Technical and Organisational Measures (TOMs) are the safeguards that organisations must implement under GDPR Article 32 to ensure appropriate security for personal data processing. Technical measures include encryption, access controls and pseudonymisation, whilst organisational measures cover policies, staff training and incident response procedures. The specific measures required depend on the nature, scope, context and purposes of processing, as well as the risk to individuals' rights and freedoms.
Implementing robust TOMs is not merely a legal obligation but a cornerstone of trustworthy data handling. Organisations must regularly review and update these measures to keep pace with evolving threats and technological developments. Documenting your TOMs thoroughly also provides essential evidence of compliance during audits and regulatory inquiries.