Templates Data Protection (GDPR) Templates

Updated December 2, 2022

Template: Technical and Organizational Measures

Sven Piechottka

Template Download

This is a free template, provided by OpenRegulatory.

You can download it as Word (.docx), PDF, Google Docs or Markdown file. Scroll down for a preview!

The template license applies (don't remove the copyright at the bottom).

Tired of copy-pasting? If you want to save time and edit these templates directly, you can use Formwork, our eQMS software. And if you're looking for step-by-step instructions for filling them out, check out our Wizard :)

Don't Miss Updates to This Template

Subscribe to our newsletter and we'll keep you posted on which templates we've changed.

Questions? Still Lost in Regulation?

Good news! Our goal is to provide lots of stuff for free, but we also offer consulting if you need a more hands-on approach. We get stuff done really fast. Have a look!

Template preview

<Product Name> - Technical and Organizational Measures

1. General Considerations

This data protection policy outlines the technical and organizational measures implemented for secure and compliant processing of personal data. It takes into account the rights of data subjects and requirements of the articles 24, 25, and 32 GDPR to the extent applicable.

<enter company name> deals with three general categories of personal data:

  1. (…)
  2. (…)

The following description of technical and organizational measures will be differentiated, where applicable, according to these categories of data.

2. Organization

<enter company name> appointed a data protection officer (DPO) who provides advice on data privacy issues, updates the team about changes in regulations and standards and, if required, supports with reviews and improvement of the measures. The DPO can be reached via <enter email address>.

In the future, the company is going to create data privacy guidelines documented in the form of standard operating procedures (e.g. DPR-SOP) and templates.

Reference here your Information-Security-Management-System (ISMS) in place.

3. Confidentiality

3.1 Entry Control

<enter company name> operates based on office premises that are not freely accessible. They are locked when employees are away. The company implemented the following measures:

<enter company name> does not maintain servers or server rooms. (…)

If you operate your own server rooms, do your best at describing all security policies to prevent unauthorized people from entering here.

If you use a third party cloud provider, their policies here. Typically, they should provide you with loads of material that is helpful for this exercise.

If your users store data locally on their end devices - good for you. In that case, enter some description of that and outline that no data leaves the end device.

3.2 Access Control

The company has implemented the following measures for access to software systems:

(…)

Describe your access restrictions. Those are measures not only to prevent unauthorized people from entering your offices, but also to prevent unauthorized (electronic) access. Some example measures:

  • For every employee, a personally assigned user is set up with a password bound to strict requirements (at least 14 characters long with special characters).
  • Passwords must be unique and may not be used for other accounts. Passwords must be changed annually.
  • Central authentication with username and password, incl. mandatory 2-factor authentication. Every user has to verify the account at least every 30 days.
  • Access is monitored and logged, including unsuccessful login attempts.
  • Access is automatically blocked by the system after XXX failed attempts.
  • Only employees get access to the majority of files and systems and the extent of access can be determined selectively.

3.3 Usage Control

The company has implemented following measures when working within software systems:

(…)

What are your policies when working with your internal systems? Some typical examples:

  • The password rules for access control must also be followed for usage control.
  • Role-based authorization, administrative user profiles are kept to a minimum.
  • User-dependent authentication with username and password.
  • The use of personal data is limited, so that only authorized individuals can use the personal data necessary for their task (De Minimis Principle).
  • Logging of usage and changes.
  • Paperless work by principle and compliant destruction of paper documents with a shredder where applicable.

3.4 Pseudonymization

(…)

This is often an overshoot, but think of scenarios in which identifiable data is really not that necessary. One common example:

  • Customer data is pseudonymized so far as the connection to the individual is not absolutely necessary for the result.

3.5 Separation Control

(…)

This typically applies to companies managing large amounts of data from various customers:

  • Separation of data is ensured for customer data based on software system management, e.g. through data storage in separate folders.

4. Integrity

4.1 Transfer Control

Transfer control shall ensure that only authorized individuals can inspect personal data. Employee mobile devices must be encrypted if personal data is stored on them.

(…)

How do you keep data safe in transmission? Some example measures:

  • The use of single USB flash drives or related data carrier tools is not allowed. Information should only be printed out if absolutely needed. Printed copies must be shredded immediately as soon as they are no longer needed.
  • Home office policies (e.g. connect to VPN)

4.2 Input Control

The company has implemented the following measures for its software systems:

This applies to most cloud working environments (e.g. Google Drive, MS Sharepoint, Confluence, JIRA etc.). Any other measures to add in your context?

4.3 Availability and Reliability

Again, if you are using a large cloud provider, you can add more extensive policies and measures here, such as for example:

  • Cloud provider data centers and server rooms are state of the art (temperature control, fire protection, water penetration, uninterrupted power supply (UPS) ensuring controlled shutdown without any loss of data).

4.4 Product Development

4.4.1 Development Tools

(…)

As before, think about your own organizational setup. How do you ensure safe development? Some examples:

  • Third party applications must be approved prior to use by (…) according to (…) to ensure compliance with quality management and data privacy requirements.
  • Development tools must only be downloaded from secure sources (e.g., the manufacturer’s servers).
  • Where possible, single-sign-on authentication is used for third party applications to allow for a complete and compliant access administration within the organization.
  • Less secure third-party applications are disabled by administrator default configurations.

4.4.2 Privacy-Friendly Settings

(…)

  • Product development must take into account giving users the option of entering only the information necessary for the purpose of processing. Input fields with additional, unnecessary information should be avoided or at least designed as non-mandatory.
  • By default, privacy-friendly settings must be preselected.

4.6 Data Deletion

The company implemented the following concept for automatic data deletion:

Data category Retention period Responsible
User data <This period typically should be specified as part of the informed user consent>  
Customer data - Customer data after termination of contracts
- Lead contact data after 10 years of paused communication
 
Employee data Until end of employment  
Applicant data Until 6 months after hiring decision or longer in case of employment  
Website data Deleted after every session Automated

5. Employee Workplace

The company has implemented the following measures:

6. Procedure for Regular Review, Assessment and Evaluation

Data protection and IT security within the company is reviewed regularly and, based on these assessments, continuously improved. Internal auditing may include data privacy requirements such as:

The company has implemented the following internal measures:


Template Copyright openregulatory.com. See template license.

Please don’t remove this notice even if you’ve modified contents of this template.

Digital Health Jobs No Cookie For You Privacy Policy Imprint
No QMS on this planet will save you from creating crappy software.