What actually are technical and organizational measures (TOMs)? What do they mean for small businesses?
The term technical and organizational measures (TOMs) was newly coined by the GDPR. The GDPR also introduced a number of new terms and changed existing ones. Consent, personal data and data protection officer we already know. Procedure directories are now called processing directories. The terms technical and organizational measures (TOMs), privacy by design and privacy by default, however, are new.
In principle, it is not new that precautions must be taken to ensure the security of data in the technical and organizational areas of a company. Nevertheless, it is a rather abstract term, especially for small companies; it may sound more meaningful to larger companies than to a small entrepreneur, who will probably first ask himself: technically, organizationally? What applies to me and my company, and what does it mean in the context of data protection? A space opens up that is hard to assess. In this article, we take a closer look at the concept of TOMs and what they mean.
What do we mean by technical and organizational measures (TOMs)?
TOMs are about organizing processes, partnerships, admission and access in such a way that the data a company collects and processes is also secured. You collect, store and manage data and organize your business in a variety of ways, with a variety of tools and processes: a cabinet where files are kept, the emails you write, the chip card that lets you into your offices, and so on. These procedures and instruments belong to the technical and organizational measures. Different areas can therefore be defined in which certain technical and organizational measures must or should be implemented. The legal basis for technical and organizational measures (TOMs) is Art. 32 of the GDPR (see below).
Technical and organizational measures (TOMs) in small companies
Below we have outlined what an overview of TOMs might look like for a small business.
| Area | Technical measures (examples) | Organizational measures (examples) | Legal reference |
|---|---|---|---|
| Admission | Alarm system, security locks | Employee ID cards, key management | Art. 32 (1) b) |
| Access | Logins, AV software, firewalls | Password policies, mobile device policies | Art. 32 (1) b) |
| | Document shredder, regular deletion of data | Permission concepts | Art. 32 (1) b) |
| Separation | Test environments, multi-client capability | Permission concepts | Art. 32 (1) b) |
| Pseudonymization | Physical separation of data and allocation processes | Adherence to deletion deadlines, internal instructions for pseudonymization | Art. 32 (1) a) |
| Disclosure | Secure transport containers, email encryption, VPN | Handover protocols, careful selection of service providers and employees | Art. 32 (1) b) |
| Input | Input logging through log files | User roles with different permissions | Art. 32 (1) b) |
| Availability | Security precautions in the server room (air conditioning), service level agreements (SLAs) with service providers | Emergency planning, backup concept | Art. 32 (1) c) |
| Data protection management | Certifications, data protection software | Internal or external data protection officer | Art. 32 (1) d) |
| Data privacy violations | Virus scanner, spam filter, firewall | Concepts for dealing with data protection breaches | Art. 32 (2) |
| Privacy-friendly default settings | Data avoidance during data collection, efficient database design | Development and documentation guidelines | Art. 32 (2) |
| Order management | | Examination of the security concepts of possible contract partners | Art. 32 (4) |
| Assessment of the protection level | | Risk analysis, data protection impact assessment | Art. 32 (2) |
Art. 32 GDPR at a glance – Technical and organizational measures
Security of processing
(1) Taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, the controller and processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, but not limited to:
(a) the pseudonymization and encryption of personal data;
(b) the ability to ensure the confidentiality, integrity, availability and resilience of the systems and services related to the processing on a continuous basis;
(c) the ability to rapidly restore the availability of and access to personal data in the event of a physical or technical incident;
(d) a procedure for periodic review, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure the security of the processing.
(2) In assessing the appropriate level of protection, particular account shall be taken of the risks inherent in the processing, in particular from destruction, loss, alteration or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether accidental or unlawful.
(3) Compliance with approved codes of conduct pursuant to Article 40 or an approved certification procedure pursuant to Article 42 may be used as a factor to demonstrate compliance with the requirements referred to in paragraph 1 of this Article.
(4) The controller and the processor shall take steps to ensure that natural persons under their authority who have access to personal data process them only on instructions from the controller, unless they are obliged to process them under Union or Member State law.
Source of legal text: EUR-Lex