Data protection as an integral part of your information security
Data protection and information security are treated as separate disciplines in many organizations, yet they are closely intertwined. The GDPR requires technical and organizational measures to protect personal data, and these very measures are also a core component of every ISMS. When you build your information security management system, you automatically cover a large portion of GDPR requirements. This topic page helps you systematically fulfill data protection-specific obligations and make optimal use of the synergies between GDPR and ISMS.
The records of processing activities: your data protection map
The records of processing activities (RoPA) is mandatory under Art. 30 GDPR for nearly every organization. It documents which personal data you process for which purpose, who has access, to whom the data is disclosed, and how long it is retained. This sounds like a lot of effort, but in practice it is an enormously useful tool — because the RoPA gives you, for the first time, a complete overview of all data flows in your organization.
A good RoPA is not created at the desk of the legal department, but in dialogue with the business units. Who processes which data in daily operations? Which software is used? Where does the data flow? These questions can only be answered by talking to the people who work with the data every day. Our article on the RoPA shows you a pragmatic approach that gets you to the goal without external consultants.
TOMs: technical and organizational measures
Art. 32 GDPR requires you to implement "appropriate technical and organizational measures" to protect personal data. These TOMs are the link between data protection and information security. Encryption, access controls, pseudonymization, regular security testing — all of these are TOMs within the meaning of the GDPR and simultaneously core components of your ISMS.
The challenge lies less in implementation than in documentation. Supervisory authorities expect you to demonstrate which measures you have implemented and why they are appropriate. "Appropriate" is the key term here: the GDPR does not demand absolute security, but measures that are appropriate given the state of the art, the cost of implementation and the risk to data subjects. Our article on TOM documentation helps you maintain this evidence in a structured and audit-ready manner.
Data processing agreements and vendor assessment
Hardly any company processes personal data entirely on its own. Cloud services, external payroll processing, newsletter tools, hosting providers — wherever an external service provider processes personal data on your behalf, you need a data processing agreement (DPA) under Art. 28 GDPR. But a signed contract alone is not enough. You also need to verify that the service provider actually complies with the agreed protective measures.
Things become particularly sensitive with international data transfers. Since the Schrems II ruling and the EU-US Data Privacy Framework, companies must carefully assess whether the legal basis for data transfers to third countries is sound. Our article on international data transfers explains the current legal situation and which instruments are available for lawful transfers.
Data subject rights and deletion concept
The GDPR grants data subjects extensive rights: access, rectification, erasure, restriction of processing, data portability and objection. Your organization must be able to fulfill these rights within the statutory deadlines. This requires clear processes and the technical capability to identify and, where necessary, delete personal data across all systems.
The deletion concept deserves special attention because it affects virtually every system in your organization. You need defined retention periods for each data category, automated or at least regularly executed deletion routines, and documentation proving that data is actually deleted on schedule. Our articles guide you step by step through setting up a practical deletion concept that accounts for both GDPR requirements and commercial and tax law retention obligations.
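The three building blocks named above (a retention period per data category, a routine that applies it, and evidence that deletion actually happened) can be sketched in code. The following Python is an added example written for this page, not code from the site or its articles; the categories, retention periods, record fields and the legal-hold flag are constructed placeholders, and the periods are illustrative values, not statements of the actual statutory periods.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule (constructed for this example): days to keep a
# record after the purpose of processing has ended. A category missing here is
# treated as an error, never as "delete" or "keep forever".
RETENTION_DAYS = {
    "newsletter_subscriber": 0,   # delete as soon as consent is withdrawn
    "applicant": 180,             # keep for a limited period after rejection
    "invoice": 10 * 365,          # commercial/tax retention period (placeholder)
}


@dataclass
class Record:
    record_id: str
    category: str
    purpose_ended: date          # day the processing purpose ended
    legal_hold: bool = False     # e.g. pending litigation: deletion must wait


def deletion_due_on(record):
    """Earliest date on which the record may be deleted under the schedule."""
    return record.purpose_ended + timedelta(days=RETENTION_DAYS[record.category])


def run_deletion(records, today):
    """Apply the schedule once. Returns (remaining_records, deletion_log).

    The log is the audit evidence: every record examined gets one entry that
    says what was done and why, including records that were deliberately kept.
    """
    remaining, log = [], []
    for rec in records:
        if rec.category not in RETENTION_DAYS:
            # Unknown category: keep the data and flag it for review rather than
            # guessing a retention period.
            remaining.append(rec)
            log.append({"record_id": rec.record_id, "date": today.isoformat(),
                        "action": "kept", "reason": "unknown_category"})
            continue
        due = deletion_due_on(rec)
        if rec.legal_hold:
            remaining.append(rec)
            reason = "legal_hold"
            action = "kept"
        elif today >= due:
            reason = f"retention_expired:{due.isoformat()}"
            action = "deleted"
        else:
            remaining.append(rec)
            reason = f"retention_until:{due.isoformat()}"
            action = "kept"
        log.append({"record_id": rec.record_id, "category": rec.category,
                    "date": today.isoformat(), "action": action, "reason": reason})
    return remaining, log


def deleted_ids(log):
    """Convenience view over the log: which records were actually deleted."""
    return sorted(e["record_id"] for e in log if e["action"] == "deleted")


# Constructed sample data set for a run on 2024-07-01.
SAMPLE_RECORDS = [
    Record("n1", "newsletter_subscriber", date(2024, 6, 30)),
    Record("a1", "applicant", date(2024, 2, 1)),                 # 180 days not yet over
    Record("a2", "applicant", date(2023, 12, 1)),                # 180 days over
    Record("i1", "invoice", date(2015, 1, 1)),                   # still inside retention
    Record("i2", "invoice", date(2010, 1, 1), legal_hold=True),  # due, but on hold
    Record("x1", "crm_export", date(2020, 1, 1)),                # no schedule entry
]

if __name__ == "__main__":
    remaining, log = run_deletion(SAMPLE_RECORDS, date(2024, 7, 1))
    for entry in log:
        print(entry)
```

Two design points matter for audit readiness: the routine logs every record it looked at, not only the deletions, so the evidence shows why a record is still there; and it never deletes on an unknown category or while a legal hold is set, which is how the tax-law retention obligations mentioned above can override the schedule without silently losing data.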
