GDPR: A Guide to its Technical and Organisational Measures

If you read the GDPR (General Data Protection Regulation) from cover to cover, you will find almost 100 mentions of “appropriate technical and organisational measures”. But as frequently as the concept is discussed in the Regulation, the text doesn’t provide a clear definition of the term.

In this blog, we shed some light on what the GDPR means when it references TOMs (technical and organisation measures) and provide examples of the types of controls that it refers to.

What are “appropriate technical and organisational measures”?

To understand how TOMs fit into the GDPR, we must first explain the relevance of the phrase in relation to the Regulation’s wider objectives.

Let’s start by briefly explaining what technical and organisational measures are, then we’ll delve into the operative word in the phrase: “appropriate”.

‘Technical and organisational measures’ describes the specific ways that organisations address information security.

Under the GDPR, data controllers are required to protect personal data from unauthorised access and misuse. Organisations must identify weaknesses that could jeopardise the security of information and adopt controls to mitigate the risk.

The best solution will often depend on the nature of the weakness. For example, one of the most common information security threats involves cyber criminals exploiting network vulnerabilities.

In those instances, organisations should focus on technical mechanisms such as penetration tests and firewalls.

For other threats, such as phishing emails, the risk should be mitigated with organisational defences such as information security policies and staff awareness training.

A technical and organisational measure is essentially any control that mitigates the risk of sensitive information being exposed.

But what makes them “appropriate”? That is something that each organisation must answer for itself through a risk assessment.

Although finding a tailored solution might sound like extra work, the qualifier (“appropriate”) ensures that organisations’ compliance practices are streamlined. There is no single, set way to mitigate individual risks, and it would be foolish to instruct all organisations to address information security issues in the same way.

For one, some organisations have greater resources than others to deal with threats. Similarly, the level of risk might be higher for some companies than others, while their organisational structure might make certain practices redundant.

By stating that organisations must implement “appropriate” security measures, the GDPR acknowledges that what is feasible or advisable for one organisation won’t necessarily be for another.

This pragmatic approach also acknowledges that it’s impossible to have absolute security. Organisations must balance effective defences with their means, while retaining enough functionality to not disturb operational processes.

Examples of technical measures

Technical measures are anything that can mitigate vulnerabilities in systems, networks and devices. Common technical measures include:

• Software, such as antivirus and antimalware. Threat detection tools are also essential for identifying and addressing technical flaws.
• Encryption and pseudonymisation. This is particularly useful when processing personal data. Masking the identity of individuals, either fully or partially, mitigates the threat in the event that the information is compromised.
• Physical security, such as CCTV cameras. This will deter potential malicious actors from stealing physical copies of your information, and will help you identify the source of a physical breach.
• Passwords and MFA (multi-factor authentication). All sensitive information and accounts holding that information should be password-protected. However, you should also implement MFA for accounts that pose a particular risk. This ensures that a password breach alone isn’t enough to compromise the account.

Examples of organisational measures

Organisational measures are the policies and processes that are implemented to protect personal information. They often support technical measures (for example, a password management policy will complement the implementation of MFA).

Other organisational measures are designed to identify information security risks and to address an incident when it occurs. Common organisational measures include:

• Information security policies governing the organisation’s overall approach to data protection and GDPR compliance.
• Business continuity plans, which explain the actions the organisation will take in response to an information security incident.
• Risk assessments to identify information security threats and determine appropriate controls.
• Staff awareness training. An organisation’s employees are the key to its security practices. They handle sensitive information, follow policies and use the technical measures that have been implemented. They must be educated on information security risks and be shown what to do to mitigate risks.
• Reviews and audits to assess the effectiveness of the measures that have been implemented, and to identify opportunities for improvement.

Are your controls appropriate?

GDPR compliance isn’t just about adopting a set list of technical and organisational security controls. You must ensure that the measures are relevant to the risks you face, and that your investment into them is appropriate to the threat you face.

Unless you’re an information security expert, it can be hard to judge whether your defences are suitable. It’s why many organisations seek third-party assurance to assess their GDPR compliance practices.

If you’re looking for support reviewing your information security controls, DQM GRC’s technical and organisational measures audit is an ideal solution.

Our team of experienced auditors will review your technical and organisational measures to ensure that your controls are appropriate.

We will evaluate the effectiveness of your GDPR compliance practices, focusing on the technical measures that have been applied as well as your policies, processes and procedures.

We’ll also review your staff training programmes and your application of data protection and data privacy by design.

The audit will measure your organisation against our state-of-the-art assessment and evaluation framework, which is based on relevant international standards, including ISO 27001, ISO 27701 and Cyber Essentials.