Technical and Organizational Measures (TOM) for Companies

Protect your business from data breaches

Technical and organisational measures (TOM)

The GDPR requires technical and organisational measures, TOM for short, to ensure the secure processing of personal data. Companies must have specific measures and procedures in place to comply with data protection requirements. The relevant provisions can be found in Article 25 of the General Data Protection Regulation (GDPR).

Technical and organisational measures: The essential at a glance

  • TOM help to ensure the security of personal data.
  • According to the General Data Protection Regulation (GDPR), there is a documentation obligation for TOM.
  • The implementation of appropriate TOM is a legal requirement.
  • A GDPR risk analysis forms the basis for selecting adequate TOMs.
  • Inadequate TOM can result in fines.
  • When selecting contractors, make sure that they can demonstrate adequate TOM.

What are technical and organisational measures (TOM)?

Technical and organisational measures (TOM) are the backbone of data protection. Technical measures are the tools that build the protective shield around personal data: encryption, firewall systems and access controls. Organisational measures coordinate data protection practice in line with legal requirements: policies, procedures and training that make employees vigilant guardians of personal data. Together, these measures strengthen people's trust in the digital world and give them the assurance that their data is in good hands.

How do technical and organisational measures (TOM) affect companies?

The GDPR sets high requirements for the security of personal data processing and entails extensive documentation and verification obligations for companies and data protection officers. All measures taken must be documented so that, in the event of a data loss or breach, there is proof of the precautions that were in place.


Is there a risk of fines if TOM is inadequately implemented?

If TOM is inadequately implemented, resulting in a breach of data protection rules, this can lead to fines.
Under the GDPR, fines of up to €20 million or 4% of the global annual turnover of the company concerned, whichever is higher, can be imposed. These fines are set by the competent data protection authorities and may vary depending on the nature and severity of the breach.
It is important to note that data protection authorities do not automatically impose fines when a breach is detected. They may first take other measures, such as asking you to rectify the breaches, issuing warnings or ordering provisional or definitive measures.

Tip: Do you also work with external service providers? Then you should always have their technical and organisational measures set out for you and confirmed in writing!

Implementing technical and organisational measures not only promotes data protection, but also creates added value for companies:

  • Sensitive company data is consistently and better protected.
  • The efficiency of company processes is demonstrated.
  • The data stock is recognised as an asset worthy of protection.
  • The existing IT is evaluated and improved where necessary, which can increase added value.
  • Employees are involved in the processes and feel more valued.

Examples of technical measures

  • Data encryption: One of the most effective measures to protect personal data is encryption. All data that is transmitted or stored should be encrypted.
  • Firewall: Make sure your systems and networks are protected by a firewall. A firewall restricts access to your data from the outside.
  • Access control: It is important that only authorised people can access data. Use strong passwords and two-factor authentication.
  • Data backup: Regular backups ensure that data can be restored in the event of data loss. Review the backup strategy regularly and make sure that backups are stored securely.
  • Patches and updates: Keep your systems and software up to date by installing patches and updates promptly. This closes known security gaps.
  • Virus protection: Install up-to-date virus protection on all end devices and update it regularly.


Examples of organisational measures

  • Data protection training for employees: This training helps employees understand the importance of data protection and apply the TOM correctly.
  • Internal and external confidentiality obligations: A confidentiality obligation protects against unauthorised access to personal data.
  • Visitor registration: Registering visitors helps to control access to sensitive areas.
  • Data protection officer, internal or external: The data protection officer must ensure effective protection of personal data through advice and monitoring.

How can we support you in implementing TOM?

Do you want to ensure that the technical and organisational measures (TOM) are implemented smoothly? Rely on heyData, our innovative platform, and our team of experienced lawyers to help you.
As an external data protection officer, we are at your side and take the burden of TOM implementation off your shoulders. You can focus on your day-to-day business while we ensure appropriate safeguards are in place.
We work closely with your team to coordinate and monitor compliance with the GDPR. Together, we assess your IT landscape and review your current state to ensure your business is compliant.

Through certified training and consulting, we ensure that your employees are informed about the latest best practices. Your processes are reviewed and the appropriate measures are proposed and implemented.

Take advantage of our expert knowledge and rely on the expertise of heyData.


Frequently asked questions


Technical and organisational measures (TOMs) are an important part of data protection to ensure the security of personal data and to prevent data breaches.

Technical measures refer to technical procedures and tools used to protect personal data. These include, for example, the use of firewalls, encryption, access controls and data backup. Technical measures are designed to ensure that personal data is protected from unauthorised access, manipulation, loss or destruction.

Organisational measures, on the other hand, include procedures and processes designed to ensure that personal data are processed in accordance with data protection laws. These include, for example, policies and procedures for handling personal data, training employees and monitoring compliance with data protection regulations. Organisational measures are designed to ensure that personal data is processed in accordance with applicable laws and regulations and that compliance with data protection policies is ensured by all parties involved.

If you want to introduce technical and organisational measures in your company, there are some steps you should follow:

  • Create a list of internal contacts: If you do not know all the technical processes in the company yourself, create a list of contacts who can help you with this.
  • Summarise TOMs in a list: You can create your own list of appropriate measures, or you can rely on experts like those on our team to help you create this documentation properly.
  • Review the list: The list should be reviewed regularly to check which TOMs have already been implemented and whether they are appropriate. Also analyse which measures are missing and need to be added.
  • Involve other contacts, internal or external: If you need help or are unsure, involve other controllers and discuss the adequacy of the measures.
  • Present the measures to the controller: If you are not the responsible party under the GDPR yourself, present and discuss the measures you have developed with the controller.
  • Review the measures regularly: Check at least once a year whether the measures are still appropriate and update them where necessary.

The creation of TOM can usually be carried out by internal teams, such as IT departments or data protection officers. Alternatively, data controllers and processors can also bring in external data protection officers such as heyData to assist in the creation and implementation of appropriate TOM.