
Technical & organisational measures for GDPR compliance


Many have published their own take on how to make businesses “GDPR ready”. Yancho Yanchev at Cubism Law explains the so-called technical and organisational measures ("ToMs") and provides a quick and easy checklist for organisations on their journey towards compliance.

One of the biggest challenges with data protection law is the ambiguity of the language. One example of where it can get confusing is the so-called technical and organisational measures ("ToMs"), which are an integral part of any compliance effort. ToMs have long been part of the vernacular used by data protection professionals. But what are ToMs and how important are they?

In an effort to tighten up corporate practices across Europe, the 1995 Data Protection Directive required EU Member States to introduce legislation making it mandatory for organisations to implement ToMs in order to guarantee the security of personal data processing. ToMs are essentially data protection controls, processes and solutions that need to be implemented in order to make compliance possible. ToMs relating to data security were incorporated in the 1998 UK Data Protection Act as the "Seventh Data Protection Principle". No other provision of the law required implementation of ToMs as such. The GDPR envisages reliance on ToMs to guarantee not just security, but also a number of other compliance attributes.

  • The new law (Art 24) asks organisations to use and put in place ToMs that will enable them to ensure and to be able to demonstrate compliance with data protection law. Thus, ToMs are no longer limited to security only but also extend to overall compliance and accountability. The legislation further hints that this can be achieved by, among others, “data protection policies”.
  • The GDPR (Art 25) invites firms to use ToMs in order to formulate their goods or service offerings with data protection not only in mind, but front and centre of their priorities, plans and concerns. This is referred to as “privacy by design” and “by default”.
  • The Regulation (Art 28) further requires firms to only subcontract to those suppliers of services who provide a firm (contractual) guarantee that they will implement ToMs in such a way that they comply with their own new direct responsibilities under the law and safeguard the rights of the individual.
  • Furthermore, if the suppliers wish to be “controlled”, then they need to provide further guarantees that any data “sub-processing” they undertake will itself comply with the law. This new provision (Art 28.4) requires the whole supply chain to adopt ToMs and ensure the letter of the law is being followed. This is probably one of the biggest changes from the previous data protection regime in the EU.
  • ToMs for information security (Art 32) are preserved in the GDPR rules. All organisations are required to implement ToMs in order to achieve security for their personal data processing.

Finally, where it gets very serious is that the GDPR makes it clear that the ToMs which organisations implement will be taken into consideration when calculating fines for non-compliance with the law (Art 83).

For those of us who live and breathe data protection as part of our day-to-day client work, there are some basic but fundamental ideas we like to impart to all our clients as they face the prospect of dealing with and managing today’s data protection requirements:

  • Compliance is not a box-ticking exercise.
  • Data protection compliance is not a “project” with a deadline on the 25th of May.

Instead, data protection compliance is about involving the entire organisation to put processes, contracts and notices in place that guarantee the organisation is transparent, responsible and accountable for its use of individuals’ personal data.

Cubism Law's Checklist for Compliance

Various organisations have published their take on how to make businesses “GDPR ready”. Below is a four-point high-level checklist that Cubism Law has produced to guide your organisation on its road to compliance. The list assumes compliance with current data protection law; it is not exhaustive and does not constitute legal advice.

1. Information Audit and Risk Assessment

  • Map the personal data that goes through your organisation and highlight the activities that appear most risky.
  • What personal data do you process and for what purpose do you process it?
  • Where does it come from and who does it go to?

2. Policies and procedures

  • Having mapped the data flows throughout your organisation, you should now be in a position to address them in your internal and external policies, in accordance with the GDPR requirements.

Internal policies:

    • consider putting in place an internal data protection policy to address how your employees should handle personal data.
    • consider putting in place an internal data breach policy to address data breach response.

External policies:

    • consider the requirements for a fair and transparent client-facing privacy policy.
    • consider the personal data you collect from the web, including via your website.

3. Contracts

  • Any contract that involves the sharing of or access to any personal data with any client or any supplier must be reviewed for GDPR compliance.
  • Client and employee contracts: consider including privacy notices/policies.
  • Supplier contracts: if no written contract is currently in place, one must be put in place; it must be GDPR-compliant and enforceable against sub-processors.

4. Operations

  • The above considerations are the absolute minimum for data protection compliance. However, it is more likely than not that after you implement the technical and organisational measures above you will notice there are additional things to consider:
    • Do I process any of the special categories of personal data, or child data?
    • What lawful basis for processing do I use, in particular for marketing?
    • Do I or any of my suppliers transfer personal data outside of the EEA?
    • Do I need to maintain records of processing activities?
    • Do I need to undertake a Data Protection Impact Assessment?
    • Do I need to appoint a data protection officer?
    • Should I sit down and read the GDPR itself?
  • And finally: don't forget to document everything on your journey to compliance, in accordance with the new "accountability" principle.