Technical and Organisational Measures (TOMs) Under the GDPR

Technical and Organisational Measures (TOMs) form the structural backbone of GDPR compliance. They are the practical safeguards an organisation introduces to ensure that personal data is handled securely, consistently, and in a manner that respects the rights of individuals. These measures are not optional; they are legally required under Article 32 of the GDPR and are expected by both EU regulators and the individuals whose data is processed. A well-implemented TOMs framework protects the confidentiality, integrity, and availability of personal data while reducing operational risk, legal exposure, and reputational damage.

Unlike generic “security policies,” TOMs refer to precise, documented controls—technical, physical, administrative, procedural, and human. They must be proportionate to the nature of the organisation, the volume and sensitivity of personal data processed, and the likelihood and severity of potential risks. What follows is a comprehensive and practical guide for organisations of all sizes seeking to develop or refine their GDPR-aligned TOMs documentation.

1. What Are Technical and Organisational Measures?

TOMs are the combined technology, systems, processes, and behavioural practices that ensure personal data is protected throughout its lifecycle—from collection and storage to transmission, usage, retention, and deletion. Article 32 does not demand absolute guarantees; it requires measures appropriate to the risk that provide, as appropriate:

  • Confidentiality: Permission-based access to personal data so only authorised individuals can interact with it.
  • Integrity: Safeguards ensuring data remains accurate, complete, and unaltered unless intentionally changed.
  • Availability: Ensuring authorised users can access personal data when required for legitimate purposes.
  • Resilience: Systems capable of withstanding failures, attacks, or unexpected events without losing data.
  • Restoration: The ability to restore data quickly after a breach, corruption, or system failure.
  • Regular evaluation: Ongoing testing, monitoring, and improvement of all security measures.

The GDPR does not prescribe specific technologies. Instead, it requires organisations to apply contextual judgement, choosing measures that effectively mitigate actual risks. A small consultancy will not have the same TOMs as a multinational enterprise, but both are equally obligated to deploy measures that are “appropriate to the risk.”

2. Categories of TOMs (Comprehensive EU Regulatory Framework)

European Data Protection Authorities (DPAs) typically evaluate TOMs according to several recognised categories. Each category below includes practical examples and expectations, allowing organisations to benchmark their own readiness.

2.1 Access Control Measures

Access control prevents unauthorised individuals from viewing, modifying, or deleting personal data. Regulators expect organisations to operate on a strict “least privilege” basis—granting employees only the access they absolutely require.

Key measures include:

  • Unique employee accounts with traceable activity logs
  • Strong password policies: a minimum length, screening against known-breached passwords, and rotation on suspected compromise rather than on a fixed schedule (forced periodic rotation and composition rules are no longer recommended by NIST SP 800-63B or the UK NCSC)
  • Multi-factor authentication (MFA) for all privileged accounts
  • VPN or zero-trust architecture for remote access
  • Automatic session timeouts and account lockouts
  • Regular access rights reviews and approval workflows

Access control is regarded as one of the highest-risk areas and often the first point of inspection after a breach.

2.2 Physical Security Safeguards

Physical protection of file storage, IT infrastructure, and office environments is required even for primarily digital businesses. Personal data stored on paper, portable devices, or local servers must be shielded from theft, tampering, or accidental loss.

Examples of effective physical safeguards:

  • Keycard or PIN-controlled building access
  • Locked server rooms with restricted access lists
  • CCTV monitoring in sensitive areas
  • Secure disposal of paper documents (shredding or certified destruction)
  • Fire suppression, uninterruptible power supplies, and environmental hazard controls (temperature, humidity, water detection)
  • Clean desk policies and supervision of visitors

In cases where third-party facilities are used (such as co-working spaces or cloud data centres), organisations must assess and document their providers’ physical protections.

2.3 Data Encryption and Data Protection Technology

Encryption is one of the most powerful and regulator-approved methods for protecting data. If properly encrypted data is stolen and the keys are not compromised, the data is unintelligible to the attacker. Article 34(3)(a) then relieves the controller of the duty to notify affected individuals, although notification to the supervisory authority under Article 33 may still be required unless the breach is unlikely to result in a risk.

Expected encryption measures include:

  • Encryption of data in transit using TLS 1.2 or later (preferably TLS 1.3) for all web, API, and internal service traffic
  • Encryption of data at rest on servers, cloud platforms, or portable devices (full-disk encryption on laptops and phones)
  • Encrypted email or an encrypted file-transfer channel for sensitive data transfers
  • Secure key management procedures (separate key storage such as a KMS or HSM, access control on keys, rotation, and revocation) preventing unauthorised decryption
  • Salted, deliberately slow password hashing (Argon2id, bcrypt, scrypt, or PBKDF2) for stored credentials; never plain hashes or reversible encryption

Small businesses processing even limited personal data are increasingly expected to adopt encryption as a baseline requirement.
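The password-storage measure above is the one most often got wrong in practice, so here is an added example (not code from the page) of the difference between an unsalted hash and a salted, slow hash. It uses only the Python standard library; the PBKDF2-HMAC-SHA256 choice and the 600,000-iteration count are assumptions taken from current OWASP guidance for that KDF, and Argon2id or bcrypt would be preferable where a third-party package is acceptable.

```python
"""Salted, slow password hashing with a stdlib KDF (added example)."""
import base64
import hashlib
import hmac
import os

# Assumed parameters (not from the page): PBKDF2-HMAC-SHA256, 600,000
# iterations, 16-byte random salt, 32-byte derived key.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_LEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    A fresh random salt per password means two users with the same password
    get different records, so a leaked table cannot be attacked with one
    precomputed table and equal passwords are not visible as equal hashes.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        rounds = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:  # malformed record (binascii.Error is a ValueError)
        return False
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds, dklen=len(expected)
    )
    # compare_digest does not leak, via timing, how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if a stored record is below current policy; call after a successful
    login and re-hash with the plaintext you have in hand at that moment."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


def unsalted_sha256(password: str) -> str:
    """What NOT to do: identical passwords give identical, precomputable digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    pw = "correct horse battery staple"
    a, b = hash_password(pw), hash_password(pw)
    print("salted records differ:", a != b)
    print("both verify:", verify_password(pw, a) and verify_password(pw, b))
    print("wrong password rejected:", not verify_password(pw + "!", a))
    print("unsalted digests collide:", unsalted_sha256(pw) == unsalted_sha256(pw))
    print("legacy record needs upgrade:", needs_rehash(hash_password(pw, 100_000)))
```

The record format carries its own parameters, which is what makes the `needs_rehash` upgrade path possible when the iteration count is raised later; a bare digest with no salt or parameter field cannot be migrated without forcing every user to reset their password.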

2.4 Pseudonymisation, Minimisation, and Data Segmentation

One of the most practical and cost-effective TOMs is reducing the amount of personal data exposed at any time.

Examples include:

  • Removing direct identifiers and replacing them with unique tokens, with the token-to-identity mapping (or the key used to derive the tokens) held separately under stricter access control, as Article 4(5) requires for data to count as pseudonymised
  • Separating identifiable information from operational data systems
  • Collecting only the minimum required data for each processing activity
  • Restricting database queries to the least identifiable datasets
  • Automated deletion or anonymisation workflows

Minimisation is often the easiest TOM to implement and immediately reduces compliance risk.
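As an added illustration of the first two bullets (this is not code from the page), the following Python splits constructed customer records into an operational dataset keyed by a pseudonymous token and a separately held identity mapping. The tokens are keyed HMACs rather than plain hashes: the second half of the example shows why, by running a guess-list attack against both. The key name, record fields and the store layout are assumptions.

```python
"""Keyed pseudonymisation with identity data held separately (added example)."""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Assumed layout (not from the page): the pseudonymisation key and the
# token->identity mapping live in a separate, more tightly controlled store
# than the operational dataset. Here both are plain dicts for illustration.
DIRECT_IDENTIFIERS = ("name", "email", "phone")


def pseudonymise(identifier: str, key: bytes) -> str:
    """Deterministic keyed token: the same person always maps to the same token,
    so records can still be joined, but without the key the token reveals nothing."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def unkeyed_token(identifier: str) -> str:
    """What NOT to do: a plain hash of a guessable identifier such as an e-mail."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()[:32]


def split_record(record: dict, key: bytes) -> Tuple[dict, Tuple[str, dict]]:
    """Return (operational record without identifiers, (token, identity))."""
    token = pseudonymise(record["email"], key)
    operational = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    operational["subject_token"] = token
    identity = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
    return operational, (token, identity)


def pseudonymise_dataset(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    operational, mapping = [], {}
    for rec in records:
        op, (token, identity) = split_record(rec, key)
        operational.append(op)
        mapping[token] = identity
    return operational, mapping


def reidentify(token: str, mapping: Dict[str, dict]) -> dict:
    """Only possible with access to the separately held mapping."""
    return mapping[token]


def dictionary_attack(tokens: List[str], candidate_emails: List[str]) -> Dict[str, str]:
    """Reverse unkeyed tokens by hashing guesses; yields nothing against keyed tokens."""
    lookup = {unkeyed_token(e): e for e in candidate_emails}
    return {t: lookup[t] for t in tokens if t in lookup}


# Constructed sample data for illustration; not real people.
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "ada@example.com", "phone": "+44 20 0000 0001",
     "order_total": 120.0, "country": "UK"},
    {"name": "Bob Sample", "email": "Bob@Example.com ", "phone": "+44 20 0000 0002",
     "order_total": 42.5, "country": "IE"},
]
SAMPLE_KEY = b"rotate-me-and-keep-me-in-a-kms"  # assumed; in production load from a KMS

if __name__ == "__main__":
    ops, mapping = pseudonymise_dataset(SAMPLE_RECORDS, SAMPLE_KEY)
    print(ops)  # analytics fields plus subject_token, no name/email/phone
    print(reidentify(ops[0]["subject_token"], mapping))
    guesses = ["ada@example.com", "bob@example.com", "carol@example.com"]
    print("unkeyed tokens cracked:",
          dictionary_attack([unkeyed_token(r["email"]) for r in SAMPLE_RECORDS], guesses))
    print("keyed tokens cracked:",
          dictionary_attack([o["subject_token"] for o in ops], guesses))
```

Because the token is deterministic, the operational dataset can still be queried per subject and deletion requests can be honoured by removing one mapping entry; the data itself remains pseudonymised, not anonymised, for as long as the key or mapping exists anywhere.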

2.5 Monitoring, Logging, and Audit Trails

Regulators expect organisations to monitor their systems for suspicious or unauthorised activity and to store evidence of processing events.

Common monitoring measures include:

  • Centralised log management systems
  • Audit trails documenting access, modifications, and deletions
  • Automated alerts for unusual login patterns or failed authentication attempts
  • Security Information and Event Management (SIEM) tools
  • Endpoint detection and antivirus systems

Without logging, organisations cannot demonstrate that data is protected or provide evidence during investigations.
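To make the "automated alerts for unusual login patterns or failed authentication attempts" bullet concrete, here is an added example (not from the page) of two detections run over constructed sshd-style log lines: a burst of failures from one source address, and a successful login shortly after a run of failures from the same address, which is the signature of a guessed or stuffed credential. The log format, the five-failures-in-60-seconds threshold and the sample addresses are assumptions.

```python
"""Failed-authentication alerting over sample auth log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed log lines in an sshd-like format; illustrative, not captured
# from a real system. Thresholds below are assumptions, not GDPR text.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 4001
2024-05-01T10:00:03Z sshd[101]: Failed password for root from 203.0.113.5 port 4002
2024-05-01T10:00:04Z sshd[101]: Failed password for root from 203.0.113.5 port 4003
2024-05-01T10:00:06Z sshd[101]: Failed password for alice from 203.0.113.5 port 4004
2024-05-01T10:00:09Z sshd[101]: Failed password for alice from 203.0.113.5 port 4005
2024-05-01T10:00:12Z sshd[101]: Accepted password for alice from 203.0.113.5 port 4006
2024-05-01T10:15:00Z sshd[102]: Failed password for bob from 198.51.100.7 port 5001
2024-05-01T10:30:00Z sshd[103]: Accepted publickey for carol from 192.0.2.10 port 6001
2024-05-01T11:00:00Z sshd[104]: Failed password for bob from 198.51.100.7 port 5002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)

FAIL_THRESHOLD = 5                # failures from one source address ...
WINDOW = timedelta(seconds=60)    # ... within this sliding window -> alert


def parse_line(line: str) -> dict:
    """Parse one log line into fields; return {} for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text: str) -> List[str]:
    """Return alert strings for brute-force bursts and success-after-failures."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts: List[str] = []
    recent_fails: Dict[str, List[datetime]] = defaultdict(list)
    flagged = set()
    for ev in events:
        ip = ev["ip"]
        if ev["result"] == "Failed":
            recent_fails[ip].append(ev["ts"])
            # Keep only failures inside the window (sliding window per source).
            recent_fails[ip] = [t for t in recent_fails[ip] if ev["ts"] - t <= WINDOW]
            if len(recent_fails[ip]) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(
                    f"BRUTE_FORCE ip={ip} failures={len(recent_fails[ip])} "
                    f"window={WINDOW.seconds}s"
                )
        else:  # Accepted
            if recent_fails[ip] and ev["ts"] - recent_fails[ip][-1] <= WINDOW:
                alerts.append(
                    f"SUCCESS_AFTER_FAILURES ip={ip} user={ev['user']} "
                    f"prior_failures={len(recent_fails[ip])}"
                )
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two practitioner notes: the second detection is the one worth paging on, because a lockout or rate limit has already absorbed the first; and the log lines themselves contain personal data (usernames, source IP addresses), so the retention period and access controls for the log store are TOMs in their own right.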

2.6 Backup, Redundancy, and Business Continuity

Availability is a core GDPR requirement. Organisations must guarantee that personal data can be restored and accessed even after an incident.

Essential TOMs include:

  • Daily or real-time backups, encrypted and stored offsite or in the cloud, with at least one copy offline or immutable so that ransomware cannot encrypt or delete the backups along with the primary data
  • Regular testing of backup restoration capability
  • Redundant servers or failover systems
  • Disaster recovery plans with defined recovery time objectives (RTO) and recovery point objectives (RPO)
  • Documented procedures for continuity during system failure, cyber attack, or natural disaster

A backup is only GDPR-compliant if it can be restored successfully. Regulators often request proof of successful restoration tests.

2.7 Incident Detection and Response Measures

GDPR Article 33 requires controllers to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; processors must notify their controller without undue delay (Article 33(2)), and affected individuals must be informed under Article 34 where the breach is likely to result in a high risk. Meeting that clock depends on detecting and assessing breaches quickly, and a fast, structured response reduces both harm and liability.

Core components of an incident response TOM include:

  • Incident detection systems and tools
  • Predefined reporting channels for staff
  • A documented breach response plan
  • Internal communication protocols
  • Procedures for notifying supervisory authorities and affected individuals
  • Post-incident analysis and preventive improvements

Regulators frequently review breach logs and response documents to evaluate preparedness.

2.8 Vendor, Supplier, and Processor Management

Because many organisations rely heavily on third-party services, GDPR imposes strict obligations for managing processors.

Required TOMs include:

  • Article 28 data processing agreements with every processor, setting out the subject matter, duration, nature and purpose of processing and the processor's security obligations
  • Documented due diligence before onboarding new vendors
  • Annual or risk-based vendor security assessments
  • Verification of international data transfer mechanisms
  • Ensuring processors apply equivalent security measures

Controllers remain accountable for selecting and supervising processors that provide sufficient guarantees (Article 28(1)), even though processors now carry direct obligations of their own, which makes this category critical for risk reduction.

2.9 Organisational, Administrative, and Human Measures

Many breaches occur not because technology fails but because humans do. Therefore, GDPR emphasises organisational safeguards that govern behaviour, responsibilities, and internal culture.

Key measures include:

  • Regular GDPR and cybersecurity training for employees
  • Clear internal data protection policies
  • Confidentiality agreements for employees and contractors
  • Procedures for approving data access, transfers, and deletion
  • Internal audits and compliance reviews

These measures are often the most underestimated but provide some of the highest compliance returns.

3. TOMs for SMEs vs. Large Enterprises

GDPR uses a risk-based, proportionality-driven approach. While requirements apply to all organisations, the depth and sophistication of TOMs may differ.

SMEs should focus on:

  • Encryption for all data storage and transmission
  • Strong access control policies
  • Basic monitoring and logging
  • Cloud-based security solutions
  • Regular staff training
  • Documenting every measure in a TOMs register

Larger organisations are expected to:

  • Conduct penetration testing and vulnerability assessments
  • Use SOC/SIEM monitoring
  • Implement multi-layered security systems
  • Create advanced incident response capabilities
  • Perform regular compliance audits

Regulators evaluate organisations not by size but by the adequacy of their safeguards.

4. How to Build a TOMs Register

A TOMs Register is a formal document that lists every measure an organisation has implemented. Regulators often request this document as part of investigations, audits, or responses to complaints.

Your TOMs register should include:

  • Every technical and organisational control currently implemented
  • The purpose and risk addressed by each measure
  • The system or process where it applies
  • The responsible owner or department
  • Review dates and testing intervals
  • Links to evidence, such as training logs or audit reports

The GDPR does not name a "TOMs register" as such, but the Article 30 records of processing that both controllers and processors must keep (subject to the small-organisation exemption in Article 30(5)) must include, where possible, a general description of the Article 32 security measures, and processor contracts under Article 28(3) routinely annex the processor's TOMs. A maintained register is therefore the practical way for both controllers and processors to meet these obligations and to demonstrate accountability under Article 5(2). It also serves as a valuable blueprint during growth or organisational change.

5. TOMs by Data Category

Different types of personal data require different levels of protection. Below is a practical breakdown of safeguards expected for common data categories.

Customer Data

  • Encryption at rest and in transit
  • Role-based access restrictions for sales and support teams
  • Secure customer portals
  • Automated deletion after retention periods expire

Employee Data

  • Secure HR systems with access limited to authorised managers
  • Locked physical storage for paper-based employee records
  • Multi-factor authentication for payroll systems

Special Category Data

Article 9 data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for unique identification, health, and sex life or sexual orientation.

Required TOMs:

  • Pseudonymisation and/or encryption by default
  • Highly restricted access lists
  • Documented assessments such as DPIAs
  • Secure storage and controlled sharing protocols

6. Regular Testing, Review, and Continuous Improvement

GDPR Article 32(1)(d) requires organisations to regularly test and update their security measures. TOMs cannot be static—they must evolve with threats, technology, and organisational changes.

The GDPR sets no fixed intervals; the following cadences are common practice that regulators recognise as evidence of the Article 32(1)(d) process:

  • Quarterly vulnerability assessments
  • Annual penetration tests for high-risk data environments
  • Internal and external audits
  • Policy reviews at least annually
  • Tabletop incident response simulations
  • Testing of backup restorations

Regulators evaluate not only whether TOMs exist but whether they are proven effective.

7. Benefits of Strong TOMs for Organisations

Beyond compliance, TOMs provide significant operational and commercial advantages:

  • Reduced likelihood of cyber-attacks and breaches
  • Lower regulatory fines or penalties when breaches occur
  • Enhanced customer trust and brand credibility
  • Improved operational stability and system reliability
  • Competitive advantage during procurement or due diligence
  • Reduced downtime and financial losses during incidents
  • Higher organisational maturity, supporting growth and scalability

Modern organisations increasingly view TOMs as an investment rather than a legal obligation.

8. TOMs Adequacy Checklist (Self-Assessment)

Use this evaluation to determine whether your measures are adequate:

  • Is all personal data encrypted at rest and in transit?
  • Are backups regularly tested for restorability?
  • Do employees receive routine GDPR and security training?
  • Are access rights reviewed and adjusted regularly?
  • Do we maintain a documented TOMs register?
  • Are vendors monitored and under Article 28 data processing agreements?
  • Do we have a tested incident response plan?
  • Have we conducted DPIAs for high-risk processing?
  • Do we monitor logs, alerts, and system changes?

If any response is “no,” the measure likely requires immediate implementation.
