On January 23, 2024, the Federal Data Protection and Information Commissioner (FDPIC) released its Guide to Technical and Organizational Data Protection Measures (TOM) (the guide), designed to aid in the implementation of appropriate measures to ensure protection of personal data, taking into consideration current regulations and standards.

The FDPIC noted that the guide is primarily intended for private individuals in charge of information systems, whether technicians or not, who deal directly with personal data management.

What is included in the guide?

In particular, the guide provides instructions on:

• how to conduct a Data Protection Impact Assessment (DPIA);
• data subject rights and the duty to provide information to data subjects;
• concrete measures to be taken to protect personal data, such as Privacy by Design and by Default, encryption, pseudonymization, anonymization, minimization, randomization, and using synthetic data;
• measures to protect the infrastructure where the personal data is located, such as security of premises, server room security, and use of cloud services;
• measures to secure data use and management, notably covering access management, and data life cycle and logging; and
• measures to secure personal data when it is shared or transmitted, including when it is shared with data processors.

The guide also contains brief recommendations for public bodies.

You can read the press release here and download the guide here.