The necessary security measures can differ based on the nature of the personal data you process and the associated risks to individuals. In any case, there are some minimum measures you should put into place:

• secure access to the premises;
• use regularly updated antivirus software;
• carefully choose your passwords;
• make users authenticate themselves before using the computer facilities;
• have a data back-up and retrieval policy in place in case of an incident.

In addition, some basic measures such as locking your screen while you are away and locking up the office at the end of the day are never out of place...

More information:

• Secure personal data

Data controllers can only process personal data in one of the following circumstances:

• with the consent of the individuals concerned;
• where processing is necessary for the performance of a contract (a contract between your organisation and an individual);
• to meet a legal obligation under EU or national legislation;
• where processing is necessary for the performance of a task carried out in the public interest under EU or national legislation;
• to protect the vital interests of an individual;
• for your organisation’s legitimate interests - except where they are overridden by the rights and freedoms of individuals.

In addition, the GDPR establishes additional conditions for the processing of sensitive data.

More information:

• Process personal data lawfully

The task of the DPO include, among others:

• to inform and advise the organisation and its employees on data protection compliance;
• to monitor data protection compliance;
• to provide advice on requests concerning the data protection impact assessment (DPIA);
• to act as a contact point for the data protection authority (DPA) and to cooperate with that DPA;
• to act as a contact point for individuals.

In addition, the DPO’s presence is generally recommended where decisions with data protection implications are taken. The DPO should also be promptly consulted once a data breach or another incident has occurred.

More information:

• Data Protection Officer

A valid contract between the data controller and data processor is obligatory under the GDPR. An infringement can be subject to an administrative fine up to 10M€ or up to 2% of the total annual turnover of a company, whichever is higher.

To help guide you when setting up a controller-processor agreement, the Danish and Slovenian data protection authorities, as well as the European Commission, have developed template agreements.

More information:

• Data controller or data processor

If your organisation is collecting the personal data directly from individuals, it must provide the necessary information at the time of collection.

In case of indirect collection of personal data, your organisation must provide the information at the latest within one month after the personal data has been initially obtained. This maximum period of one month can be reduced:

• if the personal data is used for the purpose of communication with the data subject. In that case, you must inform the data subject at the latest at the time of the first communication to the data subject;
• if the data is transmitted to another recipient, the organisation informs the data subjects of this at the latest when the personal data is transferred. 

More information:

• Respect individuals’ rights

Processing personal data is allowed if there is a legal basis for it. In addition to free, specific , informed and unambiguous consent, other legal bases for processing can be used.
In other words, consent is necessary when none of the other legal bases applies.

More information:

• Process personal data lawfully

Every organisation, regardless of the their size or sector, established in the European Economic Area (EEA) or offering products or services to individuals in the EEA, processing personal data whether or not by automated means needs to comply with the GDPR. Even if the GDPR mainly relates to automated processing of personal data, processing operations carried out manually will also be subject to the GDPR from the moment the paper files are organised in a systematic manner, e.g. ordered alphabetically in a filing cabinet. 

Examples of processing operations include collecting, recording, organising, using, modifying, storing, disclosing, altering and erasing individuals’ personal data.

Nevertheless, the application of the GDPR is modulated according to the nature, context, purposes and risks of the processing operations carried out. For SMEs whose core business is not the processing of personal data, the obligations can be less strict than for a large company.

More information:

• Data protection basics

For consent to be considered valid, it must be:

• freely given;
• specific;
• informed; and
• unambiguous.

This means that individuals must have a genuinely free choice regarding whether or not they agree with the processing of their personal data; they need sufficient information so that they can understand which data is processed, for what purpose, and how this is done; they also need sufficient granularity in consent requests.

In addition, there should be a clear affirmative action from the individual (without pre-ticked boxes and made separately from applicable general conditions).

In addition, individuals need to be able to freely withdraw their consent (without any negative consequences) if they change their mind later on.

More information:

• Process personal data lawfully

The GDPR foresees specific rights for individuals that have to be respected. You can do this by:

• informing individuals whose data you process about your processing operations and the processing purposes when you collect their data, for example via a privacy statement on your website;
• by responding to individuals’ requests to exercise their rights, such as access, rectification, objection, erasure or portability requests.

Organisations that are transparent about their use of personal data and that respect the rights of individuals are less likely to become subject to complaints.

More information:

• Respect individuals’ rights

Individuals have the right to request erasure of personal data concerning them and in that case, the controller has the obligation to erase the personal data. You should respond without undue delay and at the latest within one month after receipt of the request. This deadline can be extended by another two months if the request is too complex and more time is needed to comply with the request, provided that the individual is informed of this within one month after receiving the request.

It is important to note that the right to erasure is not absolute. It does not apply when the data in question is necessary for:

• exercising the right to freedom of expression and information (e.g. for journalistic purposes);
• compliance with a legal obligation which requires the processing of personal data (e.g. processing records on employees’ work hours);
• reasons of public interest in the area of public health
• archiving purposes in the public interest or scientific or historical research purposes or statistical purposes; and
• the establishment, exercise or defence of legal claims.

When the personal data that is to be erased was previously transferred to other organisations, you must inform these recipients that the individual has requested erasure, unless this proves impossible or would require disproportionate efforts.

More information:

• Respect individuals’ rights