Prepare your Certification
In order to prepare a successful certification, here is some advice:
- Commit to personal data protection and communicate your commitment (Privacy Pact).
- Designate a Data Protection Officer and make him/her easily reachable by the public and by your National Supervisory Authority.
- Inventory and document your processing activities.
- Check the lawfulness of your data processing activity.
(if based on consent, make sure that consent is informed, free, clearly expressed, and received before processing the data).
- Assess the risks for the rights and freedom of data subjects and, if applicable perform, a Data Protection Impact Assessment (DPIA).
- Minimise the personal data collection, processing, access and period of retention.
- Secure the data processing with appropriate technological and organisational measures.
- Adopt adequate data protection policy, rules and procedures, including for access control, backups and data retention period, data subject rights, Processor and cross-border transfer of personal data.
- Communicate your data protection policy and procedures.
- Record and document the exercise of data subjects' rights.
- Record and document any data breaches and your reaction.
- Regularly check your technical and organisational measures and update your risk assessment.
- Perform at least once a year a top management review of the internal audit results and risk assessment. The top management should adopt a specific action plan addressing the identified weaknesses.