2023-03-04

We are always pleased that our free “TOM order processing checklist according to Art. 28 + 32 GDPR – technical and organizational measures” is so well received. We also appreciate the regular feedback we get on it, by email or in the comments on our website. When questions and comments reach us by email, neither they nor our replies are visible on the website to other users of the checklist. So let’s pick up a few of those points here:

“The checklist does not include all of our internal technical and organizational protective measures.”

Well, that’s what the free fields are for, in which you can enter other existing protective measures. The free text field at the end of each section can also be used for further lists or descriptions.

“The TOM order processing checklist contains a number of measures that we don’t even have.”

That’s no problem. If in doubt, simply leave those items blank. Or, even better: since these measures have proven themselves across the board and quite independently of the organizational form, you could also consider whether they should be implemented or introduced in your company. Just as an idea…

“Wouldn’t it be helpful if the protective measures mentioned immediately referenced the specific building blocks and requirements from IT baseline protection or controls and objectives from ISO 27001?”

Yes. 🙂 However, since those standards are continuously revised, the checklist would then have to be updated regularly to track changes in the ISMS standards. We’re happy to take up the idea, but we can’t promise that it will be implemented in the future.

“The state data protection officer responsible for us (an authority) denies the obligation of confidentiality, since there is official secrecy! Then why is it on the checklist?”

a) Because there are also other perspectives, and b) the checklist is not limited to use in authorities (greetings from the bigger picture 😉).

And even if one shares this view of the supervisory authority, the written commitment at the end of a documented and regulated onboarding process can still serve as proof that the process was carried out correctly. Incidentally, an onboarding process does not mean putting hundreds of pages of guidelines and instructions (or, alternatively, a general reference to all existing guidelines on the intranet) on the table in front of the employee and having acknowledgment and compliance confirmed in one go. 🙂 It should also be noted that the supervisory authorities initially only represent an opinion, which is neither an obligation nor law. One can and may hold a different opinion, at least if there are good reasons for doing so. And such reasons are not that rare at all 😉

“Will the TOM order processing checklist be further developed?”

Yes, of course. However, we have not planned a fixed update interval for this. But the current version number, 3.1, alone shows that the list is “alive”.

“Can you buy the checklist?”

No. But it is available for use within the defined scope. If you want to “brand” it, please feel free to contact us.