
10 strategic levers for improving your technical and organizational measures (TOM)

Note: This article has been machine translated and may therefore contain translation errors.

A contribution from

Alexander Brittner, LL.M.

Salary Partner, Attorney at Law


Technical and organizational measures (TOM) in accordance with Art. 32 GDPR are the central protection mechanism for personal data in your company. They are not a one-off task, but must be continuously adapted to new technical, legal and organizational framework conditions – from cloud use to AI, from remote work to supply chain integration.

Below you will find ten effective starting points on how companies can optimize their TOM in 2025 in a structured and practical way.

1. Actively implement accountability

The GDPR requires not only effective measures, but also verifiable evidence that they have been implemented. A centrally maintained TOM register listing responsibilities, review cycles and documented decisions creates transparency, both internally and externally. The current status of the measures and their documentation should be reviewed at least once a year, not least to avoid liability.

2. Update access and authentication systems

Unrestricted access and simple passwords are no longer acceptable. Two-factor authentication and role-based access management are now the technical standard, especially for confidential documents and sensitive applications. Access rights should be reviewed and adjusted at regular intervals.

3. Plan and test backups reliably

Secure and working backups are essential. What matters is not only the technical implementation but also regular testing of the restore process. It must also be ensured that a restore does not unintentionally bring back data that had already been deleted.

4. Establish encryption as the standard

Sensitive data may need to be encrypted both in transit and at rest. Companies should check whether encryption is applied consistently and everywhere, including on mobile devices and in cloud systems. According to Bitkom, around 72% of German companies were affected by cyberattacks in 2024. This must be countered with measures such as encryption.

5. Ensure physical and digital security separately

Technical measures such as electronic access restrictions must be supplemented by physical and organizational access controls, for example for server rooms, archive areas or mobile hardware. Both levels should be clearly separated and documented.

6. Security concepts for mobile working

Working from home and the use of mobile devices bring new risks. Centralized device management, clearly defined bring-your-own-device rules and secure network connections are mandatory. Older home-office arrangements should be critically reviewed and adapted; it usually makes sense to set this out in a written policy.

7. Use pseudonymization in a targeted way

Pseudonymized data reduces risk and can lower the protection requirements of individual processes, for example in internal analysis or product development. The measure is only effective if the key information needed to reverse the pseudonymization is consistently stored separately from the pseudonymized data.
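The separation the article calls for can be illustrated in code. The following is an added example and not part of the original article or any product of the author's firm: it derives keyed (HMAC-SHA256) pseudonyms for direct identifiers, keeps the secret key and the pseudonym-to-identifier mapping in a separate store object that would live in a different system with its own access control, and binds each pseudonym to one processing purpose so that data sets pseudonymized for different purposes cannot be joined. The customer records are constructed sample data; all class and function names are this example's own.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class ReidentificationStore:
    """Everything needed to turn a pseudonym back into a person.

    This is the "key information" the article says must be held separately:
    a different system, a different team, its own access control. The working
    data set never contains it.
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    # pseudonym -> original identifier, filled in as pseudonyms are issued
    mapping: Dict[str, str] = field(default_factory=dict)


def make_pseudonym(identifier: str, store: ReidentificationStore, purpose: str) -> str:
    """Derive a stable pseudonym for `identifier`, bound to one processing purpose.

    HMAC with the store's secret key means nobody holding only the working data
    set can recompute a pseudonym or test guesses against it. Folding `purpose`
    into the message gives every purpose its own pseudonym space, so records
    pseudonymized for analytics cannot be linked to records pseudonymized for
    another purpose.
    """
    msg = f"{purpose}\x00{identifier}".encode("utf-8")
    token = hmac.new(store.key, msg, hashlib.sha256).hexdigest()[:32]
    store.mapping[token] = identifier
    return token


def reidentify(token: str, store: ReidentificationStore) -> Optional[str]:
    """Resolve a pseudonym via the separately held store; None if unknown there."""
    return store.mapping.get(token)


def pseudonymize_records(records, store, purpose, direct_identifiers=("email", "name")):
    """Return a copy of `records` with direct identifiers replaced by one subject id.

    The first identifier field present (in `direct_identifiers` order) yields
    the pseudonym; all identifier fields are then dropped, so the working data
    set carries no direct identifiers at all. Non-identifying attributes stay.
    """
    out = []
    for rec in records:
        rec = dict(rec)  # do not mutate the caller's record
        subject_id = None
        for fname in direct_identifiers:
            if fname in rec:
                if subject_id is None:
                    subject_id = make_pseudonym(rec[fname], store, purpose)
                del rec[fname]
        out.append({"subject_id": subject_id, **rec})
    return out


def contains_direct_identifiers(records, direct_identifiers=("email", "name")) -> bool:
    """Check a data protection officer could run over an exported data set."""
    return any(f in rec for rec in records for f in direct_identifiers)


# Constructed sample data for this example; not taken from any real system.
CUSTOMERS = [
    {"email": "alice@example.com", "name": "Alice", "plan": "pro", "logins_30d": 14},
    {"email": "bob@example.com", "name": "Bob", "plan": "free", "logins_30d": 2},
]


if __name__ == "__main__":
    store = ReidentificationStore()  # held by a separate system, not shipped with the data
    analytics = pseudonymize_records(CUSTOMERS, store, purpose="product-analytics")
    print(analytics)                                   # no e-mail addresses or names
    print(reidentify(analytics[0]["subject_id"], store))  # only possible with the store
```

Pseudonymized data of this kind is still personal data under the GDPR as long as the store exists somewhere, so the working data set is lower-risk, not out of scope; the gain is that a leak of the analytics export alone does not identify anyone, and only the narrowly controlled store makes re-identification possible.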

8. Check service providers contractually and technically

Data processing agreements are necessary, but on their own they do not guarantee the security of the data. Companies must actively verify that the agreed measures are actually being adhered to, especially with cloud services or international providers. Certifications and audit reports are suitable instruments for this.

9. Assess TOM on a risk basis

Not every measure is necessary in every context, but every measure must be appropriate to the risk at hand. Companies should regularly evaluate their protective measures on the basis of a simple risk assessment and adapt them where necessary. The assessment documents why each measure is needed and why it was chosen.

10. Clearly define responsibilities

TOMs are only effective if responsibilities, communication channels and escalation processes are clearly defined. Data protection, IT and the specialist departments should work together regularly to keep the measures effective and up to date, for example through recurring coordination meetings.

Conclusion

The abstract technical and organizational requirements for the protection of personal data set out in the GDPR must be implemented through specific measures. These measures are a central element of modern corporate responsibility. Those who plan, document and continuously develop them systematically not only protect personal data, but also protect trust in their own organization, and minimize potential liability risks at the same time. This takes a certain degree of initiative, but it is rewarded with a more secure footing for the company going forward.
