Prepare your Certification

To prepare for a successful certification, here is some advice:

  • Commit to personal data protection and communicate your commitment (i.e., Privacy Pact).
  • Designate a Data Protection Officer and make him/her easily reachable by the public and by your National Supervisory Authority.
  • Inventory and document your processing activities.
  • Check the lawfulness of your data processing activity (if based on consent, make sure that consent is informed, free, clearly expressed, and received before processing the data).
  • Assess the risks to the rights and freedoms of data subjects and, if applicable, perform a Data Protection Impact Assessment (DPIA).
  • Minimise personal data collection, processing, access and retention period.
  • Secure the data processing with appropriate technological and organisational measures.
  • Adopt an adequate data protection policy, rules and procedures, including for access control, backups and data retention period, data subject rights, processors, and cross-border transfer of personal data.
  • Communicate your data protection policy and procedures.
  • Record and document the exercise of data subjects' rights.
  • Record and document any data breaches and your reaction.
  • Regularly check your technical and organisational measures and update your risk assessment.
  • Perform, at least once a year, a top management review of the internal audit results and risk assessment. The top management should adopt a specific action plan addressing the identified weaknesses.