The GDPR, in force since May 2018, adopted the provisions of the BDSG on technical and organizational measures (TOM). Under the GDPR, however, these measures gain further importance. They are meant to define suitable processes and describe how to proceed in the event of a data protection violation, so that proper data protection management is established. It follows that the more serious the risk of a violation (for example, where very sensitive data is processed), the more detailed and extensive the processes and their documentation must be. Consulting the responsible data protection officer is always advisable.
What do the technical and organizational measures consist of?
The key purpose of the technical and organizational measures is to guarantee the lawful and appropriate processing of personal data. It is therefore important to record who has physical access to the systems and who has access to the various data. Processes such as restoring data after a loss must also be defined meticulously. In general, and where the circumstances require it, precautions must be taken to ensure that data processing uses encryption and pseudonymisation and that the integrity and confidentiality of the data are maintained at all times. The technical and organizational measures are therefore divided into different control categories: physical access control, data access control, transfer control, input control, order control (control of commissioned processing), availability control and separation control. Each of these controls serves to document and control data processing without gaps. All of this closely resembles an IT security concept, since many TOM components are implemented digitally.
What happens if they are disregarded?
As with other violations, companies are punished with fines. The amount depends, of course, on the severity of the offense, but the maximum fines are 20 million euros or 4% of annual sales, whichever is higher. However, since the supervisory authorities expect the implementation of the technical and organizational measures to take time, it can be assumed that initially only a warning will be issued, together with a suitable deadline for implementation.