Technical and organisational measures
Technical and organisational measures (TOMs) are the backbone of data protection under the GDPR. They range from technical security safeguards to organisational processes and should be reviewed and adjusted regularly.

Context: Why TOMs matter
In an increasingly digital world, protecting personal data is of the highest importance. Technical and organisational measures (TOMs) ensure that businesses comply with the GDPR and safeguard the integrity of customer data.
TOMs include technical security measures, organisational training, and physical safeguards. These measures should be reviewed, adjusted, and optimised regularly.
What are technical and organisational measures?
Technical and organisational measures, often referred to as TOMs, form the backbone of data protection under the GDPR.
Regardless of business size, TOMs are essential to increase data security and ensure that personal data is processed in line with legal requirements.
Types of TOMs: technical measures (e.g. end-to-end encryption, firewalls, secure servers), organisational measures (e.g. training, policies, emergency plans), and physical measures (e.g. access controls, protection of paper documents).
Who needs TOMs?
Every business that processes personal data needs a solid foundation of TOMs.
TOMs are not only relevant for IT companies or sectors with sensitive data – they are central to reputation, trustworthiness, and business success.
How do I create TOMs for my business?
Practical approach: needs analysis (Which data? Where stored? Who has access?), technical safeguards (e.g. encryption), organisational structures (training, policies), and regular review and adjustment.
External experts or tools can support implementation and make the process easier.
Appropriate TOMs to protect personal data
Examples: encryption (in transit and at rest), access control (authorised persons only), physical security measures (secured premises), regular backups.
Appropriate TOMs for data collection and processing
Examples: data minimisation (only necessary data), anonymisation (e.g. in surveys), monitoring systems (detect unusual activity), regular software updates (close security gaps).
Implementation: An ongoing process
Implementing TOMs is not a one-off act. It requires risk assessment, continuous monitoring, and regular training.
Audits, penetration tests, and feedback from employees are suitable ways to verify effectiveness.
What happens if I do not have TOMs?
Without TOMs, you risk: GDPR violations, financial penalties, reputational damage, legal consequences, competitive disadvantages, higher follow-up costs after data breaches, and an increased risk of cyber attacks.
Conclusion
TOMs are not only a legal requirement but essential for trust and compliance. Proper implementation and ongoing adjustment protect against penalties and reputational loss.
Author

Sebastian Schenk
Co-Founder & CEO
Lawyer and data protection officer. Drives product vision at simply Legal and ensures Dieter is sound legally and in practice.
This article reflects the position at the date of publication. We update our content when the law changes.