Technical and organisational measures (TOMs)

The controller must implement appropriate technical and organisational measures to ensure an adequate level of protection of personal data. The data protection principle of data minimisation must also be implemented and the necessary guarantees must be put in place to meet the requirements of the General Data Protection Regulation.

The GDPR remains quite vague here. The controller must individually assess the risks of processing and decide on appropriate measures. Under the heading "Security of processing", Art. 32 GDPR provides some examples of how technical and organisational measures can be implemented: 

• Pseudonymisation and encryption of data
  
• Ensuring the confidentiality, integrity, availability and resilience of systems
• Recoverability of data after a physical or technical incident
• Procedures for regular review, assessment and evaluation of the effectiveness of the measures

In practice, it has become common practice to also document the technical and organisational measures.

Source: OpenClipart-Vectors on Pixabay