Humidor supports ‘Privacy by Design’
A company or organisation must not only process personal data in accordance with the General Data Protection Regulation (GDPR), but must also be able to demonstrate compliance. This includes implementing ‘privacy by design’, keeping a data register and, in certain circumstances, carrying out a ‘data protection impact assessment’.
As a controller, you must take appropriate measures and safeguards, both when designing a processing operation and at the time of processing, to ensure that data protection principles are complied with. You must also ensure that, by default, only personal data that is necessary for a specific purpose is processed. This applies, among other things, to the amount of data, the scope of the processing, the retention period and, of course, the accessibility of that data by others within the organisation or company.
In short, a company that applies data protection by design and by default (privacy by design) is a company that is concerned about the protection of personal data at every stage of its processing activities. Humidor is a tool for drawing up the data register, enabling your company or organisation to immediately put the principles of ‘privacy by design’ into practice as one of the specific requirements of the GDPR.
Ask yourself the following questions before you start processing personal data. These questions are also included in Humidor:
- What is the nature, context and scope of the intended processing?
- What risks to personal data may arise from the intended processing?
- What technical and organisational steps must we take to limit the potential risks and thus adequately protect personal data?
- What technical and organisational measures or procedures must we put in place to ensure that the processing of personal data is in line with the objectives pursued?