The following questions should be clarified at organisational level:
If you are unable to answer the above questions, raise the issue within your organisation. If necessary, raise the issue with those responsible.
The following questions should be clarified at project level:
Partner management
As a rule, you work together with your project partners on the project. In this case, your project partners are not processors in the traditional sense. You should nevertheless stipulate compliance with data protection in contracts with your partners.
Are all project partners based in the EU? If not, you should draw up additional contractual provisions in writing with the project partners who are not based in the EU regarding the processing of personal data.
Co-operation
Clarify the communication channels with your project partners. Determine which data may and may not be shared on which channels.
Analyse whether personal data is generated as part of the project and, if so, which data, and carry out a risk assessment based on the type of data. Decide together with your partners where each category of data will be stored, how it will be stored and who will have access to it.
Responsibility
Determine which partner is responsible for the security of which data. Ask this partner to confirm that sufficient technical and organisational measures have been taken to protect the data. Example: The partner who provides the system for shared document storage must ensure that the data there is adequately protected.
Awareness-raising and data security
Make sure that the project participants are aware of all the basic principles of data protection. If in doubt, go through the relevant provisions of the GDPR together and discuss what this means for the work in your project.
Identify which categories of data you are processing as part of the project and take measures to protect this data appropriately. This applies in particular if you are processing particularly sensitive data. Agree appropriate rules for the processing of this data with those involved in the project as a matter of urgency.
Third-party provider
It is easiest if you only commission service providers that have already been checked and classified by your organisation from a data protection perspective. This check must be carried out for every new service provider.
The issues are the same for every project. If you document your assessments and processes well, you can use this documentation as a basis for all future projects.