Technical and organizational measures
TOMs for Data Protection
Technical and Organizational Measures (TOMs) are the safeguards that must be in place whenever personal data is processed, collected or used, so that the security and protection requirements of the GDPR are met.
Technical and organizational measures (TOMs) are a central component of the General Data Protection Regulation (GDPR) and form the backbone of any data protection strategy. These measures are crucial to ensure the security of personal data during its processing and to minimize the risks for the data subjects. They include physical security measures, digital safeguards, and procedural policies, all of which are designed to ensure a high level of data security.
But what exactly do these measures entail, why are they so important, and how should they be documented and implemented? In this article, we examine the essential aspects of TOMs, explain their significance in day-to-day data protection, and provide an overview of what companies need to consider in order to meet legal requirements.
Find out why it is essential to document TOMs from the outset, which categories of controls need to be considered, and how organizations can implement the appropriate measures for their industry.
What is it anyway?
Technical and organizational measures (TOMs) are the safeguards that govern the processing, collection, and use of personal data so that the stringent security and protection requirements of the GDPR are met. TOMs encompass a variety of subject areas: physical (for example, alarm systems in buildings), digital (hardware and software) and procedural (for example, the dual control principle).
In data protection, TOMs are mainly present in the digital environment. These include user accounts, passwords, data backups, firewalls, virus scanners, and biometric user identification.
Why do I need to document this?
If a serious data breach or violation of data protection rules occurs, documented TOMs can demonstrate that appropriate steps were taken to protect the data. The company must therefore document these measures early on, before an authority asks for them. Documentation starts as soon as personal data is processed, typically when data such as email addresses for newsletters or general customer information is first collected.
As soon as data collection and documentation begin, it is important to make sure that the TOMs match the needs of the industry. For example, a doctor's office that handles sensitive patient data, such as insurance numbers and medical records, needs more robust security for its IT infrastructure than a tradesperson who keeps customer data in a spreadsheet such as Excel. Each situation carries different expectations for data protection, and the TOMs should be tailored accordingly.
What do I need to pay attention to when creating it?
When creating TOMs, it is crucial to consider the different categories involved. They can be split into technical measures and organizational measures. Technical measures are the physical and technical safeguards that secure data processing, such as locks on windows and doors or alarm systems. Organizational measures, on the other hand, are the guidelines and procedures that employees must follow, such as visitor registration or the dual control principle. Both types of measures appear within the various control categories, each of which should be documented separately.
These control categories are physical access control (to premises), logical access control (to systems and data), the separation requirement, input control, disclosure control, and availability control.
Under Article 32(1) of the GDPR, several factors must be weighed when introducing technical and organizational measures: the current state of the art, the implementation costs, and the nature, scope, circumstances, and purposes of the processing of personal data. The processing itself must therefore be secured: data processing systems must be resilient, and procedures must exist for restoring personal data after a data loss. Data should always be processed in encrypted and pseudonymized form.
When designing the TOMs, it is imperative to consider the likelihood and the severity of risks to the rights and freedoms of the individuals whose data is being processed.