Technical and Organisational Measures
Technical and Organisational Measures (TOMs) are the functions, processes, controls, systems and procedures used to protect and secure the personal information you collect, process and store. You must demonstrate that you have integrated data protection into every aspect of your processing activities by having appropriate TOMs in place to achieve GDPR compliance.
The GDPR does not detail the technical and organisational measures you should use, only that they should be ‘appropriate’ given the cost, nature, scope, context and purposes of processing, and the risks to data subjects. TOMs should meet the principles of data protection by design and data protection by default.
Data protection by design considers data privacy and protection issues at the design phase of any system, service, product or process and implements appropriate TOMs, such as policies and procedures, training, reporting, reviews and audits. These issues are then monitored throughout the lifecycle of the data processing activity, and any necessary changes are made as it evolves.
Data protection by default hinges on the principles of data minimisation and purpose limitation. It requires you to process only the data necessary to achieve your purpose, store it for the minimum amount of time and restrict accessibility.
Technical measures are the measures and controls implemented to protect personal data by securing company systems: devices, networks and hardware.
Technical measures include:
- Encryption and pseudonymisation
- Physical (building) security
- Appropriate disposal of paperwork and devices containing personal data
- Access rights
Organisational measures may consist of internal policies, procedures or standards, with their effectiveness monitored and reviewed through controls and audits.
Organisational measures include:
- Information security policies
- Business continuity plan
- Risk assessments
- Data protection policies and procedures
- Awareness and training of staff
- Reviews and audits
- Due diligence checks/audits of vendors
We partner with you to identify and review your current Technical and Organisational Measures and recommend appropriate improvements to mitigate risk and ensure you can demonstrate compliance with the GDPR.