What are Technical and Organizational Measures?
Art. 32 GDPR requires organizations to implement "appropriate technical and organizational measures" (TOMs) to ensure a level of security appropriate to the risk. TOMs cover everything from encryption and access control to employee training and clean desk policies. They must be documented and kept current.
Categories of TOMs we assess
- Confidentiality — access control, encryption, need-to-know principle
- Integrity — change logs, audit trails, data validation
- Availability — backups, redundancy, disaster recovery
- Resilience — ability to restore systems promptly after incidents
- Pseudonymization — reducing risk through data minimization
- Testing & evaluation — regular reviews of security measures
What you receive
A complete, up-to-date TOM documentation ready for inclusion in your DPAs, annual DPO reports, and supervisory authority submissions. We also provide a prioritized list of measures to improve your security posture.