Technical and organisational measures
Also includes interesting links to other EU papers (e.g. on cloud).
Sadly from Nov 2016, so written with the GDPR in mind, but before it was in force.
Covered technologies include:
- Web caching mechanisms
- HTML5 local storage
- “Canvas fingerprinting” and “Evercookies”
I keep going back to this resource, as it has a good set of examples for privacy risks.
But it also has a long catalog of technical and organizational measures (TOM).
Data subjects cannot consent to inadequate technical and organizational measures, in this specific case to unencrypted emails.
Covers various technical and organizational measures (TOM) in the context of software development (SDLC).
“This document was prepared by the Commission Nationale Pour la Protection des Données (‘CNPD’) in collaboration with representatives from the audit profession. It contains the criteria for the “GDPR-CARPA” certification mechanism. This document should be read in conjunction with the “GDPR-CARPA” certification mechanism document. These certification criteria are a mandatory requirement to evaluate and report on controls over organizational and technical data protection measures, to be eligible for certification. Evaluation and reporting needs to follow the ISAE 3000 standard. Certification can only be granted by certification bodies that have been accredited by CNPD.”
ENISA and TeleTrusT – IT Security Association Germany have published their guidelines in English.
“The document published on the “state of the art” in IT security provides concrete advice and recommendations for action. These guidelines are intended to provide companies, providers (manufacturers, service providers) alike with assistance in determining the “state of the art” within the meaning of the IT security legislation. The document can serve as a reference for contractual agreements, procurement procedures or the classification of security measures implemented. They are not a replacement for technical, organisational or legal advice or assessment in individual cases.”
CNIL updates to PIA guides (Feb 2018)
Includes recommendations on many organisational and technical controls, risk sources, etc.
In English; includes:
- Raising user awareness
- Authenticating users
- Access Management
- Logging access and managing incidents
- Securing workstations
- Securing mobile data processing
- Protecting the internal network
- Securing servers
- Securing websites
- Ensuring continuity
- Archiving securely
- Supervising maintenance and data destruction
- Managing data processors
- Securing exchanges with other organisations
- Physical security
- Supervising software development
- Encrypting, guaranteeing integrity and signing
- Assess the security level of the personal data in your organisation