Technical and Organisational Measures (TOMs)


Identify which technical and organisational measures you need to implement in order to comply with GDPR. Pridatect simplifies the process. Let us show you how:

Technical Controls and Organisational Security Measures

Pridatect simplifies your TOMs management

Detect risks to your company

Perform a risk assessment to understand the risks associated with your company's assets

Define security measures

Easily and intuitively identify the technical and organisational measures that your company should implement

Ensure GDPR compliance

Check that security measures have been implemented to verify that you comply with GDPR

Technical and Organisational Measures - Template

Download our free template for technical and organisational measures, with several examples that you can use when implementing them in your company.


Technical and Organisational Measures according to GDPR

Accredits and guarantees the security of personal data

Data protection in a company is NOT a one-off action; it is a commitment to responsible and continuous management of the personal data processed in a company, and to ensuring that you can continue to adapt to constantly evolving regulations.

Therefore, Article 32 of GDPR provides for the imposition of technical and organisational measures to accredit and guarantee the security of personal data processed in a company. These security measures have the ultimate aim of ensuring the integrity and confidentiality of the data.

But on what basis should TOMs be established? It is obvious that all data processing has associated risks that must be avoided, so it is essential to detect the level of risk for each data processing activity and thus define the security measures.


The first step will be to carry out a risk assessment to identify threats, so that the person responsible for, or in charge of, the processing can assign TOMs that are proportionate and appropriate to each of the risks detected. In this way the security measures can be preventive (to avoid future risks) and reactive (to react to a detected risk and be able to mitigate it).


It is essential that a company can demonstrate that the security measures have been carried out to comply with the principle of proactive responsibility established by GDPR. 


In this way, you will avoid penalties for non-compliance and maintain credibility in the event of a security breach, for example if sensitive customer or supplier data is leaked.

Generate technical and organizational security measures with Pridatect

Adjusted to the associated risks

To determine the technical and organizational security measures, the first step is to detect the risks with which they will be associated. Using automated and intuitive software such as that offered by Pridatect, you can carry out a risk assessment that detects risks based on your company’s assets, and so identify the technical and organizational measures that must be implemented to comply with GDPR and ISO/IEC 27005 and guarantee a level of security adequate to the risk.

Frequently Asked Questions

These measures are an organisation’s approach to evaluating, developing, and implementing controls to protect personal data for the purpose of prevention or prohibition.

Therefore, raising awareness and training employees will be the key organisational measure that should be implemented on a regular basis with respect to other measures. 

Every company must inform all employees who have access to personal data that they have obligations and responsibilities for the processing of such data.

Some of the organisational measures are classified as follows:

  • Security policies and regulations for employees and users of information systems: safe password policy, data destruction policy, policies for the good use of email and internet, clean desktop policy, etc.
  • Rights of data holders: Employees must be aware of the procedure for dealing with the rights of the data subjects, for example when a data subject requests access to, or rectification, suspension or deletion of, their data.
  • Involvement of senior management: This is a key aspect for the success of the company, as they must be involved in the development of these measures and demonstrate good practice.

Generally, it is defined as the measures and controls provided to the systems and technological aspects of a company, such as devices, networks and hardware. These measures include both physical and IT security.


From the perspective of “physical” security, the following factors must be taken into account:


  • The quality of the locks and doors, the protection of the office with alarms and CCTV
  • How to control access to the office and how guests are supervised
  • How to dispose of electronic and paper waste
  • How to keep computer equipment, such as cell phones, safe.


In the IT context they can sometimes be categorized as “cyber security” measures. So we have to take into account factors such as:


  • Security systems: for example, the security of our network and information systems, not to mention those that process personal data.
  • Data security: the security with which you store the data in your systems. For this you have to have secure passwords and keep them confidential, separate personal and professional uses by managing users, roles and privileges, and protect your email with anti-spam and anti-phishing systems.
  • Online security of your website: filtered access to malicious sites and downloads with code, alerts to detect malicious traffic, and security for Wi-Fi networks to prevent unauthorized access, uncontrolled devices and possible attacks.
  • Device security: keeping devices and computers updated, having an anti-virus system and updating it regularly, having a firewall on computers where automated data processing is carried out, and encrypting data, files and/or USB devices in case it is necessary to take the data out of the office where it is processed.


Whatever the nature of your activity, you must remember that:

  • Cyber security measures must be appropriate for the size and use of the network and information systems.
  • Security must be appropriate to the practice of your company’s activity. For example, if you offer remote work, make sure that the security of the data used in the company is not compromised.

According to Article 32 of the GDPR, technical and organisational measures should be determined taking into account the following criteria:

  • Application costs
  • Type, scope, context and purpose of processing
  • Probability and severity of the risk to the rights and freedoms of natural persons

GDPR does not contain a precise list of TOMs that have to be implemented in companies, since all measures are variable and have to be applied according to the judgement of the controller.

These are some examples of technical and organisational security measures under GDPR:

  • TM – alarm systems
  • TM – biometric access control
  • TM – video surveillance of access to facilities
  • TM – access with personalised username and password
  • TM – antivirus software for mobile devices
  • OM – “Secure Password” policy
  • OM – “data deletion” policy
  • OM – access control by reception / porter
  • OM – visitor registration / visitor log
  • OM – worker and visitor badges
