Technical and organizational measures under the GDPR are essential for protecting personal data. Today, data is one of the most valuable resources – not only for large companies, but also for small businesses, associations and public institutions. At the same time, the risks are increasing: cyberattacks, data breaches and human error can have serious consequences.
The General Data Protection Regulation (GDPR) therefore obliges all controllers to take appropriate technical and organizational measures (TOM) to protect personal data.
According to Art. 32 GDPR, the measures must offer a level of protection that is appropriate to the respective risk. An individual risk assessment and continuous adaptation to new threats are crucial. In this article, you will learn what is meant by TOM, what requirements the GDPR sets and how they can be implemented in practice.
Is your company already GDPR-compliant? With PRIMA, you can make your data protection management simple, clear and always legally compliant – always up to date thanks to automatic updates – developed by data protection experts. Get a free 14-day demo now!
What are technical and organizational measures (TOM)?
Technical and organizational measures (TOM) are safeguards designed to protect personal data from unauthorized access, loss or misuse. The basis for this is Art. 32 para. 1 GDPR, which mentions the following aspects in particular:
- the state of the art,
- the costs of implementation,
- the nature, scope, context and purposes of the processing,
- and the risks to the rights and freedoms of data subjects.
TOM are subdivided into:
- Technical measures, such as encryption, firewalls or access controls,
- Organizational measures, such as training, internal guidelines or access regulations.
The higher the risk of processing, the more comprehensive and stringent the measures must be. Particularly in the case of sensitive data – such as health or financial data – extended safeguards are absolutely essential.
Important: Measures must not be defined once and then left unchanged. Controllers must review them regularly and adapt them when the risks change.
Examples of technical measures
Technical measures serve to protect personal data through targeted technical precautions. Art. 32 para. 1 lit. a GDPR gives specific examples:
- Encryption protects data during transmission and storage and prevents unauthorized access.
- Pseudonymization reduces risks by ensuring that personal data cannot be assigned to a person without additional information (Art. 4 No. 5 GDPR).
- Access controls (e.g. password protection, two-factor authentication, role-based assignment of rights) secure access to personal data.
- Firewalls and anti-virus software protect systems and networks from malware and unauthorized access.
- Regular software updates and patches close known security gaps and maintain IT security.
Examples of organizational measures
Organizational measures complement the technology by controlling internal processes and rules of conduct:
- Training and awareness-raising for employees promote data protection awareness and prevent errors.
- Authorization concepts regulate data access according to the need-to-know principle.
- Data protection guidelines and clear instructions create binding rules for the secure handling of data.
- Emergency concepts and backup strategies ensure rapid recovery in the event of data loss or IT failures.
- Data protection-friendly default settings (privacy by default) ensure that systems work in a data-saving manner by default (Art. 25 para. 2 GDPR).
Why are technical and organizational measures (TOM) so important?
TOMs are the central building block of an effective data protection concept. They not only protect personal data, but also organizations themselves from legal, financial and reputational damage.
Protection of the rights and freedoms of data subjects
The GDPR protects the rights of natural persons. If personal data is not adequately secured, there is a risk of serious consequences for those affected – such as identity theft, discrimination or economic damage.
Avoidance of data breaches
According to Art. 4 No. 12 GDPR, a data breach occurs when personal data is destroyed, lost, altered or disclosed without authorization. TOMs are intended to prevent precisely such incidents or minimize their consequences.
Minimization of fines and reputational damage
Violations of the obligations under Art. 32 GDPR can result in significant fines – up to 20 million euros or 4% of annual global turnover (Art. 83 (4) and (5) GDPR). There is also a risk of long-term damage to the trust of customers, partners and employees.
Obligation to continuously adapt
TOMs must be constantly adapted to new threats and technical developments. Cyberattacks, new attack methods or organizational changes require a regular review and update of protective measures.
Selection of measures: What companies should consider
The GDPR does not provide an exhaustive list of protective measures. Instead, organizations must individually check which measures are required.
The following are decisive:
Risk assessment
A well-founded risk assessment is the basis for every selection. It evaluates the probability of occurrence and potential impact of data breaches.
State of the art
Measures must correspond to the current state of the art. Outdated systems or weak encryption do not meet the requirements of the GDPR.
Implementation costs
Economic considerations may be taken into account, but must not lead to the omission of necessary protective measures.
Nature, scope and purpose of processing
The more sensitive the data or the larger the data volume, the higher the requirements for the TOM. Processing operations must always be considered on a case-by-case basis.
Data processing security: These are the requirements of the GDPR
Art. 32 GDPR requires organizations to ensure four protection objectives:
- Confidentiality: Protection against unauthorized access (e.g. through access controls, encryption).
- Integrity: Protection against unauthorized modification or loss (e.g. through checksums or versioning).
- Availability: Ensuring that data is accessible when required (e.g. through backups and failover).
- Resilience: Systems must remain functional even under high loads or after malfunctions.
In addition, the GDPR requires regular reviews and adjustments to protective measures in order to identify new risks in good time.
Special features for small companies, associations and voluntary organizations
The GDPR applies regardless of the size of the organization. However, small organizations may rely on the principle of proportionality:
- Measures must be appropriate to the specific risk.
- Basic protection such as secure passwords, regular updates, sensitization of employees and encrypted communication is mandatory.
Even small organizations must document their measures in order to be able to prove them to the authorities if necessary.
A step-by-step approach helps:
- analyze risks,
- record existing measures,
- improve protection,
- check measures regularly.
Consequences of inadequate technical and organizational measures
Those who do not take appropriate TOMs risk considerable consequences:
- Fines of up to 20 million euros or 4% of annual turnover (Art. 83 (4) and (5) GDPR).
- Loss of reputation if data protection incidents become public.
- Liability claims of data subjects for damages (Art. 82 GDPR).
- Orders from the supervisory authority, such as a ban on processing or conditions imposed on it.
A lack of budget or limited resources does not release the company from its obligation to implement appropriate protective measures.
Conclusion
Technical and organizational measures are crucial for effective data protection. They must be selected and implemented on a risk-based basis and continuously adapted to new threats. Only those who actively shape data protection can protect not only sensitive data, but also their own organization from fines, loss of reputation and damage to trust.
Avoid fines due to inadequate technical and organizational measures. PRIMA offers you structured documentation of your TOM. Try it for 14 days free of charge now and implement data protection correctly!