TOMs are often documented — but not connected. A safeguard description in an annex does not show which processing activities it protects, who is responsible for it, or whether it is actually implemented.
EAB structures TOM profiles as governed evidence records — linked to processing activities, vendors, and the AI governance record where applicable.
“Organisations copy TOM lists from templates. They describe safeguards that exist — in general. But they cannot show which safeguard protects which processing activity, who is responsible for it, or whether it was actually implemented rather than merely listed.”
The GDPR TOM Profiles module addresses the gap between safeguard documentation and safeguard governance. TOMs are required by GDPR Art. 32 as appropriate technical and organisational measures — but what makes a safeguard appropriate is its connection to the risk it mitigates and the processing it protects.
EAB structures TOM profiles as governed records — each with a safeguard description, a named owner, an implementation state, and an evidence record. Profiles are linked to the processing activities in the processing register and to the vendor records where applicable.
For AI systems that process personal data, TOM profiles are also linked to the AI system governance record — so the safeguards protecting personal data processed by an AI system are visible alongside the AI Act governance obligations for that system.
Each capability is connected to the shared system inventory, evidence layer, and audit trail.
Each safeguard category has a structured TOM profile — safeguard description, implementation method, responsible owner, and evidence requirement. Not a copied list from a template, but a governed record specific to the organisation.
Each TOM profile is linked to the processing activities it protects. The connection between safeguard and processing is explicit — not left for an auditor to infer from two separate documents.
AI systems that process personal data require both AI Act obligations and GDPR safeguards. TOM profiles linked to AI systems appear in both the GDPR module and the AI system governance record — one safeguard record serving both frameworks.
Evidence that a safeguard is implemented — configuration records, access-control documentation, encryption certificates — is uploaded and linked to the TOM profile. Evidence is not in a folder; it is in the governance record.
For processing activities involving processors or sub-processors, the TOM profile includes the safeguards required from the vendor — documented in the vendor governance record and linked to the relevant DPA requirements.
TOM completeness is tracked as a live state — not a point-in-time document. When a safeguard becomes incomplete — due to system change, vendor change, or evidence expiry — the gap surfaces as a governance action item.
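To make the linked, live-state model above concrete, here is a small added example (my own, not EAB's code) that represents a TOM profile with owner, implementation state, evidence expiry and processing-activity links, and derives the open governance action items from it; every record and field name is an assumption.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional
# Hypothetical minimal model of the TOM profile record the page describes; the
# field names are assumptions, not EAB's schema.
@dataclass
class Evidence:
    name: str
    expires: Optional[date]   # None: no expiry (e.g. an architecture document)

@dataclass
class TomProfile:
    profile_id: str
    safeguard: str
    owner: Optional[str]      # named responsible owner
    state: str                # "planned" or "implemented"
    protects: List[str]       # ids of the processing activities it protects
    evidence: List[Evidence] = field(default_factory=list)

def completeness_gaps(profiles, activities, today):
    """Governance action items open on `today`: one string per gap, sorted."""
    gaps, covered = [], set()
    for p in profiles:
        covered.update(p.protects)
        if p.owner is None:
            gaps.append(f"{p.profile_id}: no responsible owner")
        if p.state != "implemented":
            gaps.append(f"{p.profile_id}: listed but not implemented ({p.state})")
        elif not p.evidence:
            gaps.append(f"{p.profile_id}: implemented but no evidence linked")
        for ev in p.evidence:  # expired evidence reopens the gap (live state)
            if ev.expires is not None and ev.expires < today:
                gaps.append(f"{p.profile_id}: evidence '{ev.name}' expired {ev.expires}")
        if not p.protects:
            gaps.append(f"{p.profile_id}: not linked to any processing activity")
    for a in activities:  # register entries that no safeguard protects
        if a not in covered:
            gaps.append(f"{a}: processing activity has no linked safeguard")
    return sorted(gaps)

# Constructed sample records, not real data
PROFILES = [
    TomProfile("TOM-ENC", "Encryption of personal data at rest", "Head of IT",
               "implemented", ["PA-HR-PAYROLL"],
               [Evidence("KMS key-policy export", date(2025, 1, 31))]),
    TomProfile("TOM-ACC", "Role-based access control", None, "planned",
               ["PA-HR-PAYROLL", "PA-AI-CHATBOT"]),
]
ACTIVITIES = ["PA-HR-PAYROLL", "PA-AI-CHATBOT", "PA-CRM"]
```

Running `completeness_gaps(PROFILES, ACTIVITIES, date.today())` after the evidence expiry date surfaces four items: an unprotected register entry, an unowned and unimplemented safeguard, and an implemented safeguard whose evidence has lapsed.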
The GDPR TOM Profiles module uses the same system inventory as the EU AI Act module. For AI systems that process personal data, TOM profiles are visible alongside AI Act obligation records — not in a separate GDPR tool that must be reconciled manually.
Evidence uploaded for TOM profiles is available in the same evidence layer. An organisation does not maintain separate evidence for GDPR and AI Act compliance — evidence is collected once and referenced where applicable.
At audit time — whether for a GDPR supervisory authority or an EU AI Act market surveillance authority — the governance record shows safeguards, evidence, and obligation linkage in one coherent record.
Available as part of the GDPR Module for Professional and Enterprise. Shares one system inventory, one evidence layer, and one audit trail with the EU AI Act module.
EU-hosted · Anchored to CELEX 32024R1689