Context:
In some cases the GDPR refers to explicit organisational measures that need to be implemented, such as data protection policies and human intervention. In other instances the regulation is vague about which measures are required, so there is no definitive list of exactly which organisational measures must be implemented. The measures an organisation chooses should combine those specifically required by the regulation with any further measures needed to ensure the security of processing.
Considerations:
The nature and scale of processing that your organisation undertakes will direct which organisational measures you should implement.
If your industry has a code of conduct or certification mechanism, this can be useful in showing that you are implementing good data governance practices.
Documentation of processes, information and policies will be fundamental to most organisational measures, so having these in place is a foundational first step.
It is likely that you pass data to a third-party supplier, provider or IT partner. In these cases you also need to check that these organisations have put appropriate technical measures in place.
How to:
Data mapping
Start by understanding which data and types of personal information you are storing and processing. For these processing activities you should have policies and procedures in place to ensure good governance. You should also keep an ongoing record of these activities so that you can provide details should an individual or a supervisory authority request them.
Impact Assessment
The primary aim of the data protection impact assessment is to identify the risks that exist in your processing operations. Organisational measures are among the main ways you can mitigate these risks, so understand what your risks are and target organisational measures at them.
Data Subject Rights
Ensure you have processes in place to support all the rights of data subjects.
Review
Once you have organisational measures in place, you are required to review them on a regular basis.
It is likely that you do not possess all of the skills required to implement the above within your organisation. In that case you should speak to your IT or legal providers; alternatively, our Brand Partners can assist with implementation.
Common Scenarios:
Customer submits a request for information
- Be able to explain what information you hold on them
- Describe the use of the information and why it is needed
- Provide details of anyone who you transfer the information to
- Describe the measures taken and policies in place to protect their information
Customer requests a change to their information
- Provide detail on the information you currently hold
- Inform them of your policies regarding their data
- Explain the process for the change
- Do the above without undue delay
References:
- GDPR Recitals: 29, 71, 74, 77, 78, 87, 114, 156
- GDPR Articles: 24, 25