Technical and organizational measures (TOMs)

TOMs for Data Protection

Technical and Organizational Measures (TOMs) are guidelines that personal data that is processed, collected or used must follow to meet the security and protection requirements of the GDPR.

What is it anyway?

Technical and organizational measures (TOMs) are guidelines that govern the processing, collection, and use of personal data with the aim of meeting the stringent security and protection requirements outlined by the GDPR. TOMs encompass a variety of subject areas, including physical measures (e.g. alarm systems in buildings), digital measures (hardware and software) and procedural measures (e.g. the dual control principle).

In data protection, TOMs are mainly present in the digital environment. These include user accounts, passwords, data backups, firewalls, virus scanners and biometric user identification.

Why do I need to document this?

In case there's a serious data breach or violation of data protection rules, TOMs can demonstrate that proper steps were taken to protect the data. It's crucial for the company to document these measures early on, before authorities ask for it. This documentation starts as soon as personal data is being processed, typically when data like email addresses for newsletters or general customer information is collected.

Right after data collection and documentation begin, it's important to make sure that the TOMs align with the needs of the industry. For example, a doctor's office that handles sensitive patient data, like insurance numbers and medical records, needs more robust IT infrastructure security compared to a tradesperson who stores customer data on a platform like Excel. Each situation has different expectations for data protection, and the TOMs should be tailored accordingly to meet these requirements. 

What do I need to pay attention to when creating it?

When creating TOMs, it's crucial to consider the different categories involved. We can split them into technical measures and organizational measures. Technical measures cover physical safeguards that ensure the security of data processing, such as locks on windows and doors or alarm systems. On the other hand, organizational measures involve guidelines and procedures for employees to follow, such as visitor registration protocols or the dual control principle. It's worth noting that both types of measures can be found within various control categories, each of which should be documented separately.

These control categories can be divided into physical access control, logical access control, separation requirement, input control, disclosure control and availability control.

In accordance with Article 32 (1) of the GDPR, several factors must be considered when introducing technical and organizational measures, such as the current state of the art, implementation costs, and the nature, scope, circumstances and purposes of the processing of personal data. It is therefore important that the intended processing of data is secured: the data processing systems must be highly resilient, and there must be procedures for recovering personal data after a data loss. Data should always be processed in encrypted and pseudonymous form.

When designing the TOMs, it is imperative to consider the likelihood and the severity of risks to the rights and freedoms of the individuals whose data is being processed. 
