Technical and organizational measures refer to the security policies and procedures that companies must implement to meet the requirements of the GDPR. These measures should be based on a thorough risk analysis and include both preventative and reactive elements so that potential data protection risks are managed effectively.
Technical and organisational measures (TOM) form the iron bulwark of data protection. They are divided into technical measures, which act like indispensable high-tech armour and erect an impenetrable protective shield with encryption, firewall systems, and access controls, and organisational measures, which are the skilled masterminds that coordinate data protection practices in line with legal requirements. The latter include policies, procedures, and training that turn employees into vigilant guardians of data protection. Together, these measures form the invisible web that strengthens people's trust in the digital world and gives them the assurance that their data is in good hands.
The GDPR sets higher requirements for security in processing personal data and entails extensive documentation and verification obligations for companies and data protection officers. All measures taken must be documented so that, in the event of a loss, there is proof of the precautions that were in place.
The GDPR sets out specific requirements for the security of personal data in several articles. Article 25, for example, requires “Privacy by design and privacy by default”. Article 32, on the other hand, deals with the security of processing and contains explicit requirements for technical and organizational measures, including the pseudonymization and encryption of personal data.
Check all aspects of the technical and organisational measures with our free checklist.
If TOMs are inadequately implemented and this results in a breach of data protection rules, fines can follow.
Under the GDPR, fines of up to €20 million or 4% of the global annual turnover of the company concerned, whichever is higher, can be imposed. These fines are set by the competent data protection authorities and may vary depending on the nature and severity of the breach.
It is important to note that data protection authorities do not automatically impose fines when a breach is detected. They may first take other measures, such as asking you to rectify the breaches, issuing warnings or ordering provisional or definitive measures.
Tip: Do you also work with external service providers? Then you should always ask them to set out their technical and organisational measures and confirm them to you in writing!
Implementing technical and organisational measures not only promotes data protection, but also creates added value for companies:
The correct implementation of technical and organizational measures is crucial to comply with the GDPR and avoid heavy fines. Here's your guide to getting there safely:
Implementing and maintaining effective TOMs can present challenges, such as constantly adapting to new technologies or ensuring employee training. Solutions may include the involvement of external data protection officers, the use of specialized compliance software, or regular internal audits and training.
Do you want to ensure that the technical and organizational measures (TOM) are implemented smoothly? Rely on heyData, our innovative platform, and our team of experienced lawyers to help you.
As an external data protection officer, we are at your side and take the burden of TOM implementation off your shoulders. You can focus on your day-to-day business while we ensure appropriate safeguards are in place.
We work closely with your team to coordinate and monitor compliance with the GDPR. Together, we assess your IT landscape and review your current state to ensure your business is compliant.
Through certified training and consulting, we ensure that your employees are informed about the latest best practices. Your processes are reviewed and the appropriate measures are proposed and implemented.
Take advantage of our expert knowledge and rely on the expertise of heyData.
Technical and organisational measures (TOMs) are an important part of data protection to ensure the security of personal data and to prevent data breaches.
Technical measures refer to technical procedures and tools used to protect personal data. These include, for example, the use of firewalls, encryption, access controls and data backup. Technical measures are designed to ensure that personal data is protected from unauthorised access, manipulation, loss or destruction.
Organisational measures, on the other hand, include procedures and processes designed to ensure that personal data is processed in accordance with data protection laws. These include, for example, policies and procedures for handling personal data, training employees and monitoring compliance with data protection regulations. Organisational measures are designed to ensure that personal data is processed in accordance with applicable laws and regulations and that all parties involved comply with the data protection policies.
If you want to introduce technical and organisational measures in your company, there are some steps you should follow:
TOMs can usually be created by internal teams, such as IT departments or data protection officers. Alternatively, data controllers and processors can bring in external data protection officers such as heyData to assist in the creation and implementation of appropriate TOMs.