GDPR Article 32 requires "appropriate technical and organisational measures" — what this means in practice is deliberately left open in the legislative text. That ambiguity is intentional, because the obligation must be interpreted in proportion to risk. For day-to-day operations, however, it is uncomfortable: mid-market companies receive no ready-made list to tick off. This checklist closes that gap. Fourteen points that are audited in DACH mid-market organisations, that are relevant in every supervisory inspection, and that protect against fines. The broader cybersecurity context is covered in our Cybersecurity Guide for Mid-Market Companies; for a demarcation from NIS2 see our article NIS2 for Mid-Market Companies.
What GDPR Article 32 Actually Requires
Article 32 specifies four protection objectives for personal data: confidentiality, integrity, availability, and resilience. To achieve these, "appropriate measures" must be taken, "taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons".
In plain language: the measures must match the risk. A small tax consultancy with 200 clients needs less than a mid-size insurance company with 50,000 customer records. But every organisation needs something — and must be able to justify and document its choice of measures.
Article 32 names four concrete examples: pseudonymisation and encryption, ongoing confidentiality and availability, rapid restoration after an incident, and procedures for regularly reviewing effectiveness. These four are not exhaustive, but they are the minimum standard.
The 14-Point Self-Assessment Checklist
This checklist covers the TOM expectations of German supervisory authorities. Any organisation that can answer all fourteen points with "fulfilled" and can substantiate that with documentation is protected against moderate audit findings.
- 1. Encryption of stored dataFull disk encryption on all laptops (BitLocker, FileVault, LUKS), database encryption for sensitive columns, encrypted backups. Without this baseline, any laptop theft is automatically a notifiable data protection incident.
- 2. Encryption of data in transitTLS 1.2+ for all web connections, S/MIME or PGP for sensitive email traffic, VPN for remote access. Self-signed or expired certificates are the number-one finding in supervisory inspections.
- 3. Multi-factor authenticationMFA for all cloud services, all administrative accounts, all VPN access, and ideally also all internal applications that handle personal data. Hardware tokens are the standard for privileged accounts.
- 4. Role and permissions frameworkDocumented framework with need-to-know principle, regular review (at least semi-annually), automated provisioning and deprovisioning when employees join or leave.
- 5. Backup strategy with restore testing3-2-1 rule (3 copies, 2 media, 1 offline), regular documented restore tests (at least quarterly), backups encrypted and protected against ransomware encryption.
- 6. Patch managementDocumented patch process with defined response times (critical patches within 14 days, high-risk patches within 30 days), inventory of all patchable components, automated detection of new security updates.
- 7. Antivirus and EDREndpoint protection on all devices, ideally with EDR capabilities (Endpoint Detection and Response), centralised monitoring console, alerting on suspicious activity.
- 8. Logging and monitoringCentralised logging of security-relevant events (logins, permission changes, data access), minimum retention of six months, regular review for anomalies.
- 9. Asset inventoryComplete list of all IT assets with a personal data nexus (servers, databases, cloud services, end-user devices), updated at least annually, with ownership assigned per asset.
- 10. Records of processing activities under Article 30Documentation of all processing activities with purpose, legal basis, data categories, recipients, retention period, and TOMs. This is the first document requested by authorities in any supervisory inspection.
- 11. Data processing agreementsWritten contracts under Article 28 with all external service providers that process personal data — including cloud providers, email providers, and IT service providers. A TOM annex is a mandatory component.
- 12. Employee awarenessRegular training (at least annually), documented attendance, focus areas: phishing recognition, handling of personal data, correct response to security incidents.
- 13. Incident response processDocumented procedure for suspected data protection incidents, defined escalation paths, preparation of the 72-hour notification, exercise scenario at least once a year. Covered in depth in our article Incident Response Plan.
- 14. Effectiveness reviewRegular TOM audits, at least annually with external involvement, ideally supplemented by penetration testing or continuous validation. Documented findings and remediation.
Have your GDPR TOMs reviewed in a structured audit
We audit your 14 TOM areas in a two-to-four-week engagement and deliver a written findings report with prioritised recommendations. Suitable as preparation for a supervisory inspection or as evidence for cyber insurance.
Request a GDPR auditCommon Audit Findings from Practice
Certain findings recur consistently in our audits of German mid-market companies. Avoiding these classics eliminates the most likely audit findings.
Missing full disk encryption on older laptops. New devices are usually provisioned correctly; older ones from 2019–2021 are often not retrofitted. When an unencrypted laptop containing customer data is lost, notification is mandatory and the fine risk is significant.
Cloud storage without a permissions framework. SharePoint, OneDrive, and Google Drive are frequently used as shared storage without structured access rights. Employees have access to everything because that was convenient at the start. In the event of staff turnover or an insider incident, the burden of proof becomes difficult.
Backups without restore testing. Backups run daily — but no one has verified in the past two years whether they are actually restorable. In a real incident it turns out that backups are inconsistent or that recovery keys have been lost.
Data processing agreements with incorrect content. Standard contracts from cloud providers (Microsoft, Google, AWS) are accepted without scrutiny, without validating the TOM annex or checking for German data residency. In Schrems II-related supervisory inspections this is one of the most frequent findings.
No documented effectiveness review. TOMs are documented, but no one has checked whether they still apply. The records of processing activities are from 2019 and describe an IT landscape that no longer exists. Authorities treat this as "insufficient diligence" and can use it to justify an increased fine.
Records of Processing Activities under Article 30 — the Mandatory Documentation
The records of processing activities are the central compliance document. In every supervisory inspection it is the first requirement — organisations that do not have it immediately face a notifiable deficiency.
Mandatory content per processing activity: name and purpose of the processing, legal basis (consent, contract, legitimate interest, statutory obligation), categories of data subjects and data, recipients (internal and external), transfers to third countries, retention periods, technical and organisational measures.
In practice, 30 to 80 processing activities are typical for a mid-market company. HR administration, payroll, customer management, newsletters, applicant management, supplier management, IT logging, video surveillance, time tracking — each of these is a separate processing activity with its own documentation. In our GDPR audits we provide an Excel template covering all typical processing activities as a starting point.
Reporting Data Breaches — the 72-Hour Obligation
In the event of a data protection incident posing a risk to data subjects, Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of the incident. Where the risk is high, the data subjects themselves must also be informed under Article 34.
What counts as a notifiable data breach? Loss or theft of data carriers containing personal data, unauthorised access by internal or external persons, accidental disclosure (for example an incorrect email distribution list), ransomware encryption where the availability of the data is affected, technical errors resulting in a data leak.
The 72-hour clock starts when the incident becomes known — not when it is confirmed. An organisation that learns of an incident on Friday evening and waits until Monday has missed the deadline. In practice: a documented procedure that also works on weekends, with clear accountability and a pre-prepared notification form from the competent supervisory authority.
Important: if an incident has both GDPR and NIS2 relevance (for example because personal data was compromised and a NIS2-obligated sector is simultaneously affected), both notification obligations apply in parallel — to different authorities, with different deadlines and different content requirements.
GDPR versus NIS2 — What Applies Where
Both frameworks protect different values and follow different logic. Understanding the distinction is essential for mid-market companies operating in NIS2 sectors.
GDPR protects personal data — customer names, employee data, supplier contacts, newsletter subscribers. Every company that processes such data is subject to GDPR. Supervisory authority: the relevant state data protection authority. Fine threshold: up to 20 million euros or 4 percent of annual turnover.
NIS2 protects the operational continuity of critical services — the availability of the IT infrastructure that a sector needs to fulfil its functions. Applies only to medium and large companies in 18 defined sectors. Supervisory authority in Germany: the BSI. Fine threshold: up to 10 million euros or 2 percent of annual turnover.
The overlap: many NIS2 obligations coincide with GDPR TOM expectations. An organisation with a solid GDPR implementation is already a good way towards NIS2 compliance. An organisation that fully implements NIS2 will almost automatically satisfy the GDPR TOM obligations. We leverage exactly this synergy in our compliance packages — one consolidated implementation plan instead of two parallel projects.
Frequently Asked Questions
What are technical and organisational measures (TOM)?
TOMs are all measures to protect personal data that are mandatory under GDPR Article 32. Technical measures include encryption, access control, and backup. Organisational measures include training, access permission frameworks, and contracts with data processors. Both must be documented and regularly reviewed for effectiveness.
How high are GDPR fines for IT security deficiencies?
The maximum fine threshold is 20 million euros or 4 percent of global annual turnover (whichever is higher). In practice, moderate TOM deficiencies result in fines of 50,000 to 500,000 euros — depending on severity, number of data subjects affected, intent, and cooperation with the authority.
Do we have to report every data breach?
No — notification is only required when there is a risk to the rights and freedoms of the data subjects. For encrypted data without key loss, or purely internal incidents without data exfiltration, notification may not be required. The assessment should be documented, and in cases of doubt it is better to report — supervisory authorities penalise missing notifications, not excessive ones.
How do GDPR and NIS2 differ?
GDPR protects personal data and applies to every data processor. NIS2 protects the operational continuity of critical services and applies to medium and large companies in 18 sectors. In the event of a security incident, both notification obligations may apply simultaneously — GDPR under Article 33 within 72 hours to the data protection authority, NIS2 in a three-stage process to the BSI reporting office.
Do we need a Data Protection Officer?
A Data Protection Officer is mandatory for organisations with 20 or more employees engaged in continuous processing of personal data, or where core activities involve large-scale processing of sensitive data — regardless of headcount. Even where not mandatory, appointing one is often advisable in practice to ease the burden of proof with authorities.
How often should TOMs be reviewed?
At least once a year and after every significant organisational or technical change. For security-relevant changes (new application, new data processor, cloud migration), a TOM review should be part of the change process. We recommend semi-annual reviews as a sensible middle ground.
Implement GDPR and NIS2 in a single project — not two in parallel
We deliver consolidated compliance packages that implement the TOM obligations of both frameworks jointly. One asset inventory, one risk register, one control matrix. Instead of two consultants running in parallel: one partner with consolidated reporting.
Request compliance consulting