Technical data protection

Definitions and delimitation of technical data protection

The GDPR formulates both direct and indirect data protection goals. To achieve these protection goals, the existing data processing operations must be analyzed and, where necessary, measures must be taken to ensure that the goals are met.

In this context, the term "TOM" is commonly used; written out, it stands for technical and organizational measures.

Technical data protection refers to all measures that can be "physically" implemented.

Distinct from these are organizational measures, such as employee training or the creation of concepts and processes, for example segregation of duties, the 4-eyes principle or work instructions.

Technical data protection according to the old BDSG

In the old Federal Data Protection Act, technical data protection was primarily based on §9 BDSG, which obliged every body that processes, collects or uses personal data to take protective measures. It was divided into the following areas:

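  • Physical access control (Zutrittskontrolle)
  • System access control (Zugangskontrolle)
  • Data access control (Zugriffskontrolle)
  • Transfer control
  • Input control
  • Job control
  • Availability control
  • Separation requirement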

The so-called principle of proportionality was already anchored at that time, according to which technical data protection must always be considered in relation to data processing. The General Data Protection Regulation abandoned the above-mentioned subdivision in favor of the new data protection goals.

Technical data protection according to GDPR

The basis of technical data protection today is primarily Art. 32 GDPR, which stipulates that the person responsible or processor must take technical and organizational measures, taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing as well as the different probability of occurrence and severity of the risk for the rights and freedoms of natural persons in order to ensure a level of protection appropriate to the risk.

The requirements for technical data protection are formulated in a much more abstract manner and have been aligned with the terminology of information security.

Additional protection goals that are specific to data protection can be read from both the old BDSG and the GDPR. These are also described in the standard data protection model 2.0 of the German data protection supervisory authorities. Technical data protection measures can and must also support the achievement of these protection goals. The protection goals are in detail:

Transparency

Transparency is intended to ensure that the person responsible for data processing, as well as the data subject and supervisory authorities, are able to understand the processing carried out and thus create auditability. This is a major challenge, especially in modern AI applications in the field of deep learning, since it is often not possible to explain and understand how algorithms calculate their outputs.

Unlinkability

This is intended to guarantee that no connection can be established between two different objects. An example of what it is meant to prevent is the merging of data about a data subject that was collected for different purposes or by different controllers.

Intervenability

Intervenability is intended to ensure that data subjects are able to enforce their data subject rights, in particular the correction, deletion and restriction of the processing of their data. Challenges often arise here when deleting data records in databases, which many legacy systems do not provide for. In addition, there are friction points when using blockchain technology, which "by design" does not provide for any change (retrospective correction of previous data) or deletion of data.

These protection goals can be derived, among other things, from the principles of "privacy-by-design" and "privacy-by-default" in Art. 25 GDPR and from the data protection principles set out in Art. 5.

Technical means can also make an important contribution to data protection by means of suitable settings on the part of the person concerned. These technologies are also known under the keyword "Privacy Enhancing Technologies".

Measures for implementation

Many technologies are already available to companies today to implement technical data protection. Some essential measures for companies are briefly presented below:

Encryption of communication connections using TLS

To prevent data from being intercepted or manipulated unnoticed in transit, the TLS protocol is normally used today as a technical data protection measure. The current version of the TLS protocol is version 1.3, which also has some other privacy-friendly properties. Among these is "Perfect Forward Secrecy": new keys are negotiated for each new connection between client and server, so that even if one key is compromised, the communication as a whole cannot be decrypted.

Encryption in general

Encryption can be used to ensure that personal data or information is protected from unauthorized access. This applies both to the transmission path (in-transit) and during storage (at-rest).

As computers become more powerful, it is necessary to check regularly whether encryption methods can still be considered secure.

A major challenge in the field of asymmetric cryptography will also be the development of quantum computers.

Enforcement of strong passwords or 2-factor authentication

Weak passwords are often the cause of data breaches or are involved at least at one point in an attack chain.

Password policies can be enforced by technical means to prevent users from choosing passwords that can be easily cracked using or rainbow tables. This is all the more important as experience shows that users cannot be motivated to make their passwords secure by suggestions and organizational instructions alone.

The data protection authorities have also recognized the importance of secure passwords and have issued guidelines for securing telemedia services, which largely deal with the topic of "secure passwords".
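The technical enforcement of a password policy described above could look like the following sketch. It is an added example, not code from the article: the minimum length, the blocklist entries, the PBKDF2 work factor and all function names are assumptions. The password is rejected at the moment it is set, and accepted passwords are stored with a per-user salt so that precomputed (rainbow) tables do not apply.

```python
import hashlib
import hmac
import os
from typing import List, Tuple

MIN_LENGTH = 12          # assumed policy value, not taken from the article
PBKDF2_ROUNDS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256
# Constructed sample; a real deployment loads a large breached-password list.
BLOCKLIST = {"password1234", "qwertz123456", "summer2024!!"}


def policy_violations(username: str, password: str) -> List[str]:
    """Return the policy rules the candidate password breaks (empty = ok)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if password.lower() in BLOCKLIST:
        problems.append("known_weak")
    if username and username.lower() in password.lower():
        problems.append("contains_username")
    if len(set(password)) < 5:
        problems.append("low_variety")
    return problems


def set_password(username: str, password: str) -> Tuple[bytes, bytes]:
    """Enforce the policy, then derive the (salt, digest) pair to store."""
    problems = policy_violations(username, password)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    salt = os.urandom(16)  # unique salt per user defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)
```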

If there is a high need for protection for data in a system, security can be significantly increased again by using and enforcing 2-factor authentication as a technical data protection measure. A large selection of technical measures, such as time-based one-time passwords or hardware tokens, are available for this purpose.

Mobile Device Management

The use of mobile work devices such as tablets and smartphones, but also notebooks, is becoming increasingly popular. However, these devices also pose a particular challenge in the area of technical data protection. They can be company devices, but also private devices used in a company context. By using so-called mobile device management solutions, it can be technically ensured that private data and company data remain separate from each other.

MDM can also help to protect against malware by regulating which applications can be installed on the device at all. This also prevents employees from installing applications that then pass on company-internal contact data to unauthorized persons (e.g. WhatsApp) - employees are often not even aware of these processes in the background when installing applications.

Backups

In order to ensure the availability of data, it is necessary to make regular backups. Technical backups should always be accompanied by an organizational concept that regulates how the appropriate backup parameters are to be developed. This is the only way to ensure that technical backup measures can develop the planned effectiveness if necessary.

Network traffic analysis and control

The analysis and control of network traffic, including through network separation, can support compliance with data protection regulations as a technical data protection measure. The division into different security areas can ensure that people only have access to the resources that are required for their work. If necessary, it can also be ensured that different persons responsible in a physical network can work logically separately from one another.

Analysis measures can additionally detect attacks as well as data leaks, which can then be prevented by further technical data protection measures. Here, too, it is important that technical measures are accompanied by organizational measures, since automated analyses of network traffic in particular can only be effective if it is regulated who evaluates reports and how to proceed.

Identity and access management

With the help of technical data protection measures for identity and access management, the company can ensure that only authorized persons have access to personal data. Identity and access management solutions rely on state-of-the-art identification, authentication and authorization measures.