According to Article 5 (1) 'personal data should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);'

Identify, document and implement specific measures that will allow you to demonstrate a systematic and sustainable approach to comply with these requirements.

Pursuant to Article 5 (1) 'personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’).

The 'Data Retention Policy' provides guidelines on how long personal data should be kept for each processing purpose, which helps implement appropriate measures to ensure storage limitation.

The 'Data Anonymisation/Pseudonymisation Policy' is a document that provides guidelines on how and when to use anonymization and pseudonimisation of personal data.

Create this document to help demonstrate compliance with the 'storage limitation' principle.

Create this document to help demonstrate compliance with the 'storage limitation' and 'integrity and confidentiality' principles mentioned in Article 5(1).

Personal data is just a concept. It doesn’t exist in the real world until it is collected and stored somewhere.

A data supporting asset is the physical form the data takes in order to be created, accessed, modified, transported and eventually destroyed.

Data supporting assets can be hardware (e.g. laptops, networking gear, storage devices), software (e.g. applications, databases, files), documents, transmission channels (e.g. Wifi, mail, internal workflow) and people (e.g. users accessing the data).

A regularly updated data supporting assets inventory is essential to be able to ensure the personal data integrity and confidentiality.

Protecting the data supporting assets in your inventory requires a regular assessment of their vulnerabilities and potential threats that might exploit them.

Once these are identified they can be prioritised and addressed with specifric controls.

Personal data is protected by implementing control measures for 'data supporting assets', in order to address the vulnerabilities and threats identified and prevent events like illegitimate access, unwanted modification or destruction of personal data.

Security audits often come with recommendations, in the form of additional controls to be implemented or improvements to existing controls.

You should make sure a system is in place to follow-up on these recommendations until they are implemented. And then ensure periodical reviews are conducted.

When selecting vendors to process personal data on your behalf it's your responsibility to ensure that their security is adequate.

You should have a procedure to ensure that each vendor undergoes an assessment.

Make sure vendor security assessments are regularly reviewed and updated.

According to Article 32 (1) 'taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk'.

These measures can include policies and procedures like 'Information Security Policy', 'Clear Desk and Clear Screen Policy', 'Bring Your Own Device (BYOD) Policy','Mobile Device and Teleworking Policy' etc.

Your security team should determine your needs and create these policies accordingly.

Pursuant to Article 33 (1) 'in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.'

To comply with this requirement, you must keep a log of security incidents and maintain a procedure that allows you to promptly determine if an incident represents a data breach that should be reported.

According to Article 13 and 14 whenever you collect personal data you must provide specific information to the data subject.

Even if in some cases (e.g. if the processing is based on legal obligation or contract performance) the data subject might already know about the processing it's best to inform them anyway, if possible.

Privacy notices are probably the most visible part of your compliance status.

It's what the data subjects see when they get in contact with your organization.

You need to have a system that ensures they are regularly updated whenever a change occurs.

Make sure every public-facing person in your organization is able to recognize a data subject request and has access to a procedure that tells them how to handle it - or to whom to send it.

Also keep in mind that your employees are data subjects too.

Ignoring or forgetting to answer a request is a sure way to get a complaint and a visit from your data protection authority.

Determine the practical measures to be implemented so you are able to identify and comply in time with data subjects requests (e.g. a monitoring system that sends notifications when requests are approaching the deadline).

Transferring data to a third country comes with risks that should be considered prior to transferring it. It is recommended to have a system to determine if you or your vendors or partners engage in this type of transfers.

Every third country transfer should be subject to an assessment to determine whether the law or practice of the third country provides enough protection and if supplementary measures are needed or not.

This assessment should be documented and reviewed on a regular basis.

For more details please check EDPB recommendations.

Pursuant to Article 35 'where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.'

DPIAs should be properly documented and updated on a regular basis.

This is a fundamental document that sets out your organization's approach to meeting its obligations under data protection law.

It serves as the basis for your organization's GDPR compliance practices, explains the GDPR requirements for employees and affirms the commitment to become and stay compliant.

Make sure your organization is able to demonstrate its ability to resume at least the activities that have an important impact on data subjects.

This will allow you to demonstrate you took formal steps to ensure the data is adequately protected when it leaves your organization.

It also establishes clear rules of collaboration and responsibilities in case of joint controllers.

Your compliance is as strong as the information you used to document it. It's almost impossible to maintain it without a system in place to monitor changes and ensure regular updates are performed.