Technical and organisational measures to keep data safe

GDPR puts the burden of keeping people’s personal data safe squarely on the shoulders of the companies that collect and store it. That means you! The regulation does not specify exactly what measures you need to do to keep data secure and GDPR ready. Instead, it repeatedly admonishes companies to keep data safe with appropriate technical and organisational measures. These technical and organisational measures are sometimes called TOMs.

GDPR mentions appropriate technical and organisational measures a whopping 92 times across its many articles, but without strictly defining them. This ambiguity in the language around TOMs leaves it up to your company to decide what are the right safety measures for you. In turn, your local data protection agency will have the final say whether your TOMs are adequate.

Certainly, the best ways to keep data safe can vary depending on your company and how you collect and use data. Further, best practices can change quickly as new technologies (and new threats) emerge. That being said, you must not let any uncertainty or confusion keep you from taking action now. While regulators do give you some freedom in this department, they will not tolerate a lack of security and preparation. So, let’s talk about TOMs and how to choose the right ones.

Technical measures include all security you set up using tools, software and hardware. Here are a few common technical measures to keep personal data safe that you can set up as a company:

• Encryption
• Firewalls
• Antivirus software
• Passwords and password managers
• System backups and updates
• Two-factor authentication
• Pseudonymisation of personal data
• Alarms and locks on your office, desk, physical files or devices

First, perform a risk assessment to determine how sophisticated your technical measures need to be. Take into consideration the amounts of personal data you collect and store, how sensitive it is, and long you keep it. Of course, you will also need to take into account your budget. For example, a small carpentry business may only store basic customer information in order to provide them services. Therefore, it will not need (and probably cannot afford) the same tech as large enterprises, medical providers or financial institutions that collect highly sensitive data. However, all companies need security tools that cover the areas above.

Organisational measures include any company policies, practices and procedures that protect data. Here are some organisational measures you can use to protect personal data:

• Employee training
• Updating privacy policies
• Performing risk assessments (DPIAs)
• Drafting and enforcing data retention policies
• Implempenting strong access control policies
• Self-auditing and monitoring of storage and systems
• Habit-based procedures like closing and powering off computers

Note that you may use also technology to schedule, automate and monitor these practices. Likewise, your policies and training should cover how to use and maintain your security software properly. Therefore, it’s fair to say that there is plenty of crossover between which measures are technical and which are organisational.

Together, your technical and organisational measures should cover the following areas to satisfy GDPR and be considered adequate:

• Prevent loss and destruction of personal data.
• Limit the personal data you collect to only what is necessary.
• Keep personal data safe and available to those who need it, and no one else.
• Make personal data unreadable to any unauthorised persons who access it.
• Protect people’s rights (for example, when they make data access requests).
• Restore personal data in the event of a a physical or technical incident.
• Allow you to regularly review, assess and evaluate your own practices.

Make sure your TOMs cover the above areas in a way that is appropriate for your company and your data processing activities. Additionally, you must document the TOMs you use. This demonstrates compliance and it can reduce liability in case you fall victim to a data breach or personal data exposure.

When choosing which technical and organisational measures are right for your company, consider:

• How much personal data you store
• Its level of sensitivity and risk
• How long you store personal data
• Your company’s budget and resources

At Safe Online, we develop GDPR compliance tools that integrate the technical and the organisational aspects of data protection. In essence, they are TOMs that  simplify and automate your most important GDPR tasks, while protecting personal data with the highest level of security, plus documentation to demonstrate compliance. They make it easy to monitor your compliance and keep your policies up to date. At the same time, they raise security awareness across your whole team. They are simple, easy to use, and priced for small businesses.

1. Automate data storage monitoring.
2. Get tools for secure data sharing
3. Get a platform to handle DSARs.

If you have questions about what technical and organisational measures are right for your company, we’d be happy to help you with a free analysis of your company’s needs.