Users of the standard data protection model will be able to try out the first modules of a comprehensive catalogue of measures related to topics such as storage, erasure, recording, etc. in practice.
The data protection supervisory authorities of the German states and the federal government (DSK – Data Protection Conference) use the term Standard Data Protection Model (SDM) to describe a model that makes it possible to systematically verify compliance with the statutory requirements relating to the handling of personal data and to check that those requirements have been implemented appropriately. The method is based on key warranty objectives such as availability, confidentiality, integrity, and transparency, which are implemented through technical and organizational measures. The SDM is aimed in particular at controllers, who can use it to systematically plan, implement, and continually monitor the necessary functions and protective measures.
A catalogue of measures with specific requirements to ensure that these objectives are met is a key element of the Standard Data Protection Model. The catalogue (Chapter 7 of the SDM) consists of various modules on issues relating to data protection law. The first modules have now been published by the relevant working group. The Hessian Commissioner for Data Protection and Freedom of Information, the State Commissioner for Data Protection and Freedom of Information of Mecklenburg-Western Pomerania, the Saxon Commissioner for Data Protection, the Independent State Centre for Data Protection of Schleswig-Holstein, and the Commissioner for Data Protection of the Protestant Church in Germany participated in developing the modules.
The following modules were published (in German):
- Data Protection Management
- Planning / Specifications
- Erasing and Destroying
The modules contain specific technical and organizational reference measures for meeting the data protection objectives relevant to each topic, such as confidentiality, integrity, and data minimization. The individual options for action are assigned to categories depending on whether the respective measure must be taken at the data, system, or process level. In addition to a detailed description of the individual measures to be taken, the modules also contain summaries in the form of lists and references to additional documents, such as statements by the Federal Office for Information Security (BSI) or the DSK, and DIN and ISO standards.
The authors of the newly developed modules expressly point out that the modules have not yet been adopted by the DSK. The aim of this first publication is to give users specific recommendations for measures that they can try out in practice. The supervisory authorities recommend that users share their experiences from implementing the modules with the authors, so as to contribute to the continued development of the methods and measures.
Practical tip for companies:
Even though the modules have not yet been coordinated with the DSK, they have nevertheless been drafted by four data protection supervisory authorities and thus reflect the provisional opinion of the supervisory authorities on the respective issues. For this reason, it is advisable to apply the SDM catalogue of measures: companies should review the technical and organizational measures they have taken against the recommendations set out in the SDM and adapt them where necessary. In addition, companies should monitor the publication of the remaining modules of the catalogue of measures.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.