In today's digital age in particular, it is important that companies take sufficient technical and organizational measures to protect personal data in accordance with the GDPR.
Absolute protection is not achievable in practice. Nevertheless, there are measures that make it very unlikely that personal data reaches unauthorized persons. In this blog article, we explain how this protection is to be ensured.
Article 32 GDPR requires the controller and the processor to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing of personal data.
But what exactly are technical and organizational measures, "TOMs" for short?
To answer this, we distinguish between technical and organizational measures:
Technical measures
These are all measures that are usually implemented physically, but software measures such as anti-virus software, encryption, etc. are also included. Examples are installed alarm systems, securing doors and windows, fencing off a site, etc.
Organizational measures
These answer the question of how the data protection measures are to be implemented: instructions, procedures and processes. Typical examples are the four-eyes principle and work instructions for dealing with faulty print products (misprints that contain personal data). In organizational theory, the four-eyes principle is a preventive control under which certain process steps or workflows must be carried out or approved by at least two people.
The GDPR does not prescribe specific measures, but only the protection goals that must be met: confidentiality, integrity, availability and resilience of the systems and services processing personal data (Article 32(1)(b)). Which measures are necessary depends on the company. For comprehensive protection of personal data through technical and organizational measures, the following points must therefore be implemented:
Physical access control
With regard to personal data, physical access control is intended to prevent unauthorized persons from gaining physical access to data processing systems (server rooms, offices with workstations, archives).
Specifically, this can be achieved, for example, with an alarm system or a security service. Video surveillance, code locks and chip card readers are also recommended. We advise against fingerprint scanners based on outdated technology, as these can be bypassed more easily and often fail when the finger used for authentication is dirty.
System access control
This covers measures that prevent unauthorized persons from using data processing systems (e.g. computers). Passwords, biometric authentication, etc. prevent unauthorized persons from logging in. When designing password rules, the state of the art as published by the Federal Office for Information Security (BSI) must be followed. A password should not be shorter than 8 characters; the longer the password and the larger its character set, the harder it is to guess. Passwords must not be ones that simple dictionary or brute-force attacks can recover, and they must not be derived from information about the person (name, date of birth, etc.).
Data access control
Data access control is intended to ensure that only authorized persons can access data, so that unauthorized persons cannot read, change, copy or remove it.
Possible solutions for companies include, for example, certificate-based access authorization, an authorization concept (who may access which data with which rights, documented and regularly reviewed), secure interfaces, etc.
In addition, the separation requirement must be observed: personal data collected for different purposes must be processed separately from one another (e.g. separate databases or tenants, or at least separate access rights).
Transfer control
This is primarily about the electronic transfer of personal data. Here, too, unauthorized third parties must be prevented from reading, copying, changing or removing the data during transport or while it is stored on a data carrier. Encryption and virtual private networks (VPNs) are two examples of secure data transfer. Even if information is passed on via USB sticks, it can be protected by encrypting the stick so that only authorized persons who hold the key or password can read it.
Input control
If entries and changes are logged, it can later be proven who entered, changed or removed data, and who interfered with a data transmission. It must also be defined who is authorized to read or change the log itself; a log that its own subjects can edit proves nothing, so it should be write-protected and kept separately from the systems it records.
Order control
Personal data must only be processed in accordance with the controller's instructions. Compliance can be checked, for example, by random sampling. Controller and processor must take measures to ensure that personal data is only processed on instruction. The organizational measure consists of drafting and signing data processing agreements in accordance with Article 28 GDPR, which must in particular contain the content required by Article 28(3) GDPR.
Availability and resilience
These measures are intended to ensure that personal data is protected against accidental destruction or loss and that the processing systems can be restored after an incident.
Availability includes, among other things, an uninterrupted power supply. This can be ensured, for example, by a diesel generator that takes over as an emergency generator and supplies the electricity required. An uninterruptible power supply (UPS) with lithium-ion batteries is more environmentally friendly and bridges the gap until the generator starts.
If the systems are under excessive load, load peaks can be offloaded to an external provider under a suitable service contract (e.g. cloud capacity). The provider must comply with the applicable data protection regulations and offer a level of data protection that meets the requirements of the GDPR.
Malware protection that corresponds to the state of the art is essential to ward off attacks. An attack can paralyze the entire IT, causing immense material damage and even reputational damage; regular, tested backups are what allow the data to be restored afterwards.
Choose a suitable, lockable location for storing physical data media. The key must be accessible only to very few people, and who holds it must be recorded in writing. For the disposal of personal data, data bins are a good alternative to special shredders: an external service provider disposes of the contents of the data bins and should be bound by contract to a secure destruction process.
Redundancy is very important in critical IT systems (redundant servers, storage and network paths), and technical and organizational measures must be taken to achieve it and to test it regularly.
Procedures for periodic review, assessment and evaluation
A traffic light system can serve as a recommendation for action: it shows the stage each of the measures mentioned has reached and which ones urgently need improvement. Even an Excel table listing insufficient technical and organizational measures can be a useful aid. It is essential to review these assessments regularly and to update or adapt them accordingly.
Pseudonymization means processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information (Article 4 No. 5 GDPR). Pseudonymization is not always required, so check the requirements of the GDPR for the processing in question. One way to implement it is through a trusted third party (TTP), a third party that both sides trust. The TTP assigns the pseudonyms, keeps the mapping between pseudonyms and identities separately from the data, and makes it available when necessary. In this way personal data can be re-identified in a controlled manner, for example to restore records after a technical incident.
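The TTP scheme just described, as an added example that is not code from the original article: a keyed pseudonym derivation in Go, where the secret and the re-identification table are held only by the TTP object and the processing system sees pseudonym plus payload. The names, the secret, the patient records and all type and function names are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// TrustedThirdParty is a minimal model of the TTP: it alone holds the secret
// used to derive pseudonyms and the table that maps them back to identities.
type TrustedThirdParty struct {
	secret []byte
	table  map[string]string // pseudonym -> original identifier
}

func NewTrustedThirdParty(secret []byte) *TrustedThirdParty {
	return &TrustedThirdParty{secret: secret, table: map[string]string{}}
}

// Pseudonymize derives a deterministic pseudonym as HMAC-SHA256(secret, identifier).
// The same person always gets the same pseudonym, so records stay linkable;
// without the secret an outsider cannot reproduce it from a guessed name,
// which a plain unkeyed hash of the name would allow (dictionary attack).
func (t *TrustedThirdParty) Pseudonymize(identifier string) string {
	mac := hmac.New(sha256.New, t.secret)
	mac.Write([]byte(identifier))
	pseudonym := hex.EncodeToString(mac.Sum(nil))
	t.table[pseudonym] = identifier
	return pseudonym
}

// Reidentify is the "additional information" of Art. 4 No. 5 GDPR in action:
// only the TTP, which keeps the table apart from the data, can reverse a pseudonym.
func (t *TrustedThirdParty) Reidentify(pseudonym string) (string, error) {
	id, ok := t.table[pseudonym]
	if !ok {
		return "", errors.New("unknown pseudonym")
	}
	return id, nil
}

// PatientRecord is what the processing system stores: pseudonym and payload,
// but no directly identifying attribute.
type PatientRecord struct {
	Pseudonym string
	Diagnosis string
}

// PseudonymizeDataset passes raw records (name -> diagnosis) through the TTP
// and returns the dataset the processing system is allowed to see.
func PseudonymizeDataset(ttp *TrustedThirdParty, raw map[string]string) []PatientRecord {
	out := make([]PatientRecord, 0, len(raw))
	for name, diagnosis := range raw {
		out = append(out, PatientRecord{Pseudonym: ttp.Pseudonymize(name), Diagnosis: diagnosis})
	}
	return out
}

func main() {
	// Constructed sample data; in production the secret comes from the TTP's key store.
	ttp := NewTrustedThirdParty([]byte("ttp-secret-key-replace-in-production"))
	raw := map[string]string{
		"Max Mustermann":   "Diagnosis A",
		"Erika Musterfrau": "Diagnosis B",
	}
	for _, rec := range PseudonymizeDataset(ttp, raw) {
		fmt.Printf("%s... %s\n", rec.Pseudonym[:12], rec.Diagnosis)
	}
	// Later, e.g. to restore a record after an incident, only the TTP can re-identify:
	p := ttp.Pseudonymize("Max Mustermann")
	name, _ := ttp.Reidentify(p)
	fmt.Println("re-identified by TTP:", name)
}
```

The practical check this encodes: a pseudonym must be reproducible by the TTP (so records can be linked) but not by anyone without the secret, and the table must never be stored next to the pseudonymized data, otherwise the data is merely labelled, not pseudonymized.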
When personal data is deleted, either complete destruction or anonymization is required. Anonymized data can usually no longer be restored and therefore no longer falls under the GDPR, as it no longer has any personal reference. In anonymization, personal data is changed in such a way that it can no longer be attributed to a natural person, or only with a disproportionate amount of time, money and manpower.
Encryption offers a middle way between pseudonymization and anonymization. A key exists to restore the original data, but no pseudonyms are used. In concrete terms, the encrypted data is meaningless without the key, because the text has been transformed into illegible character strings. For example, you can make data on a shared computer unreadable for other users. Information stored on mobile devices does not fall into the wrong hands, and if a mobile storage medium is lost, the encrypted data is unusable to the finder, provided the key is not stored on the same medium.
Historically, encryption was achieved by monoalphabetic substitution, in which the letters of the text are exchanged for other letters according to a replacement table. This system is obsolete and insecure, because the letter frequencies and word lengths of the plaintext survive the substitution and allow an attacker to recover the table. Today the common method is the Advanced Encryption Standard (AES), preferably in an authenticated mode such as AES-GCM, which also detects tampering with the ciphertext. Other algorithms are also considered secure.
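As an added example that is not part of the original article, the following Go program puts the two methods side by side: a monoalphabetic substitution, where the most frequent ciphertext letter immediately reveals which symbol stands for E, and AES-256-GCM from Go's standard library, where a random nonce makes repeated encryptions of the same text differ and a single flipped bit is rejected on decryption. The substitution table, the sample message and the in-memory key handling are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// SubstitutionTable is an example monoalphabetic key: plaintext A maps to the
// first letter of the table, B to the second, and so on.
const SubstitutionTable = "QWERTYUIOPASDFGHJKLZXCVBNM"

// Substitute applies a monoalphabetic substitution to the upper-cased text.
// Non-letters pass through unchanged, so word lengths leak; letter frequencies leak too.
func Substitute(plaintext, table string) string {
	var b strings.Builder
	for _, r := range strings.ToUpper(plaintext) {
		if r >= 'A' && r <= 'Z' {
			b.WriteByte(table[r-'A'])
		} else {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// MostFrequentLetter returns the letter occurring most often in s (ties go to
// the alphabetically smaller letter). This is the first step of a frequency attack.
func MostFrequentLetter(s string) rune {
	counts := map[rune]int{}
	for _, r := range strings.ToUpper(s) {
		if r >= 'A' && r <= 'Z' {
			counts[r]++
		}
	}
	best, bestCount := rune(0), 0
	for r := 'A'; r <= 'Z'; r++ {
		if counts[r] > bestCount {
			best, bestCount = r, counts[r]
		}
	}
	return best
}

// EncryptGCM encrypts with AES-256-GCM. Output is nonce || ciphertext || tag;
// the fresh random nonce makes two encryptions of the same plaintext differ.
func EncryptGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptGCM reverses EncryptGCM and fails on any modification of the data.
func DecryptGCM(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:aead.NonceSize()], data[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	msg := "THE ENCRYPTED TEXT KEEPS EVERY LETTER FREQUENCY OF THE MESSAGE" // constructed sample
	sub := Substitute(msg, SubstitutionTable)
	fmt.Println("substitution:", sub)
	fmt.Printf("most frequent letter: plaintext %c, ciphertext %c (table maps E to %c)\n",
		MostFrequentLetter(msg), MostFrequentLetter(sub), SubstitutionTable['E'-'A'])

	key := make([]byte, 32) // AES-256 key; in production it lives in a KMS/HSM, never beside the data
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	ct, err := EncryptGCM(key, []byte(msg))
	if err != nil {
		panic(err)
	}
	fmt.Printf("AES-GCM: %d plaintext bytes -> %d bytes (12 nonce + 16 tag)\n", len(msg), len(ct))
	ct[len(ct)-1] ^= 0x01 // flip one bit: the integrity check rejects it
	if _, err := DecryptGCM(key, ct); err != nil {
		fmt.Println("tampered ciphertext rejected:", err)
	}
}
```

Running it shows the point of the paragraph: the substituted text still has one dominant letter (the image of E), so the table can be recovered from statistics alone, while the AES-GCM output carries no such structure and refuses to decrypt after a single-bit change.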
When implementing the TOMs, expert advice should always be sought because, for example, with monitoring devices, especially video surveillance, the data protection requirements and the possible co-determination rights of the works council must be observed.
Finally, a principle of proportionality applies to the technical and organizational measures under Article 32 GDPR: personal data must be protected appropriately to the risk, taking into account the state of the art, the cost of implementation and the nature, scope and purposes of the processing. There cannot be absolute protection. Protective measures can only reduce risks, not eliminate them.
You have not yet implemented technical and organizational measures in your company, or need support with the documentation? We are glad to help. Simply contact us via our contact form.
Thomas Greiner is an information security manager and auditor according to ISO 27001 (TÜV Austria) and completed his degree in "Secure Information Systems". Thomas Greiner brings several years of IT experience from nationally and internationally operating companies and groups.
He now supports our customers in all topics in the area of IT security, cyber attacks and IT risk management, as well as in all technical and organizational matters of information and IT security. As a TÜV-certified TISAX® consultant, he guides our customers from the automotive industry in preparation for a successful TISAX® audit.