Everything you need to know about GDPR

This article covers everything you need to know about GDPR to be able to handle compliance tasks for your company.  

The article is for you, who are the internal GDPR responsible and have the responsibility to ensure that your organization is compliant and complies with the General Data Protection Regulation, which came into effect in 2018. 

The aim of this article is to provide you with a comprehensive overview of the concepts and legal requirements that you need to be aware of and to ensure that your organization complies with them. 

Background of GDPR

Although it may seem that way, GDPR was not created to increase the amount of paperwork and regulations that need to be followed. 

As the use of the internet has become more widespread, the sharing of data across services and platforms has increased exponentially. This has created a need to establish a set of rules for which kind of personal data that can be stored, and how it should be stored. 

With the rise of social media, there have been several cases of misuse of personal data over time, especially the Cambridge Analytica scandal in 2018 has increased the focus on how personal data can be processed. 

GDPR summarized 

GDPR (General Data Protection Regulation), also known as the Data Protection Regulation or the Personal Data Regulation, is an EU regulation that came into effect on May 25, 2018. 

The purpose of the regulation is to promote the protection of individuals with regard to the processing of personal data in the EU. 

According to the Data Protection Regulation, all European organizations - both private and public - must first and foremost be able to demonstrate that personal data is being processed in accordance with the rules in this area. 

In addition to GDPR, the rules on data protection are also regulated by the Danish Data Protection Act, which implements and supplements GDPR. 

You can read the entire regulation or get the main points explained by reading further in this article.

Do you want to read even more about GDPR? Read our article on that subject: What is GDPR compliance and how does it apply to me?

Wave top

Process for GDPR implementation

  • Get an overview of and prepare an "Article 30 record" of your organization's processing activities (Article 30(1)(2)).
  • Document that your organization complies with the regulation's principles for processing personal data (Article 5).
  • Create data processing agreements with all your data processors (Article 28(3)).
  • Conduct risk assessments of your processing activities.
  • Ensure that your security measures are appropriate to the identified risks - this can help reduce certain risks (Article 24).
  • Identify whether your organization has international data transfers, subsequently consider whether the third country is safe or unsafe, and if the legal basis is in place.
  • Plan an annual schedule to ensure that you and your colleagues carry out your organization's GDPR activities.
Wave Bottom

Personal data

When can you process personal data?  

When processing personal data, there are 7 basic principles that you must always comply with as a data controller. All GDPR requirements are based on these principles, which is why it is important to have an understanding of them. You should be aware that compliance with these principles does not constitute a legal basis for your organization's processing activities. The legal basis can be found in the other legal provisions of the regulation.  


The 7 basic GDPR principles (Article 5): 

  1. Lawfulness, fairness and transparency. 
  2. Purpose limitation.
  3. Data minimization.
  4. Accuracy.
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability


1. Lawfulness, fairness and transparency. 

Processing of personal data must be lawful, meaning that your organization must have a valid legal basis in national or EU law to process personal data. For example, the data subject has given consent to the processing of personal data under Article 6(1)(a) or Article 9(2)(a). The lawfulness principle also requires that the purpose of processing must be lawful. 

Fairness means that the data subject's information must be processed in a fair manner. It is not enough that the processing is lawful, it must also be fair to the data subject. Fairness involves protecting the interests of the data subject. This is an expression of the unwritten principle of good data processing practice. 

Transparency means that your organization must clearly communicate what, how, and why you are processing the data subject's personal data. The data subject must be made aware of the risks, rights, rules, and guarantees of the processing in a transparent and understandable way. It is important to communicate in a simple and easily understandable language. 

2. Purpose limitation 

When personal data is collected, the data controller must describe the purposes for which the data is being collected. The data may only be processed for the stated purpose. This means that you may not process the personal data for any other purpose, than the original purpose for which it was collected. The purpose of the processing must be determined prior to the start of the processing activity. The purpose must also be reasonable, which means that the purpose must be legal and within the reasonable scope of your organization. In determining whether a possible disclosure of personal data can be accommodated within the original purpose, the "not incompatible" test under Article 6(4) et seq. of the GDPR and Section 5(2) of the Danish Data Protection Act can be carried out. 

3. Data minimization 

The collected personal data must be sufficient, relevant, and limited to the purpose of the processing. Therefore, it is important that you do not have more information than necessary to fulfill your purpose. 

4. Accuracy 

It is important to ensure that the personal data being processed is accurate. If necessary, the information must be updated, and incorrect data must be updated or deleted immediately. 

5. Storage limitation 

Personal data must be deleted or anonymized when it is no longer necessary to retain them. If the information is still used for the original purpose, it is not necessary to delete it. 

6. Integrity and confidentiality 

Personal data must be protected against unauthorized or illegal processing. It must also be ensured that information is not lost or damaged. To ensure this, your organization must have implemented appropriate organizational and technical measures. 

7. Accountability 

The data controller is responsible for ensuring compliance with the GDPR principles mentioned above. It is also important that you can demonstrate that your organization complies with these principles. However, the regulation does not specify how to document compliance. Nevertheless, the regulation sets out some formal requirements for certain documentation, such as Article 28(9), which states that data processing agreements must be in writing and electronic. The same requirement applies to records under Article 30. 

What is personal data? 

Personal data is any form of information that can be attributed to a specific person. 

The following information is identifiable: 

  • Social security numbers.   
  • Fingerprints.
  • Location data.   
  • Payment information.   
  • Medical records.  

When it is practically possible to identify a person from the information or in combination with other information, the information can be characterized as "personally identifiable". 

There are three categories of personal data in the GDPR: 

  • Ordinary personal data (non-sensitive information).  
  • Special categories of personal data (sensitive information).  
  • Criminal convictions and offenses. 

Ordinary personal data (non-sensitive information) 

Regular personal data are all the information that are not classified as sensitive personal data. This could for example be: 

  • Identification information such as name, address, age, and education.   
  • Economic conditions.  
  • Family relationships.  
  • Housing.  
  • Social problems.  
  • Application and resume. 

Special categories of personal data (sensitive information)  

The special categories of personal data are expressly defined in the data protection regulation, and they include information about:  

  • Race and ethnic origin. 
  • Political opinions. 
  • Religious or philosophical beliefs. 
  • Trade union membership. 
  • Genetic data. 
  • Biometric data for the purpose of uniquely identifying a person.  
  • Health-related information. 
  • Sexual life or orientation. 

Only the information mentioned above constitutes special categories of personal data. 

Convictions and criminal offenses  

Information about criminal offenses is separately regulated in data protection law. This could be information that a person has committed a certain criminal offense. 

The GDPR regulation refers to the need to find a legal basis for the processing of such information in national legislation such as the Danish Data Protection Act. 

National identification number

The GDPR regulation refers to the need to find a legal basis for the processing of CPR numbers or similar information in national legislation such as the Danish Data Protection Act. 
Behandlingsaktiviteter gdpr-1

Processing activities

What is a processing activity?  

A processing activity can be translated as a work process in which you handle personal data. It is primarily electronic processing of information that is covered by the rules. Examples may include collection, registration, systematization, storage, search, use, disclosure or deletion of personal information. 

Examples of internal processing activities:  

  • Payroll.   
  • Recruitment and applications. 
  • HR administration. 

Examples of external processing activities: 

  • Sending newsletters.  
  • Customer administration.    
  • Cookie consent. 

It may involve processing of both ordinary and sensitive personal data, as well as internal information on employees and external information on customers and suppliers. 

Documentation of processing activities 

One of the most important requirements in the GDPR legislation is that if your company processes personal data, you must document your processing activities. A processing activity can be seen as a "work process in which personal data is processed". 

Documentation of your processing activities aims to comply with the "Principles for processing of personal data", “Keeping a record of processing activities" and "risk assessment of processing activities". Therefore, processing activities can be considered as the foundation for your further work with GDPR. 

Registration of processing activities

Registration of processing activities can be done in a static document or in a cloud-based platform where there is an opportunity to work dynamically with the entered information. 

Read more about how you can map your processing activities in the article: Data mapping done simple with our Data mapping tool

You can also read more about our Processing Activity module in Privacy here


Data controller and data processor

What is a data controller?  

The regulation defines a data controller as: "A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data." The data controller determines the why (the purpose) and how (the means) of the processing of personal data. It is also the data controller's responsibility to ensure that there is a legal basis for the processing and that the rights of the data subjects are observed and respected. 

What is a data processor?  

The regulation defines a data processor as: "A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller." The data processor processes personal data on behalf of the data controller and operates under the responsibility of the data controller. If the data processor acts outside of the instructions (and thus outside of the data processing agreement), they become an independent data controller. However, this does not mean that the original data controller cannot be held accountable to the data subject. It is the data controller's responsibility to monitor the data processor (and the data controller is responsible for what the data processor does). 

The data processor is responsible for complying with the data processing agreement with the data controller. 


What is a sub-processor?  

The data processor has the option to pass on one or more tasks to a sub-processor (subcontractor). The sub-processor has at least the same obligations as the data processor. 

The data processor may only use a sub-processor if the data controller has given written approval. Additionally, it is important to emphasize that the sub-processor acts on behalf of the data controller and not on behalf of the data processor. This means that the data processor does not become a data controller for the sub-processor. However, the data processor is responsible for the data protection obligations that the sub-processor has. If the sub-processor does not fulfill these obligations, it is the data processor's responsibility to fulfill these obligations on behalf of the data controller. 

It is important that the responsibility is clearly defined in the data processing agreement. 


What is a data processing agreement?  

It is a legal requirement that as a data controller, you enter into a data processing agreement with all your data processors. The data processing agreement describes how the data processor may process personal data on behalf of the data controller, ensuring that data is processed correctly and securely. The agreement is a legally binding document and must be in writing, including electronically. The agreement must meet certain minimum requirements to be considered valid. 

Minimum requirements for the data processing agreement 

  1. The data processor may only process personal data according to documented instructions from the data controller.  
  2. The data processor must ensure that authorized persons who process personal data have committed to confidentiality or are subject to an appropriate statutory duty of confidentiality.   
  3. The data processor implements technical and organizational measures to ensure a level of security appropriate to the data controller's risk assessment. 
  4. The data processor complies with the conditions for the use of sub-processors.  
  5. The data processor assists the data controller as far as possible in responding to requests from data subjects, such as for access, erasure or rectification.  
  6. The data processor assists the data controller in ensuring data processing security, notifying the supervisory authority/data subject about breaches of personal data security and preparing impact assessments.  
  7. The data processor deletes or returns the personal data to the data controller upon the data controller's choice.  
  8. The data processor makes all information necessary to demonstrate compliance with the data processing agreement available to the data controller and notifies the data controller if an instruction, in the data processor's opinion, conflicts with the regulation.  

The Data Protection Agency provides guidance on how to prepare a data processing agreement. For example, you can use the Data Protection Agency's template to prepare your company's data processing agreement and refer to Article 28(3) of the GDPR for further elaboration. 

Supervision of data processors    

According to the GDPR legislation, as a data controller, you must supervise that the data processor complies with the data processing agreement. Therefore, it is not sufficient to simply have entered into a data processing agreement. You can read more about supervision of data processors here.


Record of processing activities

Why you need a record of processing activities

One of the most important requirements of the GDPR is that all data controllers and processors must maintain an internal record of processing activities (work processes in which personal data is processed). The record ensure that data controllers and processors have the necessary overview and comply with the rules of the regulation. You must be able to present the record of your processing activities to the Data Protection Authority at any time upon request. The record must be available in writing and electronically, and there are no requirements for the format thereof.

What information should an Article 30 record contain?

The Article 30 record is divided into 30.1 and 30.2, which respectively concern information for data controllers and processors.

Record for data controllers (30.1 record)

All companies that process personal data must create an Article 30.1 record. Here, you are the data controller, which means you are responsible for the data being processed. Therefore, you must prepare an Article 30.1 record of your processing activities if you, for example, process data on employees in connection with payroll. The inventory must contain:

  • Name and contact information for the data controller.
  • Purpose with the processing.
  • Categories of data subjects and categories of personal data.
  • Categories of recipients to whom the personal data have been or will be disclosed.
  • Transfers of personal data to a third country or an international organization.
  • Retention schedules for the various categories of data.
  • Description of technical and organizational security measures, if possible.

Inventory for data processors (30.2 record)

Not all companies need to create an Article 30.2 record. The record only needs to be prepared by companies acting as data processors. Being a data processor means that you are not responsible for the personal data being processed, but you process it on behalf of another data controller company.

Examples of typical data processor companies could be an IT supplier or a marketing agency that processes data on behalf of their clients.

*Data processors are also registered on a 30.1 inventory, and all data controller companies must prepare this record. Here, the data processors are registered, while on a 30.2 inventory, the companies that use you as a data processor are registered.

The inventory must contain:

  • Name and contact information for the data processor (you as the supplier) and the data controller (the customer) on whose behalf the data processor is acting.
  • Categories of processing carried out on behalf of the data controller.
  • Transfers to a third country or an international organization.
  • Description of technical and organizational security measures, if possible.


When do you need a record?

Almost all companies and organizations need to maintain a record of their processing activities.


Do you need help creating your record?

Learn how the Privacy platform can assist you in keeping your register up-to-date.


Audit of your data processors

How do I conduct supervision of my data processors?

It is not sufficient to enter into a data processing agreement with your data processors, as a data controller company or authority, you are also obligated to continuously supervise that the data processors comply with the data processing agreement. You must be able to document this supervision at all times to the Danish Data Protection Agency.

How to conduct supervision of your data processors

The Danish Data Protection Agency has established a guidance model that you can rely on when assessing how to supervise your data processors. The model consists of a points scale that can indicate how risky the processing of personal data is. In addition, there are six supervision concepts that gradually place greater demands on the supervision. You can focus on the supervision concept(s) that are relevant to you, based on how many points you have received in the points scale.

Datatilsynets pointscala. Kilde: datatilsynet.dk

Scoring scale

Practical use of the scoring scale

The number of points in the scoring scale depends on four parameters defined by the Data Protection Authority:

  • The number of people whose personal data is being processed by your data processor.
  • Whether your data processor processes special categories of personal data (sensitive data) on your behalf.
  • Whether your data processor processes other personal data of a sensitive nature on your behalf.
  • Whether the processing of personal data is closely related to the privacy of those involved.
Datatilsynets pointscala. Kilde: datatilsynet.dk

Concept 1  
You don't have to do anything unless you become aware that something is wrong with the data processor.

Concept 2  
The data processor confirms - preferably in writing - to you that all requirements of the data processing agreement are still being met.

Concept 3  
The data processor provides you with an annual written status on matters covered by the data processing agreement and other relevant areas (e.g. organizational or product-related changes), either directly or via its website.

Concept 4  
The data processor has a relevant and up-to-date certification or follows a so-called code of conduct that is relevant to your processing activities.

Concept 5  
An independent third party has conducted a documented supervision of the data processor in an area that also covers your processing activities.

Concept 6  
You yourself - or together with others - carry out a documented supervision of the data processor.

Methods for ongoing supervision of data processors  

There are several ways in which you can supervise your data processors, depending on who and how you want the process to be handled.

Who should perform the supervision?

You can choose to take on the task yourself or outsource it to an external partner.

How should the supervision be documented and managed?

You can carry out the supervision in a static document, or you can use a platform for this purpose. 

DPA service

.legal offers to perform the task of supervising your data processors according to the guidelines of the Danish Data Protection Agency. We manage the process and conduct ongoing follow-up with the data processors, so you don't have to take on this heavy and time-consuming task yourself. Our service covers all supervision concepts, and the risk classification can be done directly in the system.

Read more about our Data Processor Audit Service here.

How do you make a structured way to audit your data processors? Read how to make a plan here.

GDPR Risk Assessments

What is the purpose of a risk assessment?

A risk assessment is an essential process that aids companies in making strategic decisions and securing their safety measures. The aim of the risk assessment is to gain an in-depth understanding of any risks associated with the company's operations and to evaluate the likelihood and possible consequences if these risks were to materialize. By examining risks from various perspectives - from workplace safety to financial investment and data protection - the company can anticipate potential challenges and proactively implement solutions to mitigate their impact.

In relation to GDPR, the risk assessment is a crucial tool that assists companies in ensuring reliable and lawful processing of personal data. The purpose of the risk assessment is to identify potential risks of personal data being compromised, thereby ensuring that appropriate safety measures are in place. This requires a tailored approach as risks can vary significantly from one company to another.

How do you conduct a risk assessment?

Performing an effective risk assessment within the framework of GDPR requires a systematic and structured approach. Your organization should have an overarching framework that allows navigating a complex landscape of risks. This enables the identification, categorization, and prioritization of various risks - from security regulations to confidentiality conditions and document storage. It aids in efficiently allocating resources for risk management and ensures your compliance with regulations such as GDPR.

Firstly, you need to identify and list potential threats related to your personal data activities. These could range from risks associated with handling sensitive personal data, consent requirements, data security, to risks related to the transfer of personal data to third countries. Include all relevant stakeholders in this process as it can help ensure that all aspects are covered.

Next, you should evaluate the likelihood of these threats occurring. This requires a realistic assessment of current threats and vulnerabilities. For example, if your organization allows remote work, a potential threat could be a hacker attack on employees' home offices. Assess to what extent this threat is relevant to your organization.

The following step is to assess the consequences if these threats become a reality. Consider the implications for the data subject if this data were to be compromised. What would it mean for the individual? How would it affect your company?

The overall risk assessment for each threat can then be calculated by multiplying the likelihood by the consequence. This quantitative approach can help prioritize which risks require the most attention.

After completing your risk assessment, it is essential to implement appropriate measures to minimize and manage these risks. Throughout this process, ensure documentation so you can demonstrate compliance with GDPR if necessary. Conducting a careful and thorough risk assessment is not only crucial for complying with GDPR but also for protecting your company's reputation and financial stability.

Do you not know how to get started? Read our article about GDPR risk assessments where we provide a framework and examples on how to simplify the task.

Example of a risk: handling personal data via email.

Example: Risk assessment of sharing personal data via email. Threat: An employee accidentally sends an email containing sensitive personal information about 50 clients to the wrong recipient.

Likelihood: As the company uses email daily to communicate with clients and share information internally, there is a medium likelihood that such a mistake could occur. The company has implemented procedures to minimize this risk, but human errors cannot be completely eliminated.

Consequence: The disclosed information could potentially be misused by the wrong recipient, leading to identity theft or other forms of abuse. This is assessed as a high consequence.

Remember, it is important to assess risks for all the company's processing activities, which includes all the different ways you collect, store, use, and share personal information. You can find a detailed list of these activities in your record of processing activities.

Read more about how Privacy's risk module can help you with your risk assessments here.

Security Measures

According to Article 32 of the General Data Protection Regulation (GDPR), it is required that the data controller implements appropriate technical and organizational security measures to address the risks associated with the processing of personal data.

These requirements for appropriate security measures apply to both electronic and physical processing of personal data. This means that the data controller must take the necessary steps to protect personal data from unauthorized access, alteration, disclosure, destruction, or other unlawful processing.

Technical Security Measures

The technical security measures include the implementation of security technologies and solutions, such as:

  • Software updates
  • Firewalls
  • Antivirus software
  • Encryption
  • Backup systems
  • Logging
  • Strong passwords
  • Access rights

Software Updates It is crucial to keep your systems updated to avoid security vulnerabilities. When a software provider discovers a security flaw, they will quickly release a new version that patches the vulnerability.

Firewall A firewall acts as a protective barrier and prevents unwanted traffic from accessing your network. It is recommended to have a firewall configured on all networks to protect against unauthorized access.

Antivirus Software Antivirus is essential for preventing malicious files from infecting your devices. It monitors and blocks suspicious activity and can prevent damage before it occurs.

Encryption By using encryption, your data becomes unreadable to unauthorized persons. Encryption ensures that only those with the correct decryption key can read the confidential information.

Backup Regular backup of your data is important to protect against data loss. If data is lost or damaged, you can restore it from backup copies.

Logging Logging involves recording and monitoring activities on your systems. This allows for tracking and analyzing events, which is useful for detecting and responding to security issues.

Strong Passwords Passwords should be complex and unique to prevent unauthorized access. Avoid simple or easily recognizable patterns and encourage users to choose strong passwords.

Access Rights It is important to assign employees the access rights necessary for their work. Avoid granting full access to systems unless required. This ensures compliance with GDPR and minimizes the risk of misuse of access privileges.

Organizational Security Measures

The organizational security measures involve:

  • Implementing internal policies and procedures
  • Employee training and awareness
  • Restricting access rights
  • Implementing data retention and deletion policies

Implementing Internal Policies and Procedures You should develop and implement clear and comprehensive policies and procedures that establish guidelines for data protection.

Employee Training and Awareness A crucial part of organizational security measures is ensuring that employees are aware of their responsibilities for data protection and have the necessary knowledge and skills to handle personal data securely. This can be achieved through regular training and updates on data protection principles, best practices, and legal requirements. Investing in employee training can strengthen the data protection culture and minimize the risk of errors or negligence in handling personal data.

Restricting Access Rights "Restricting access rights" is an important security measure under GDPR aimed at minimizing the risk of accidental or unauthorized access to personal data. By limiting access rights, it is ensured that only employees who need specific personal information to perform their job tasks have access to these data.

This can be achieved through various technical and organizational methods. On the technical side, this may involve the use of passwords, two-factor authentication, encryption, or user access control systems. On the organizational side, it may involve policies and procedures that determine who has access to what data.

Restricting access rights helps minimize the risk of data breaches, protects personal data, and assists organizations in meeting their obligations under GDPR. It is an essential part of any data protection strategy.

Implementing Data Retention and Deletion Policies It is important to have clear guidelines for how long personal data should be stored and when it should be deleted.


Do you have an overview of your security measures? Let Privacy ISMS help you make an overview.

Data Responsibility

In the digital era, where data is a crucial resource, it's important to understand the various roles one might have in relation to data protection. Under the GDPR (General Data Protection Regulation), these roles are clearly defined to ensure that personal data is handled responsibly and securely. Whether you are an individual, part of a team, or working with other organizations, your data responsibility can vary. Let's delve into the different forms of data responsibility: sole data responsibility, shared data responsibility, and joint data responsibility, and explore what each role entails.

Sole Data Responsibility

When you have sole data responsibility, it means that your organization alone is responsible for the processing of personal data. This entails ensuring that all aspects of data processing comply with GDPR. From the collection of data to storage and eventual deletion, it's your responsibility to implement appropriate security measures. This also includes informing the data subjects about how and why their data is processed, as well as ensuring their rights according to GDPR.

Shared Data Responsibility

Shared data responsibility occurs when your organization collaborates with one or more external parties on data processing. In this scenario, all parties must clearly define their areas of responsibility and ensure that personal data is handled correctly in accordance with GDPR. The collaboration requires an agreement that precisely specifies who is responsible for what, including data protection and handling of any data breaches. It's crucial to have clear communication lines and processes in place to ensure that all parties understand their responsibilities.

Joint Data Responsibility

Joint data responsibility refers to situations where two or more organizations together determine the purposes of and means for data processing. This requires close collaboration to ensure that personal data is processed in compliance with GDPR. The organizations must enter into an agreement that details their respective obligations, including how the data subjects' rights are secured. It's also important that the data subjects are clearly informed about whom they can contact regarding their data, and how their rights can be exercised.

By creating a clear data mapping, you can get a better overview of your roles and obligations. Read how to do so here.

Transfers to Third Countries

In a globalized world, the transfer of personal data across national borders is a common practice. However, it's important to be aware that not all countries offer the same level of data protection as the EU under GDPR. An "unsafe third country" refers to a country outside the EU/EEA that the EU has not recognized as having an adequate level of data protection.

Why is it important?

Transferring personal data to an unsafe third country can pose risks to the rights and freedoms of the data subjects because these countries may not have strict data protection laws that match the standards of the GDPR. This can make personal data vulnerable to unauthorized access and misuse.

Special Attention is Needed

To protect personal data and comply with GDPR, organizations must pay special attention when transferring data to third countries. This includes:

Assessing the Level of Data Protection in the Country: Before a transfer takes place, a thorough assessment should be conducted to understand whether the country offers an adequate level of data protection.

Applying Appropriate Safeguards: If the country does not offer an adequate protection level, the organization must implement appropriate safeguards. This could include standard contractual clauses approved by the EU, binding corporate rules, or specific exceptions in limited situations.

Transparent Communication: It is important to inform the data subjects about the transfer of their data to a third country and the measures taken to protect their data.

By taking these steps, organizations can ensure that they navigate safely in transfers of personal data to third countries, protect the data subjects' data, and comply with the requirements of GDPR. This underscores the organization's commitment to data protection and strengthens trust among both users and partners.

Are you using any of the major Cloud services? Then it's likely that the data processor is located in an unsafe third country. You can read more about GDPR in relation to Cloud services here 

Policies and Procedures - The Foundation of Data Protection

At the heart of any effective data protection strategy lie clearly defined policies and procedures. These documents are not just formal requirements; they are fundamental to ensuring that personal data is handled responsibly, transparently, and in accordance with applicable laws like the GDPR.

The Importance of Well-Defined Policies and Procedures

By establishing and maintaining comprehensive policies and procedures, an organization ensures that all employees understand their roles and responsibilities in relation to data protection. This ensures a consistent approach to handling personal data and helps to prevent data breaches and other security risks. Moreover, it demonstrates to regulatory authorities, partners, and most importantly, to users, that the organization takes data protection seriously and operates with a high degree of integrity and accountability.

Example: Privacy Policy

A concrete example of an important policy is the privacy policy. This policy plays a central role in informing users about how their personal data is collected, used, protected, and shared by the organization. An effective privacy policy should clearly state:

  • The purposes of data collection
  • Categories of personal data collected
  • How data is used and shared with third parties
  • The user's rights regarding their data, including how they can access, correct, or delete their personal data
  • Contact information for further questions about data protection

A well-crafted privacy policy not only ensures compliance with GDPR but also strengthens users' trust by showing that the organization values their privacy.

What documents do you need to have in place at a minimum to be GDPR compliant? You can read more about the mandatory GDPR documents in our article here.

Awareness and Training

In an era where digital threats and data breaches are becoming increasingly sophisticated, having the right policies and procedures in place is not enough. It is equally important to ensure that everyone in the organization understands their significance and knows how to act in practice. Therefore, awareness and training on data protection are crucial for strengthening the organization's security posture.

Why are awareness and training important?

  • Preventing Data Breaches: Employees trained in data protection are less likely to make mistakes that could lead to data breaches, such as clicking on phishing emails or carelessly sharing sensitive information.
  • Compliance with Legislation: Understanding GDPR and other relevant data protection laws ensures that employees act in accordance with the law in their daily work.
  • Strengthening Customer and User Trust: Organizations that demonstrate a clear focus on data protection through education and awareness build greater trust among customers and users.

Implementing Effective Awareness and Training

  • Regular Training Sessions: Conduct regular training sessions to ensure employees are up-to-date with the latest data protection practices and threats.
  • Customized Learning Paths: Develop learning paths tailored to different roles within the organization, as different departments may need specific knowledge about data protection.
  • Using Realistic Scenarios: Apply realistic scenarios and case studies in training to make learning relevant and engaging for employees.
  • Creating a Culture of Data Protection: Promote an organizational culture where data protection is seen as an integral part of everyday life, and employees feel responsible for protecting personal information.

Are you a DPO or responsible for data protection in your company?

Did you know that one of your obligations is to issue and document awareness training?

You can read more about our DPO tool here.

Or learn more about what the DPO's obligations actually are, in this article.

Privacy by Design and Privacy by Default

The principles of Privacy by Design and Privacy by Default incorporate data protection from the beginning of the development of a product or service.

Privacy by Design

Privacy by Design is a key principle for the processing of personal data, set out in Article 25 of the General Data Protection Regulation (GDPR). It involves a proactive approach to data protection, focusing on risk management and covering all aspects of data processing, including IT systems, work processes, and physical infrastructure (e.g., hardware).

Privacy by Design requires that personal data security is protected throughout the entire lifecycle of data processing, whether it concerns a system, a hardware or software product, a service, or a process. It is crucial to implement security measures early in the project phases to ensure that data protection becomes an integral part of the development process and not just an addition later on. In this way, the protection of personal data security is embedded in the very processing of personal data.

Privacy by Default

Privacy by Default is a key principle that ensures products and services are set from the outset to maintain the highest degree of personal data protection.

Privacy by Default requires that the default settings of a product or service are designed to ensure optimal protection of personal data. This means that all privacy-relevant settings and configurations are set to protect the user's personal data by default. The user must then actively change the settings if they wish to adjust the level of privacy protection.

In this manner, personal data is protected from the beginning and is embedded in the design and functionality of a product or service. Privacy by Default is thus a crucial principle for achieving a high standard of data protection and building trust with users.

Adhering to Data Processing Principles

Ensuring responsible and lawful handling of personal data is crucial for any organization, necessitating compliance with the fundamental principles of data processing as defined by the GDPR. These principles form the core of data protection legislation and should guide all aspects of how personal data is collected, processed, and stored.

The Fundamental Principles

  • Lawfulness, Fairness, and Transparency: Data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
  • Purpose Limitation: Data must be collected for specific, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Data Minimization: Only data that is necessary for the purposes for which it is processed should be collected and processed.
  • Accuracy: Data must be accurate and, where necessary, kept up to date.
  • Storage Limitation: Data should be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  • Integrity and Confidentiality: Data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
  • Accountability: The data controller must be responsible for, and able to demonstrate compliance with, the above principles.

Implementation in Practice

To comply with these principles, organizations should:

  • Conduct Regular Data Protection Assessments: To identify and minimize risks associated with data processing activities.
  • Educate Employees: Ensure all employees understand the data processing principles and their significance for the organization's daily operations.
  • Implement and Maintain Appropriate Security Measures: To protect personal data against security breaches.
  • Update Policies and Procedures: To reflect changes in legislation, best practices, or the organization’s internal circumstances.

By integrating these principles into the organization's DNA, not only is compliance with the GDPR ensured, but personal data is also treated with the utmost respect and protection. This builds trust among users, customers, and partners and supports a culture of data protection and security.

Are you compliant with the GDPR? Or do you need help getting an overview? Our free Compliance wheel can help you on your way.

Learn more about Privacy's free Compliance Wheel here.

What activities should you plan for it? You can start with these activities that were focused on in 2023.

Handling a Security Breach

When it comes to handling a security breach, it's crucial to have a clear and effective process in place. Here are some key steps to manage a security breach:

  1. Identify a Security Breach

    • Be alert and identify when a security breach has occurred. This can be detected through monitoring systems, alerts, or reports from users or internal resources.
  2. Clarify the Extent of the Security Breach and Conduct a Risk Assessment

    • Understand the extent of the security breach and assess the potential risks associated with it. This involves analyzing which data has been compromised and what consequences it may have for the affected individuals and the organization as a whole.
  3. Stop the Security Breach and Involve Data Processors

    • If possible, take steps to halt the security breach and prevent further unauthorized access or dissemination of data. It may also be necessary to involve relevant data processors or third parties to manage the breach and minimize damage.
  4. Inform the Affected Parties and Possibly the Data Protection Authority

    • It's crucial to inform the affected individuals about the security breach and its consequences. This may involve providing clear information about which data has been compromised, what steps they can take to protect themselves, and how the organization is handling the situation. If the breach is of a certain severity, it must also be reported to the Data Protection Authority.
  5. Document All Security Breaches

    • Document all details of the security breach, including the time of discovery, the steps taken to address the breach, and the preventative measures implemented to avoid recurrence. This ensures a comprehensive overview of the breach and can be useful in future investigations and reporting.

When Should You Report a Security Breach?

  • You must report a security breach to the Data Protection Authority as soon as possible and within 72 hours of discovering the security breach.

By following these steps, organizations can ensure they handle security breaches responsibly, mitigate potential damages, and maintain trust with their stakeholders.

Compliance software for GDPR

Compliance software for GDPR compliance is an essential tool for organizations aiming to ensure they meet the stringent requirements set out by the General Data Protection Regulation (GDPR). If you're looking for assistance with your GDPR compliance efforts, .legal offers a Compliance platform named Privacy. This platform can be used free of charge to start with your documentation tasks.

.legal's Compliance Platform: Privacy

  • Privacy is designed to streamline the process of becoming and staying GDPR compliant. It offers an organized and efficient way to manage your data protection obligations.

Privacy GDPR Prices and Plans

  • Privacy provides various pricing and plan options to cater to the needs of different organizations, including a free tier to help you get started with compliance efforts without any initial investment.

Getting Started for Free with Our Compliance Platform

  • The platform allows you to begin your compliance journey at no cost, offering basic features that can significantly aid in managing your GDPR documentation and compliance tasks.

Benefits of Privacy Pro for Larger Organizations

  • For larger organizations, Privacy Pro offers advanced features and capabilities designed to handle the complex and extensive data protection requirements such organizations face. These features can include advanced role management and extended reporting.

Do I Need a Compliance Platform? How to Determine

  • To determine whether you need a Compliance platform, consider factors such as the size of your organization, the volume and complexity of personal data you process, and your current compliance status. A Compliance platform can simplify and automate many aspects of GDPR compliance, making it an invaluable tool for many organizations.

The Difference Between Using a Compliance Platform and Excel

  • Unlike Excel, which is a general-purpose spreadsheet tool, a dedicated Compliance platform is specifically designed for GDPR compliance, offering structured processes, automated workflows, and built-in compliance guidelines. This can significantly reduce the risk of errors and omissions and make compliance efforts more efficient and effective.

About Our Data Privacy Management Software

  • Our Data Privacy Management Software is tailored to help organizations manage their data privacy obligations comprehensively. It provides tools for data mapping, risk assessments, managing data subject requests, and documenting compliance efforts in a manner that aligns with GDPR requirements.

For more detailed information about the platform, its features, pricing, and how it can help your organization achieve and maintain GDPR compliance, visiting the .legal website or reaching out to their support team would be beneficial.


+230 large and small companies use .legal