What is that?
Technical and organizational measures (TOMs) are the safeguards that the collection, processing or use of personal data must comply with in order to meet the security and protection requirements of the GDPR. TOMs exist in various domains, for example physical (alarm systems in buildings), digital (hardware and software) or procedural (the four-eyes principle).
When it comes to data protection, TOMs are found primarily in the digital environment. This includes user accounts, passwords, data backups, firewalls, virus scanners and biometric user identification.
Why do I have to document this? Why do I need this?
In the event of a reportable data breach or other data protection violation, documented TOMs can demonstrate that suitable measures were taken to protect the data. It is important that the company documents its TOMs at an early stage, before the supervisory authority requests them. Documentation should begin as soon as personal data enters processing, which is the moment data such as email addresses from newsletter sign-ups or general customer data is first collected.
Immediately after you begin collecting and documenting the data, you need to ensure that the TOMs are appropriate for the relevant industry. A good example of this is a doctor's practice that collects patient data such as insurance numbers and medical files: it requires more protection in its IT infrastructure than a craftsman who records his customer data in a tool such as Excel. The two situations carry different data protection expectations, and the TOMs should be adapted accordingly.
What do I have to pay attention to when creating them?
When creating technical and organizational measures, it is important to pay attention to the different categories. A distinction is made between technical measures and organizational measures. The first includes physical protective measures that serve to ensure the security of data processing, such as window and door security and alarm systems. Organizational measures, on the other hand, consist of instructions and procedures for employees (as well as their implementation), such as guidelines for visitor registration or the four-eyes principle. It is also important that both types of measures can be found in the various control categories, each of which must be documented individually.
These control categories can be subdivided into physical access control (entry to premises), system access control (logon to systems), data access control (authorization within systems), the separation requirement, input control, transfer control and availability control.
According to Art. 32 (1) GDPR, a range of factors must be taken into account when selecting technical and organizational measures, such as the current state of the art, implementation costs and the nature, scope, context and purposes of the processing of personal data. The aim is to secure the data processing appropriately, which is why the processing systems must be highly resilient and procedures must exist for restoring personal data after a data loss. The data must always be encrypted and pseudonymised.
The different probabilities of occurrence and the severity of the risk to the rights and freedoms of those affected must also be taken into account when setting up the technical and organizational measures.