Data Protection & Privacy: What You Need to Know

Published On: March 19th, 2026

3 min read

Data protection is not just an IT topic—it’s a responsibility shared by every employee. With potential penalties of up to €20 million or 4% of annual revenue, and strict deadlines like 30 days for data requests and 72 hours for incident reporting, even small mistakes can have serious consequences.

Why It Matters

Data is one of the most valuable assets an organization has—but also a major responsibility. Misuse, loss, or unauthorized access can lead to significant financial penalties and long-term reputational damage. This is why proper data protection is essential in everyday work, not just at the system level.

Key Concepts

To handle data properly, it’s important to understand a few basic terms:

  • Personal data refers to any information that can identify a person, such as a name, email address, or IP address
  • Sensitive data includes health data, political beliefs, biometric data, and similar categories that require additional protection
  • Regulations such as the GDPR and local laws define how data may be collected, used, and protected


Your Everyday Responsibilities

Handling Data

In daily work, data should always be treated carefully and with purpose:

  • Collect only the data that is necessary
  • Avoid sharing it unless there is a clear need
  • Do not use unsecured channels such as private email or public cloud services

Storage and Deletion

Proper storage and timely deletion are just as important:

  • Use only approved systems
  • Follow defined retention periods and delete data securely
  • Destroy physical documents using a shredder

Access and Security

Protecting access to data is a key part of preventing incidents:

  • Use strong passwords and multi-factor authentication (MFA)
  • Lock your computer when leaving your workspace
  • Never share your access credentials

Data Subject Rights

Individuals have clearly defined rights when it comes to their data. These include the right to access, correct, delete, transfer, and object to the use of their data.

Every request must be forwarded immediately to the DPO or InfoSec team, as the response deadline is 30 days.

Incident Response

Incidents can happen in many forms—sending an email to the wrong recipient, losing a device, unauthorized access, or ransomware.

When this happens, the response must be immediate:

  • Stop the activity right away
  • Report the incident within 1 hour
  • Do not delete any evidence
  • Record all relevant details

The organization is required to report certain incidents within 72 hours, which makes your quick reaction essential.

Five Golden Rules

At its core, data protection comes down to a few simple principles:

  • Collect only what is necessary
  • Protect access (passwords + MFA)
  • Share data responsibly
  • Report incidents immediately
  • If unsure—ask the InfoSec team

Conclusion

Data protection is part of everyday work. By following these principles and reacting quickly when needed, you help protect both the organization and the people behind the data.

ASEE author: Ivan Vedak

Ivan Vedak is an accomplished IT professional and Information Security Manager with over 20 years of experience spanning project management, IT security, computer networks, fintech, and application development.
