In November 2019, the federal and state data protection authorities agreed on a revised version of the Standard Data Protection Model (SDM).
The purpose of the SDM
On 68 pages, a test method is documented, with which not only data protection officers but also companies and authorities can assess whether their applications process personal data in a data protection-compliant manner.
The working group goes on to detail: “The Standard Data Protection Model (SDM) provides a tool to support the selection and evaluation of technical and organizational measures that ensure and provide evidence that personal data is processed in accordance with the requirements of the GDPR.”
To this end, the SDM first captures the legal requirements of the GDPR and then maps them to the assurance objectives of
- Data minimization
- Non-interconnectivity and
What is new in the updated version now?
The requirements of the GDPR with regard to the above-mentioned objectives are formulated and described more comprehensively
More attention is paid to the management of consent, as well as to the implementation of supervisory orders
the establishment of a data protection management system in compliance with a Plan-Do-Check-Act cycle (PDCA) is described and recommended:
In activeMind’s view, what is really interesting for data protection practice are “the generic measures for the assurance objectives already laid out in the methodology, which are named in Part D. This is because what is named here is likely to be regarded as standard by the supervisory authorities. This is because what is mentioned here is likely to be regarded as standard by the supervisory authorities. A critical examination of the measures listed here is therefore necessary in any case, even if one decides against implementation as a result.”
The more detailed catalogs of generic measures, on the other hand, are not yet available across countries at the moment. Currently, there are only building blocks from individual states for individual goals (e.g., from Mecklenburg-Vorpommern).
It is not (yet) known when these announced catalogs will appear. What is certain, however, is that these catalogs will be very helpful to companies in complying with the minimum standards.
Image: Conference of the Independent Data Protection Authorities of the Federal Government and the Länder (Data Protection Conference)
Note: This is a machine translation. It is neither 100% complete or 100% correct. We can therefore not guarantee the result.