Implementing TOM under GDPR can be so simple!
A significant majority of companies in German-speaking regions have yet to fully implement GDPR, lagging behind in achieving data security and protection goals. We have summarised the key steps needed to comply.
According to a BITKOM study, only 25% of companies in Germany have fully implemented the General Data Protection Regulation (GDPR). A similar situation is observed in Austria and Switzerland. With the unification of penalty guidelines in October, fines running into millions are now possible. It’s high time to act if you haven’t yet introduced appropriate measures for GDPR-compliant communication.
GDPR measures: open to interpretation
Fines resulting from GDPR violations are just one aspect. Most penalties follow incidents such as hacking or other forms of cybercrime, with damages in Germany exceeding €100 billion in the past two years alone. Here’s what you need to know to become GDPR-compliant.
The term "open to interpretation" aptly summarises much of GDPR. Even regarding specific technical and organisational measures, the regulation only provides clarity in two instances. For the rest, ambiguities in scope and definitions persist.
Measures according to Article 32 of the GDPR
Article 32 of GDPR outlines measures to ensure data processing security. However, these are not explicit instructions but rather data protection objectives. This lack of specificity often leaves companies uncertain about their legal standing. Moreover, the GDPR allows organisations discretion in determining the type and number of technical and organisational measures they implement – a situation not unlike the old Federal Data Protection Act.
The decisive factor in GDPR compliance is the risk posed by your data processing activities to affected individuals. The greater the risk, the more you must invest in data protection and security. It is therefore advisable to implement as many GDPR measures as possible.
Measures remain a topic of debate
When selecting technical and organisational measures, the law requires organisations to consider the state of the art and the costs of implementation. These somewhat vague terms continue to fuel debates among legal experts, with ongoing discussions about what constitutes appropriateness concerning state-of-the-art practices and proportional implementation costs. Since GDPR’s introduction, legal professionals have been working to clarify these undefined legal terms.
State of the art
The term "state of the art" refers to deploying technologies that are well-established, market-available, proven effective in practice, and provide an adequate security standard.
For example, SSL/TLS certificates in e-commerce are now standard practice, ensuring that personal data transmitted via order forms or login pages is encrypted in transit. However, "state of the art" does not include newly developed technologies that have not yet been thoroughly tested in practice.
It is also important to note that the state of the art is not static. As technology evolves rapidly, once-reliable measures may reveal significant weaknesses over time. Examples include the WPA2 security vulnerability in previously robust Wi-Fi encryption and the Meltdown and Spectre processor security flaws.
To maintain the state of the art, outdated security measures must be replaced, regularly reviewed, and adjusted as needed. An IT security check or an IT infrastructure analysis can help you assess the current state of your company’s IT systems.
Implementation costs
Under EU data protection law, the financial cost of implementing and integrating measures must not exceed the improvement in data protection achieved. In practical terms, this means: the higher the risk associated with your data processing activities, the higher the justified implementation costs.
For high-risk data security situations, the argument that a measure is too expensive is invalid.
Sensitive data may require relatively costly measures. However, if a measure is expensive but provides only marginal improvements to data protection and security, it is not necessarily mandatory. Therefore, costs and benefits must be carefully balanced.
Use standards for data protection and security
Your organisation can address the technical and legal uncertainties arising from GDPR by adopting internationally recognised information security standards, such as ISO 27002.
These security standards can guide you in developing appropriate technical and organisational measures. However, standardised criteria must still be tailored to individual cases. At the very least, these standards act as a roadmap, helping you avoid duplicating security measures for the same objective.