GDPR and IT security: technical requirements, TOMs and implementation
The GDPR explicitly requires technical security measures (Art. 32). This comprehensive article clarifies the intersection between data protection law and IT security: TOMs (technical and organizational measures) across the 8 areas of protection, complete TOM documentation, a 72-hour reporting obligation following data breaches (Art. 33/34), data protection impact assessment (DPIA under Art. 35), privacy by design (Art. 25), GDPR-compliant IT architecture, ISO 27001 alignment, and the risk of fines.
Summary: The EU General Data Protection Regulation (GDPR), in effect since May 2018, requires all companies that process the personal data of EU citizens to comply with its provisions. Fines of up to 4% of global annual revenue or €20 million—whichever is higher.
Sources & References
- [1] Datenschutz-Grundverordnung (EU) 2016/679 - EUR-Lex
- [2] BSI: Technische Maßnahmen nach Art. 32 DSGVO - BSI
- [3] ENISA: Pseudonymisation Techniques and Best Practices - ENISA
Questions about this topic?
Our experts advise you free of charge and without obligation.
About the Author
Dipl.-Math. (WWU Münster) und Promovend am Promotionskolleg NRW (Hochschule Rhein-Waal) mit Forschungsschwerpunkt Phishing-Awareness, Behavioral Security und Nudging in der IT-Sicherheit. Verantwortet den Aufbau und die Pflege von ISMS, leitet interne Audits nach ISO/IEC 27001:2022 und berät als externer ISB in KRITIS-Branchen. Lehrbeauftragter für Communication Security an der Hochschule Rhein-Waal und NIS2-Schulungsleiter bei der isits AG.
3 Publikationen
- Different Seas, Different Phishes - Large-Scale Analysis of Phishing Simulations Across Different Industries (2025)
- Self-promotion with a Chance of Warnings: Exploring Cybersecurity Communication Among Government Institutions on LinkedIn (2024)
- Exploring the Effects of Cybersecurity Awareness and Decision-Making Under Risk (2024)
