Technical and Organizational Measures (TOMs): What They Are and Why They Matter Under GDPR

Arthur
16.06.2023

TOMs for Data Protection

Technical and Organizational Measures (TOMs) are the concrete safeguards an organization puts in place so that the personal data it collects, processes or uses is protected to the standard the GDPR demands.

Technical and organizational measures (TOMs) are a central component of the General Data Protection Regulation (GDPR) and form the backbone of any data protection strategy. These measures are crucial to ensure the security of personal data during its processing and to minimize the risks for the data subjects. They include physical security measures, digital safeguards, and procedural policies, all of which are designed to ensure a high level of data security.

But what exactly do these measures entail, why are they so important, and how should they be documented and implemented? In this article, we examine the essential aspects of TOMs, explain their significance in day-to-day data protection, and provide an overview of what companies need to consider in order to meet legal requirements.

Find out why it is essential to document TOMs from the outset, which categories of controls need to be considered, and how organizations can implement the appropriate measures for their industry.

What Are Technical and Organizational Measures?

Technical and organizational measures (TOMs) are the real-world actions you take to safeguard data. They’re not just IT settings or compliance checkboxes. They’re habits your organization builds, through technology, policy, and culture, to handle data responsibly.

  • Technical measures include the tools and technologies: encryption, secure servers, and multi-factor authentication.
  • Organizational measures cover internal policies, staff training, access protocols, and clearly defined responsibilities.

Together, they form the foundation of your GDPR compliance strategy. And more importantly, they reduce the risk of data breaches and privacy violations.

TOMs Are Not One-Size-Fits-All

The GDPR makes one thing clear: security measures must be appropriate to the risk (Article 32(1)). That means your TOMs need to reflect how sensitive the data is, what you’re doing with it, and what could go wrong if something fails.

So yes - every company needs TOMs. But the specific mix of controls will look very different for:

  • A dentist’s office handling patient records
  • A SaaS company storing user credentials
  • A marketing agency collecting newsletter signups

Why Do I Need to Document This?

If there is a serious data breach or a suspected violation of data protection rules, documented TOMs are how you demonstrate that appropriate steps were taken to protect the data. Under the accountability principle (Article 5(2) GDPR) the burden of showing compliance lies with you, so the documentation has to exist before a supervisory authority asks for it. Start it as soon as personal data is being processed at all, typically when the first email addresses for a newsletter or the first customer records are collected.

Once data collection and documentation have begun, make sure the TOMs match the risk profile of your industry. A doctor's office that handles sensitive patient data, such as insurance numbers and medical records, needs considerably more robust IT security than a tradesperson who keeps customer contact details in a spreadsheet such as Excel. Each situation carries different expectations for data protection, and the TOMs should be tailored accordingly.

A Closer Look at the Core GDPR TOM Categories

Article 32 GDPR does not hand you a fixed catalogue of controls. It names pseudonymization and encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore access to data promptly after an incident, and regular testing of the measures in place. The control categories below are how TOM documentation conventionally breaks those obligations down (the scheme goes back to the annex of the former German Federal Data Protection Act, and supervisory authorities still expect to see it). Here’s how they translate into the real world:

Access Control

Make sure only the right people can access the right data.

  • Use role-based permissions
  • Set up secure logins with MFA
  • Remove access quickly when staff leave

Transmission Control

Keep data safe when it’s being sent or received.

  • Encrypt data in transit (HTTPS, SFTP)
  • Use secure cloud storage or VPNs
  • Don’t send personal data over unencrypted email

Input Control

Track who’s changing what and when.

  • Enable detailed logging
  • Require individual user accounts (no shared logins)
  • Use audit trails, especially for sensitive records
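Logging and audit trails only hold up if the log itself cannot be quietly edited. The following added example (written for this article, not code from heyData) shows a hash-chained audit trail: every entry names an individual account, records the before/after state of a change, and commits to the previous entry's hash, so editing, reordering or removing an entry breaks the chain. The user names, record IDs and field values are constructed sample data, and the rejection of generic account names is a simple stand-in for a real identity check.

```python
"""Tamper-evident audit trail for input control (added example, not heyData's code).
Sample users, record IDs and values are constructed for the demo."""
import copy
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64                                        # prev_hash of the first entry
GENERIC_ACCOUNTS = {"admin", "root", "shared", "service"}  # no shared logins allowed


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation: same body -> same bytes -> same hash.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _digest(body: dict) -> str:
    return hashlib.sha256(_canonical(body)).hexdigest()


def append_entry(log: list, actor: str, action: str, record_id: str,
                 before=None, after=None, ts: Optional[str] = None) -> dict:
    """Append an entry attributed to an individual account and chained to its predecessor."""
    if not actor or actor.lower() in GENERIC_ACCOUNTS:
        raise ValueError("audit entries must name an individual account, not a shared login")
    body = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,            # read / update / delete / export ...
        "record_id": record_id,
        "before": before,            # changed fields only, not the whole record
        "after": after,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry = dict(body, hash=_digest(body))
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Recompute every hash and check the linkage. Returns (ok, first_bad_seq)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev:
            return False, i          # entry moved, removed, or inserted
        if _digest(body) != entry["hash"]:
            return False, i          # entry content edited
        prev = entry["hash"]
    return True, None


def build_sample_log() -> list:
    """Three constructed entries from a fictitious practice management system."""
    log = []
    append_entry(log, "m.mueller", "update", "patient/4711",
                 before={"phone": "+49 30 0000001"}, after={"phone": "+49 30 0000002"},
                 ts="2025-03-01T09:00:00+00:00")
    append_entry(log, "s.schmidt", "read", "patient/4711", ts="2025-03-01T09:05:00+00:00")
    append_entry(log, "m.mueller", "delete", "patient/0815",
                 before={"status": "active"}, after=None, ts="2025-03-01T09:20:00+00:00")
    return log


def tamper(log: list, cover_tracks: bool = False) -> list:
    """Simulate someone rewriting history: blame entry 0 on another user.
    With cover_tracks the edited entry's own hash is recomputed as well."""
    forged = copy.deepcopy(log)
    forged[0]["actor"] = "s.schmidt"
    if cover_tracks:
        body = {k: v for k, v in forged[0].items() if k != "hash"}
        forged[0]["hash"] = _digest(body)
    return forged


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))                          # (True, None)
    print("edited:", verify_chain(tamper(log)))                  # (False, 0)
    print("edited and rehashed:", verify_chain(tamper(log, True)))  # (False, 1)
```

Verification detects edits, reordering and removal of any entry that has a successor; silently dropping the newest entries is not detectable unless the latest hash is periodically anchored somewhere the log writer cannot reach (a separate log sink, a write-once bucket, or a signed timestamp). Keep `before` and `after` to the changed fields so the audit log does not become a second copy of the patient record.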

Separation Control

Avoid mixing data that shouldn’t be processed together.

  • Separate HR data from marketing data
  • Restrict internal access based on purpose
  • Clarify data usage in your records of processing

Availability Control

Ensure systems and data stay up and running—even if things go wrong.

  • Back up data regularly (and test your restores)
  • Create a disaster recovery plan
  • Set up redundant infrastructure where needed

Pseudonymization and Encryption

Make data less useful to attackers—even if they get their hands on it.

  • Encrypt files, databases, and backups
  • Use pseudonymized identifiers instead of names
  • Store encryption keys securely and separately
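The difference between a keyed pseudonym and a plain hash is where many implementations go wrong, so here is an added example (written for this article, not heyData's or any vendor's code) in Python. It pseudonymizes email addresses with HMAC-SHA256 under a key kept apart from the dataset, splits the records into an analytics view and a separately held lookup table, and then plays the attacker: given a list of plausible addresses, an unkeyed SHA-256 is reversed immediately, while the HMAC output is not. The records and candidate addresses are constructed sample data.

```python
"""Keyed pseudonymization with the key stored apart from the data (added example,
not heyData's code). Records and candidate addresses are constructed sample data."""
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample records, as a SaaS user table might look.
SAMPLE_RECORDS = [
    {"email": "Anna.Example@example.org", "plan": "pro", "logins_30d": 12},
    {"email": "ben.muster@example.com", "plan": "free", "logins_30d": 3},
    {"email": "c.test@example.net", "plan": "pro", "logins_30d": 27},
]
# What an attacker might hold: plausible addresses, e.g. from an earlier leak.
CANDIDATE_EMAILS = [r["email"] for r in SAMPLE_RECORDS] + [
    "nobody@example.net", "info@example.org", "dpo@example.com",
]


def new_key() -> bytes:
    """Pseudonymization key. In production this comes from a KMS/HSM or secret store,
    never from a file next to the pseudonymized dataset."""
    return secrets.token_bytes(32)


def _normalise(identifier: str) -> bytes:
    # Case and whitespace differences must not produce different pseudonyms.
    return identifier.strip().lower().encode()


def pseudonymize(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: deterministic for one key (so records can still be joined),
    but not computable, and therefore not guessable, without the key."""
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()[:32]


def naive_hash(identifier: str) -> str:
    """The common mistake: an unkeyed hash. It looks opaque but anyone can recompute it."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()[:32]


def split_dataset(records: list, key: bytes):
    """Return (analytics_view, lookup_table). The analytics view carries no direct
    identifiers; only the lookup table, stored with the key, resolves a pseudonym."""
    analytics, lookup = [], {}
    for r in records:
        pid = pseudonymize(r["email"], key)
        lookup[pid] = r["email"]
        analytics.append({"pid": pid, "plan": r["plan"], "logins_30d": r["logins_30d"]})
    return analytics, lookup


def reverse_by_dictionary(target: str, candidates: list,
                          fn: Callable[[str], str]) -> Optional[str]:
    """Attacker model: run every plausible identifier through the same function
    and see which one produces the target value."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), target):
            return candidate
    return None


if __name__ == "__main__":
    key = new_key()
    wrong_key = new_key()
    analytics, lookup = split_dataset(SAMPLE_RECORDS, key)
    target_naive = naive_hash(SAMPLE_RECORDS[0]["email"])
    target_keyed = analytics[0]["pid"]
    print("unkeyed hash reversed to:",
          reverse_by_dictionary(target_naive, CANDIDATE_EMAILS, naive_hash))
    print("keyed pseudonym, no key:",
          reverse_by_dictionary(target_keyed, CANDIDATE_EMAILS, naive_hash))
    print("keyed pseudonym, wrong key:",
          reverse_by_dictionary(target_keyed, CANDIDATE_EMAILS, lambda c: pseudonymize(c, wrong_key)))
    print("keyed pseudonym, right key:",
          reverse_by_dictionary(target_keyed, CANDIDATE_EMAILS, lambda c: pseudonymize(c, key)))
```

Two caveats a practitioner should keep in mind. Pseudonymized data is still personal data under the GDPR (Recital 26) as long as the key or the lookup table exists anywhere, so the analytics view still needs TOMs, just lighter ones. And a single organisation-wide key means every dataset can be joined on `pid`; if that linkage is not needed for the purpose, derive a separate key per purpose.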

TOMs in Today’s Tech Landscape: Cloud, AI, and Remote Work

TOMs aren’t frozen in time - they evolve as your tech stack does. Let’s explore what that means in 2025.

Cloud Services

Most companies use cloud platforms, but entrusting your data to someone else does not exempt you from your GDPR responsibilities.

  • Understand the shared responsibility model
  • Work with providers who offer clear security commitments
  • Review their certifications and audit reports (for example ISO/IEC 27001)
  • Encrypt sensitive data before uploading

AI and Automated Decision-Making

If you’re training models on personal data or using AI to profile users, TOMs matter more than ever.

  • Use pseudonymized datasets during model training
  • Document how decisions are made and reviewed
  • Restrict access to model outputs, especially if they affect individuals’ rights

Remote and Hybrid Work

Security isn’t just about office networks anymore.

  • Require VPNs for off-site access
  • Encrypt laptops and mobile devices
  • Provide ongoing staff training to prevent home-office data leaks
  • Use mobile device management (MDM) to enforce security standards remotely
