TOMs: Technical and organizational measures


Technical and organizational measures or "TOMs" are an important component of information security and data protection. They comprise a range of measures designed to ensure the confidentiality, integrity and availability of information in a company or organization.

According to Article 24 of the General Data Protection Regulation, the controller must implement appropriate technical and organizational measures (TOMs) to ensure and be able to demonstrate compliance with the General Data Protection Regulation. The main provision dealing with TOMs is Article 32 of the GDPR. Under this provision, both the controller and processor are required to take appropriate technical and organizational measures to ensure the security of the data.

Article 32 GDPR also describes the key protection objectives for data security, namely confidentiality, integrity, availability and resilience of systems and services.

What are technical measures?

Technical measures refer to the use of technology and IT systems to minimize security risks and ensure the protection of information. They include, but are not limited to:

  • Access Control: This includes assigning user rights and authenticating users to ensure that only authorized individuals have access to specific information.

  • Pseudonymization and Encryption: In pseudonymization, personal data is converted into a form in which it is no longer possible to assign it to a specific person without additional information. Encryption, on the other hand, uses cryptographic processes to convert the data into an unreadable form that can only be read again with a corresponding decryption key.

  • Firewall and Intrusion Detection/Prevention Systems (IDS/IPS): These systems monitor traffic and detect potential attacks or suspicious activity. They help prevent unauthorized access to the network or systems.

  • Data backup and recovery: Regular backups and the implementation of recovery mechanisms are important technical measures to prevent the loss of information in the event of system failures or other disasters. In addition, rapid recovery of data and access after a physical or technical incident must be ensured so that operations can be resumed as quickly as possible.

What are organizational measures?

Organizational measures, on the other hand, focus on implementing policies, procedures, and controls to ensure the security of information. These include:

  • Security policies and procedures: Clear policies and procedures should be in place to govern the handling of information, such as password policy, handling of sensitive data, or access control.

  • Training and awareness: Employees:should receive regular training on the importance of information security. This will make them aware of the risks and teach them how to behave responsibly.

  • Risk Management: Identifying, assessing and monitoring risks is an important part of organizational measures. To this end, a process must be established to ensure regular review, assessment and evaluation of the effectiveness of technical and organizational measures. This means that companies and organizations should continuously monitor and evaluate their security measures to ensure that they meet current requirements and effectively protect personal data.

  • Incident Management: Procedures should be established for reporting and handling security incidents to respond quickly to incidents and minimize damage.

Why are technical and organizational measures important for companies?

Implementing appropriate TOMs is essential to ensure the protection of sensitive information and meet regulatory requirements. The primary concern here is the protection of personal customer data. Companies and organizations should develop a holistic security strategy that includes both technical and organizational measures to identify potential threats, assess them and act accordingly. By continuously monitoring and regularly updating TOMs, organizations can proactively respond to security risks and ensure the integrity and confidentiality of their data.

What does this mean for businesses?

For companies and organizations, this means in particular an extended documentation and verification obligation. All measures must be documented in order to have records of the precautions taken in the event of a loss.

In the event of omissions and violations within the scope of technical and organizational measures, fines can be imposed. It is particularly important to carry out any impact assessment that may be required and, above all, to document the measures that have been implemented. Violations in this area can result in fines of up to 10 million euros or 2% of annual global turnover, in addition to the maximum fines of 300,000 euros for other violations. However, implementation is made more difficult by vague legal terms that are open to interpretation and are required as a benchmark in the regulation, such as the requirement to implement the "state of the art".

Our solutions for reliable
and scalable infrastructure.

Easily and scale your IT infrastructure while deploying applications quickly and securely with our cloud native technology solutions.

But it does not have to be like this

Now full data control is one click away