Quickly explained: Technical and organizational measures - TOMs


The GDPR requires that certain measures are taken to protect personal data when it is processed - also known as technical and organizational measures (TOM). These measures are intended to ensure that, in particular, the integrity and confidentiality of personal data are maintained and processing is secure.

What is the importance of TOMs?

Companies that process personal data are required to implement technical and organizational measures to protect the data and comply with data protection law. These include measures such as:

  • Anonymization and encryption of data.
  • Ensuring the integrity and availability of data and related systems.
  • Continuous monitoring and evaluation of implemented measures.

Goals of the TOMs in data protection

The aim of the TOMs is to ensure appropriate data protection in line with current technological developments. A thorough risk assessment should therefore be carried out when implementing the TOMs so that measures appropriate to the risk can be taken. For example, if a server or network drive fails, it must be possible to restore the data from backups.


How can data protection be improved through TOMs?

  • Physical access control: Prevent uncontrolled access to places where IT systems are located.
  • System access control: Ensures that it is possible to track who has had access to IT systems.
  • Access control: Ensures that only authorized persons can access personal data.
  • Transport control: Protection of data during transfer.
  • Input control: Ensures that every data input can be traced.
  • Job control: Ensures that contractors only handle personal data in a controlled manner.
  • Availability control: Ensures that personal data is available and not permanently lost in the event of IT failures.
  • Separation according to the purpose of processing: Ensures that personal data are processed separately for different purposes.

The specific measures required for your company should by all means be determined on the basis of an individual risk analysis.