Technical and Organisational Measures (TOMs)
Art. 32 GDPR requires every organisation to protect personal data with a level of security appropriate to the risk – and to document this verifiably. SimpleAct keeps your TOMs structured, current and audit-ready.
What are TOMs?
Technical and organisational measures (TOMs) are all the safeguards that ensure the security of processing personal data. “Technical” means e.g. encryption, access control or backups; “organisational” means e.g. policies, training and authorisation concepts. Art. 32 GDPR requires a level of protection appropriate to the risk – and, as part of accountability, evidence that the measures exist and are effective.
The protection goals of Art. 32
Document and maintain TOMs
- Assess the protection needs of your processing activities
- Define physical, system and data access controls
- Implement encryption and pseudonymisation
- Document a backup and recovery concept
- Maintain an authorisation and role concept
- Review TOMs regularly and update them on changes
- Link TOM evidence to processing activities and DPAs
Frequently asked questions about TOMs
Is there a mandatory TOM list?
No. Art. 32 names protection goals and examples but prescribes no fixed list. The measures must match the risk of the specific processing – higher risk requires stronger measures.
How often must TOMs be reviewed?
Regularly, and whenever a specific occasion calls for it – for example with new systems, changed processing or after a security incident. The review itself is part of the obligations.
Must TOMs be disclosed to the processor?
Yes. In the DPA under Art. 28, the processor must set out its TOMs, and the controller should review and document them.
Are technical measures alone enough?
No. Only the combination of technical (e.g. encryption) and organisational measures (e.g. policies, training) meets the requirements of Art. 32.
TOM management with SimpleAct
Capture protective measures in a structured way, review them regularly and provide them as accountability evidence at any time.