Technical and Organizational Measures (TOMs)

Jul 31, 20232 min read

The General Data Protection Regulation (GDPR) requires the controller of any processing of personal data to employ technical and organizational measures (TOMs). Those are security measures to protect personal data and uphold compliance. TOMs have to ensure the confidentiality, integrity, availability, and resilience of personal data processing.

The GDPR does not provide an exhaustive list of specific TOMs but requires organizations to implement appropriate measures based on the nature, scope, context, and purposes of the processing at hand, as well as the potential risks to individuals' rights and freedoms. Therefore, TOMs may be very different from one controller to another.

Some common examples of TOMs are:

  • Encryption: Implementing encryption techniques to protect personal data during storage and transmission.
  • Access controls: Setting up access controls, user authentication, and authorization mechanisms to ensure that only authorized individuals can access personal data.
  • Pseudonymization and anonymization: Applying techniques to replace or remove identifying information from data sets to reduce the risk of unauthorized identification.
  • Regular data backups: Establishing regular backup procedures to ensure data availability and resilience in the event of a system failure or data breach.
  • Incident response and breach notification: Implementing procedures to detect, respond to, and report data breaches or security incidents to the appropriate supervisory authority and affected individuals.
  • Employee training and awareness: Providing regular training and awareness programs to educate employees about data protection responsibilities, security practices, and handling of personal data.
  • Data minimization and storage limitation: Implementing measures to collect and retain only the necessary personal data for specific purposes, and not keeping it longer than required.
  • Privacy by design and default: Incorporating privacy and data protection considerations into the design and implementation of systems, processes, and products from the outset.

Organizations are responsible for conducting risk assessments and determining the appropriate TOMs based on their specific circumstances. They should also regularly review and update their security measures to address evolving risks and ensure ongoing compliance with the GDPR's requirements.