GDPR Learning Hub

Organisational measures

Security culture in data protection and cybersecurity 

Companies should have a strong security culture in data protection and cybersecurity in order to protect the personal data they process. Personal data is any information that can be linked to an identified or identifiable living natural person, for example a name, a social security number, a passport number or similar. In addition, the GDPR distinguishes between "ordinary" personal data and privacy-sensitive personal data, which is subject to stricter requirements.

Personal data breaches must be prevented through technical and organisational security measures

Companies must prevent personal data breaches. This is done by implementing appropriate technical and organisational security measures. In addition, companies must minimise the consequences of personal data breaches that do occur, keep an internal register of all breaches (including those that are not notifiable) and, where the breach is likely to result in a high risk to the individuals concerned, inform the affected data subjects. The national data protection authority (the supervisory authority) must also be notified of a breach unless it is unlikely to result in a risk to the rights and freedoms of individuals.

A company in Poland had to pay a fine for late notification of a personal data breach to the national data protection authority. According to Article 33 of the GDPR, the controller shall notify the supervisory authority without undue delay and, where feasible, no later than 72 hours after having become aware of the breach. If the notification is made later than that, it must be accompanied by the reasons for the delay.

Higher requirements for more sensitive personal data

The more sensitive the personal data is, the higher the requirements placed on the company. Processing of special categories of personal data pursuant to Article 9 of the GDPR (for example data revealing health, ethnic origin, religious beliefs, sexual orientation or trade union membership), which constitutes one of four categories of privacy-sensitive personal data, is subject to particularly strict requirements.

Security culture within a company

Security culture, or data protection culture, means the shared values, knowledge, attitudes and behaviour of those who work within the company, aimed at creating security around the processing of personal data. Companies must protect personal data by taking appropriate technical and organisational security measures, and a good security culture increases the company's ability to do so in practice. The security culture should cover both cybersecurity and the protection of personal data, since the two overlap: most personal data breaches are the result of a cybersecurity failure or a human error.

Examples of what companies can do to create a strong security culture


Role of management

Management has an important role within the company in ensuring that the business complies with the GDPR. It is therefore good to have a clear commitment within management to work on GDPR issues, for example by regularly discussing data protection at board meetings and analysing areas for improvement. Without that commitment, data protection work tends to lack the resources and mandate it needs.


Education

Companies need to train their staff so that they can comply with the GDPR in their practical work, in particular staff working with data protection. If the company has a data protection officer, the company must also offer him or her further training in the GDPR. Written instructions and procedures let staff look up what they need to do to comply with the regulations, whereas staff who have only heard the rules orally are more likely to forget them or make mistakes.


Engage everyone

It is not only those who work with data protection issues who benefit from knowledge in the field. It is positive if everyone in the company has access to information about the security culture, so that they feel a responsibility and can contribute. For example, it is good to educate all employees about common cyber risks that can lead to personal data breaches, such as phishing attacks, and about how such attacks can be recognised and reported.


Access rights management

It is important that staff who need access to personal data have it, and that other employees do not. The company therefore needs to control the permissions and access rights to the systems that process personal data, on a need-to-know basis. For example, staff in the finance department need access to, among other things, the accounting system in order to issue invoices to customers, but not all employees within the company need such access rights. Access rights should also be reviewed regularly, since employees who change roles tend to accumulate rights they no longer need.
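The following is an added example, not code from the GDPR Learning Hub page, showing what a need-to-know check of the kind described above can look like in practice: a role-to-system entitlement matrix, a deny-by-default access decision, and a periodic review that flags grants which exceed what the role needs. The roles, systems, users and grants are constructed sample data, and the rule that special-category systems require explicit approval is an assumption made for the example.

```python
"""Access-rights review for systems that process personal data.

Added example, not from the GDPR Learning Hub page. The entitlement
matrix, the user grants and the special-category rule are constructed
sample data and assumptions for illustration only.
"""
from dataclasses import dataclass

# Assumed entitlement matrix: role -> set of systems that role legitimately needs.
ROLE_ENTITLEMENTS = {
    "finance":   {"accounting", "invoicing"},
    "hr":        {"hr_records", "payroll"},
    "support":   {"crm"},
    "developer": {"source_control"},
}

# Assumed rule: systems holding special-category data (Article 9) additionally
# require an explicit, recorded approval; role membership alone is not enough.
SPECIAL_CATEGORY_SYSTEMS = {"hr_records"}  # e.g. sick-leave / health data


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    system: str
    approved: bool = False  # explicit approval on record (special-category systems)


# Constructed snapshot of current grants, as might be exported from an IAM system.
CURRENT_GRANTS = [
    Grant("anna", "finance", "accounting"),
    Grant("anna", "finance", "invoicing"),
    Grant("bjorn", "developer", "source_control"),
    Grant("bjorn", "developer", "accounting"),        # privilege creep from an old role
    Grant("carla", "hr", "payroll"),
    Grant("carla", "hr", "hr_records", approved=True),
    Grant("dan", "support", "crm"),
    Grant("dan", "support", "hr_records"),            # not needed, no approval
    Grant("eva", "contractor", "crm"),                # role unknown to the matrix
]


def is_access_allowed(grant: Grant) -> bool:
    """Decide whether a single grant is consistent with need-to-know.

    Deny by default: an unknown role, a system outside the role's
    entitlement, or a special-category system without explicit approval
    all result in denial.
    """
    allowed = ROLE_ENTITLEMENTS.get(grant.role, set())
    if grant.system not in allowed:
        return False
    if grant.system in SPECIAL_CATEGORY_SYSTEMS and not grant.approved:
        return False
    return True


def review_grants(grants):
    """Return grants that should be revoked, keyed by user: {user: [(system, reason)]}."""
    findings = {}
    for g in grants:
        if is_access_allowed(g):
            continue
        if g.role not in ROLE_ENTITLEMENTS:
            reason = f"unknown role '{g.role}'"
        elif g.system not in ROLE_ENTITLEMENTS[g.role]:
            reason = f"'{g.system}' not needed by role '{g.role}'"
        else:
            reason = f"special-category system '{g.system}' without explicit approval"
        findings.setdefault(g.user, []).append((g.system, reason))
    return findings


if __name__ == "__main__":
    # Run the review over the constructed snapshot and list what to revoke.
    for user, items in sorted(review_grants(CURRENT_GRANTS).items()):
        for system, reason in items:
            print(f"REVOKE {user}@{system}: {reason}")
```

The same `is_access_allowed` decision can be used at login or API-call time, so that enforcement and the periodic review share one rule set rather than drifting apart. Unknown roles are denied rather than ignored, which is the safe default when an IAM export contains accounts the entitlement matrix does not cover.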


Reporting process

Companies shall report certain types of personal data breaches to the national data protection authority and, where the risk to individuals is high, to the data subjects. Before that can happen, staff who discover that a personal data breach has occurred need to report it to the right person internally, so it is important to have a clear process for how this is done. For example, a checklist that employees use whenever they suspect a personal data breach makes the first steps easy to follow. Internal communication must also be quick and smooth, because the deadlines for notifiable breaches (72 hours for notifying the supervisory authority) run from the moment the company becomes aware of the breach, not from the moment the report reaches the person responsible. The longer a breach goes unreported internally, the worse the consequences, both for the affected individuals and in terms of the company's exposure to fines.

Larger companies may have data protection ambassadors to facilitate data protection work

The larger the company, the greater the challenges of internal communication on data protection matters. It is important that the company communicates its internal routines, policies and similar material throughout the business in a smooth way, so that correct information reaches the employees. It is equally important that employees are able to pass important information up to the company's management without friction.

One thing that can facilitate this flow of communication is to appoint data protection ambassadors within the various departments of the business. These ambassadors should receive additional training in the GDPR and data protection in general, and act as a hub for communication between management and employees, so that information in the area flows more easily within the business.

More information about Organisational measures

Internal procedures and instructions for employees

By creating written internal procedures and instructions for employees, the company reduces the risk of employees violating the GDPR when performing their tasks. For example, companies may establish instructions on how employees should proceed when a data subject requests to have one of their rights fulfilled, such as a request for access or erasure. There are important deadlines to comply with under the GDPR (as a rule, the data subject must receive a response within one month of the request) and the information provided to the data subject must meet specific minimum requirements. Written documentation also makes it easier for the company to demonstrate that it complies with the principle of accountability set out in Article 5(2) of the GDPR.
