Technical and Organisational Measures (TOMs)

Technical and organisational measures (TOMs) are the combined security safeguards an organisation implements to protect personal data and information assets. GDPR Article 32 requires that these measures are 'appropriate' to the risk – and that you can demonstrate them.

    What are TOMs?

    TOMs is the abbreviation for technical and organisational measures. The term originates from GDPR Article 32, which requires data controllers and data processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing.

    TOMs are not a standalone document format but a collective term for the entire portfolio of security safeguards that together protect data against breaches and misuse. These are the measures you typically describe in a data processing agreement or in response to a customer's security questionnaire.

    Technical measures

    Technical measures are technology-based security safeguards:

    • Encryption: Protecting data at rest and in transit using modern encryption standards.
    • Pseudonymisation: Reducing the risk of data breaches by replacing identifying information with artificial identifiers.
    • Access control: Implementing role-based access control and the principle of least privilege.
    • Multi-factor authentication (MFA): Requiring more than one form of verification to access systems and data.
    • Logging and monitoring: Recording and monitoring access to systems to detect anomalies and unauthorised activity.
    • Backup and recovery: Maintaining tested backup and restoration procedures to ensure data availability.

    Organisational measures

    Organisational measures are process-based and management-level safeguards:

    • Information security policies and procedures
    • Security awareness training for employees
    • Access management procedures and onboarding/offboarding processes
    • Vendor management and assessment of data processors
    • Incident response and data breach handling procedures
    • Information classification policies

    What constitutes 'appropriate' measures?

    GDPR requires measures that are 'appropriate' to the risk. What is appropriate depends on:

    • State of the art: What technology is available and practicable.
    • Cost of implementation: The expense must be proportionate to the risk.
    • Nature, scope and purpose: The characteristics of the data processing activity.
    • Likelihood and severity: The probability and potential impact of risks to data subjects.

    There is no universal checklist of what is 'appropriate' – it requires a risk-based assessment in the specific context.

    Documentation

    The accountability principle in GDPR requires you to document your TOMs. This is typically done through your ISMS documentation, data processing agreements specifying the measures your processors have implemented, and responses to customers' security questionnaires (vendor assessments).

    Accountability:
    It is not sufficient to have measures in place – you must be able to demonstrate that they exist and are effective. Supervisory authorities expect documented evidence of your TOMs during audits and investigations.

    Frequently Asked Questions about Technical and Organisational Measures (TOMs)

    What are technical and organisational measures?

    Technical and organisational measures (TOMs) are the security safeguards an organisation implements to protect personal data and information. GDPR Article 32 requires data controllers and data processors to implement appropriate technical and organisational measures.

    What are examples of technical measures?

    Technical measures include encryption, pseudonymisation, access control, firewalls, multi-factor authentication, backup, vulnerability scanning and logging. These are technology-based security safeguards.

    What are examples of organisational measures?

    Organisational measures include policies and procedures, security awareness training for employees, access management procedures, incident response plans and vendor management. These are process-based and management-level safeguards.

    How do you determine what measures are 'appropriate'?

    GDPR requires a risk-based assessment considering the state of the art, cost of implementation, nature, scope and purpose of the processing, and the likelihood and severity of risks to data subjects. There is no universal checklist.

    Where should TOMs be documented?

    TOMs are typically documented in your ISMS documentation, data processing agreements, responses to vendor security questionnaires, and records of processing activities. The accountability principle requires demonstrable evidence.
