Assistance from the standard data protection model and BSI IT-Grundschutz in data protection

Standard Data Protection Model (SDM)

The General Data Protection Regulation (GDPR) came into force on May 25, 2016 and, after a two-year transition period, applies throughout Europe. The regulation contains provisions for the protection of natural persons with regard to the processing of their personal data. To protect personal data, the GDPR requires appropriate safeguards in the form of technical and organizational measures that mitigate the risk to data subjects. Beyond this mitigation, the GDPR also requires a process for regularly reviewing, assessing and evaluating the effectiveness of those technical and organizational measures.

In order to take these requirements into account, the Conference of Independent Data Protection Authorities of the Federal Government and the Länder adopted a fundamentally revised version of the SDM, version 2.0b, on April 17, 2020. This means that the legal requirements of the GDPR are now fully covered by the SDM and systematized with the help of the assurance objectives. With the SDM, the Conference provides a tool to support the risk-adequate selection and legal assessment of the technical and organizational measures required by the GDPR.

Purpose of the SDM

The Standard Data Protection Model (SDM) is intended to lead to nationally coordinated, transparent and comprehensible consulting and auditing activities by the data protection authorities, and to give companies a tool with which they can set up and operate processes involving personal data in compliance with data protection requirements. The SDM is intended to make it possible to systematically verify both compliance with the legal requirements for handling personal data and the corresponding implementation of these requirements.

Assurance objectives of the SDM

The SDM bundles and structures the abstract legal requirements of the GDPR into assurance objectives. These assurance objectives support the transformation of the legal requirements into concrete technical and organizational measures.
The assurance objectives are based on the principles of Article 5 (1) (a) to (f) of the GDPR, in which the established protection goals of information security reappear. It should be noted that the protection goals are not to be viewed from the perspective of the company's organization; they always focus on the perspective of the data subject and on implementing the data protection requirements for the processing of personal data.

The SDM is based on the following seven protection goals:

Art. 5 para. 1 GDPR | Assurance objectives
(a) "… processed in a manner that is comprehensible to the individual […]."
  • Transparency
(b) "[…] are collected for specified, unique and legitimate purposes […]."
  • Unlinkability
(c) "[…] be limited to what is necessary for the purposes of processing."
  • Data minimization/data economy
(d) "[…] so that personal data which are inaccurate with regard to the purposes of the processing […] are erased or rectified without undue delay."
  • Intervenability
(f) "[…] protection against loss […] integrity and confidentiality."
  • Availability
  • Integrity
  • Confidentiality

Measures of the SDM

The SDM structures the data protection requirements and relates them to the defined assurance objectives. Corresponding reference measures are thus named and described for each of the seven assurance objectives. In total, the SDM defines 65 generic technical and organizational measures that have been tried and tested in the practice of the data protection supervisory authorities for many years. Assigning measures to the assurance objectives enables a meaningful structuring of data protection requirements and their systematic implementation.
In addition, there are further generic building blocks which are to be released successively by the data protection conference. These building blocks specify individual data protection issues and explain how they are implemented. The existing building blocks on data protection management (80), planning/specification (41), documentation (42), logging (43), separation (50), deletion and destruction (60), and retention (11) were developed and published by the "SDM Building Blocks" sub-working group, consisting of the supervisory authorities of Hesse, Mecklenburg-Western Pomerania, Saxony, Schleswig-Holstein, and the Evangelical Church in Germany, in order to test the SDM method. It should be emphasized in this context that these building blocks are not publications of the "Conference of Independent Data Protection Authorities of the Federation and the Länder".
The building blocks published so far have an almost identical structure. First, each building block presents its reference to the affected assurance objectives of the SDM. This is followed by a description of the purpose of the building block and of specific measures for data protection-compliant implementation. Each building block contains measures that must be implemented where the need for protection is high. In addition to the SDM reference measures, the building blocks contain a topic-specific methodology for processing personal data in compliance with data protection requirements.

Approach of the SDM

The SDM does not treat the review of technical and organizational measures as a one-off exercise. Rather, the measures are to be reviewed at regular intervals with regard to their appropriateness. The SDM thus provides for a cyclical process in the sense of a PDCA cycle (Plan, Do, Check, Act), which can be divided into these four phases.

[Figure: excerpt from the Q_PERIOR SDM checklist]

Approach of Q_PERIOR AG

With our proven and individually adaptable process model, the establishment or review of the SDM is delivered in high quality and within the project budget. The seamless integration of the results with downstream processes such as threshold analysis, data protection impact assessment (DPIA) and risk management is also ensured.

The following figure shows an excerpt of the Q_PERIOR tool:

Modules | Contents
SDM Catalog of Measures
  • Process component selection
  • Categories of personal data
  • Protection needs assessment
  • Protection goals
  • Protection measures
Building blocks
  • Measures and determination of the degree of implementation for process components
  • Building block 11 "Storage"
  • Building block 41 "Planning and specification"
  • Building block 42 "Documentation"
  • Building block 43 "Logging"
  • Building block 50 "Separation"
  • Building block 60 "Deletion and destruction"
  • Building block 80 "Data protection management"
Evaluation
  • Visualized evaluation of the implementation of measures
  • Evaluation of the implementation of measures
  • Visualized evaluation of the building blocks

The following figure shows an excerpt of the SDM checklist:

[Figure: excerpt from the Q_PERIOR SDM checklist]

We are happy to support you with the implementation or audit of the SDM. An audit-proof review by Q_PERIOR represents an important added value for the company. The results of the reviews can then be used as a basis for the further development of a Data Protection Management System (DPMS) within the company.

BSI IT-Grundschutz

IT-Grundschutz, developed by the German Federal Office for Information Security (BSI), provides a solid basis for information security within companies. This is all the more important because the importance of information security for future business operations and risk management continues to grow as a result of advancing digitization. The IT-Grundschutz Compendium published by the BSI provides companies with a comprehensive set of rules for deriving technical and organizational measures. Q_PERIOR has developed a tool for this purpose that reflects all requirements of the 96 IT-Grundschutz modules. This not only enables companies to identify the relevant requirements, but also gives them solid support for the actual implementation of the described security measures of an organizational, personnel, infrastructural and technical nature.

Importance of the topic

As already indicated in the above remarks on SDM, the topic of data privacy and information security is currently undergoing major change. Progressive digitization is leading to an adaptation of business processes, procedures, and sales channels, as well as to a wide range of technologies that can be used. However, this change offers more than just opportunities for companies. The increasing networking of business processes and procedures also harbors new risks. The inadequate implementation of necessary security measures offers cyber criminals a gateway into the corporate network. Such cyber attacks can lead to the theft/loss/misuse of valuable information and data, reputational damage, fines/penalties, and customer churn.

Structure of BSI IT-Grundschutz

Alongside international standards such as ISO/IEC 2700x, IT-Grundschutz is a recognized methodology for establishing a security concept. It is made up of a large number of elements. IT-Grundschutz has since been fundamentally modernized so that it addresses in greater detail the many innovations resulting from advancing digitization. The BSI standards of the 100 series and the IT-Grundschutz catalogues have been completely revised. The only exception is BSI Standard 100-4: the standard for emergency management is still in the modernization phase, and it can be assumed that the modernized standard will be published by 2021 at the latest. In principle, a distinction can be made between the following elements.

These include, for example:

  • BSI standards,
  • IT-Grundschutz Compendium,
  • implementation instructions,
  • instructions for migration,
  • migration table and
  • the guide to basic IT-Grundschutz security.

In the following, the focus is on a brief presentation of the BSI standards. These include a description of the methodology and procedure to be applied. The following table provides a clear presentation of the BSI standards and their contents:

BSI Standard | Contents
200-1
  • General requirements for an ISMS
200-2
  • IT-Grundschutz methodology
  • Creation of a security concept
  • Basic, standard and core protection
  • Interaction with the IT-Grundschutz Compendium 2020
200-3
  • Risk management
  • Appropriate and targeted management of information security risks
100-4
  • Emergency management process
  • Initiation, conception
  • Emergency response and crisis management
  • Outsourcing and emergency management

The interaction of the various BSI standards with the IT-Grundschutz Compendium gives companies a holistic framework for establishing a security concept. The BSI offers different approaches in order to cover the broadest possible field of application. IT-Grundschutz distinguishes between basic, standard and core protection.

Basic and core protection can generally be regarded as good entry-level procedures. While basic protection enables basic initial protection, core protection aims to provide primary protection for a company’s critical systems and processes. Basic IT protection refers to the so-called “crown jewels” of a company. However, full protection of a company’s information assets is only guaranteed by standard protection. This enables a high level of information security to be achieved within the company.

The long-term goal should therefore always be the implementation of standard protection. It is particularly noteworthy that the IT-Grundschutz Compendium is updated annually, thus providing companies with a constantly updated repertoire of security requirements for the best possible protection. The respective approaches differ in terms of the associated effort and have different advantages and disadvantages. The appropriate approach for a given company should therefore be identified at an early stage, taking into account the company's specific characteristics and any legal or regulatory framework conditions.

IT-Grundschutz Compendium 2020

The IT-Grundschutz Compendium is a comprehensive work on the subject of information security and, in the current edition, consists of 96 different IT-Grundschutz modules. These modules follow an identical structure and contain a brief description of the topic, objectives, delimitation, risk situation, and concrete security requirements of an organizational, personnel, infrastructural, and technical nature. These requirements are primarily directed at business processes, systems, applications and communication links and are aimed at securing these accordingly.

The requirements are categorized as follows:

  • Basic requirements (B),
  • Standard requirements (S) and
  • Requirements with increased need for protection (H).

The categorization can be derived from the respective requirement titles. As already mentioned, the BSI also provides so-called implementation notes. These are available for many of the IT-Grundschutz modules. The implementation notes can be used as best-practice recommendations for implementing the requirements from the respective module. Overall, both the security requirements described and the measures described in the implementation notes are ideal for deriving technical and organizational measures in the area of data protection and information security.

Approach of Q_PERIOR AG

Our experience from consulting practice shows that small and medium-sized enterprises in particular have difficulties implementing the extensive requirements of the IT-Grundschutz Compendium. To address this practical problem, Q_PERIOR has developed a tool for the IT-Grundschutz Compendium 2020. It is structured as follows:

Modules | Contents
Dashboard
  • Content description of the tool
  • Calculation of the degree of implementation of the basic and standard requirements and the requirements with increased protection needs
  • Network diagram for visualized representation
  • Measures sorted by need for action
Test questions for the process- and system-oriented building blocks
  • Reproduction of the basic and standard requirements and the requirements with increased protection needs
  • Representation of the responsibilities
  • Calculation of the degree of implementation
  • Risk assessment/need for action

The following figure shows an excerpt of the Q_PERIOR tool:

[Figure: excerpt from the Q_PERIOR tool for the IT-Grundschutz Compendium 2020]

The Q_PERIOR tool is not only well suited to implementing the requirements of the IT-Grundschutz Compendium. It can also be used as a comprehensive reference work and tracking tool for identifying and supporting the implementation of technical and organizational measures of an organizational, personnel, infrastructural and technical nature.

Conclusion

The above discussion has shown that both the SDM and the combination of IT-Grundschutz and the IT-Grundschutz Compendium can provide companies with solid support in deriving technical and organizational measures. Companies should therefore address both topics at an early stage to ensure that technical and organizational measures are implemented in compliance with legal and regulatory requirements. The solutions developed by Q_PERIOR in the form of tried-and-tested tools can provide you with good assistance in this regard.

Can we support you? Contact our experts!

With Q_PERIOR, you have a strong partner at your side.
We look forward to your challenge!