Technical and organizational measures


Technical and Organizational Measures (TOMs) are the safeguards that must be in place wherever personal data is processed, collected or used, so that the security and protection requirements of the GDPR are met.

What is it anyway?

Technical and organizational measures (TOMs) are guidelines that govern the processing, collection, and use of personal data with the aim of meeting the stringent security and protection requirements set out in the GDPR. TOMs encompass a variety of subject areas and can be physical (alarm systems in buildings), digital (hardware and software) or procedural (the dual control principle).

In data protection, TOMs are mainly present in the digital environment. These include user accounts, passwords, data backups, firewalls, virus scanners and biometric user identification.

Why do I need to document this, and why do I need it at all?

If there is a serious data breach or a violation of data protection rules, documented TOMs can demonstrate that proper steps were taken to protect the data. It is therefore crucial for the company to document these measures early on, before an authority asks for them. The documentation obligation starts as soon as personal data is being processed, typically when data such as email addresses for newsletters or general customer information is first collected.

As soon as data collection and documentation begin, it is important to make sure that the TOMs match the needs of the industry. For example, a doctor's office that handles sensitive patient data, such as insurance numbers and medical records, needs more robust IT infrastructure security than a tradesperson who stores customer data in a spreadsheet such as Excel. Each situation carries different expectations for data protection, and the TOMs should be tailored accordingly to meet those requirements.

What do I need to pay attention to when creating it?

When creating TOMs, it is crucial to consider the different categories involved. We can split them into technical measures and organizational measures. Technical measures cover physical safeguards that ensure the security of data processing, such as locks on windows and doors or alarm systems. Organizational measures, on the other hand, are guidelines and procedures for employees to follow, such as visitor registration protocols or the dual control principle. It is worth noting that both types of measures appear within the various control categories, each of which should be documented separately.

These control categories are access control to premises, access control to systems and data, the separation requirement, input control, disclosure control and availability control.

In accordance with Article 32 (1) of the GDPR, several factors must be considered when introducing technical and organizational measures, such as the current state of the art, the implementation costs, and the nature, scope, circumstances and purposes of the processing of personal data. It is therefore important that processing for the intended purpose is secured: the data processing systems must be highly resilient, and there must be procedures for restoring personal data after a loss. Data should always be processed in encrypted and pseudonymised form.

When designing the TOMs, it is imperative to consider both the likelihood and the severity of risks to the rights and freedoms of the individuals whose data is being processed.
