The GDPR (General Data Protection Regulation) references “appropriate technical and organisational measures” nearly 100 times – yet it stops short of providing a precise definition of the term.

This article examines what TOMs are, how they align with the GDPR’s overall objectives, what kinds of controls they typically involve, and how to ensure they’re “appropriate”.

What are technical and organisational measures?

Article 32 of the GDPR requires data controllers and processors to implement security controls that safeguard personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These safeguards are known collectively as technical and organisational measures, or TOMs.

TOMs are controls that reduce the likelihood or impact of a data breach. The term covers both technological solutions and the administrative processes that support them. What they look like in practice depends on the specific threats an organisation faces:

  • Technical threats, such as cyber attacks that exploit network or software vulnerabilities, are best addressed through controls like firewalls, system hardening and timely patching, with penetration testing used to verify that those controls actually hold.
  • Human-centric threats, such as social engineering or phishing, are more effectively managed through organisational defences such as staff training and internal policies, backed by technical controls (MFA, mail filtering) that limit the damage when someone is nevertheless deceived.

What makes TOMs “appropriate”?

The Regulation deliberately avoids a fixed list of requirements, instead stating that organisations must implement “appropriate” measures. This flexibility recognises that:

  • Risk profiles vary significantly between organisations.
  • Resources and technical capabilities differ.
  • The same threat may require different controls depending on context.

An “appropriate” measure is therefore one that matches the level of risk to the data and the organisation’s capacity to mitigate it. Article 32(1) names the factors to weigh: the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the likelihood and severity of the risk to individuals. Determining what is appropriate therefore starts with a risk assessment – identifying likely threats and evaluating the impact they could have.

Importantly, this approach reflects the fact that absolute security is unattainable. Organisations must weigh the cost and practicality of controls against the level of protection required. A well-balanced set of measures will provide effective safeguards without obstructing day-to-day operations.

Examples of technical measures

Technical measures typically target system, network and device-level vulnerabilities. Common examples include:

  • Protective software
    Antivirus, antimalware and threat detection tools help to identify, block and respond to known technical threats.
  • Encryption and pseudonymisation
    Encryption renders personal data unreadable to anyone without the key; pseudonymisation replaces direct identifiers with tokens so that the data cannot be attributed to an individual without additional information (such as the key or mapping table), which must be kept separately and protected in its own right.
  • Access controls
    Passwords and MFA (multi-factor authentication) protect sensitive accounts and data. MFA is particularly important for high-risk systems, because with it a compromised password alone is not enough to gain access.
  • Physical safeguards
    CCTV and secure access controls help protect physical assets and restrict unauthorised access to sensitive environments.
  • Data seeding
    Synthetic records are added to data sets so that they can be tracked and monitored, providing an early warning if the data is misused or offered for sale by unlicensed parties.
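The pseudonymisation point above is easy to get wrong in practice: hashing an email address with a plain, unkeyed hash is often sold as pseudonymisation, but anyone with a list of candidate addresses can recompute the hashes and re-identify the records. The following is an added example, not code from the original article, written to show the difference. It uses only the Python standard library; the identifiers, the attacker's candidate list and the key material are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional


def normalise(identifier: str) -> bytes:
    """Canonical form so 'Alice@Example.com ' and 'alice@example.com' pseudonymise identically."""
    return identifier.strip().lower().encode()


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic and keyless: anyone who can enumerate plausible
    identifiers can recompute this and match it against a leaked data set."""
    return hashlib.sha256(normalise(identifier)).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. The key is the 'additional information' the GDPR refers to:
    without it an attacker cannot recompute pseudonyms for guessed identifiers."""
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()


def reidentify_by_dictionary(pseudonym: str,
                             candidates: Iterable[str],
                             derive: Callable[[str], str]) -> Optional[str]:
    """Simulated attacker: run `derive` over every candidate identifier and return the
    one whose output matches the leaked pseudonym, or None if nothing matches."""
    for candidate in candidates:
        if hmac.compare_digest(derive(candidate), pseudonym):
            return candidate
    return None


def demo() -> dict:
    # Constructed data: one real customer and a small attacker dictionary. Real
    # dictionaries of email addresses are cheap to build, so a keyless hash offers no
    # meaningful protection against this attack.
    customer = "Alice.Smith@example.com"
    dictionary = ["bob@example.com", "alice.smith@example.com", "carol@example.net"]

    key = secrets.token_bytes(32)        # held by the controller, separately from the data
    wrong_key = secrets.token_bytes(32)  # stands in for an attacker who lacks the real key

    leaked_naive = naive_hash(customer)
    leaked_keyed = pseudonymise(customer, key)

    return {
        "naive_recovered": reidentify_by_dictionary(leaked_naive, dictionary, naive_hash),
        "keyed_recovered_without_key": reidentify_by_dictionary(
            leaked_keyed, dictionary, lambda c: pseudonymise(c, wrong_key)),
        "keyed_recovered_with_key": reidentify_by_dictionary(
            leaked_keyed, dictionary, lambda c: pseudonymise(c, key)),
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

The keyed variant is only as good as the key management around it: if the HMAC key is stored alongside the pseudonymised data set, the two together are personal data again, which is why the key belongs in a separate, access-controlled store.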

Examples of organisational measures

Organisational measures are the administrative and procedural controls that support secure handling of personal data. These include:

  • Information security policies
    These establish an organisation’s overarching approach to security and ensure consistency in how data protection responsibilities are carried out.
  • Business continuity and incident response plans
    These define how the organisation will detect, contain and recover from a breach or disruption, including how it will meet the GDPR’s requirement to notify the supervisory authority within 72 hours of becoming aware of a notifiable personal data breach.
  • Risk assessments
    A structured approach to identifying threats, evaluating their severity and deciding which controls to implement.
  • Training and awareness
    Employees must understand their responsibilities, the risks they face, and the correct procedures to follow. Ongoing training helps reduce human error and insider threats.
  • Audit and review processes
    Regular reviews help assess whether existing measures are still effective and identify opportunities for improvement.

Organisational measures often work in tandem with technical controls. For example, an access control policy is only effective if it is enforced technically through MFA and least-privilege permissions, while incident response planning ensures that technical alerts are triaged and acted upon rather than ignored.


Data seeding solutions

Data seeding is the insertion of unique synthetic data or ‘seed records’ into databases.

It is effectively a way of watermarking your data sets so they can then be tracked and monitored, however and wherever the data is used and transferred.

Data seeding works for physical mail, landlines, mobile phones and email addresses, allowing you to build a detailed picture of how your data is used.
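To make the idea concrete, here is an added example (not the service described on this page, and not its code) of the core mechanics of a seeding programme: each licensee of a data set receives its own set of synthetic seed records, and any later contact with a seed identifies which copy of the data was misused. Only the email channel is modelled; the licensee names, the shared secret and the observed contacts are constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed secret held only by the operator. Seeds are derived from it with HMAC so
# the full seed list can be regenerated later without keeping a plaintext mapping.
SECRET = b"operator-only seeding secret (example value)"

# Constructed names so seeds look like ordinary contacts rather than obvious dummies.
PLAUSIBLE_NAMES = ["Jordan Reyes", "Priya Nair", "Tomas Berg", "Amara Okafor", "Lena Fischer"]


def make_seed_token(secret: bytes, licensee: str, index: int) -> str:
    """Deterministic per-licensee token; 12 hex chars is enough to be unique here."""
    msg = f"{licensee}:{index}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:12]


def generate_seeds(secret: bytes, licensee: str, count: int, domain: str) -> list:
    """Synthetic records for one licensee's copy of the data set. Only the email is
    seeded here; a full programme would do the same for postal, landline and mobile."""
    seeds = []
    for i in range(count):
        seeds.append({
            "name": PLAUSIBLE_NAMES[i % len(PLAUSIBLE_NAMES)],
            "email": f"{make_seed_token(secret, licensee, i)}@{domain}",
            "licensee": licensee,
        })
    return seeds


def build_seed_index(all_seeds) -> dict:
    """Map each seed address (lower-cased) to the licensee whose copy contains it."""
    return {s["email"].lower(): s["licensee"] for s in all_seeds}


def attribute_contacts(contacts, seed_index) -> dict:
    """Group observed contacts (for example inbound marketing email) by the licensee whose
    seed was hit. Addresses that are not seeds are grouped under 'unattributed'."""
    hits = defaultdict(list)
    for contact in contacts:
        hits[seed_index.get(contact["to"].lower(), "unattributed")].append(contact)
    return dict(hits)


def demo() -> dict:
    seeds_a = generate_seeds(SECRET, "licensee-a", 3, "example.com")
    seeds_b = generate_seeds(SECRET, "licensee-b", 3, "example.com")
    index = build_seed_index(seeds_a + seeds_b)

    # Constructed observations: an unsolicited campaign reaches two of licensee B's seeds
    # (one with the address upper-cased), plus one legitimate email to a non-seed address.
    observed = [
        {"to": seeds_b[0]["email"], "subject": "Limited offer", "seen": "2024-05-02T09:14Z"},
        {"to": seeds_b[2]["email"].upper(), "subject": "Limited offer", "seen": "2024-05-02T09:15Z"},
        {"to": "realcustomer@example.net", "subject": "Your order", "seen": "2024-05-02T10:00Z"},
    ]
    return attribute_contacts(observed, index)


if __name__ == "__main__":
    for licensee, hits in demo().items():
        print(licensee, [h["seen"] for h in hits])
```

Two practical points follow from the code: the seed addresses must be genuinely reachable mailboxes that nobody else uses (otherwise contact cannot be observed), and the seed-to-licensee mapping is itself sensitive, since anyone who learns it can simply strip the seeds before reselling the data.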

Our data seeding service is a bespoke seeding programme that fits your data and its use.

Our team will create and share unique seed records with you, which you can insert into your data sets – or we can manage the process for you.

Once the seeds are in place, we will monitor any contact made with them. If your data is stolen or misused, we can help you investigate and remediate the breach, protect your data subjects, and take action against whoever is responsible.

We will also provide you with a detailed monthly report setting out the ways your data has been used, as agreed with you.

This typically includes the channels that were used, the time and date on which the use was identified, and evidence of the use, such as an image of a marketing campaign.