Technical and Organizational Measures (TOMs)

TOMs are technical and organizational measures that protect personal data and make data processing compliant with the GDPR.

Jul 31, 2023

The General Data Protection Regulation (GDPR) requires the controller of any processing of personal data to employ technical and organizational measures (TOMs). These are security measures that protect personal data and uphold compliance. TOMs have to ensure the confidentiality, integrity, availability, and resilience of personal data processing.

The GDPR does not provide an exhaustive list of specific TOMs but requires organizations to implement appropriate measures based on the nature, scope, context, and purposes of the processing at hand, as well as the potential risks to individuals' rights and freedoms. Therefore, TOMs may be very different from one controller to another.

Some common examples of TOMs are:

Organizations are responsible for conducting risk assessments and determining the appropriate TOMs based on their specific circumstances. They should also regularly review and update their security measures to address evolving risks and ensure ongoing compliance with the GDPR's requirements.