TOM (Technical and Organizational Measures)
Security measures pursuant to Article 32 GDPR - mandatory for every controller
TL;DR
Technical and Organizational Measures (TOM) pursuant to Article 32 GDPR are mandatory security safeguards - aligned with the risk profile and the state of the art. Typical categories: pseudonymization, encryption, confidentiality, integrity, availability, resilience, recoverability, regular effectiveness reviews.
What are TOMs (Technical and Organizational Measures)?
Article 32 GDPR requires TOMs appropriate to the risk. Unlike ISO 27001 (which also applies), GDPR does not specify a concrete minimum list. What counts as the state of the art evolves continuously; the usual reference points are BSI IT-Grundschutz, ENISA recommendations and ISO 27002. Examples: hard-drive encryption, MFA, backup strategy, patch management, authorization concept, training, data carrier destruction per DIN 66399.
Practical example
A 30-person mechanical engineering company documents 14 typical TOMs in a list:
- MFA for all admin accounts
- VPN for remote access
- Hard-drive encryption (BitLocker)
- Daily backup with 30-day retention
- Need-to-know based authorization concept
- Mandatory annual training
- Patch management process
- Four-eyes principle for subcontracting
- Locked server room + access log
- SSL/TLS for all web services
- Pseudonymization in the test environment
- DIN 66399-compliant file destruction
- Annual penetration test
- Emergency plan + tabletop exercise every six months