π‘ If you haven't implemented TOMs yet, feel free to use Secfix template and tailor it according to your organization. You'll find the template under your Shared Drive or ask your Customer Success Manager.
The European Union's General Data Protection Regulation (GDPR) mandates organizations to fortify data security and guarantee optimal data privacy.
According to Art. 32 GDPR, companies must take technical and organisational measures (TOMs) to ensure an adequate level of protection, taking into account the state of the art, the costs of implementation, the purposes of the processing and the likelihood or severity of the risks to the data subjects.
What's included in TOMs?
For Confidentiality:
Access control 1: Limit data access to necessary personnel.
Access control 2: Secure areas processing personal data.
User control: Ensure system users authenticate, preventing unauthorized usage.
For Availability & Integrity:
Data carrier & memory control: Guard against unauthorized access and modifications.
Transport control: Secure data during transfers.
Recovery: Restore data post incidents.
Availability & reliability: Ensure data's consistent availability, prompt malfunction reporting, and data safeguarding against system errors.
System security: Maintain up-to-date software and address vulnerabilities.
For Traceability:
Input control: Monitor data entries and modifications.
Disclosure control: Track shared data and its recipients.
Detection & elimination of data security breaches: Promptly detect and address data security breaches.
How to implement TOMs
When implementing TOMs, you should conduct a risk analysis to determine the protection level and decide which measures to prioritize.
Steps to Implement TOMs:
Appoint a coordinator, like a data protection advisor.
Assess vulnerabilities using the suggested measures, ensuring adherence to the Privacy by Default principle.
Collaborate with IT and relevant departments to enhance data security through technical (like encryption) and organizational measures (like training).
Prioritize and oversee the measure implementation.
Periodically review and update TOMs.
Striving for continuous data security enhancement is more crucial than achieving an elusive perfect protection. While criminal sanctions are unclear, it's vital to demonstrate an ongoing commitment to data security enhancement to address potential complaints.