Manage technical and organisational measures (TOMs)

Data protection and data security are directly related. One way of analysing the data security of an organisation is to look at the technical and organisational data security measures that have been implemented.

Background

According to Article 32 GDPR, the controller must take appropriate protection measures:

"Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:"

In concrete terms, this means that the data security in the organisation must be analysed and suitable technical and organisational measures must be taken in order to implement data security in practice.

According to Art. 32, the implementation of data security includes the following measures, among others:

  • the use of pseudonymisation of personal data
  • the use of encryption in the storage and transmission of personal data
  • the use of state-of-the-art technical security measures
  • the sensitisation of employees on the subject of data security


In the current version of the Robin Data ComplianceOS®, the analysis can be performed along predefined, industry-specific checkpoints in relation to the technical and organisational measures taken by the organisation.

Manage technical and organisational measures (TOMs)

  1. In the main menu, click on Compliance: A dropdown menu opens.
  2. In the dropdown menu, click on Technical-organisational measures (TOM): The table view opens.
In the table view, you can see the overview of the TOMs that have already been created. The general functionality of the table view is described in the article Using the table view.

Import technical and organisational measures (TOMs)

  1. In the main menu, click on Compliance: A dropdown menu opens.
  2. In the dropdown menu, click on Technical-organisational measures: The table view opens.
  3. Click on the button +TOMs: A slider opens.
  4. Mark the checkboxes of the TOMs you want to import.
  5. Click on Import: The TOMs have been imported.

Data areas in the slider



The slider has the following data areas:

  • Industry: Select the industry that applies to your company from over 350 available industries 
  • Category: Select the category that applies to the TOM you are looking for from the available categories to filter the table
  • Search: Use the search to look for TOMs from your company
  • Table: 
    • Checkboxes: In the table, you will find a checkbox in the first column that allows you to select TOMs
    • Title: In the column "Title" you will find the TOMs
  • Show all / Show non-existent: If you have already imported TOMs, you can hide them from the table by toggling the button to "Show non-existent"
  • Import: By clicking on "Import", the TOMs selected via the checkboxes in the table are transferred to your data protection documentation.

Are you a Robin Data client and missing a TOM in our database?

Robin Data will create missing TOMs on request for clients. In this case, please contact us via support@robin-data.io and briefly describe the missing Technical-Organisational Measure.

Create technical and organisational measures (TOMs)

  1. In the main menu, click on Compliance: A dropdown menu opens.
  2. In the dropdown menu, click on Technical-organisational measures: The table view opens.
  3. Click on the button +Technical-organisational measures: A slider opens.
  4. In the slider, click on the button +TOMs: A quick start input mask opens in which the title can be recorded.
  5. Fill out the fields of the quick start input mask.
  6. Click on Edit: An input mask opens.
  7. Fill out the input fields in the input mask.
  8. Click on Save: The TOM is created.

Note

If you select Without edit in the quick start window, the TOM is saved in the table view without any further details, and can be edited at a later time. 

Data areas of the input mask


The left form area has the following data areas:

  • Document ID: Assign a document ID to the processing activity. Document IDs serve to mark and identify documents uniquely across the system (more information on the help page "Documented Information").
  • Data area specification: In this area you will find the checkpoint of the TOM and information about the measure of the TOM. 

Data area: Specification

This data area has the following form fields:

  • Title: Enter a title for this TOM
  • Category: Enter a protection goal to which this TOM is assigned
  • Services used: Specify a service that is used in this TOM
  • Risk assessment: Assess the risk of this TOM to data security
  • Description of measures: Describe the actions you have taken to implement this TOM

Note

The data area "Services used" has been transferred to the Matcher Tab and can be edited there and viewed under Visualisation.

The right form area has the following data areas:

  • Matcher Tab: You can use the matcher to link documents (such as activities or technical and organisational measures) and view linked documents. The matcher can also be used to create additional documents that can be linked to the open record. For a more detailed explanation, see the article Use the matcher.
  • Status Tab: In this tab it is possible to manage the status of a document and to store notes about the erasure class.
  • Governance Tab: The Governance Tab is available in the same form in several documents in the Robin Data ComplianceOS®. It lets you record various basic parameters for the respective document. A more detailed explanation can be found in the article Manage Governance Content.
  • Attachments tab: In this tab you can add related documents by clicking the Add Attachment button.
  • External Links Tab: In this tab you can link related information using the Add external link button.

Note

The functions of the former Activities tab have been integrated into the Matcher tab. The Matcher can be used to create activities and link them to records.

Data area: Status & Release

In this data area it is possible to manage the status of a document and to map the release procedure of the document.

  • A TOM is usually created by one person, for example the employee of a specialist department
  • In addition to this person, another person should check whether this TOM is appropriate. This could be the data protection officer, for example
  • At the end of the chain, the TOM must be officially released. This can be done, for example, by the supervisor

This data area has the following form fields:

  • Status: Indicate the current processing status of the TOM
  • Created by: Indicate the person who created this TOM
  • Created on: Enter the date on which the creation of this TOM was completed
  • Tested by: Enter the person who reviewed this TOM
  • Tested on: Enter the date on which the review of this TOM was completed
  • Release of: Enter the person who released this TOM
  • Released on: Enter the date this TOM was released for use
  • Notes: Make notes about the TOM.

Whitepaper with checklist, samples, templates and examples as PDF


In the whitepaper on Technical Organisational Measures you will find:

  • 43 examples for TOMs divided into confidentiality, integrity and other categories
  • 12 ready-made examples for your data protection documentation
  • Examples of technical AND organisational measures
  • Checklist to tick off the TOMs for your company
  • References to background information and relevant legal basis

For only 9,00 Euro*

* All prices plus statutory value added tax


Further questions? - We are here for you.

If you have any questions about the software, please contact our support team. You can reach us at support@robin-data.io.