GDPR Learning Hub


Organizational measures to protect personal data

Companies must take appropriate organizational measures to protect the personal data they process. This includes, for example, preventing unauthorized access to personal data, preventing accidental deletion of personal data, and protecting the business against other forms of personal data breaches. The more sensitive the personal data and the higher the risk of the processing, the stronger the security measures the GDPR requires (see Article 32, which calls for measures appropriate to the risk).

Companies must implement organizational measures to comply with the other rules of the GDPR

In addition to taking organizational security measures to protect personal data, the company also needs such measures in order to comply with the other rules in the GDPR, for example the rights of data subjects. If a data subject requests that his or her personal data be corrected or deleted, the company needs to be able to locate that data and act on the request. Therefore, it is important to have the necessary organizational measures in place.

Companies must take organizational measures to protect personal data

Below you can read more about some practical organizational measures that companies should implement.

Security culture

It is important that companies create a good security culture throughout their operations. This is done primarily by taking appropriate organizational security measures. One example is clearly communicating what is expected of employees: the company should inform employees about the procedures and policies that apply to data protection. This also makes it easier for employees to report errors or shortcomings. In addition, all employees who process personal data as part of their duties should have basic knowledge of data protection.

Creating a good security culture within the company requires that employees are informed of, and understand, why it matters. Employees should know what data protection risks exist and how to act if they detect security flaws or personal data breaches.

For example, certain personal data breaches must be reported to the competent supervisory authority. The company that is the controller must report such breaches without undue delay and, where feasible, no later than 72 hours after becoming aware of them (Article 33); breaches that are unlikely to result in a risk to the rights and freedoms of the data subjects are exempt, but the assessment itself should be documented. To be able to report on time, the company needs a good security culture with a clear internal reporting process, so that employees escalate a discovery quickly and the company can act quickly.

Authorization management

It is appropriate, and in some cases necessary, that companies processing personal data control which persons are authorized to access it. The purpose is to ensure that employees do not have access to personal data when it is not necessary for their work. In particular, the company should implement such authorization management for personal data requiring extra protection, such as the special categories of personal data under Article 9 of the GDPR. Through authorization control, companies can prevent unauthorized access to personal data.

In many cases, it is not necessary for every person in a company to have access to all personal data of employees and/or customers in order to perform their duties. In such cases, they should not have that access; each role should be granted only the access its tasks require.

Furthermore, it is important to implement internal procedures and processes for revoking employees' access rights when employment ends or, where applicable, when a consulting assignment ends, and for adjusting access rights when a person changes role.

Written instructions and internal procedures

By creating written instructions and internal routines for employees, there is less risk of them accidentally violating the GDPR in their work. It is also good to create instructions for, for example, how employees should proceed when a personal data breach occurs, and for how to handle a data subject who wishes to exercise one of his or her rights.

By having documented routines and instructions, employees can follow the established process without guesswork. This ensures more uniform handling of cases and reduces the risk of non-compliance. In addition, it is beneficial to develop checklists that employees can use as support in their work, for example a checklist of the important steps to take when a personal data breach is detected.

Data protection training, including the GDPR

It is important to train staff in data protection, including the GDPR. The company is responsible for ensuring that employees comply with the GDPR in practice, and training is how that responsibility is made concrete.

For larger companies with several departments, it may be good to have a responsible person in each department who serves as the contact person for data protection issues. In such cases, this contact person, sometimes referred to as a data protection ambassador, should receive appropriate training.

In addition, companies with a Data Protection Officer (DPO) should offer the DPO the possibility of further education, for example courses covering new case law or supervisory guidance, or new laws and regulations touching on data protection, such as the EU AI Act.

More information about GDPR

Technical security measures

In addition to the organizational security measures, companies must also take appropriate technical security measures. For example, companies can encrypt personal data (in transit and at rest), back up personal data and test that backups can be restored, segment data networks (network segmentation) so that a compromise in one part does not expose all personal data, and require authentication, preferably multi-factor, before access is granted.
