Bosch Thermotechnology employs more than 14,000 people and operates 18 production sites around the globe. How does a deeply interconnected global player succeed in digitizing processes while ensuring data and information security? We asked Sven Harbach about it.
Sven Harbach started out with vocational training as an energy electronics technician in 1998 – back then at Buderus Heiztechnik GmbH. After that, he studied business information systems. In 2020, he began working as Data Protection and Information Security Officer at Bosch Thermotechnology. We met him to talk about digitization and data protection.
W3+: Mr. Harbach, your field of activity sounds like high-tech and cyberspace – and then we find you sitting totally relaxed at your desk in your home office. You have just completely disillusioned us.
Sven Harbach: (laughs) I am really sorry about that but all I need for my work is a computer and a reliable Wi-Fi connection. To be honest, since the beginning of the pandemic, I have spent most of my time working from home. There aren’t any reasons against it and the results speak for themselves.
W3+: That means data protection and information security don’t require a setting like the one known from, for instance, “The Matrix”?
Sven Harbach: No, absolutely not. I am interconnected with our global facilities from here and I coordinate matters with our team of 17 people all over Germany on a regular basis. This is totally prosaic and unexciting.
W3+: Could you please explain what you do in a nutshell?
Sven Harbach: I am responsible for the effectuation of data protection directives and the implementation of information security in all corporate facilities and business units at Bosch Thermotechnology. Basically, I see myself as a translator who renders internal and external requirements into specific provisions for the respective person in charge of IT and processing. This concerns all processes and communication channels within the company but also with respect to customers and suppliers.
W3+: Why do you have to translate it?
Sven Harbach: Hyperbolically, one could say: the legislature doesn’t know anything about IT but specifies a mandatory framework for the protection of data, which then has to be implemented from a technical point of view by the companies. Concerning the internal requirements, Bosch has defined minimum standards which apply across the corporation and – depending on the location – have to be adapted to the specific country’s regulations.
W3+: How important is this issue for Bosch Thermotechnology?
Sven Harbach: Data protection and information security are significant and, in some cases, rather complex. That’s why Bosch established a structure and organizational arrangement to that effect which applies throughout the group of companies. Our sector, however, is not responsible for the operative side but for counseling the operative units.
W3+: Where do you see the greatest challenges?
Sven Harbach: Data protection is mainly about personal information about customers and business partners, but also about employees. We have thousands of databases. For those, we use a PDCA (Plan-Do-Check-Act) control cycle to check whether what was initially defined is still valid and whether it corresponds with applicable laws and regulations. Depending on the changes made in legislation, we have to check all implementations and, if necessary, bring them up to date. In addition to that, information security requires us to make sure that our data is protected against any access from outside. As a matter of principle, we are guided by ISO 27000 throughout the Bosch group.
W3+: To what extent is it possible to simplify your work by digitizing any processes?
Sven Harbach: Let me explain how it works with a specific example. The obligations to provide information about data processing are also part of the GDPR, in the same way as the data subject rights, that is, the rights to information, rectification, erasure, restriction of processing, objection, and data portability. The period allowed for processing inquiries until a response has to be given is 30 days. That means inquiries from data subjects must be processed in a timely manner to keep the deadline. This is aggravated by the fact that inquiries from data subjects may come in through entirely different channels – e.g., by e-mail, on the phone, directly from the person concerned, etc. Thanks to the intelligent interlinkage of all IT activities and operations, our processes are digitized and optimized in such a way that inquiries are processed effectively, quickly, and without requiring many resources within the set time frame.
W3+: Aside from the protection of personal information, your work is also about safety aspects in the interconnected network: How secure is my communication, and through which channels? How can I provide secure data communication between machines as part of Industry 4.0?
Sven Harbach: The question of digital sovereignty has been with us in our private lives but also in our professional lives on a daily basis, at least since the pandemic: Which commercial tools and platforms may I use in good conscience without having to fear that somebody might read along or listen in? Needless to say, the same also applies to our employees with regard to business communication. From a purely technical point of view, our own platforms or commercial tools which, in some cases, were specifically customized for us provide us with the best equipment for that purpose. What is more important in this context is sensitizing the employees in their handling of the technology.
Concerning your second question, we are in the middle of a rapid development. Industry 4.0 means, in essence, an increase in the digitization of industrial production. In fact, however, this goes hand in hand with an interconnectedness that reaches much farther: Machines are communicating with machines; production data is exchanged; customers are able to track the manufacturing process of their products; information about maintenance or wear of machinery and products is transmitted directly to the service departments. As a result, you get completely new business models, and not only in our industrial branch.
W3+: This sounds very promising – but only if data and networks are secure.
Sven Harbach: Exactly. Every device and every digital system is equipped with an intelligence that is potentially at risk of being attacked through the network. The protection of servers and server data is therefore essential. Even cloud-based concepts may not always be the ultimate solution in this regard.
W3+: What may small and medium-sized companies learn from a global player like Bosch Thermotechnology?
Sven Harbach: Far be it from me to lecture anybody. It is obvious that the statutory provisions apply to both big and small companies in equal measure. The damage arising from a failure to observe the data protection directives or from a lack of information security can be quite substantial, even for small companies. Of course, the issue is more complex the more globally you operate and the more people, sites, or subcontractors are involved. But it will be of help in any case to create structures to that effect and to develop the corresponding skills and competencies – so that you are not only technically up to date but your employees are also sensitized to handling information in a secure manner.