The Standard Data Protection Model (SDM) is a methodical framework developed by the German data protection supervisory authorities for systematically implementing the requirements of the GDPR through technical and organizational measures (TOMs). It was last revised in version 3.1a and is an indispensable tool for data protection officers, IT managers and compliance managers in particular.
Objectives of the SDM
The SDM supports the data protection-compliant design of processing activities. It helps to select suitable TOMs and to check their effectiveness. Its central tasks are:
- Risk-oriented selection of suitable measures
- Demonstrating the lawfulness of processing
- Compliance with the principles of Art. 5 and Art. 25 GDPR
- Support with data protection impact assessments (DPIAs)
The seven SDM protection goals
A core element of the SDM is the translation of legal data protection requirements into so-called protection goals, which act as a bridge between law and technology.
1. Data minimization: Personal data may only be processed to the extent necessary for the respective purpose. Collecting data in reserve or on mere suspicion contradicts this goal.
2. Availability: Data must be available when it is needed. This applies not only to technical safeguards such as backups and failover systems, but also to organizational aspects such as role and deputy arrangements.
3. Integrity: The integrity of data must be ensured. Technical protective measures must prevent manipulation or unintentional changes, or at least make them traceable.
4. Confidentiality: Access to personal data may only be possible for authorized persons. This includes access rights, encryption, firewalls and training.
5. Unlinkability: The aim is to prevent profiles or comprehensive personal images from being created from different data sets in a way that could endanger the privacy of the data subjects. Any linking of data must be justified and limited.
6. Transparency: Data subjects and supervisory authorities must be able to understand how data is processed. Documentation, information obligations and internal records of processing activities are key instruments for this.
7. Intervenability: Data subjects must be able to exercise their rights, such as access, rectification, erasure and objection, effectively. Processes must be created and maintained for this.
These seven protection goals are directly linked to the requirements of the GDPR and help to implement specific protective measures systematically.
The SDM cube: modeling processing activities
A central methodological concept is the SDM cube, which combines three dimensions:
- Levels of processing:
  - Specialist procedures (e.g. business processes)
  - Specialist applications (e.g. software solutions)
  - Technical infrastructure (e.g. networks, databases)
- Phases of the data life cycle:
  - Collecting, storing, editing, transmitting, deleting, etc.
- Protection goals:
  - See above
The SDM cube enables a structured and in-depth analysis of each processing activity with regard to compliance with data protection regulations. The model combines the three central dimensions (processing phases, processing levels and protection goals) into a clear and systematic assessment grid.
This combination makes it possible to consider each sub-component of a processing activity across its entire life cycle, from collection through processing to deletion of the data. At the same time, the various technical and organizational levels (e.g. processes, applications, infrastructure) and their contribution to achieving the data protection goals are made verifiable.
The resulting three-dimensional model helps data protection officers to systematically identify risks, plan appropriate protective measures, document their implementation and continuously evaluate their effectiveness. In this way, the SDM cube not only contributes to the optimization of existing processing activities, but is also a strategic tool for designing new processes and systems in compliance with data protection regulations.
Practical application: from the DPIA to certification
The SDM is not just a theoretical model. It serves as a methodical guide for a large number of specific use cases, particularly in the context of data protection management, IT security and compliance.
- Data protection impact assessment (DPIA, Art. 35 GDPR): For planned processing activities with a high risk to the rights and freedoms of data subjects, the SDM provides a structured approach to identifying, analyzing and assessing these risks. It helps to define appropriate technical and organizational measures that adequately mitigate them. In particular, the protection goals serve as guidelines for the systematic assessment of the impact on data protection.
- Auditing and control: Organizations can use the SDM to analyze their existing processing activities and compare them with a target state derived from the requirements of the GDPR and the respective protection goals. The catalog of reference measures that accompanies the SDM supports the systematic review of technical and organizational protective measures. This allows not only weak points to be identified, but also targeted improvement measures to be derived.
- Preparation for data protection certifications (Art. 42 GDPR): The SDM can serve as a basis for assessing data protection compliance and facilitate preparation for recognized certifications. Its objective criteria, which are based on the protection goals and risk considerations, enable comprehensible documentation of the data protection strategy and create trust among business partners, customers and supervisory authorities.
- Communication with supervisory authorities: The SDM represents a common reference model that is understood and used by both data controllers and data protection supervisory authorities. This makes it easier to present arguments and documentation during supervisory procedures or when reporting personal data breaches.
- Integration into existing management systems: The structured methodology of the SDM is well suited for embedding in already established management systems such as the IT-Grundschutz (IT baseline protection) of the German Federal Office for Information Security (BSI) or ISO/IEC 27001. This creates a consistent line between data protection, information security and risk management.
Overall, the SDM not only provides a theoretical foundation, but also tried-and-tested tools for designing, evaluating and optimizing data protection-compliant processes.
Advantages for data protection officers
The SDM offers considerable advantages for corporate and public-sector data protection officers:
- Systematic and comprehensible selection of measures
- Easier demonstration of accountability (Art. 5 para. 2 GDPR)
- Harmonization with standards such as the BSI IT-Grundschutz (IT baseline protection)
- Improved communication between specialist departments, IT and supervisory authorities
- Transparency during inspections and audits
Conclusion: SDM as a bridge between law and technology
The Standard Data Protection Model (SDM) has established itself as an indispensable tool for the practical implementation of the General Data Protection Regulation. It closes the often lamented gap between the legal requirements of the GDPR and the specific technical and organizational conditions in companies and public institutions.
Thanks to its systematic structure, with the seven protection goals, the SDM cube and the catalog of reference measures, the model provides a reliable basis for analyzing, evaluating and improving data protection processes in a targeted manner. The focus is not only on compliance with legal requirements, but also on establishing a sustainable data protection culture that creates trust among customers, partners and supervisory authorities.
For data protection officers, the SDM acts as a methodical tool that provides guidance both in the design of new processing activities and in the optimization of existing processes. It makes it easier to present arguments to management, to communicate with IT departments and to proceed with audits or inspections.
In addition, the SDM supports the continuous improvement of data protection measures in the sense of a living data protection management system. It is therefore not just a testing or verification instrument, but a strategic tool for data protection-friendly organizational development.