Technical and organisational measures
CNIL Privacy Impact Assessment Knowledge Bases
https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-3-en-knowledgebases.pdf
I keep going back to this resource, as it has a good set of examples for privacy risks.
But it also has a long catalog of technical and organizational measures (TOM).
Austria: Patient cannot consent to inadequate TOMs
Data subjects cannot consent to inadequate technical and organizational measures; the specific case concerned unencrypted emails.
https://www.dataprotect.at/2019/04/16/datensicherheitsma%C3%9Fnahmen-sind-nicht-disponibel/
CNIL – Toolkit for software developers
https://www.cnil.fr/fr/kit-developpeur
Covers various technical and organizational measures (TOM) in the context of software development (SDLC).
State of the art – Guidelines by ENISA and TeleTrusT
ENISA and TeleTrusT – IT Security Association Germany have published their guidelines in English.
“The document published on the “state of the art” in IT security provides concrete advice and recommendations for action. These guidelines are intended to provide companies, providers (manufacturers, service providers) alike with assistance in determining the “state of the art” within the meaning of the IT security legislation. The document can serve as a reference for contractual agreements, procurement procedures or the classification of security measures implemented. They are not a replacement for technical, organisational or legal advice or assessment in individual cases.”
https://www.enisa.europa.eu/news/enisa-news/what-is-state-of-the-art-in-it-security
CNIL updates to PIA guides (Feb 2018)
https://www.cnil.fr/en/cnil-publishes-update-its-pia-guides
Knowledge base
Includes recommendations on many organisational and technical controls, risk sources, etc.
https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-3-en-knowledgebases.pdf
[Presentation] Andreas Sachs (BayLDA): „Vorgaben zur IT-Sicherheit in der DS-GVO“
2017