
Technical and Organizational Measures

What are Technical and Organizational Measures?

Technical and Organizational Measures (TOMs) are crucial steps that every organization processing personal data must take. These measures are established in the General Data Protection Regulation (GDPR) and aim to ensure the security of data processing. The GDPR requires organizations to protect the rights and freedoms of individuals whose data they process, including ensuring lawful data processing.

Key Aspects of the GDPR

There are specific articles in the GDPR relevant to the security of personal data:

  • Article 24: Responsibility of the controller. The controller must implement appropriate technical and organizational measures to ensure, and be able to demonstrate, that processing complies with the GDPR, including the principles set out in Article 5 (lawfulness, fairness, transparency, and data minimization). These measures must be reviewed and updated where necessary.
  • Article 32: Security of processing. Taking into account the state of the art, the costs of implementation, and the risk to data subjects, controllers and processors must implement a level of security appropriate to that risk. The article explicitly names pseudonymization and encryption of personal data, the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems, the ability to restore availability and access after an incident, and a process for regularly testing and evaluating the effectiveness of the measures. Encrypting data in transit, for example when sending personal data by email, is a typical application.
  • Article 25: Data protection by design and by default. Data protection must be built into the design of processing activities, and default settings must be privacy-friendly (for example, only the data necessary for a purpose is processed by default). Organizations should therefore consider data protection from the earliest stages of product and service development, including prototypes or demonstrators.

Documentation and Responsibilities

Organizations processing personal data must create and continuously update a record of processing activities (often called a processing directory). Required by Article 30 of the GDPR, this record contains, for each processing activity, the controller’s name and contact details (and those of any representative and data protection officer), the purposes of processing, the categories of data subjects and personal data, the categories of recipients, any transfers to third countries, and, where possible, the envisaged deletion timelines. It must also contain, where possible, a general description of the technical and organizational security measures referred to in Article 32(1). The record must be made available to the supervisory authority on request. Article 30(5) exempts organizations with fewer than 250 employees, unless the processing is likely to result in a risk to data subjects, is not occasional, or involves special categories of data or data relating to criminal convictions; in practice, most organizations fall under the obligation.

Practical Implementation of TOMs

Organizations must implement a range of technical and organizational measures appropriate to their size and processing activities. Typical technical measures include information security policies, access controls, secure authentication and password handling, encryption of data at rest and in transit, secure disposal of documents and storage media, and backup and emergency plans. All measures must be reviewed regularly and adjusted to new risks.

Organizational measures complement the technical ones. They include ensuring that personal data can only be accessed or modified by authorized persons (need-to-know and role-based access), and maintaining the integrity and availability of the data. The organization must also determine the required level of security based on the sensitivity and value of the processed data and on the risks to data subjects from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to that data.

Finally, it’s important to note that there is no one-size-fits-all solution for information security. What is appropriate for an organization depends on its specific circumstances and the risks associated with its data processing.