn where TISAX® exceeds and broadens the requirements of ISO 27001.
4 reasons why data protection is key
- Industrial spies very often target prototype data, and data protection is essential to protect this kind of information. Speaking of prototypes: apart from data protection, prototype protection is another audit objective in the VDA ISA catalogue. If a service provider acts as a data processor, it needs to adhere to the provisions of article 28 EU-GDPR and take appropriate data protection measures.
- In the automotive industry in particular, the specific obligations and provisions regarding data protection given in the VDA ISA catalogue must be met.
- In addition, the general legal requirements given in the GDPR also need to be met – they further help to prevent security breaches.
- Data protection in the automotive industry is not only essential for manufacturers and suppliers of physical parts. Providers of marketing services and other customer- and stakeholder-centred groups also need to meet high demands when it comes to data protection.
Which role does data protection play in an assessment on TISAX®?
Alongside information security and prototype protection, data protection is a main audit objective in the VDA ISA catalogue. To clarify: the label you receive for a successful assessment on TISAX® can be issued for normal, high and very high protection requirements. Suppose your business partner asks for a normal security level according to TISAX®. In that case, you need to meet the requirements of the GDPR, i.e. those requirements you legally have to meet anyway. Good to know in this case: to prove a normal security level according to VDA ISA, you only need to answer a list of questions about your organisation yourself.
For a high or very high security level, however, the requirements of assessment levels 2 and 3 apply, respectively, and you have to choose “data protection” as your additional audit objective. This might be the case if you act as a data processor according to article 28 GDPR or if your business partner explicitly asks you to set data protection as your additional audit objective. In that case, assessment level 2 applies.
If you process personal data of special categories according to article 9 GDPR, your business partner will demand a very high security level. Here, assessment level 3 applies, with even higher requirements, and adherence to them will be audited on-site by a certifying body.
Find out more in our article Assessments on TISAX® – what are they, and what are the differences?
How can SMBs manage their data protection to achieve the label on TISAX®?
A good basis is a data or information security management system implemented in your organisation. If you do not have such a system yet, take a closer look at the VDA ISA control questions and the requirements of the data security level you want to reach before you start implementing one. This ensures that you meet the requirements and obtain the TISAX® label you need.
PRO TIP: Define clear responsibilities and allocate sufficient resources as part of the implementation project. Focus on all departments involved, e.g. the legal department and your data protection officer. This ensures that these departments are well structured and able to take the necessary measures to protect personal data. This applies both to internal workflows and to the documentation of all data processing.
Which quick wins can SMBs draw from data protection measures?
- You strengthen your organisation regarding data protection and TISAX®, either in the form of external organisational services or internal specialists.
- You stay up to date on data protection and information security.
- You create security awareness and educate your staff on a regular basis.
- You define security zones in your organisation and strengthen the physical security of company premises.
How can DataGuard support you regarding data protection and the assessment on TISAX®?
Our experts at DataGuard support you in meeting the requirements of the VDA ISA catalogue and help your team define and implement the necessary measures. On request, we work closely with your internal data protection officers and – in case these roles are not yet fully defined or in place – point out the measures that need to be taken.
On top of that, if DataGuard acts as your external data security officer, we automatically make sure that you meet the TISAX® data protection requirements. Thus, you benefit from our experts’ vast experience and proven best practices.
If you enjoyed reading this, you might also be interested in a checklist for TISAX® and an Implementation Roadmap for the assessment on TISAX®.
Get in touch with our experts to find out more about TISAX®.
TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.