
Secure your Company from Data Breaches

Technical and Organizational Measures (TOM)

The GDPR requires technical and organizational measures, or TOMs for short, to ensure the secure processing of personal data. Companies must implement specific measures and procedures to meet these requirements. The central provision is Article 32 GDPR (security of processing); Article 25 GDPR (data protection by design and by default) also obliges controllers to build appropriate measures into their processing from the outset.


How Can Technical and Organizational Measures Be Defined?

Technical and organizational measures are the security controls, policies and procedures that companies must implement to comply with the GDPR. They should be based on a documented risk analysis and include both preventive elements (which reduce the likelihood of a breach) and reactive elements (which limit its impact and ensure it is detected and handled), so that data protection risks are managed effectively.

Key facts about Technical and Organizational Measures


Data Protection Security

TOMs effectively protect personal data under the GDPR


Legal Obligation

Professional documentation and a risk analysis are mandatory


Risk of Fines

Missing or inadequate TOMs can result in fines of up to EUR 10 million or 2% of annual global turnover, whichever is higher (Art. 83(4) GDPR)

Our checklist of technical and organizational measures for your company

Our Free Checklist for the TOMs!

Check all aspects of technical and organizational measures with our free checklist.

Hear it From Our Customers

"heyData impressed us with their digital software solution and expertise. Like us, heyData is a digital pioneer in a rather traditional and less digital industry. heyData is a strong partner for the BRZ Group."

Markus Schobert

Head of Customer Service at BRZ Gruppe

"heyData is a great help for us and makes the topic of data protection really easy. We are very satisfied with the digital audit, the online training and the customer support."

Leonard von Kleist

CTO & Co-Founder at Hive Technologies GmbH

"I value this feature for its ability to simplify supplier risk assessment. It is an indispensable tool for anyone dealing with data compliance in the European Union and Switzerland."

Jan Stephan

Head of Legal Affairs at Learnship

"As a customer, we have only had good experiences with heyData's support and communication. Questions were answered in detail, responses were always prompt and personal 1-1 support is also no problem."

Roman Georgi

Director of Customer Support at AMBOSS

“What sets heyData apart is its responsiveness and rapid implementation.”

Sandra Scherzer

Legal department at Bioland

"We always receive competent and prompt advice from heyData and have so far been able to find a satisfactory solution to every question relating to the GDPR or data protection in general."

Nikolai

CTO at Instaffo GmbH

Examples of Technical Measures

  • Encryption of data: One of the most effective measures for protecting personal data is encryption. Personal data should be encrypted both in transit (e.g. TLS) and at rest, and the encryption keys must be stored and managed separately from the encrypted data.
  • Firewall: Make sure that systems and networks are protected by a firewall that denies inbound connections by default and only permits the ports and sources that are actually required. This restricts access to your data from outside.
  • Access control: Only authorized persons may access personal data. Grant access on a need-to-know basis, use strong passwords and two-factor authentication, and revoke access promptly when an employee's role changes or ends.
  • Data backup: Regular backups ensure that data can be restored in the event of data loss. Review the backup strategy regularly, store backups securely (encrypted and separated from the production systems), and test that they can actually be restored; a backup that has never been restored is not proven to work.
  • Patches and updates: Keep your systems and software up to date by installing security patches promptly. This closes known vulnerabilities before they can be exploited.
  • Virus protection: Install up-to-date malware protection on all end devices and keep it updated.
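The backup bullet above asks for backups that are stored securely and reviewed regularly. As an added example that is not from heyData or the original page, the following Python script (standard library only) shows one way to verify the integrity of a backup copy: it records a SHA-256 hash of every file in an HMAC-signed manifest, and a later check reports files that were modified, are missing or were added, and rejects a manifest whose hashes have been rewritten. The directory contents, file names and the key are constructed inline for illustration; in practice the key would be kept in a secrets manager, separate from the backup.

```python
"""Backup integrity check with an HMAC-signed manifest.

Added example; not code from the original page. The backup directory,
its files and the key below are constructed for the demonstration.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(backup_dir: Path) -> dict:
    """Map each file (relative POSIX path) under backup_dir to its SHA-256."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def build_manifest(backup_dir: Path, key: bytes) -> dict:
    """Create a manifest and sign it so tampering with the manifest is detected."""
    files = hash_tree(backup_dir)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(backup_dir: Path, manifest: dict, key: bytes) -> dict:
    """Check the manifest signature, then compare the directory against it."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # A forged or corrupted manifest cannot be trusted; stop here.
        return {"ok": False, "manifest_ok": False, "modified": [], "missing": [], "added": []}
    current = hash_tree(backup_dir)
    recorded = manifest["files"]
    modified = sorted(n for n, d in recorded.items() if n in current and current[n] != d)
    missing = sorted(n for n in recorded if n not in current)
    added = sorted(n for n in current if n not in recorded)
    return {
        "ok": not modified and not missing,  # unexpected extra files are reported, not fatal
        "manifest_ok": True,
        "modified": modified,
        "missing": missing,
        "added": added,
    }


def demo() -> dict:
    """Run the check on a constructed backup: clean, then tampered, then forged."""
    key = b"constructed-demo-key-keep-real-keys-in-a-secrets-manager"  # assumption
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        backup.mkdir()
        (backup / "customers.csv").write_text("id,email\n1,a@example.org\n")  # constructed
        (backup / "config.json").write_text('{"retention_days": 30}\n')      # constructed
        manifest = build_manifest(backup, key)
        clean = verify_backup(backup, manifest, key)

        # Simulate silent corruption, loss and an unexpected addition.
        (backup / "customers.csv").write_text("id,email\n1,x@example.org\n")
        (backup / "config.json").unlink()
        (backup / "extra.log").write_text("unexpected\n")
        tampered = verify_backup(backup, manifest, key)

        # An attacker who rewrites the hash in the manifest without the key fails the HMAC.
        forged = json.loads(json.dumps(manifest))
        forged["files"]["customers.csv"] = sha256_file(backup / "customers.csv")
        forged_result = verify_backup(backup, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the script on a copy of a real backup to produce the manifest when the backup is taken, and re-run the verification before relying on it for a restore; the result is the kind of evidence a TOM review can point to. Note that this only proves the files are intact, not that the application can be rebuilt from them, so it complements rather than replaces a periodic full restore test.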

Examples of Organizational Measures

  • Data protection training for employees: Training helps employees understand why data protection matters and how to apply the TOMs correctly in their daily work.
  • Internal and external confidentiality: Confidentiality obligations for employees and for external service providers protect against unauthorized disclosure of personal data.
  • Visitor registration: Registering visitors helps to control and log physical access to sensitive areas.
  • Data protection officer, internal or external: The data protection officer ensures effective protection of personal data by advising the organization and monitoring compliance.

Steps for establishing TOMs

1

Risk Analysis

Identification and assessment of potential risks for personal data.

2

Measure Planning

Selection of appropriate technical and organizational measures based on the risk analysis.

3

Implementation

Implementation of the planned measures in the company.

4

Monitoring and Adjustment

Regular review of the effectiveness of the measures and adaptation to new risks or legal requirements.

How Do We Support You in Implementing TOMs?


Personalized Consultation

Analysis of your IT systems/processes and suggestions for specific measures


Compliance Training

Certified training courses to get your employees in shape for data protection


External Data Protection Officer

We take responsibility so that you can concentrate on your day-to-day business

Our experienced lawyers look forward to helping you!

Contact us today!

Technical and organisational measures (TOMs) are an important part of data protection to ensure the security of personal data and to prevent data breaches.

Technical measures refer to technical procedures and tools used to protect personal data. These include, for example, the use of firewalls, encryption, access controls and data backup. Technical measures are designed to ensure that personal data is protected from unauthorised access, manipulation, loss or destruction.

Organisational measures, on the other hand, include procedures and processes designed to ensure that personal data are processed in accordance with data protection laws. These include, for example, policies and procedures for handling personal data, training employees and monitoring compliance with data protection regulations. Organisational measures are designed to ensure that personal data is processed in accordance with applicable laws and regulations and that compliance with data protection policies is ensured by all parties involved.

If you want to introduce technical and organisational measures in your company, there are some steps you should follow:

  • Create a list of internal contacts: If you do not know all the technical processes in the company yourself, create a list of contacts who can explain them to you.
  • Summarise TOMs in a list: You can create your own list of appropriate measures, or rely on experts like those on our team to help you create this documentation properly.
  • Review the list: Review the list regularly to see which TOMs have already been implemented and whether they are still appropriate. Also analyse which measures are missing and need to be added.
  • Involve other contacts, internal or external: If you need help or are unsure, involve other responsible parties inside or outside the company and discuss whether the measures are adequate.
  • Present the measures to the controller: If you are acting as a processor rather than as the controller yourself, present and discuss the measures you have developed with the controller.
  • Regular review of the measures: Check at least once a year whether the measures are still appropriate and update them where necessary.

The creation of TOMs can usually be carried out by internal teams, such as IT departments or data protection officers. Alternatively, controllers and processors can bring in external data protection officers such as heyData to assist in creating and implementing appropriate TOMs.