What are Technical and Organizational Measures (TOM)?
According to Article 32 of the GDPR, the processor has to implement and document appropriate technical and organizational measures to ensure a level of security appropriate to the risk entailed by the processing activity, in particular:
pseudonymisation and encryption of personal data;
ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.