Everything under control?
The technical-organizational measures (TOMs)
The GDPR makes a whole series of technical and organizational measures (TOMs) mandatory for every provider and processor of digital services. Not all of them are new; many are provisions that already existed in national data protection laws. As a rule, they are control measures, and they must also be documented and certified. Here are the ten most important TOMs now included in the GDPR requirements:
1. Physical access control: Unauthorized persons must be kept away from all facilities used for data processing.
2. Access control: It must be ensured that employees only have access to the data covered by their access authorization.
3. Data carrier control: It must be ensured that data cannot be read, changed or deleted without authorization.
4. Transport control: Personal data must remain confidential and intact during transmission or during the transport of data carriers.
5. Storage control: The provider must ensure that no data can be entered, changed or deleted without authorization.
6. User control: Any use of automated processing systems by unauthorized persons must be excluded.
7. Transfer control: For all personal data, it must be ensured that it is only made available to those bodies that are authorized to have knowledge of it.
8. Input control: It must be possible to determine after the fact which user entered or changed which data, and that record must be permanent.
9. Order control: It must be ensured that data processed on behalf of a client is only processed in accordance with the client's instructions.
10. Availability control: Personal data must be securely protected against destruction or loss.
In addition, there are some technical and organizational requirements that relate to the properties of the systems used:
1. Recoverability: In the event of a technical failure, it must be possible to restore the data without errors.
2. Reliability: All functions of a data processing system must be available without interruption; any malfunctions that occur must be reported.
3. Integrity: It must be ensured that data cannot be altered or damaged by technical malfunctions.
4. Separability: The provider must ensure that data collected for different purposes can also be processed separately.
The certified data protection officers at b.r.m. will be happy to assist you with the implementation of the newly required technical and organizational measures (TOMs):