A Guide to TOMs (technical and organisational measures) under the GDPR

The GDPR (General Data Protection Regulation) references “appropriate technical and organisational measures” nearly 100 times – yet it stops short of providing a precise definition of the term.

This article examines what TOMs are, how they align with the GDPR’s overall objectives, what kinds of controls they typically involve, and how to ensure they’re “appropriate”.


What are technical and organisational measures?

The GDPR requires data controllers and processors to implement security controls to safeguard personal data against unauthorised access, alteration or destruction. These safeguards are known collectively as technical and organisational measures, or TOMs.

TOMs are controls that reduce the likelihood or impact of a data breach. The term covers both technological solutions and the administrative processes that support them. What they look like in practice depends on the specific threats an organisation faces:

  • Technical threats, such as the risk of cyber attacks exploiting network vulnerabilities, are best addressed through controls like firewalls, system hardening and penetration testing.
  • Human-centric threats, such as social engineering or phishing, are more effectively managed through organisational defences such as staff training and internal policies.

What makes TOMs “appropriate”?

The Regulation deliberately avoids a fixed list of requirements, instead stating that organisations must implement “appropriate” measures. This flexibility recognises that:

  • Risk profiles vary significantly between organisations.
  • Resources and technical capabilities differ.
  • The same threat may require different controls depending on context.

An “appropriate” measure is therefore one that matches the level of risk to the data and the organisation’s capacity to mitigate it. Determining what is appropriate involves conducting a risk assessment – identifying likely threats and evaluating the impact they could have.

Importantly, this approach reflects the fact that absolute security is unattainable. Organisations must weigh the cost and practicality of controls against the level of protection required. A well-balanced set of measures will provide effective safeguards without obstructing day-to-day operations.


Examples of technical measures

Technical measures typically target system, network and device-level vulnerabilities. Common examples include:

  • Protective software
    Antivirus, antimalware and threat detection tools help to identify, block and respond to known technical threats.
  • Encryption and pseudonymisation
    These techniques reduce the risk of exposure: encryption renders personal data unreadable without the decryption key, and pseudonymisation replaces direct identifiers so that the data cannot be attributed to an individual without additional information that is held separately.
  • Access controls
    Passwords and MFA (multi-factor authentication) protect sensitive accounts and data. MFA is particularly important for high-risk systems, because it ensures that a compromised password alone is not enough to gain access.
  • Physical safeguards
    CCTV and secure access controls help protect physical assets and restrict unauthorised access to sensitive environments.

Examples of organisational measures

Organisational measures are the administrative and procedural controls that support secure handling of personal data. These include:

  • Information security policies
    These establish an organisation’s overarching approach to security and ensure consistency in how data protection responsibilities are carried out.
  • Business continuity and incident response plans
    These define how the organisation will respond to a breach or disruption.
  • Risk assessments
    A structured approach to identifying threats, evaluating their severity and deciding which controls to implement.
  • Training and awareness
    Employees must understand their responsibilities, the risks they face, and the correct procedures to follow. Ongoing training helps reduce human error and insider threats.
  • Audit and review processes
    Regular reviews help assess whether existing measures are still effective and identify opportunities for improvement.

Organisational measures often work in tandem with technical controls. For example, a password management policy supports the use of MFA, while incident response planning ensures that technical alerts are acted upon appropriately.


Evaluating whether your TOMs are suitable

GDPR compliance isn’t about adopting a standard checklist of controls. It’s about ensuring your defences are proportionate to the risks you face – and that your technical and organisational measures remain effective over time.

For many organisations, determining whether their existing TOMs are suitable can be difficult without external support. This is why many choose to undergo an independent audit.


GDPR Article 32 Technical and Organisational Measures Audit

Our sister company DQM GRC, a GRC Solutions company, offers a specialist audit service that evaluates whether your technical and organisational measures are appropriate, effective and compliant with the GDPR’s requirements.

Independent auditors will assess:

  • The controls you have in place, including technical solutions and administrative processes;
  • The quality and scope of your information security policies and risk management practices;
  • The adequacy of staff awareness and training;
  • How well your organisation applies principles of privacy and data protection by design.

The assessment is carried out using a framework aligned with internationally recognised standards, including ISO 27001, ISO 27701 and Cyber Essentials.


The post A Guide to TOMs (technical and organisational measures) under the GDPR appeared first on IT Governance Blog.
