TOM (Technical and Organisational Measures)
Security measures pursuant to Article 32 GDPR - mandatory for every controller
TL;DR
Technical and Organisational Measures (TOM) pursuant to Article 32 GDPR are mandatory security safeguards - aligned with the risk profile and the state of the art. Typical categories: pseudonymisation, encryption, confidentiality, integrity, availability, resilience, recoverability, regular effectiveness reviews.
What are TOMs (Technical and Organisational Measures)?
Article 32 GDPR requires risk-appropriate TOMs. Unlike ISO 27001 (which also applies), GDPR does not specify a concrete minimum list. The state of the art is updated continuously - BSI Grundschutz, ENISA recommendations, ISO 27002. Examples: hard-drive encryption, MFA, backup strategy, patch management, authorisation concept, training, data carrier destruction per DIN 66399.
Practical example
A 30-person mechanical engineering company documents 14 typical TOMs in a list:
- MFA for all admin accounts
- VPN for remote access
- Hard-drive encryption (BitLocker)
- Daily backup with 30-day retention
- Need-to-know based authorisation concept
- Mandatory annual training
- Patch management process
- Four-eyes principle for sub-engagements
- Locked server room + access log
- SSL/TLS for all web services
- Pseudonymisation in the test environment
- DIN 66399-compliant file destruction
- Annual penetration test
- Emergency plan + tabletop exercise every six months