
Regulator guidance · surfaced resource

The Standard Data Protection Model (SDM)

Datenschutzkonferenz (Germany) · Methodology / framework

A regulator-built method that converts the GDPR's abstract "appropriate technical and organisational measures" duty into seven concrete, testable protection goals — each mapped to a catalogue of reference measures. Developed by a sub-group of the DSK, the conference of Germany's federal and state data protection authorities.

Published by: Datenschutzkonferenz (DSK) — Germany's federal & state data protection authorities
Type: Methodology / framework (with a reference-measures catalogue)
Jurisdiction: Germany / EEA — GDPR Art. 5, 24, 25, 32
Primary audience: DPOs, security / IT teams & DPIA authors (secondarily controllers and processors building TOMs)
Topic tags: TOMs / security · accountability · DPIA · data protection by design · Art. 32
Availability: English translation of Version 3.0a (2022); current German version V3.1a (2024). The method is in English; the reference-measures catalogue is largely German.

Why it matters

Article 32 requires "appropriate" technical and organisational measures but never defines what appropriate looks like — most teams fill that gap with a control checklist and hope it survives scrutiny. The SDM closes it: it transforms the Article 5 principles and the Article 24/25/32 duties into seven "guarantees to be achieved" — data minimisation, availability, integrity, confidentiality, unlinkability ("no concatenation"), transparency and intervenability ("possibility of intervention") — each with a catalogue of reference measures. That gives a DPO a defensible, auditable way to show why a given control set is appropriate — exactly what Article 5(2) accountability demands — and it doubles as a ready-made structure for the TOMs section of a DPIA (Article 35) or an Article 28 processor schedule. The method is in English; the detailed measures catalogue is largely not. It is one of the few regulator-backed methods that makes "appropriateness" demonstrable rather than asserted — yet, being German in origin, it stays off most UK practitioners' radar.

A Weekly Guidance Watch resource entry, curated by VulaPri. We summarise and link to the original; we do not reproduce or host it.