On April 13, 2017, the North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information published an English translation of the draft Standard Data Protection Model (“SDM”). The SDM was adopted in November 2016 at the Conference of the Federal and State Data Protection Commissioners.
German data protection authorities (“DPAs”) are currently reviewing the SDM, and the final version is expected to be published later this year. The English version of the SDM is a literal translation of the German text. The German DPAs are currently preparing an international version of the SDM.
The SDM contains a catalogue of data security measures and creates a methodology for how the EU General Data Protection Regulation’s (“GDPR’s”) general security requirements should be implemented in practice. The SDM aims to harmonize how German DPAs review data security measures. The SDM also aims to assist companies in planning, implementing and reviewing their data security measures. The SDM structures the legal requirements in terms of data protection goals, such as data minimization, availability, integrity, confidentiality, transparency, “unlinkability” and “intervenability.”
In the current version, the SDM takes into account the GDPR wherever it contains references to German legal requirements, and is applicable until the GDPR takes effect in May 2018.