
Technical & Organisational Measures

Art. 32 GDPR: encryption, access controls, backup, pseudonymisation, and TOM documentation.

Technical and Organisational Measures under the GDPR

Article 32 GDPR requires controllers and processors to implement appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk. The measures must consider the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.

TOMs are not optional add-ons but a core compliance requirement. They must be documented, regularly reviewed, and updated as risks evolve. Supervisory authorities will ask for TOM documentation during audits and investigations.

The Four Pillars of Art. 32

Article 32(1) names four measures, "inter alia as appropriate", that controllers and processors must be able to ensure. The list is not exhaustive, but in practice it is the baseline that every TOM concept is expected to address:

1. Pseudonymisation and Encryption

Pseudonymisation replaces directly identifying data with pseudonyms, so the data can no longer be attributed to a specific data subject without additional information. This additional information (a key, a lookup table) must be kept separately and protected by its own technical and organisational measures. Note that pseudonymised data is still personal data under the GDPR (Recital 26): pseudonymisation reduces the risk of processing, it does not take the data out of scope.

Encryption protects data both at rest and in transit. Use established algorithms and authenticated modes, such as AES-256-GCM for data at rest (so tampering is detected, not just disclosure prevented) and TLS 1.2 or higher for data in transit. Key management is critical: store encryption keys separately from the data they protect (in a KMS or HSM, never in the same database or backup as the ciphertext), restrict who and what may use them, and rotate them on a defined schedule and after any suspected compromise.
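The following is an added example (not code from the original page or from Kopexa) of the pseudonymisation half of this pillar, written in Python with the standard library only. It keeps the "additional information" in a hypothetical KeyStore that lives apart from the pseudonymised records, tags each pseudonym with a key id so key rotation does not break linkability, and shows the mistake practitioners make most often: an unkeyed hash of a low-entropy field such as a date of birth is reversible by brute-force enumeration, whereas an HMAC with a separately held key is not. All records, names and keys are constructed for the example.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional

# Constructed sample records (not real people). "email" is the direct
# identifier to be replaced; "dob" is a low-entropy quasi-identifier.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "anna.schmidt@example.org", "dob": "1984-03-12", "plan": "premium"},
    {"email": "b.mueller@example.org", "dob": "1991-07-30", "plan": "basic"},
    {"email": "anna.schmidt@example.org", "dob": "1984-03-12", "plan": "premium"},
]


class KeyStore:
    """Hypothetical holder of the 'additional information' (Art. 4(5)):
    the HMAC keys and the pseudonym-to-identifier links. It lives in a
    separate system with its own access controls; the analytics side only
    ever sees the output of pseudonymise_records()."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._links: Dict[str, str] = {}
        self.current_key_id: Optional[str] = None

    def rotate(self) -> str:
        """Generate a fresh 256-bit key under a new key id and make it current.
        Pseudonyms carry their key id, so data issued under an old key stays
        linkable and re-identifiable after rotation."""
        key_id = f"k{len(self._keys) + 1}"
        self._keys[key_id] = secrets.token_bytes(32)
        self.current_key_id = key_id
        return key_id

    def key(self, key_id: str) -> bytes:
        return self._keys[key_id]

    def remember(self, subject_id: str, identifier: str) -> None:
        self._links[subject_id] = identifier

    def reidentify(self, subject_id: str) -> Optional[str]:
        """Re-attribution is only possible here, with the separately held table."""
        return self._links.get(subject_id)


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256: deterministic (same person -> same pseudonym, so records
    stay linkable) but not computable without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_pseudonym(value: str) -> str:
    """A bare hash. Looks like a pseudonym but is NOT a safe one for inputs an
    attacker can enumerate (dates of birth, phone numbers, postcodes)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise_records(records: List[Dict[str, str]], store: KeyStore) -> List[Dict[str, str]]:
    """Replace the direct identifier with '<key_id>:<pseudonym>' and drop the
    date of birth entirely: a pseudonymised record must not keep quasi-
    identifiers that would let the recipient re-identify people anyway."""
    key_id = store.current_key_id
    assert key_id is not None, "rotate() must be called before first use"
    key = store.key(key_id)
    out: List[Dict[str, str]] = []
    for r in records:
        subject_id = f"{key_id}:{keyed_pseudonym(r['email'], key)}"
        store.remember(subject_id, r["email"])
        out.append({"subject_id": subject_id, "plan": r["plan"]})
    return out


def reverse_dob(target: str, attacker_pseudonym_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker model: enumerate every date from 1900-01-01 to 2025-12-31
    (about 46,000 candidates) and return the one whose pseudonym matches.
    Succeeds against unkeyed hashes; fails against keyed ones because the
    attacker cannot compute HMACs without the key."""
    d, end = date(1900, 1, 1), date(2025, 12, 31)
    while d <= end:
        if attacker_pseudonym_fn(d.isoformat()) == target:
            return d.isoformat()
        d += timedelta(days=1)
    return None


if __name__ == "__main__":
    store = KeyStore()
    store.rotate()
    print(pseudonymise_records(SAMPLE_RECORDS, store))
    print("unkeyed dob reversed to:", reverse_dob(unkeyed_pseudonym("1984-03-12"), unkeyed_pseudonym))
    print("keyed dob reversed to:", reverse_dob(keyed_pseudonym("1984-03-12", store.key("k1")), unkeyed_pseudonym))
```

The design point is where the secret lives: the HMAC key and the link table are the "additional information" of Art. 4(5), so they belong in a separate system with its own access controls and audit trail, not next to the pseudonymised export. For the encryption half of the pillar (data at rest), a vetted AEAD such as AES-256-GCM from a maintained library is the right tool; it is left out here because the Python standard library does not ship one.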

2. Confidentiality, Integrity, Availability, and Resilience

Article 32(1)(b) asks for the ongoing ability to ensure these four properties of the processing systems and services, i.e. continuously rather than at a single point in time. The first three are the classic CIA triad; resilience is the fourth:

  • Confidentiality: Only authorised persons can access personal data. Implement role-based access controls (RBAC), the principle of least privilege, and multi-factor authentication.
  • Integrity: Data must remain accurate and must not be altered without authorisation. Use cryptographic checksums or signatures, append-only audit logs that are themselves tamper-evident, and change detection (file integrity monitoring, database triggers) so that unauthorised modification is detected rather than silently accepted.
  • Availability: Data and systems must be accessible when needed. Implement redundancy, load balancing, and disaster recovery plans.
  • Resilience: Systems must withstand and recover from attacks and disruptions. Test your recovery processes regularly.
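As an added example for the integrity bullet (not code from the original page or from Kopexa), here is a tamper-evident audit log in Python using only the standard library. Each entry's tag is an HMAC over the previous tag and the entry itself, so editing, deleting or reordering an entry invalidates the chain from that point on, and an attacker who can write to the log store but does not hold the key cannot recompute a consistent chain. It also shows the edge case a plain chain cannot catch on its own: silent truncation of the newest entries, which needs an externally anchored head. The log entries, the key and the AuditLog class are constructed for this example.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # previous-tag value used for the very first entry
FIELDS = ("seq", "actor", "action", "target")


def entry_tag(prev_tag: str, body: Dict[str, Any], key: bytes) -> str:
    """HMAC-SHA256 over (previous tag, canonical JSON of the entry). Chaining
    the previous tag in means an entry cannot be altered, removed or reordered
    without invalidating every tag after it; using an HMAC rather than a bare
    hash means the chain cannot be recomputed without the key."""
    payload = json.dumps({"prev": prev_tag, "entry": body}, sort_keys=True,
                         separators=(",", ":")).encode("utf-8")
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AuditLog:
    """Hypothetical append-only audit log. In a real deployment the key is held
    by the log collector / verifier, not by the application writing entries."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: List[Dict[str, Any]] = []

    def append(self, actor: str, action: str, target: str) -> Dict[str, Any]:
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action, "target": target}
        entry = dict(body, tag=entry_tag(prev, body, self._key))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the index of the first entry that fails, or None if the whole
        chain is intact. Checks both the sequence number and the chained tag."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: e.get(k) for k in FIELDS}
            if body["seq"] != i:
                return i
            if not hmac.compare_digest(entry_tag(prev, body, self._key), e.get("tag", "")):
                return i
            prev = e["tag"]
        return None

    def head(self) -> str:
        """Tag of the newest entry. Anchor this somewhere the log writer cannot
        reach (a separate system, a signed timestamp, a ticket) so that
        deletion of the tail can be detected."""
        return self.entries[-1]["tag"] if self.entries else GENESIS


def truncated(log: AuditLog, anchored_head: str) -> bool:
    """Chain verification alone cannot see that the newest entries were
    deleted (the remaining prefix is still a valid chain); compare the
    current head against the externally stored one for that."""
    return log.verify() is None and not hmac.compare_digest(log.head(), anchored_head)


def build_demo_log(key: bytes = b"constructed-demo-key-not-for-production") -> AuditLog:
    """Constructed sample entries, not taken from any real system."""
    log = AuditLog(key)
    log.append("alice", "read", "customer/4711")
    log.append("bob", "update", "customer/4711")
    log.append("alice", "export", "customer/*")
    log.append("carol", "delete", "customer/0815")
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("intact, first bad entry:", log.verify())
    log.entries[1]["action"] = "read"  # cover up bob's change
    print("after tampering, first bad entry:", log.verify())
```

The two checks complement each other: verify() detects modification, deletion and reordering anywhere inside the log, and the anchored head detects removal of the most recent entries. Forwarding the head to a separate system at a fixed interval is the organisational counterpart of the technical measure.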

3. Ability to Restore Availability and Access

In the event of a physical or technical incident, you must be able to restore availability and access to personal data in a timely manner. This requires:

  • Regular, tested backup strategies with defined RPO/RTO values (recovery point objective: how much data loss is acceptable; recovery time objective: how long restoration may take)
  • Geographically separated backup storage, protected to the same standard as the live data (encrypted, access-controlled) and kept offline or immutable so that an attacker who compromises production, for example with ransomware, cannot destroy the backups as well
  • Documented disaster recovery plans
  • Regular recovery drills to verify that backups actually work

4. Regular Testing, Assessment, and Evaluation

Article 32(1)(d) requires a process for regularly testing, assessing, and evaluating the effectiveness of your TOMs. This is not a one-off activity but an ongoing obligation. Methods include:

  • Penetration testing (at least annually)
  • Vulnerability scanning (continuously or at regular intervals)
  • Internal audits of security controls
  • Review of access rights and user accounts
  • Security awareness assessments

Common Technical Measures

While the GDPR does not prescribe specific technologies, the following measures are widely considered state of the art:

  • Access controls: Centralised identity and access management, multi-factor authentication, privileged access management
  • Network security: Firewalls, network segmentation, intrusion detection/prevention systems
  • Endpoint security: Endpoint detection and response (EDR), device encryption, mobile device management
  • Data protection: Data loss prevention (DLP), database encryption, secure deletion procedures
  • Monitoring and logging: Centralised log management (SIEM), anomaly detection, audit trails

Common Organisational Measures

  • Information security policies: Written policies covering data classification, acceptable use, incident response, and more
  • Employee training: Regular security awareness training and role-specific training for IT staff
  • Clean desk / clear screen: Policies to prevent unauthorised access to physical and digital information
  • Onboarding and offboarding processes: Ensuring access is granted and revoked systematically
  • Physical security: Access controls for server rooms, visitor management, CCTV where appropriate
  • Vendor management: Assessing and monitoring the security posture of processors (see Data Processing under GDPR)

Documenting Your TOMs

Documentation is essential for demonstrating compliance under the accountability principle (Art. 5(2)). Your TOM documentation should include:

  • Description of each measure and its purpose
  • Risk assessment that justifies the measure
  • Responsible person or team
  • Implementation date and review schedule
  • Evidence of effectiveness (test results, audit findings)

If you use an ISO 27001-certified ISMS, much of this documentation already exists. See our ISO 27001 and GDPR Cross-Mapping for details on the overlap.

Document and Monitor Your TOMs Systematically

Kopexa provides a structured TOM catalogue aligned with Art. 32, audit trails for every change, and automated review reminders. Ensure your measures are always up to date and audit-ready.
