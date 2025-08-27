One of the most frequently used yet often misunderstood concepts in data protection law is the requirement for technical and organizational measures (TOMs). At its core, this phrase captures the duty imposed on data controllers and processors to actively safeguard personal data through both technological tools and management practices.

The Nigeria Data Protection Act (NDPA), 2023 adopts this global standard and requires organizations to implement appropriate technical and organizational measures to ensure the security, integrity, and lawful processing of personal data. This mirrors international regimes such as the EU's General Data Protection Regulation (GDPR), making it an essential compliance obligation for Nigerian businesses and multinationals operating in Nigeria.

What Are Technical and Organizational Measures (TOMs)?

Technical measures are the technological controls used to protect personal data. Examples include, (a) encryption of personal data at rest and in transit (b) firewalls, intrusion detection systems, and anti-malware tools.(c) access controls such as multi-factor authentication and role-based permissions and (d) Pseudonymisation and anonymisation techniques.

On the other hand, organizational measures are the internal policies, governance frameworks, and cultural practices that ensure personal data is processed responsibly. Common examples include (a) data protection policies and staff training (b) regular data protection impact assessments (DPIAs) (c) incident response and breach notification protocols. (d) Vendor management and contractual safeguards (e) Clear allocation of responsibilities through Data Protection Officers (DPOs).

Together, these measures form a holistic framework, one that combines technology with accountability structures.

Technical and Organizational Measures under the NDPA

Under the NDPA, controllers and processors are required to adopt appropriate technical and organizational measures considering (a) nature, scope, and purpose of the processing (b) risks to the rights and freedoms of data subjects and (c) State of the art technology and cost of implementation.

This risk-based approach is crucial. It means a fintech company processing millions of customer records is expected to implement far more advanced technical and organizational measures than a small retailer managing only basic customer details.

Importantly, the NDPA also empowers the Nigeria Data Protection Commission (NDPC) to issue codes of practice and guidance that may specify required measures for particular sectors, making TOMs a living obligation that will evolve as risks and technology change.

Why TOMs Matter

The requirement to implement technical and organizational measures is more than a compliance box-tick. It is the linchpin of trust in digital ecosystems. Failing to adopt robust TOMs exposes organizations to legal sanctions as the NDPA provides for significant penalties for breaches of security obligations. Organisations may also face reputation harm as a single data breach can permanently damage brand reputation. Conversely, companies that demonstrate well-documented TOMs are better positioned to defend themselves in regulatory inquiries and litigation, as they can show evidence of due diligence and accountability.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.