What Technical and Organisational measures does GDPR require?


GDPR requires proportionate technical and organisational measures (TOMs) to protect personal data based on risk.

Why this matters

GDPR does not mandate specific tools — it expects reasonable protection.

Common technical measures

  • Access controls and authentication
  • Encryption and secure backups
  • Device and endpoint security
  • Patch management and monitoring
  • Network and system security measures
  • Pseudonymisation, anonymisation and data purging
  • Logging and monitoring
  • Data loss prevention tooling

Common organisational measures

  • Maintain policies and procedures, and keep registers such as
    • risks (DPIAs)
    • processing activities
    • breach logs
    • contracts with third parties and processors
  • An established process for responding to data subject requests
  • Incident response plans
  • Staff training and awareness

Evidence of compliance

  • Documented controls
  • Regular reviews and testing