Data Protection Academy » Data Protection Wiki » Technical organisational measures (TOMs)
Data protection according to GDPR
Technical organisational measures (TOMs)
Even though the General Data Protection Regulation has been in force since 2018, there are hardly any standards for implementing the individual requirements. Particularly in the area of technical organisational measures, requirements from the areas of data protection and data security as well as the laws GDPR and BDSG-new converge. This appears opaque to many data protection officers, and compliance with the requirements appears complicated.
We provide you with an overview of the legal situation and show you how you can guarantee the security of the processing of personal data with the help of technical organisational measures. Whether it's purchases in an online shop or video surveillance - any processing of personal data must be protected by appropriate technical and organisational measures.
In the following article you will learn which technical and organisational measures you should implement and what you should pay attention to when implementing them.
Most important information about Technical Organisational Measures
- Technical-organisational measures are measures described in the GDPR which are intended to ensure the protection of personal data.
- Technical and organisational measures are abbreviated as "TOM" or "TOMs"
- Since the entry into force of the GDPR 2018, are the ones listed in the BDSG. measures described are no longer applicable, instead in Article 32 of the GDPR Technical-organisational measures listed in categories
- TOMs also serve as proof of compliance with the GDPR, which is why written documentation is mandatory (stipulated in Art. 24 Para. 1 GDPR)
Content on the topic of Technical Organisational Measures:
Technical and organisational measures - What is the difference?
Technical measures include any protection of data processing security that can be realized by physical measures or in software and hardware. Organizational measures in the sense of the Article 32 GDPR include measures that involve the implementation of instructions, policies and procedures for employees to ensure the security of the processing of personal data.
Examples of technical measures
- Use of a firewall
- Encryption of data carriers and data transfers
- Pseudonymisation and encryption of personal data
- Installation of an alarm system
- Structural protection of buildings/premises
- Defaults for the password complexity of users (FIDO-2)
Examples of organisational measures
- Employee training on data protection
- Visitor registration
- Data protection compliant disposal of documents with personal data (DIN 66399)
What are the purposes of technical organisational measures?
Technical organizational measures are assigned to the area of data security and serve the purpose of comprehensively protecting personal data in accordance with the latest state of the art. Before you can define suitable TOMs for your company, you must first carry out a risk analysis or a risk assessment. Data Protection Impact Assessment (DPIA) for the processing activities of your company. Once you have identified potential risks for processed personal data, you can adequately protect them through the use of TOMs.
Legal development of technical organisational measures
The old regulations in the BDSG were more of a catalogue of requirements that had to be worked through in order to comply with the law. The new regulations, however, see the TOMs much more as a Criterion in the comprehensive risk assessment to be carried out. On the one hand, this opens up new approaches to the definition of appropriate measures. On the other hand, however, it increases the concrete scope of the assessment to be carried out by the competent authority. Data Protection Officer.
§ 9 BDSG - old
Technical and organisational measures
1 Public and non-public bodies that collect, process or use personal data themselves or on their behalf shall take the technical and organisational measures required to ensure the implementation of the provisions of this Act, in particular the requirements specified in the Annex to this Act.
2 Measures are only necessary if their cost is proportionate to the protective purpose sought.
Article 32 GDPR
Safety of processing
(1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. adequate level of protection These measures shall include, but not be limited to, the following, as appropriate: [...]
What must technical organisational measures contain according to the GDPR?
The Technical Organisational Measures ensure an adequate level of protection in accordance with the GDPR if they contain the following:
- the pseudonymisation and encryption of personal data;
- the ability to ensure confidentiality, integrity, availability and resilience of the systems and services related to the processing on a permanent basis;
- the ability to ensure the availability of and access to personal data in the event of a a physical or technical incident;
- a procedure for the regular review, assessment and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing.
In doing so, controllers and clients must take into account the state of the art, implementation costs, the severity and likelihood of occurrence of the (potential) risk, the rights and freedoms of data subjects, and the nature, scope, circumstances and purposes of the processing.
Based on these criteria, each company must develop its own catalogue of measures specifically adapted to the company. It should be noted that measures based on the criteria must be permanently reviewed, adapted and updated.
In the Robin Data ComplianceOS® you will be shown suitable TOMs based on your industry and can easily import them into your digital data protection documentation.
What do TOMs mean for companies?
With the entry into force of the GDPR the safety of the processing personal data expanded and with it the documentation and verification obligations. If companies process, collect or store particularly sensitive and personal data, they are obliged to implement TOM.
All measures taken to protect the data must be documented in order to be able to prove precise records of the precautions taken in the event of damage. If technical and organisational measures are carefully documented and implemented your company benefits in many ways. This is how you protect your company from fines and loss of reputation.In addition, sensitive company data and business secrets are also protected.
Structure and systematisation
With the entry into force of the GDPR, the security of the processing of personal data has been expanded and with it the documentation and verification obligations. The General Data Protection Regulation remains rather vague when it comes to a concrete definition of technical organisational measures. In purely schematic terms, the following systematisation patterns can be compared for the definition of TOM:
Classic structure of TOM according to old model:
- Measures for access control of data processing centres
- Measures for access control of data processing systems
- Measures for access control of personal data in data processing systems
- Measures of transfer control
- Measures of order control
- Measures of availability control
- Measures to implement the separation requirement
In contrast, the following structure is predominantly chosen uniformly today :
Confidentiality
- Measures for access control of data processing centres
- Measures for access control of data processing systems
- Measures for access control of personal data in data processing systems
- Measures of separation control
- Pseudonymisation measures
Procedures for regular review, assessment and evaluation
- Data Protection Management
- Incident Response Management
- Order control
Defined in Art. 32 para. 1 lit. d GDPR and the Art. 25 para. 1 GDPR
Practical procedure for the creation of technical organisational measures in the company
An important part of the implementation of the Technical Organisational Measures is the documentation of the implemented TOMs. However, it should not be forgotten that the documentation of the measures is only a partial step.
TOMs serve the purpose of comprehensively protecting personal data in accordance with the latest state of the art. Before you can define suitable TOMs for your company, you must first carry out a risk analysis or a risk assessment. Data Protection Impact Assessment (DPIA) for the processing activities of your company. Only the interaction with the specific processing activities will show whether the individual protection measures can be sufficient to ensure the necessary level of security.
Each company must therefore develop its own catalogue of measures specifically adapted to the company. It should be noted that measures must be permanently reviewed, adapted and updated on the basis of the criteria. In purely practical terms, it is therefore advisable to differentiate according to the specific processing scenarios when drafting the TOM.
The following systematisation can be recommended:
- A representation of the TOMs that concerns all techniques that are applied throughout the enterprise and are likely to affect all processing operations.
- Individual specific measures, which are assigned to them in the context of the concrete processing activities.
- (Optional) A representation containing only the measures relevant in processing relationships.
The subsequent risk assessment should also usefully take place in the context of the processing registers, taking into account both the information provided in the "General" TOM and the additional measures of the specific processing operations.
Furthermore, it must be ensured that the organisational measures taken do not merely exist on paper, but that the necessary instructions under labour law are effectively taken vis-à-vis the employees. Only such measures can be considered effective.
Implement your organisation's TOMs with Robin Data
Let ComplianceOS® Compliance Field Data Protection guide you through all the requirements of the GDPR. Starting with the implementation of the register of processing activities, the identification of necessary data protection impact assessments, the implementation of technical organisational measures through to the fulfilment of documentation obligations, Robin Data always provides you with the right tools. Start by booking a short introductory meeting with us.
What is the proportionality principle?
Article 32 of the GDPR states that the implementation costs of the technical and organisational measures must be taken into account in order to ensure a level of protection appropriate to the risk. By taking into account the economic adequacy, the TOM projects may be somewhat limited and, for example, the TOM of a small company may meet different standards than the TOM of a large corporation.
Eight steps to implementation
The process for selecting appropriate security measures, "ZAWAS" for short, was created by the LfD Lower Saxony and comprises the following steps:
- Describe processing activity
- Check legal basis
- Perform structural analysis
- Conduct a risk assessment
- Select measures
- Evaluate residual risk
- Consolidate measures
- Implement measures
The ZAWAS principle of the LfD Lower Saxony is a practical orientation for data protection officers who have an overview of the processing activities of their company. After implementing the measures, however, the step of data protection documentation should follow in order to comply with the documentation and verification obligations of the GDPR and to be meaningful in the event of an audit.
Examples of technical organisational measures
- Locking systems with code locks
- Chip cards for locked areas
- Access barriers secured with biometric features
- Data protection compliant video surveillance
- Secure firewall
- Anti-virus software
- Locking USB ports and other external interfaces
- Locking of device housings
- Authentication via password entry or biometric scans
- Security locks
- Logging of access to applications and processes such as data destruction
- Data protection compliant destruction of data carriers (files, drives etc.)
- Encryption of data carriers and mobile devices
Whitepaper with checklist, samples, templates and examples as PDF
In the whitepaper on Technical Organisational Measures you will find:
- 43 Examples for TOMs divided into confidentiality, integrity and other categories
- 12 ready-made examples for your data protection documentation
- Each Examples of technical AND organisational measures
- Checklist to tick off the TOMs for your company
- References to background information and relevant legal basis
Who can support the implementation of the technical and organisational measures?
Generally responsible for data protection in a company is the management, which usually delegates this task internally or appoints an external data protection officer. Successful data protection always requires cross-departmental cooperation, especially with regard to TOMs, since contacts from the IT department have the best overview of technical details and technical implementation. But colleagues from the Human Resources department must also be involved, because employees must be trained to deal with established TOMs. In turn, department heads can provide support in this task.
Implementation and documentation of the technical organisational measures with the Robin Data Software
If you are interested in the implementation and documentation of the Technical Organisational Measures with the Robin Data ComplianceOS®, you can download the individual articles in our Help Center or book free initial meetings book.
What are the consequences of a data protection breach?
A breach of data protection law in the area of Technical Organisational Measures is described in Art. 5 para. 1 of the GDPR defined as a breach of integrity and confidentiality. Controllers thus violate the principles of data processing and must, in accordance with Art. 83 (5) GDPR face fines of up to €20 million or 4% of turnover.
If the precautions taken turn out to be inadequate in the course of a data breach, companies run a high risk. In such a case, the GDPR Art. 83 Par. 4 fines of up to €10 million or 2% of turnover.
The amount of the fine incurred is determined by certain criteria: Type, severity and duration of a violation as well as the associated consequences. Measures taken (TOMs) are also used to determine the amount. The documentation of the technical and organisational measures taken is therefore an essential part of the process. legal protection which may reduce the amount of the fine.
Conclusion: TOMs must be adapted to the requirements of the company
Security in the processing of personal data in accordance with Article 32 of the GDPR is an essential component for ensuring data protection within a company. The technical organisational measures play a central role in this.
Not only are risks identified for the company internally and corporate security strengthened, but your customers in particular benefit from the GDPR-compliant implementation of the TOMs. Companies of all sizes are required to carefully implement and document the technical organisational measures.
Digital solutions, checklists, guidelines from the supervisory authorities and data protection officers can help here.
FAQ
What does TOM mean?
Technical-organisational measures are also abbreviated as "TOM" or "TOMs".
What are technical and organisational measures GDPR?
Technical-organisational measures are measures described in the GDPR which are intended to ensure the protection of personal data.
What are organisational measures GDPR?
Organisational measures within the meaning of Art. 32 GDPR include measures that involve the implementation of instructions, policies and procedures for employees to ensure the security of the processing of personal data.
When are TOMs required within the meaning of Art. 32 GDPR?
Public and non-public bodies that collect, process or use personal data are obliged to ensure technical and organisational measures. According to Art. 32 GDPR, companies must take technical and organisational measures to ensure an adequate level of protection, taking into account the state of the art, the costs of implementation, the purposes of the processing and the likelihood or severity of the risks to the data subjects.
Which technical and organisational protection measures for personal data are meant according to the BDSG?
According to § 9 BDSG, the following protective measures are meant. Technical measures are measures that can be implemented physically, such as alarm systems, firewalls and pseudonymisation of personal data. Organisational measures, on the other hand, are implemented through instructions and procedures, such as visitor registration, staff training or the dual control principle.
Robin Data ComplianceOS® Field Data protection
The Data Protection compliance field supports you in a court-proof and time-saving manner in the continuous implementation of your data protection management in the company. Both data protection officers and responsible persons benefit from the numerous functions.
- Internal control system - 10 September 2024
- TISAX requirements: Prepare certification step by step - 8 January 2024
- Audit management: Implementing audits more efficiently - 26 October 2023