
Technical and organizational Measures


Intro: What is meant by technical and organizational measures, what function do they have and what must be taken into account when implementing them?

To-Dos: What is the specific procedure for implementing the measures and the associated obligations?

Statements: What guidance have the data protection supervisory authorities published on the subject of technical and organizational measures?






Implement technical and organizational measures in compliance with the law





What is meant by technical and organizational measures, what function do they have and what must be taken into account when implementing them?

A central requirement of the GDPR is the implementation of protective measures. The law distinguishes between technical and organizational measures.

Technical measures include those that prevent unauthorized physical access to premises, unauthorized access to systems, and unauthorized access to the data stored on them (e.g. password protection combined with an authorization concept). Beyond such measures, which protect the confidentiality of data, the control of data input (logging) protects integrity, i.e. it ensures that data cannot be manipulated unnoticed. A further protection goal, the availability of data, is met with the help of backups, among other things. Finally, the resilience of systems and services is ensured with appropriate protection against attacks, for example DoS attacks.

In addition to technical measures, the GDPR requires organizational protective measures. This includes the allocation of responsibilities with regard to the implementation and maintenance of technical measures, but also the sensitization of employees and their commitment to data protection.

Both technical and organizational measures must take into account the individual risk posed by data processing. It is therefore not enough to work through a “standard catalog” of measures; rather, risk-adequate measures must be defined and implemented on a case-by-case basis, taking into account the state of the art and the implementation costs.



What is the specific procedure for implementing the measures and the associated obligations?

1. Risk identification: All internal and external data protection risks to personal information have to be identified in order to determine whether sufficient technical and organizational security measures have been implemented.

2. Concept for establishing and maintaining appropriate data security: It should be defined which technical and/or organizational measures must be implemented under which circumstances.

3. Implementation and maintenance of appropriate security safeguards: The controller must implement appropriate technical and organisational measures to ensure a level of security appropriate to the identified data protection risks.

4. Process for monitoring the effectiveness of implemented security measures: Once implemented, the effectiveness of the safeguards must be verified regularly and, where required, updated in response to new risks or deficiencies.

5. Definition and documentation of the process for access right allocation: According to the "need-to-know" principle, the access rights of a particular position in the company must be limited to the extent necessary for the fulfilment of the position's tasks. It must be defined by whom and under which conditions access rights are allocated. The process could be defined in a data security directive.
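As an added illustration of steps 4 and 5 (not code from the original page), the following Python model shows how a documented allocation process and a periodic effectiveness review can be expressed in code: each position has a defined permission scope (need-to-know), every grant records who approved it, under which reason and when, allocations outside the scope or approved by the recipient are refused and logged, and a review function flags rights that no longer match the holder's current position. The positions, permissions and user names are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Constructed example scope: the permissions each position in the company
# needs for its tasks. Anything outside this set violates need-to-know.
ROLE_SCOPE: dict[str, set[str]] = {
    "hr_clerk": {"employee_records:read", "employee_records:write"},
    "payroll": {"employee_records:read", "payroll:write"},
    "support": {"customer_tickets:read", "customer_tickets:write"},
}


@dataclass(frozen=True)
class Grant:
    """One documented allocation: who got what, from whom, why and when."""
    user: str
    permission: str
    granted_by: str
    reason: str
    granted_on: date


@dataclass
class AccessRegistry:
    positions: dict[str, str] = field(default_factory=dict)  # user -> position
    grants: list[Grant] = field(default_factory=list)
    audit_log: list[str] = field(default_factory=list)

    def assign_position(self, user: str, position: str) -> None:
        if position not in ROLE_SCOPE:
            raise ValueError(f"unknown position {position!r}")
        self.positions[user] = position
        self.audit_log.append(f"POSITION {user} -> {position}")

    def allocate(self, user: str, permission: str, granted_by: str,
                 reason: str, granted_on: date | None = None) -> Grant:
        """Allocate a right only if it lies within the user's position scope
        and is approved by someone other than the recipient."""
        position = self.positions.get(user)
        if position is None:
            raise ValueError(f"{user} has no position assigned")
        if granted_by == user:
            raise ValueError("allocation must be approved by another person")
        if permission not in ROLE_SCOPE[position]:
            self.audit_log.append(
                f"DENIED {permission} for {user}: outside scope of {position}")
            raise PermissionError(
                f"{permission} is not needed for position {position}")
        grant = Grant(user, permission, granted_by, reason,
                      granted_on or date.today())
        self.grants.append(grant)
        self.audit_log.append(
            f"GRANT {permission} to {user} by {granted_by}: {reason}")
        return grant

    def permitted(self, user: str, permission: str) -> bool:
        return any(g.user == user and g.permission == permission
                   for g in self.grants)

    def review(self) -> list[str]:
        """Periodic effectiveness check: list every grant that no longer fits
        the holder's current position (e.g. after an internal transfer)."""
        findings = []
        for g in self.grants:
            position = self.positions.get(g.user)
            if position is None or g.permission not in ROLE_SCOPE[position]:
                findings.append(
                    f"{g.user} holds {g.permission} but position is "
                    f"{position or 'none'} (granted by {g.granted_by} "
                    f"on {g.granted_on})")
        return findings


def demo() -> tuple[bool, bool, list[str]]:
    """Walk through an allocation, a refused over-allocation and a transfer."""
    reg = AccessRegistry()
    reg.assign_position("alice", "hr_clerk")
    reg.assign_position("bob", "support")
    reg.allocate("alice", "employee_records:write", granted_by="hr_lead",
                 reason="maintains personnel files",
                 granted_on=date(2024, 1, 15))
    in_scope = reg.permitted("alice", "employee_records:write")

    # Bob's position does not need personnel data: refused and logged.
    try:
        reg.allocate("bob", "employee_records:read", granted_by="hr_lead",
                     reason="no task-related need")
        refused = False
    except PermissionError:
        refused = True

    # Alice transfers to support; her old right now exceeds need-to-know.
    reg.assign_position("alice", "support")
    return in_scope, refused, reg.review()


if __name__ == "__main__":
    in_scope, refused, findings = demo()
    print("alice permitted within scope:", in_scope)
    print("over-allocation refused:", refused)
    for finding in findings:
        print("REVIEW:", finding)
```

The review step is the part most often missing in practice: rights accumulate when people change positions, so the documented allocation process needs a matching, regularly run comparison of current grants against the current position scope.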







