Technical and organizational measures

TOMs for Data Protection

Technical and Organizational Measures (TOMs) are the safeguards a controller or processor puts in place wherever personal data is processed, collected or used, so that the processing meets the security and protection requirements of the GDPR.

What is it anyway? 

Technical and organizational measures (TOMs) are the safeguards that govern how personal data is processed, collected and used, with the aim of meeting the security and protection requirements set out in the GDPR. TOMs cover a variety of areas: physical (alarm systems in buildings), digital (hardware and software) and procedural (the dual control principle, under which sensitive actions require two people).

In day-to-day data protection work, most TOMs are technical controls in the IT environment: user accounts, passwords, data backups, firewalls, virus scanners and biometric user identification.

Why do I need to document this?

If a serious data breach or another violation of data protection rules occurs, the documented TOMs are the evidence that appropriate steps had been taken to protect the data. A company should therefore document its measures early, before a supervisory authority asks for them. The obligation begins as soon as personal data is processed at all, typically the moment email addresses for a newsletter or general customer information are collected.

Once data collection and documentation have begun, the TOMs must be checked against the requirements of the industry. A doctor's office that handles sensitive patient data, such as insurance numbers and medical records, needs considerably stronger IT security than a tradesperson who keeps customer data in an Excel spreadsheet. Each situation carries different expectations for data protection, and the TOMs should be tailored to meet them.

What do I need to pay attention to when creating it?

When creating TOMs, it is important to keep the different categories apart. The first split is between technical and organizational measures. Technical measures are safeguards built into the physical or IT environment that secure data processing, such as locks on windows and doors, alarm systems, or the user account, password and backup controls mentioned above. Organizational measures are rules and procedures that employees follow, such as visitor registration or the dual control principle. Both types of measure appear within each of the control categories below, and each category should be documented separately.

The usual control categories are access control (physical access to premises, and logical access to systems and to the data they hold), the separation requirement, input control, disclosure control and availability control.

Under Article 32(1) of the GDPR, the choice of technical and organizational measures must take into account the state of the art, the cost of implementation, and the nature, scope, context and purposes of the processing. The article names, as appropriate to the risk, the pseudonymisation and encryption of personal data; the ongoing confidentiality, integrity, availability and resilience of the processing systems; the ability to restore availability of and access to personal data in a timely manner after a physical or technical incident; and a process for regularly testing and evaluating the effectiveness of the measures. Encryption and pseudonymisation are therefore not an unconditional rule, but they are the first measures the Regulation itself lists, and a documented risk assessment is needed to justify leaving them out.

When designing the TOMs, the decisive input is the likelihood and the severity of the risk to the rights and freedoms of the individuals whose data is being processed; the higher that risk, the stronger the measures must be.
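As an added illustration of what pseudonymisation means in practice (example code written for this page, not taken from the article or from any product), the following block contrasts an unkeyed hash of an email address, which an attacker can reverse simply by recomputing it over guessed addresses, with a keyed HMAC whose key is held separately, so that only the key holder can re-establish the link to a person. The customer records, the key and the attacker's guesses are all constructed for the demonstration.

```python
"""Pseudonymisation with a keyed HMAC, shown beside the weak unkeyed variant.

Constructed example: the records, the key and the guess list are made up for
this demonstration and do not come from the page or from any real system.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, List, Optional

# Constructed sample records (not real people).
CUSTOMERS = [
    {"email": "anna.example@example.org", "plan": "newsletter"},
    {"email": "b.mueller@example.org", "plan": "premium"},
]

# The pseudonymisation key is the "additional information" that must be kept
# separately from the pseudonymised data; in production it lives in a KMS or
# HSM with its own access control, never in the same table. Generated here
# at import time purely for the demo.
PSEUDONYM_KEY = secrets.token_bytes(32)


def weak_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. It looks opaque, but anyone holding a list of candidate
    identifiers can recompute it and match, so it is not real pseudonymisation."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256. Without the key the value cannot be recomputed from a
    guessed identifier, so re-identification is possible only for the key holder."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise_records(records: Iterable[dict], key: bytes) -> List[dict]:
    """Replace the direct identifier with its pseudonym; other fields stay usable."""
    return [{"subject": pseudonym(r["email"], key), "plan": r["plan"]} for r in records]


def dictionary_attack(target: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """Attacker model: recompute fn over guessed identifiers and compare to the
    stored value. Returns the guess that matched, or None."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), target):
            return candidate
    return None


def demo() -> dict:
    """Run the attack against both schemes and return what each reveals."""
    guesses = ["nobody@example.org", "anna.example@example.org"]
    stored_weak = weak_pseudonym(CUSTOMERS[0]["email"])
    stored_strong = pseudonym(CUSTOMERS[0]["email"], PSEUDONYM_KEY)
    attacker_key = secrets.token_bytes(32)  # the attacker does not hold the real key
    return {
        # Unkeyed hash: the guess list alone recovers the email address.
        "weak_reversed": dictionary_attack(stored_weak, guesses, weak_pseudonym),
        # Keyed HMAC without the key: no guess matches.
        "strong_reversed": dictionary_attack(
            stored_strong, guesses, lambda c: pseudonym(c, attacker_key)),
        # The legitimate key holder can still re-identify when there is a reason to.
        "re_identified_by_key_holder": dictionary_attack(
            stored_strong, guesses, lambda c: pseudonym(c, PSEUDONYM_KEY)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point for the TOM documentation is the key separation: the pseudonymised table can be handed to analytics or a processor under a weaker regime only because the HMAC key stays under a stricter one, and that split is what should be written down as the measure.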
