5.5 Organisational measures

Any actor shall be allowed to access, manage, or share, personal or confidential data before the data-protection implementation is documented. The actor must fulfil legal requirements and document how to meet requirements. It could also be valuable to get an independent review of the implementation by an external party. Table 14 describes the steps of implementing the organisational measures:

Table 14: Organisational measures for data protection

Data SupervisorAppoint an individual as Data Supervisor. The Data Supervisor is responsible for mapping, implementing, documenting, and following the requirements for data-protection.
Data controller and Data Protection OfficerIf personal data are included, the organisation (in a European context) handling the data assumes the responsibilities of being a Data Controller and must appoint a Data Protection Officer.
LegalEnsure legal compliance with current legislation.
DocumentationCompile data-protection documentation describing the implementation.
EthicsDetermining whether the intended data usage requires approval from a national ethics committee.

Ensure that anyone using or handling data has relevant contracts signed, including non-disclosure agreements.