Our free checklist for TOMs!
Check all aspects of technical and organizational measures with our free checklist.
Technical and Organizational Measures (TOMs): What They Are and Why They Matter Under GDPR
'%3e%3cpath%20d='M26.6667%2020.022L30%2023.3553V26.6886H21.6667V36.6886L20%2038.3553L18.3333%2036.6886V26.6886H10V23.3553L13.3333%2020.022V8.35531H11.6667V5.02197H28.3333V8.35531H26.6667V20.022Z'%20fill='%230AA971'/%3e%3c/g%3e%3c/svg%3e)
TOMs Explained: Practical Data Protection for Modern Businesses
Technical and Organizational Measures (TOMs) are the foundation of GDPR compliance, blending technology, policy, and practice to secure personal data. This article breaks down what TOMs involve, how they differ across industries, and why proper documentation is critical from day one. Discover practical examples, legal requirements, and expert tips to tailor TOMs to your business in today’s cloud-first, AI-driven world.
Technical and Organizational Measures (TOMs) are a legal requirement under the EU General Data Protection Regulation (GDPR) and foundational to any effective data protection strategy. These technical and procedural safeguards are designed to protect personal data from unauthorized access, loss, or misuse during processing activities.
TOMs include everything from encryption and access control systems to employee training and incident response plans. Their purpose is clear: to reduce risks to data subjects and ensure a high standard of security, accountability, and compliance across your organization.
In this article, we explain what TOMs are in the context of GDPR, why they are critical for data protection compliance, and how businesses can implement and document them effectively. You’ll also learn:
- What types of TOMs does your organization need
- Why you need to document TOMs to meet GDPR Article 32 requirements
- Why industry-specific risks and technologies matter in selecting appropriate measures
- How TOMs contribute to GDPR accountability and audit readiness
Whether you're a data controller, processor, or compliance officer, understanding and applying the right TOMs is essential to protecting personal data and avoiding regulatory penalties.
Table of Contents:
What Are Technical and Organizational Measures?
Technical and organizational measures (TOMs) are the real-world actions you take to safeguard data. They’re not just IT settings or compliance checkboxes. They’re habits your organization builds, through technology, policy, and culture, to handle data responsibly.
- Technical measures include the tools and technologies: encryption, secure servers, and multi-factor authentication.
- Organizational measures cover internal policies, staff training, access protocols, and clearly defined responsibilities.
Together, they form the foundation of your GDPR compliance strategy. And more importantly, they reduce the risk of data breaches and privacy violations.
Our free checklist for TOMs!
Check all aspects of technical and organizational measures with our free checklist.
TOMs Are Not One-Size-Fits-All
The GDPR makes one thing clear: security measures should be proportionate to risk. That means your TOMs need to reflect how sensitive the data is, what you’re doing with it, and what could go wrong if something fails.
So yes - every company needs TOMs. But the specific mix of controls will look very different for:
- A dentist’s office handling patient records
- A SaaS company storing user credentials
- A marketing agency collecting newsletter signups
Why Do I Need to Document This?
In case there's a serious data breach or violation of data protection rules, TOMs can demonstrate that proper steps were taken to protect the data. The company must document these measures early on before authorities ask for it. This documentation starts as soon as personal data is being processed, typically when data like email addresses for newsletters or general customer information is collected.
Right after data collection and documentation begin, it's important to make sure that the TOMs align with the needs of the industry. For example, a doctor's office that handles sensitive patient data, like insurance numbers and medical records, needs more robust IT infrastructure security compared to a tradesperson who stores customer data on a platform like Excel. Each situation has different expectations for data protection, and the TOMs should be tailored accordingly to meet these requirements.
A Closer Look at the Core GDPR TOM Categories
GDPR Article 32 outlines several areas where Technical and Organizational Measures should apply. Here's what they mean in practice for your business:
Access Control
Make sure only the right people can access the right data.
- Use role-based permissions
- Set up secure logins with MFA
- Remove access quickly when staff leave
Transmission Control
Keep data safe when it’s being sent or received.
- Encrypt data in transit (HTTPS, SFTP)
- Use secure cloud storage or VPNs
- Don’t send personal data over unencrypted email
Input Control
Track who’s changing what and when.
- Enable detailed logging
- Require individual user accounts (no shared logins)
- Use audit trails, especially for sensitive records
Separation Control
Avoid mixing data that shouldn’t be processed together.
- Separate HR data from marketing data
- Restrict internal access based on purpose
- Clarify data usage in your records of processing
Availability Control
Ensure systems and data stay up and running—even if things go wrong.
- Back up data regularly (and test your restores)
- Create a disaster recovery plan
- Set up redundant infrastructure where needed
Pseudonymization and Encryption
Make data less useful to attackers—even if they get their hands on it.
- Encrypt files, databases, and backups
- Use pseudonymized identifiers instead of names
- Store encryption keys securely and separately
TOMs in Today’s Tech Landscape: Cloud, AI, and Remote Work
TOMs aren’t frozen in time - they evolve as your tech stack does. Let’s explore what that means in 2025.
Cloud Services
Most companies use cloud platforms, but entrusting your data to someone else does not exempt you from your GDPR responsibilities.
- Understand the shared responsibility model
- Work with providers who offer clear security commitments
- Review their certifications (ISO 27001)
- Encrypt sensitive data before uploading
AI and Automated Decision-Making
If you’re training models on personal data or using AI to profile users, TOMs matter more than ever.
- Use pseudonymized datasets during model training
- Document how decisions are made and reviewed
- Restrict access to model outputs, especially if they affect individuals’ rights
Remote and Hybrid Work
Security isn’t just about office networks anymore.
- Require VPNs for off-site access
- Encrypt laptops and mobile devices
- Provide ongoing staff training to prevent home-office data leaks
- Use mobile device management (MDM) to enforce security standards remotely