Technical and organisational measures: An introduction incl. checklist

What you need to know, in a nutshell

• Technical and organisational measures (TOMs) comprise of all provisions put into place to guarantee the security of personal data.
• According to the GDPR, TOMs must be documented.
• Implementing appropriate TOMs is a legal requirement.
• A risk analysis forms the foundation for selecting suitable protective measures.
• Insufficient TOMs often result in fines.
• When choosing processors, you should make sure that they can provide evidence of adequate TOMs.

In this article

• What does the abbreviation TOM stand for according to the GDPR? 
• What do technical and organisational measures refer to in data protection?
• How do I find out what TOMs are suitable for my company?
• TOMs in data protection: Where can I find checklists and templates?
• Will I risk being fined if TOMs aren’t properly implemented? 
• How can companies benefit from TOMs and increase their security?
• Who can help me implement TOMs? 
• Conclusion and recommendations

What does the abbreviation TOM stand for according to the GDPR?  

TOM stands for Technical and Organisational Measures. The term appears in the General Data Protection Regulation (GDPR). This concept refers to all concrete provisions taken by a company to guarantee the security of personal data.

What do technical and organisational measures refer to in data protection? 

Strictly speaking, data protection law consists of two components: Data protection and data security.

Data protection deals with the legal requirements of collecting and processing personal data – meaning any information that can be traced back to an individual. This area focuses on informational autonomy and thus the question of whether and for what purposes companies may acquire and process personal data.

Data security addresses the question of how and with which measures data protection can be ensured. This is where the technical and organisational measures come in.

Good to know: Data security doesn’t only cover personal data, but any data held by a company – regardless of whether these are personally identifiable.

By the way: Do you know how data protection and data security are related in companies? Read about it here.

How do I find out what technical and organisational measures are suitable for my company?

Article 32 of the GDPR makes it clear that the measures implemented by your company must guarantee an adequate level of protection. The suitability of any measures taken relates to the likelihood of occurrence and severity of any risk that could harm the rights and freedoms of affected individuals.

Practical guidelines can help you turn the requirements laid out by the GDPR into actual measures. ZAWAS, devised by the state of Lower Saxony’s data protection officer, defines eight specific steps for selecting and implementing appropriate security measures. We have compiled the information in condensed form for you as a checklist:

Step 1: Describe your processing activities

What kind of data do you process? When, by whom, and for what purpose? What systems do you use for this?

Step 2: Check the legal foundations

Are you collecting and processing data in a lawful manner? Are you recording data for a specific purpose and are you following data processing guidelines?

Step 3: Determine which business processes require greater security

Which services, systems, rooms, and data does your company need to protect? How are these related to one another?

Step 4: Analyse potential risks

• • Identify the risks: Is the security of personal data vulnerable due to a risk of natural catastrophes, unclear responsibilities within the company, or potential technical failures?
  • Evaluate possible consequences: How severe would the consequences be in the event of an incident? Would a worst-case scenario affect data that are particularly worthy of protecting, such as health data or details from your employees’ personnel file?
  • Evaluate the likelihood of occurrence: How high is the likelihood of a certain incident occurring? What experience does your company have that would make it easier to estimate the severity of any damage? What information could you include to determine this?
  • Determine the risk value: What risks come with a high degree of severity as well as a high likelihood of occurrence? What risks would cause less damage and are less likely to occur?
    
   Step 5: Choose technical and organisational measures
  
   Which risks should you address first in light of their high risk value? Based on the current state of the art, which specific measures are worth considering to minimise these risks? What measures can you implement on a reasonable scale (cost-effective measures, for example)?

Step 6: Evaluate the residual risk

Which risks are you unable to fully eliminate through technical and organisational measures? How high are the residual risks?

Step 7: Consolidate your measures

Should you combine various measures, or are individual measures sufficient? Are the measures appropriate given your company’s individual circumstances?

Step 8: Implement your chosen measures

Which measures will you put into practice first? Who will assume responsibility for implementing these? Has the implementation led to the desired result?

Where can I find checklists and templates for technical and organisational measures?

Suitable TOM checklists or compendia can help you understand the range of necessary security measures. That said, it’s easy to lose sight of what matters as you wade through the abundance of online information.

In this case, the laws themselves can offer useful insight. In addition to the GDPR, the Data Protection Act 2018 and UK GDPR can help you understand the purpose that specific technical and organisational measures should fulfil:

Compare this overview with your company’s current situation as documented. We recommend implementing TOMs in all categories. In the area of IT security, the Basic IT Protection compendium, published by the Federal Office for Information Security (BSI) and updated every year, provides helpful guidance. It gives you an in-depth look into numerous fundamental sources of danger, such as the misuse of personal data, and details the requirements for implementing respective IT security measures.

DIN standards can offer instructive information, for example for determining the state of the art. For one, DIN standard 66399 defines the current technical requirements for different security levels when destroying data carriers.

Will I face fines if I fail to implement technical and organisational measures to a sufficient level? 

Inadequately implemented TOMs can lead to negative consequences. So far, the authorities (such as the ICO) have primarily fined companies for inadequate technical and organisational measures – most of these due to insufficient IT security. This illustrates the importance of documenting any implemented security measures as important legal protection.

If your company does experience a data breach, documentation of your technical and organisational measures serve as a significant criterion in determining the amount of the fine. Simply put: In a worst-case scenario, evidence of your attempts to protect data through suitable measures could lead to lower fines.

In addition to your own TOMs, make sure you are also aware of those of your external processors. Ask for evidence that your service providers are also taking sufficient technical and organisational measures. Otherwise you still face the risk of sanctions.

If you want to read more about how you should respond to a data breach, check out this article.

How can companies benefit from TOMs and increase their security?

Conscientiously implementing and documenting TOMs alone does not protect you from fines and a damaged reputation. If you make your own processes transparent and take suitable security precautions, you will most likely see benefits beyond data protection, because:

• you are protecting business secrets and sensitive company data.
• efficiency potential regarding your own business processes may come to light.
• you are also strengthening the integrity and availability of your entire database – beyond personal data.
• the resilience of your IT infrastructure will increase. you are reducing the risk of a costly system failure.

Who can help me implement technical and organisational measures? 

The person responsible for data protection, the head of the company, can delegate this task to an internal or external data protection officer. The bigger the organisation, the more important it is to ensure interdisciplinary collaboration within the company. The following gives an example of what this collaboration could look like:

• The data protection officer coordinates adherence to the GDPR across all departments in the company.
• They will consult the IT department about implementing technical measures.
• They work with the HR department to provide the required training for all employees.
• Finally, they consult with all specialist departments to ensure that data protection is accounted for inany processes specific to the departments.
• Every single employee should do their part to keep data safe and get in touch with the data protection officer if they have any questions or concerns. 

As you can see, data protection and the implementation of technical and organisational measures constitute company-wide tasks.

Conclusion and recommendations

Secure ways of processing personal data are crucial for ensuring data protection. Companies are obligated to proactively determine potential risks for affected individuals that could occur during processing.

Building on this, they must put suitable measures in place to guarantee sufficient protection. Whether a small workshop or a major corporation making millions, every company will benefit from implementing appropriate TOMs and regularly checking their effectiveness.

There are still some questions that you would like to get answered? Feel free to reach out to one of our experts: