Technical and Organizational Measures (TOM) for Companies

Protect your business from data breaches

Technical and organisational measures (TOM)

The GDPR requires technical and organisational measures, in short TOM, to ensure the secure processing of personal data. Companies must have specific measures and procedures in place to comply with data protection requirements. The relevant regulations can be found in Article 25 of the General Data Protection Regulation (GDPR).

Technical and organisational measures refer to the security policies and procedures that companies must implement to meet the requirements of the GDPR. These measures should be based on a thorough risk analysis and include both preventive and reactive elements so that potential data protection risks are managed effectively.

Technical and organisational measures: The essentials at a glance

  • TOMs help to ensure the security of personal data.
  • Under the General Data Protection Regulation (GDPR), there is an obligation to document TOMs.
  • Implementing appropriate TOMs is a legal requirement.
  • Article 32 of the GDPR obliges companies to implement appropriate technical (e.g. encryption) and organisational (e.g. data protection guidelines) measures.
  • A GDPR risk analysis forms the basis for selecting adequate TOMs.
  • Inadequate TOMs can result in fines.
  • When selecting contractors, make sure they can demonstrate adequate TOMs.

What are technical and organisational measures (TOM)?

Technical and organisational measures (TOM) form the iron bulwark of data protection. They are divided into technical measures, which act like indispensable high-tech armour and erect a protective shield with encryption, firewall systems and access controls, and organisational measures, which are the skilled masterminds that coordinate data protection practices in line with legal requirements. The latter include policies, procedures and training that turn employees into vigilant guardians of data protection. Together, these measures form the invisible web that strengthens people's trust in the digital world and gives them the assurance that their data is in good hands.

How do technical and organisational measures (TOM) affect companies?

The GDPR sets high requirements for security in the processing of personal data and entails extensive documentation and verification obligations for companies and data protection officers. All measures taken must be documented so that, in the event of a loss, there is proof of the precautions that were in place.

Legal requirements: GDPR article in focus

The GDPR sets out specific requirements for the security of personal data in several articles. Article 25, for example, requires “Privacy by design and privacy by default”. Article 32, on the other hand, deals with the security of processing and contains explicit requirements for technical and organizational measures, including the pseudonymization and encryption of personal data.

Is there a risk of fines if TOM is inadequately implemented?

If TOM is inadequately implemented, resulting in a breach of data protection rules, this can lead to fines.

Under the GDPR, fines of up to €20 million or 4% of the global annual turnover of the company concerned, whichever is higher, can be imposed. These fines are set by the competent data protection authorities and may vary depending on the nature and severity of the breach.

It is important to note that data protection authorities do not automatically impose fines when a breach is detected. They may first take other measures, such as asking you to rectify the breaches, issuing warnings or ordering provisional or definitive measures.

Tip: Do you also work with external service providers? Then you should always have them present their technical and organisational measures to you and confirm them in writing!

Implementing technical and organisational measures not only promotes data protection, but also creates added value for companies:

  • Sensitive company data is consistently and better protected
  • The efficiency of company processes is demonstrated
  • The company's data is recognised as an asset worthy of protection
  • The existing IT is evaluated and improved if necessary. This can increase added value
  • Employees are involved in the processes and feel more valued

Steps for the implementation of TOM

The correct implementation of technical and organizational measures is crucial to comply with the GDPR and avoid heavy fines. Here's your guide to getting there safely:

  1. Carry out risk analysis: Identify potential risks to personal data.
  2. Select measures: Decide on technical and organizational solutions that are appropriate to the identified risks.
  3. Plan implementation: Create a detailed plan for the implementation of the selected measures.
  4. Training of employees: Ensure that all employees are informed and trained on the relevant data protection practices.
  5. Monitoring and review: Schedule regular reviews of the measures to ensure their effectiveness and make adjustments.

Examples of technical measures

  • Data encryption: One of the most effective measures to protect personal data is encryption. All data that is transmitted or stored should be encrypted.
  • Firewall: Make sure your systems and networks are protected by a firewall. A firewall can restrict access to your data from the outside.
  • Access control: It is important that only authorised people can access data. It is best to use strong passwords and two-factor authentication.
  • Data backup: Regular backups ensure that data can be restored in the event of data loss. Review the backup strategy regularly and make sure that data is stored securely.
  • Patches and updates: Keep your systems and software up to date by installing regular patches and updates. This will close known security gaps.
  • Virus protection: Install up-to-date virus protection on all end devices and update it regularly.

Examples of organisational measures

  • Data protection training for employees: This training helps employees to understand the importance of data protection and to apply the TOM correctly.
  • Internal and external confidentiality: Confidentiality protects against unauthorised access to personal data.
  • Visitor registration: Visitor registration helps to control access to sensitive areas.
  • Data protection officer, internal or external: The data protection officer must ensure effective protection of personal data through advice and monitoring.

Common challenges and solutions

Implementing and maintaining effective TOMs can present challenges, such as constantly adapting to new technologies or ensuring employee training. Solutions may include the involvement of external data protection officers, the use of specialized compliance software, or regular internal audits and training.

How can we support you in implementing TOM?

Do you want to ensure that the technical and organizational measures (TOM) are implemented smoothly? Rely on heyData, our innovative platform, and our team of experienced lawyers to help you.

As an external data protection officer, we are at your side and take the burden of TOM implementation off your shoulders. You can focus on your day-to-day business while we ensure appropriate safeguards are in place.

We work closely with your team to coordinate and monitor compliance with the GDPR. Together, we assess your IT landscape and review your current state to ensure your business is compliant.

Through certified training and consulting, we ensure that your employees are informed about the latest best practices. Your processes are reviewed and the appropriate measures are proposed and implemented.

Take advantage of our expert knowledge and rely on the expertise of heyData.

Hear it From Our Customers

"heyData impressed us with their digital software solution and expertise. Like us, heyData is a digital pioneer in a rather traditional and less digital industry. heyData is a strong partner for the BRZ Group."

Markus Schobert

Head of Customer Service at BRZ Gruppe

"heyData is a great help for us and makes the topic of data protection really easy. We are very satisfied with the digital audit, the online training and the customer support."

Leonard von Kleist

CTO & Co-Founder at Hive Technologies GmbH

"I value this feature for its ability to simplify supplier risk assessment. It is an indispensable tool for anyone dealing with data compliance in the European Union and Switzerland."

Jan Stephan

Head of Legal Affairs at Learnship

"As a customer, we have only had good experiences with heyData's support and communication. Questions were answered in detail, responses were always prompt and personal 1-1 support is also no problem."

Roman Georgi

Director Of Customer Support at AMBOSS

“What sets heyData apart is its responsiveness and rapid implementation.”

Sandra Scherzer

Legal department at Bioland

"We always receive competent and prompt advice from heyData and have so far been able to find a satisfactory solution to every question relating to the GDPR or data protection in general."

Nikolai

CTO at Instaffo GmbH

Frequently asked questions

Technical and organisational measures (TOMs) are an important part of data protection to ensure the security of personal data and to prevent data breaches.

Technical measures refer to technical procedures and tools used to protect personal data. These include, for example, the use of firewalls, encryption, access controls and data backup. Technical measures are designed to ensure that personal data is protected from unauthorised access, manipulation, loss or destruction.

Organisational measures, on the other hand, comprise procedures and processes designed to ensure that personal data is processed in accordance with data protection laws. These include, for example, policies and procedures for handling personal data, employee training and monitoring compliance with data protection regulations. They are designed to ensure that all parties involved process personal data in accordance with applicable laws and regulations and comply with the company's data protection policies.

If you want to introduce technical and organisational measures in your company, there are some steps you should follow:

  • Create a list of internal contacts: If you do not know all the technical processes in the company yourself, you should create a list of contacts who can help you with this.
  • Summarise TOMs in a list: You can create your own list of appropriate measures to use, or you can rely on experts like those on our team to help you properly create this documentation.
  • Reviewing the list: The list should be reviewed regularly to see which TOMs have already been implemented and whether they are appropriate. You should also analyse which measures are missing and which need to be added.
  • Involve other contacts, internal or external: If you need help or are unsure, involve other controllers and discuss the adequacy of measures.
  • Present the measures to the controller: If you are not taking responsibility under the GDPR yourself, you should present and discuss the measures developed with the controller.
  • Regular review of the measures: It should be reviewed at least once a year whether the measures are still appropriate. Then they may need to be updated.

The creation of TOM can usually be carried out by internal teams, such as IT departments or data protection officers. Alternatively, data controllers and processors can also bring in external data protection officers such as heyData to assist in the creation and implementation of appropriate TOM.