5.5 Organisational measures
Any actor shall be allowed to access, manage, or share, personal or confidential data before the data-protection implementation is documented. The actor must fulfil legal requirements and document how to meet requirements. It could also be valuable to get an independent review of the implementation by an external party. Table 14 describes the steps of implementing the organisational measures:
Table 14: Organisational measures for data protection
| Measure | Description |
| Data Supervisor | Appoint an individual as Data Supervisor. The Data Supervisor is responsible for mapping, implementing, documenting, and following the requirements for data-protection. |
| Data controller and Data Protection Officer | If personal data are included, the organisation (in a European context) handling the data assumes the responsibilities of being a Data Controller and must appoint a Data Protection Officer. |
| Legal | Ensure legal compliance with current legislation. |
| Documentation | Compile data-protection documentation describing the implementation. |
| Ethics | Determining whether the intended data usage requires approval from a national ethics committee. |
Ensure that anyone using or handling data has relevant contracts signed, including non-disclosure agreements.