Measures are intended to ensure that personal data is protected against accidental destruction or loss.
Availability covers, among other things, an uninterrupted power supply. This can be ensured, for example, by a diesel generator that acts as an emergency power source and supplies the electricity required. An uninterruptible power supply (UPS) with lithium-ion batteries is more environmentally friendly.
When systems are under heavy load, data peaks can be outsourced under a suitable software contract. The service provider used should comply with the applicable data protection regulations and offer a level of data protection that meets the requirements of the GDPR.
State-of-the-art virus protection is essential for warding off hacker attacks. Such attacks can paralyze the entire IT environment, causing immense material damage and even reputational damage.
Choose a suitable, lockable location for storing physical data media. The key must be accessible to only a very few people, and who they are must be recorded in writing. When it comes to the disposal of personal data, data bins are a good alternative to special shredders. An external service provider takes care of disposing of the contents of the data bins.
Redundancy is very important in critical IT systems, so technical and organizational measures must be taken to provide it.
Procedures for periodic review, assessment and evaluation
A traffic light system can serve as a recommendation for action: it shows what stage each of the measures mentioned has reached and which ones urgently need to be improved. Even an Excel table that lists insufficient technical and organizational measures can be a useful aid. It is essential to review these assessment systems regularly and to update or adapt them accordingly.
Pseudonymization
Pseudonymization means processing data in such a way that a specific personal reference can only be established with additional information (Article 4, No. 5 GDPR). Pseudonymization is not always necessary, so you should observe the requirements of the GDPR for this. Pseudonyms can be assigned by a “trusted third party” (TTP), that is, a third party that both parties trust. TTPs collect the data as pseudonyms, store them and make them accessible if necessary. This means that personal data can also be restored after a technical incident.
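An added example, not part of the original article: the trusted-third-party arrangement described above, written in Python, where only the TTP holds the key and the lookup table needed to restore the personal reference. The class and function names, the HMAC-SHA-256 construction, the requester role and the sample records are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class TrustedThirdParty:
    """Hypothetical TTP: keeps the key and the pseudonym-to-identity table."""

    def __init__(self, authorized_requesters):
        self._key = secrets.token_bytes(32)      # never leaves the TTP
        self._table = {}                         # the "additional information"
        self._authorized = set(authorized_requesters)

    def pseudonymize(self, identifier):
        # Normalize so the same person always maps to the same pseudonym.
        normalized = identifier.strip().lower()
        tag = hmac.new(self._key, normalized.encode("utf-8"), hashlib.sha256)
        pseudonym = "p_" + tag.hexdigest()[:32]
        self._table[pseudonym] = normalized
        return pseudonym

    def reidentify(self, pseudonym, requester):
        # Restoring the personal reference is only possible here, and only
        # for requesters the TTP has been told to accept.
        if requester not in self._authorized:
            raise PermissionError(f"{requester} may not re-identify data")
        return self._table[pseudonym]


def pseudonymize_records(ttp, records, id_field="email"):
    """Return copies of the records with the identifying field replaced."""
    out = []
    for record in records:
        copy = dict(record)
        copy["pseudonym"] = ttp.pseudonymize(copy.pop(id_field))
        out.append(copy)
    return out


# Constructed sample data, not taken from the page.
SAMPLE = [
    {"email": "Anna.Muster@example.org", "diagnosis_code": "J45"},
    {"email": "anna.muster@example.org ", "diagnosis_code": "E11"},
    {"email": "ben.beispiel@example.org", "diagnosis_code": "J45"},
]

if __name__ == "__main__":
    ttp = TrustedThirdParty(authorized_requesters={"data-protection-officer"})
    for row in pseudonymize_records(ttp, SAMPLE):
        print(row)
```

Because the pseudonym is a keyed HMAC rather than a plain hash, a party that holds only the pseudonymized records cannot recompute a pseudonym from a guessed e-mail address; records of the same person still share one pseudonym and can be linked for analysis.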
Anonymization
When personal data is deleted, either complete destruction or anonymization is required: data treated in this way can usually no longer be restored and, because it no longer has any personal reference, no longer falls under the GDPR. In the case of anonymization, personal data are changed in such a way that they can no longer be attributed to an identified or identifiable natural person, or only with a disproportionately large amount of time, money and manpower.