The German TeleTrusT – Bundesverband IT-Sicherheit e.V. has published a “Handout” on the so-called state of the art. The state of the art is mentioned in Art. 32 (1) GDPR as one of several criteria to be considered when determining the adequacy of technical and organizational measures. In this context, the state of the art lies between
- the “State of science and research”, which offers higher security but has less recognition and has proven itself less in practice, and
- the “Generally recognized rules of technology”, which offer lower security.
In this context, the state of the art is described as:
“The procedures, facilities or modes of operation available in the movement of goods and services, the application of which can most effectively ensure the achievement of the respective legal protection objectives.”
The handout describes technical measures organized by topic and places them in each case on the continuum between the generally accepted rules of technology and the state of the art in science and research. Example:
What action (procedures, facilities, or methods of operation) is described in this section?
The following measures are useful for protecting the stored data:
- Encrypted transfer of files to and from the file sharing service
- Client-side end-to-end encryption of data for the recipient before transfer to cloud storage, either
  - through encryption integrated into the data exchange service, in the client software belonging to the cloud storage, or
  - using separate end-to-end encryption software on the client
In particular, the following questions should be considered:
- Who operates the service and does the operator have access to the data, if applicable?
- How is the data protected during transport to and from the operator?
If the service is operated by a trusted entity, then end-to-end encryption of the data itself may not be necessary under certain circumstances, but it is generally sensible even for trusted operators.
File exchange services are available where data is encrypted transparently before upload, i.e. without any special action by the user, and decrypted again after download. The operator then sees only encrypted data. Alternatively, client-side encryption software can be used to provide end-to-end encryption of data before upload or after download. However, these solutions usually require additional effort on the part of the user. When it comes to encryption, care should be taken to use secure procedures for encryption and for key generation and key management.
Under no circumstances should the encryption of data during transport to and from the operator be dispensed with (transport encryption, usually TLS).
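The client-side end-to-end encryption described above can be made concrete with a small model of the flow: the sender encrypts on its own machine, the operator stores only the resulting blob, and the recipient decrypts after download. The following Go program is an added example, not code from the TeleTrusT handout or from any particular file exchange product. It assumes AES-256-GCM from Go's standard library, a fresh random key per file, and binds the filename as associated data; the sample file content is constructed for the example. It also shows the two properties the handout's questions ask about: the operator cannot read the stored data, and any modification of the stored blob is detected on download instead of yielding silently corrupted plaintext. Key storage and distribution to the recipient are deliberately left out, which is exactly the "key generation and key management" effort the text says these solutions add for the user.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the file exchange operator actually stores: the nonce and the
// AES-GCM ciphertext (which carries its authentication tag). The key is not part of it.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewFileKey generates a fresh 256-bit key on the client. How this key is protected
// and handed to the recipient is the key management the handout refers to; the key
// never travels to the operator.
func NewFileKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptForUpload performs client-side end-to-end encryption before the file leaves
// the client. The filename is bound as associated data so a stored blob cannot be
// swapped under a different name without the recipient noticing.
func EncryptForUpload(key, plaintext []byte, filename string) (Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit random nonce, fresh for every file
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(filename))
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptAfterDownload reverses EncryptForUpload on the recipient's client. Any change
// to nonce, ciphertext or filename made in storage or in transit makes Open return an
// error, so tampering is detected rather than decrypted into garbage.
func DecryptAfterDownload(key []byte, env Envelope, filename string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(filename))
}

// OperatorCanReadPlaintext models the handout's question "does the operator have
// access to the data?": it reports whether the stored blob still contains the plaintext.
func OperatorCanReadPlaintext(env Envelope, plaintext []byte) bool {
	return bytes.Contains(env.Ciphertext, plaintext)
}

func main() {
	plaintext := []byte("Quarterly figures, internal only") // constructed sample file
	key, err := NewFileKey()
	if err != nil {
		panic(err)
	}
	env, err := EncryptForUpload(key, plaintext, "figures.txt")
	if err != nil {
		panic(err)
	}
	fmt.Println("operator sees plaintext:", OperatorCanReadPlaintext(env, plaintext))

	// Simulate a modified blob in storage: a single flipped bit must be rejected.
	tampered := env
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, err = DecryptAfterDownload(key, tampered, "figures.txt")
	fmt.Println("tampered blob rejected:", err != nil)

	out, err := DecryptAfterDownload(key, env, "figures.txt")
	if err != nil {
		panic(err)
	}
	fmt.Println("recipient recovers:", string(out))
}
```

Transport encryption (TLS) is still required on top of this: the envelope hides the file content, but the upload and download themselves, including metadata such as filenames and account identity, are protected only by the transport layer.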
These measures are classified as follows:
It is important to note that the state of the art is only one of several criteria in the assessment of appropriateness. The measures described in the handout are therefore not mandatory. A company may – and must – also take into account, for example, the economic efficiency of possible measures.