Implement technical and organizational measures in compliance with the law

What is meant by technical and organizational measures, what function do they have and what must be taken into account when implementing them?

A central requirement of the GDPR is the implementation of security measures. The law distinguishes between technical and organizational measures.

Technical measures include measures that prevent unauthorized access to rooms and unauthorized access to systems as well as access to data on them (e.g. password protection with an authorization concept). In addition to such measures aimed at protecting the confidentiality of data, the control of data input (logging) serves to protect data integrity, i.e. the prevention of unnoticed manipulation. A further protection purpose - the availability of data - is fulfilled with the help of backups, among other things. Finally, the resilience of systems and services is ensured by means of defensive measures, for example against DoS attacks.

In addition to technical measures, the GDPR requires organizational security measures. This includes the allocation of responsibilities with regard to the implementation and maintenance of technical measures, but also the sensitization of employees and their commitment to data protection.

Both technical and organizational measures must take into account the individual risk posed by data processing. It is therefore not enough to work through a “standard catalog” of measures. Rather, risk-adequate measures must be defined and implemented on a case-by-case basis, taking into account the state of the art and the implementation costs.

What is the specific procedure for implementing the measures and the associated obligations?

1

Risk Identification
All internal and external data protection risks to personal information have to be identified in order to determine as to whether sufficient technical and organizational security measures have been implemented.

2

Concept for establishing and maintaining appropriate data security
It should be defined which technical and / or organizational measures must be implemented under which circumstances.

3

Implementation and maintanance of appropriate security safeguards
The controller must implement appropriate technical and organizational measures to ensure a level of security appropriate to the detected data protection risks.

4

Definition and documentation of process for access right allocation
According to the "need-to-know-principle", the access rights of a particular position in the company must be limited to the extend necessary for the fulfillment of the position's tasks. It must be defined by whom and under which conditions access rights are being allocated. The process could be defined in a data security directive.

5

Process for monitoring effectiveness of implemented security measures
Once implemented, the effectiveness of the safeguards must be verified regularly and, where required, updated in response to new risks or deficiencies.