The DSGVO (GDPR), which has applied since May 2018, carried over the BDSG's rules on technical and organizational measures (TOMs), but gives them considerably more weight. The measures are meant to define suitable processes and to describe how to proceed in the event of a data protection violation, so that a proper data protection management system is in place. It follows that the more serious the risk of a violation (for example where very sensitive data is processed), the more detailed and extensive the processes and their documentation must be. It is always advisable to consult the responsible data protection officer.
What do the technical and organizational measures consist of?
The core of the technical and organizational measures is to guarantee the lawful and appropriate processing of personal data. It is therefore important to record who has physical access to the premises and systems, who can log on to them, and who is allowed to access which data. Processes such as the recovery of data after a loss must also be defined meticulously. In general, precautions must also be taken, depending on the circumstances, to ensure that data is encrypted and pseudonymized during processing and that its integrity and confidentiality are guaranteed at all times. For this purpose the technical and organizational measures are divided into control categories: physical access control (Zutrittskontrolle), system access control (Zugangskontrolle), data access control (Zugriffskontrolle), transfer control, input control, processor (order) control, availability control and separation control. The purpose of each of these controls is to make data processing fully documented and controllable. All of this closely resembles an IT security concept, since many TOM components are implemented digitally.
What happens if you disregard it?
As with other infringements, companies are fined. The amount depends, of course, on the seriousness of the offense, but the maximum penalty is 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Since the supervisory authorities expect that implementing the technical and organizational measures will take time, it can be assumed that a first finding will often result only in a warning, together with a suitable deadline for implementation.