German Standard Data Protection Model (SDM)


    In Germany, the Standard Data Protection Model (the “SDM”) is used by data protection authorities (DPAs) to describe a model for organisations to systematically verify compliance with personal data protection law.

    It is based on seven data protection goals: data minimization, availability, integrity, confidentiality, unlinkability, transparency, and intervenability (the “Protection Goals”). The SDM uses these data protection goals to translate legal requirements into a catalogue of technical and organisational measures. The SDM incorporates the data protection requirements found in German data protection law as well as the GDPR.

    Last Updated: July 30, 2019

  • General

    The SDM is designed to assist DPAs in conducting “more transparent and upright reviews of technical and organizational data protection measures” in an effort to ensure that “transparent, plausible, [and] reliable judgments” are reached. In addition, it provides companies with “a methodology for assessing the efficacy of data protection measures required by data protection regulations” and guidance on how to “systematically plan, implement and continuously monitor” those measures.

    Scope of the SDM

    The SDM aims to systematize mandatory as well as optional, procedural as well as cross-procedural data protection measures and to facilitate their respective assessment. The SDM can be used by state and federal DPAs, as well as by controllers for the planning and operation of procedures for the processing of personal data.


    In addition to the SDM, data protection authorities in Germany also published modules to achieve the Protection Goals established in the SDM. These modules contain specific technical and organizational measures to ensure the appropriate Protection Goals depending on the relevant topic. In addition to a detailed description of the individual measures to be taken, the modules also contain summaries in the form of lists and references to additional documents such as statements by the Federal Office for Information Security (BSI) or the DSK, German Institution for Standardization (DIN), and ISO standards.

    ** Germany’s Conference of Independent Federal and State Data Protection Authorities is commonly referred to as the DSK or “Datenschutzkonferenz” (Data Protection Conference). The DSK is composed of Germany’s Federal DPA as well as all 17 state-run DPAs responsible for private-sector and public-sector controllers.

    Currently, seven modules have been published (in German):

    Data Protection Management

    The Data Protection Management (the “DSM”) module addresses all Protection Goals. The DSM is an essential prerequisite for data processing and covers the entire life cycle of data processing. Appropriate technical and organizational measures should be taken according to the risk level of the processing activities. Implementation of these measures should be evaluated when necessary for future improvements. The module introduces four steps to establish a DSM system (plan, check, judge, improve: the “PDCA” circle) and refers to ISO 9000, ISO 14000, ISO/IEC 20000 and ISO/IEC 27001.

    Planning / Specifications

    Planning ensures the Protection Goal of transparency. Data protection by design and by default is required, as well as a mandatory data protection impact assessment (DPIA) in the case of risky processing (the module is unclear about the risk level). The module lists the aspects of processing that must be planned. Some key aspects are:

    • Description of data processing
    • Identification and documentation of the parties involved in the processing (organizations/actors and the persons concerned)
    • Development of use cases
    • Risk for the rights and freedoms affected by the processing
    • The elaboration of a suitable form of documentation
    • Determination and documentation of technical and organizational measures
    • Creation of a report from the above documents
    • Phase of implementation of the processing processes and the technical and organizational measures


    Documentation ensures the Protection Goal of transparency. Documentation is part of the DSM and is used to check and verify the proper operation of processing. It ensures transparency of the database, the transformations between data, the functions and interfaces used, the processing within the IT system, and decision making. Requirements for documentation are:

    • Documentation should be complete.
    • Paper printout or electronic version should be available.
    • Documentation should be adequate to comply with existing data protection legislation.
    • Documentation should be verifiable.
    • Documentation must be regularly updated.


    Recording ensures the Protection Goal of transparency. Recording makes it possible to inspect processing that took place in the past. Recording, planning and documentation are the basis for making judgements in a PDCA circle. A record must include a time component (when), an instance (who), an activity or event (what), and a storage instance (the source, i.e. by whom or what the record was made).


    Separation ensures the Protection Goals of unlinkability, data minimization, integrity and confidentiality. It is important to guarantee that collected data are processed only for their specific purpose. To that end, sufficient separation measures should be in place to prevent clients’ data from being mingled and processed for unpermitted purposes. This module provides a seven-step test to assess whether a separation is sufficient.

    Erasing and Destroying

    The Erasing and Destroying module addresses the Protection Goals of confidentiality, unlinkability, and intervenability. It also introduces a new goal of data economy.


    Safekeeping ensures the Protection Goals of availability, integrity, intervenability and transparency.

    Although these newly developed modules have not yet been agreed upon in the DSK, DPAs encourage controllers to try out these modules and share their experiences with the drafting DPAs to contribute to the continued development of measures.

  • Transparency and Free Access


    The GDPR provides rights of information, notification and access for the data subject. The controller must create the necessary conditions for granting these rights both at the organizational and, if necessary, at the technical level. Measures provided in the DSM include documentation of processing activities, documentation of consent and objections, etc.

  • Purpose specification, Use Limitation and Suitability


    GDPR Article 5 (1) (b) sets purpose limitation as a principle of processing. The obligation to process data only for the purposes for which they were collected is to be found, in particular, in the individual legal bases for processing (Article 6 GDPR) that make the business purposes, the research purposes, etc. a yardstick. In the case of data processing on the basis of consent, it follows from Article 7 (4) GDPR that consent can be invalid if the data is not necessary to fulfill the purpose.

    A typical measure for unlinkability is, for example, pseudonymization as mentioned in Article 40 (2) (d) GDPR. Other measures provided in the DSM include restriction of processing, utilization and transfer rights as well as regulative provisions to prohibit backdoors, etc.

  • Data Minimisation, Storage Limitation and Accuracy

    The GDPR data minimisation principle derives from the principle of necessity, the latter being the central statutory criterion for legitimacy of processing. Measures provided in the DSM include reduction of collected attributes of the data subject, and reduction of possibilities to gain knowledge of existing data, etc.

  • Security & Prevention


    The obligation to maintain confidentiality results, in particular, from Article 5 (1) (f) GDPR, from Article 32 (1) (b) GDPR and Article 38 (5) GDPR (secrecy obligation of the data protection officer) and Article 28 (3) (b) GDPR (secrecy obligation of the data processor) respectively. It ensures protection against unauthorized and unlawful processing. A violation of confidentiality generally constitutes data processing without a legal basis.

    Measures provided in the DSM include implementation of a secure authentication process, limitation of authorized personnel to those who are verifiably responsible (locally, professionally), qualified, reliable (if necessary with security clearance) and formally approved, and with whom no conflict of interests may arise in the exercise of their duties, etc.


    The protection goal of integrity is mentioned in Article 5 (1) (f) GDPR as a principle for the processing of data and in Article 32 (1) (b) GDPR as a prerequisite for the security of data processing. It shall ensure protection against unauthorized modifications and deletions.

    Measures provided in the DSM include restriction of writing and modification permissions, use of checksums, electronic seals and signatures in data processing in accordance with a cryptographic concept, documented assignment of rights and roles, etc.


    The principle of availability is explicitly included in Article 32 (1) (b) and (c) in the context of security of data processing. It is also anchored in Article 5 (1) (e) GDPR as a prerequisite for data processing, ensuring the availability of the data for the respective purpose as long as this purpose remains valid. The principle applies to the obligations to provide information and access to the data subject (Articles 13 and 15 GDPR). This goal is also a basic prerequisite for the right to data portability (Article 20 GDPR).

    Measures provided in the DSM include preparation of data backups, protection against external influences (malware, sabotage, force majeure), implementation of repair strategies and alternative processes, etc.

  • Data Subject Rights


    The data subject’s rights to intervene are explicitly derived from the provisions on rectification, restriction, erasure, and the right to objection (Articles 16, 17, 18, 19, 21 GDPR). They may also result from a weighing of interests within the framework of statutory criteria for lawful processing. The controller must, pursuant to Article 5 (1) (d) GDPR, provide the prerequisites for guaranteeing such rights, both at the organizational and, where required, at the technical level.

    Measures provided in the SDM include providing differentiated options for consent, withdrawal and objection, creating necessary data fields, e.g., for notifications, consents and objections, documenting handling of malfunctions and problem-solving methods, etc.
