Organisational Measures


In some cases the GDPR refers to explicit organisational measures that need to be implemented such as data protection policies and human intervention. In other instances the regulation is vague on which measures are required. Therefore there is no definitive list of exactly which organisational measures need to be implemented. The measures an organisation chooses should be based on a combination of those measures specifically required by the regulation with the addition of measures that are required to ensure the safety of processing.


The nature and scale of processing that your organisation undertakes will direct which organisational measures you should implement.

If your industry has a code of conduct or certification mechanism this can be useful in showing that you are implementing good data governance practices.

Documentation of processes, information and policies will be fundamental to most organisational measures so having these in place is a foundational first step.

It is likely that you pass data to a third party supplier, provider or IT partner. In these cases you need to also check that these organisations have put in place appropriate technical measures.

How to:

Data mapping

Start by understanding which data and types of personal information you are storing and processing. For these processing activities you should have policies and procedures in place to ensure good governance. You should also keep an ongoing record of these activities so that you are able to provide details should the individual or supervisory authority request it.

Impact Assessment

The primary aim of the data protection impact assessment is to identify any risks that exist in your processing operations. Organisational measures are some of the main ways in which you can mitigate these risks. Therefore understand what your risks are and target organisational measures at these risks.

Data Subject Rights

Ensure you have processes in place to support all the rights of data subjects.


Once you have Organisational Measures in place you are required to review them on a regular basis.

It is likely that you may not posses all of the skills required to implement the above within your organisation. In that case you should speak to your IT or legal providers or alternatively our Brand Partners can assist with implementation.

Common Scenarios:

Customer submits a request for information
  • Be able to explain what information you hold on them
  • Describe the use of the information and why it is needed
  • Provide details of anyone who you transfer the information to
  • Describe the measures taken and policies in place to protect their information
Customer requests a change to their information
  • Provide detail on the information you currently hold
  • Inform them of your policies regarding their data
  • Explain the process for the change
  • Do the above without undue delay


  • GDPR Recitals: 29, 71, 74, 77, 78, 87, 114, 156
  • GDPR Articles: 24, 25

How Gydeline helps

We, at Gydeline, help small and medium sized organisations save money and time by building systems, processes and policies that simplify their business and support their sustainability aims.  We do this with a range of services.

If you would like to discuss any aspects of dealing with this and other risks in your business we are always happy to offer some, free, no obligation assistance – just contact us.

Related Posts