The GDPR refers in many places to “appropriate technical and organisational measures” to protect personal data. While the media increasingly report on organisations being hacked, WannaCry and Equifax being the most recent high-profile examples, data breaches very often happen because of organisational failures rather than technical ones. Sending an email to the wrong person is a common example: this happened recently at the University of East Anglia, where a highly sensitive, unprotected document detailing student bereavements and mental health issues was emailed to more than 300 undergraduates.
This paper looks at some simple and practical organisational measures that you can put in place to protect and secure personal data.
Internal Policies and Procedures
Senior managers need to demonstrate their commitment to data protection and data security, and this starts with policies. For your employees to know what to do with those policies, they need to be backed up with detailed procedures, especially for handling the rights of the data subject (Articles 15-22, GDPR), some of which are new, such as the right to erasure (Article 17) and the right to data portability (Article 20).
Access Control and Compartmentalising Shared Drives
Many people think of access control as the physical security of the office as a whole: knowing who is coming in and out, and restricting the areas they can get into. That is certainly a factor, but access control applies equally to your IT systems. Not everyone needs access to your HR or customer databases, for example, and the same applies to your internal or cloud-based shared drives. By making each department’s area on the drive accessible only to those within that department, you are already minimising the risk of the data held there being compromised, whether through a hijacked account, a malicious insider or a simple mistake, because any one person can only reach the data they actually need.
The poster below sums it up.
Another point to consider is to ensure that the same password isn’t reused for network logon, folder access and database access. It is a bore having to remember lots of passwords, but a password that is reused everywhere means that one phished or leaked credential opens every system it was used on. You have to make it hard for the attackers.
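As an added example, not taken from the original article, the shell script below shows the compartmentalisation described above on a Linux or Unix file server: each department folder is owned by that department’s group with no permissions for anyone else, and an audit function lists any folder that has drifted back to being readable by everyone, which is what happens when someone creates a folder with the default umask. The department names, group names and the temporary base directory standing in for the shared drive are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): create per-department
# folders on a shared drive so that only members of the matching group can
# enter them, then audit the tree for folders that leak to "other".
# Assumptions: a POSIX-like system where the department groups (here "hr"
# and "finance") already exist; the base path is a hypothetical stand-in
# for the real shared drive.

# make_dept_dir BASE DEPT GROUP
# Creates BASE/DEPT owned by GROUP with mode 2770: owner and group can
# read, write and enter; "other" gets nothing; the setgid bit keeps files
# created inside in the department's group rather than the creator's.
make_dept_dir() {
    base="$1"; dept="$2"; group="$3"
    mkdir -p "$base/$dept" || return 1
    # chgrp fails if the group does not exist on this host (or the caller
    # is not a member); report it and carry on so the permissions still apply
    chgrp "$group" "$base/$dept" 2>/dev/null \
        || echo "warning: could not set group $group on $dept" >&2
    chmod 2770 "$base/$dept"
}

# audit_shared_drive BASE
# Prints every first-level folder that is readable or enterable by "other",
# i.e. by staff outside the department. Returns 1 if any were found, 0 if clean.
audit_shared_drive() {
    base="$1"
    leaks=$(find "$base" -mindepth 1 -maxdepth 1 -type d \
                 \( -perm -o+r -o -perm -o+x \) 2>/dev/null)
    if [ -n "$leaks" ]; then
        printf 'Over-permissive department folders:\n%s\n' "$leaks"
        return 1
    fi
    echo "No department folder is accessible to 'other'"
    return 0
}

# Demonstration on a temporary directory standing in for the shared drive.
demo() {
    base=$(mktemp -d)
    make_dept_dir "$base" HR hr
    make_dept_dir "$base" Finance finance
    # A folder created by hand with the usual umask ends up 755: world-readable
    mkdir "$base/Marketing"
    chmod 755 "$base/Marketing"
    audit_shared_drive "$base"      # flags Marketing, returns 1
    chmod 2770 "$base/Marketing"
    audit_shared_drive "$base"      # clean now, returns 0
    rm -rf "$base"
}

demo
```

Run the audit from a scheduled job and treat a non-zero exit as something to fix that day; on Windows file servers the same check is a review of the NTFS ACLs on each department share for entries granting Everyone or Authenticated Users read access.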
Clear Desk Policy
How many times have you walked up to the shared printer and found a document lying there containing confidential or commercially sensitive information? At the end of the working day, have you seen paperwork on people’s desks that really should have been locked away, or at least hidden from view in a drawer? A clear desk policy is critical to securing confidential information.
Training and Awareness
One of the simplest ways of promoting data protection within an organisation is to train employees. To be compliant you need to be able to demonstrate what actions you have taken to prevent a breach from occurring, and that includes making sure that employees have been properly trained on data protection and data privacy. General awareness training should be given to all staff during their induction and then annually; those who handle personal data on a regular basis, for example HR, Sales, Marketing, Customer Service and Payroll staff, should be given more extensive and more frequent training. Not least, your staff will need to be trained on the new policies and procedures mentioned above; how else would they be implemented?
Implementation and Enforcement
For all of this to be effective there needs to be an implementation plan, of which training is one part. The benefits of the new policies, procedures and processes need to be properly communicated, otherwise your staff won’t buy into them and will either return to the old way of working or find a workaround, completely undermining your good intentions. Formally checking that the policies and procedures are being adhered to is also very important. Organisations that have a compliance or internal audit function have a ready-made taskforce that can do this. For smaller organisations, or those that aren’t regulated, someone will have to be given responsibility for conducting an annual audit and keeping the records that demonstrate compliance.
Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) is required before starting any processing, in particular one that uses new technology to process customer or employee personal data, that “is likely to result in a high risk to the rights and freedoms of natural persons” (Article 35), and it is good practice whenever a new processing activity is being considered. It is part of the principle of data protection by design and by default (Article 25). Its purpose is to ensure that data protection is considered from the concept stage of the design process, so that proper consideration is given to data minimisation, and it must take into account the whole lifecycle of the processing, from collection to secure deletion.
Contracts with Data Processors
Many organisations use other companies to process data. This can be on an infrequent basis, e.g. using a marketing company for a specific campaign, or a regular task such as the monthly payroll. Whenever your organisation sends personal data to another, the contract must contain the data protection and confidentiality terms required by Article 28. Having such clauses does not absolve the data controller of its responsibilities: under the GDPR, where a controller and a processor are both responsible for damage caused by the same processing, each can be held liable for the entire damage to the data subject (Article 82). Additionally, a data processor may only process the personal data on the controller’s documented instructions, may not engage a sub-processor without the controller’s prior written authorisation, and once the service has been completed must either return the personal data to the controller or securely delete it, at the controller’s choice.
Personal Data Breach Plan
Organisations have 72 hours from the time they become aware of a personal data breach to notify the Supervisory Authority, unless the breach is unlikely to result in a risk to individuals (Article 33); where the risk is high, the affected individuals must also be told without undue delay (Article 34). The notification has to describe the nature of the breach, the categories and approximate numbers of data subjects and records concerned, the likely consequences and the measures taken or proposed, and although details may be supplied in phases, that is only permitted where they are genuinely not yet available. Unless companies have planned for this in advance, including a fast route from whoever first notices an incident to the people who must decide whether it is notifiable, they will struggle to meet this requirement properly, and that failure will only exacerbate the crisis they now find themselves in; indeed the Supervisory Authority may treat it as an aggravating factor when considering any fines and sanctions to be imposed as a result of the breach.
Elizabeth Denham, the UK’s Information Commissioner, said the following in a speech to the Institute of Directors on 17th October 2017, comparing the GDPR with the Data Protection Act 1998: “It’s an evolution of the current law and a step change that brings greater accountability, transparency and consumer control. These are the three pillars of data protection law that will give people agency over their information.” To demonstrate accountability you must have organisational measures such as these in place. Unfortunately, there is much else besides that you will need to implement to achieve compliance.
If you think that you need help with this, would like more information on GDPR compliance or just have questions, then please don’t hesitate to contact us at firstname.lastname@example.org. We look forward to hearing from you.