Technical and Organisational Measures (TOMs)

Technical and Organisational Measures

GDPR appropriate technical and organisational measures
Appropriate technical and organisational measures

Technical and Organisational Measures

technical and organisational measures tom specialist

Technical and Organisational Measures (TOMs) are the functions, processes, controls, systems and procedures used to protect and secure the personal information you collect, process and store. You must demonstrate that you have integrated data protection into every aspect of your processing activities by having appropriate TOMs in place to achieve GDPR compliance.

The GDPR does not detail the technical and organisational measures you should use, only that they should be ‘appropriate’ given the cost, nature, scope, context and purposes of processing, and the risks to data subjects. TOMs should meet the principles of data protection by design and data protection by default.

Data protection by design considers data privacy and protection issues at the design phase of any system, service, product or process and implements appropriate TOMs, such as policies and procedures, training, reporting, reviews and audits. These issues are monitored, making any necessary changes throughout the lifecycle of the data processing activity.

Data protection by default hinges on the principles of data minimisation and purpose limitation. It requires you to process only the data necessary to achieve your purpose, store it for the minimum amount of time and restrict accessibility.

Technical measures
Technical measures are the measures and controls implemented to protect personal data by securing company systems - devices, networks and hardware.
Technical measures include:

  • Cybersecurity
  • Encryption and pseudonymisation
  • Physical (building) security
  • Appropriate disposal of paperwork and devices containing personal data
  • Passwords
  • Access rights

Organisational measures
Organisational measures may consist of internal policies, procedures or standards, monitored and reviewed by controls and audits.
Organisational measures include:

  • Information security policies
  • Business continuity plan
  • Risk assessments
  • Data protection policies and procedures
  • Awareness and training of staff
  • Reviews and audits
  • Due diligence checks/audits of vendors

We partner with you to identify and review your current Technical and Organisational Measures and recommend appropriate improvements to mitigate risk and ensure you can demonstrate compliance with the GDPR.

Pharma Data Protection

Talk to us about Technical and Organisational Measures.

Helping pharmaceutical and medical device businesses worldwide navigate the interface between pharma and EU data protection.

let's talk

Related articles

What are your ongoing GDPR data requirements when closing a clinical trial?

Read the full article >>

Data protection concerns: Will the UK’s new data protection bill upset the EU-UK adequacy agreement?

Read the full article >>

Challenges of GDPR compliance for clinical trials spanning multiple international borders – a case study

Read the full article >>

Business Benefits of Data Protection and Data Privacy in Clinical Trials in Europe

Read the full article >>

The Role and Responsibilities of the GDPR Data Protection Officer

Read the full article >>

Outsourcing Data Protection. A biotech client’s perspective

Read the full article >>

Data Protection and Data Privacy Training are Mandatory under GDPR

Read the full article >>