The essentials

Rule 3 of 4

You collect as little as possible (rule 1) and you communicate transparently about it (rule 2). The data you do have, you must secure well.

Introduction

Security

Protect personal data with technical and organisational measures against unauthorised access, loss, or damage.

What you will learn in this module
  • Why security needs a holistic approach
  • How to protect systems, data, and environment
  • Why people are often the weakest link

Theory · 1 of 4

A holistic approach

Security is a broad subject and only works with a holistic approach: looking at security as a whole, with technology, people, and organisation together. One isolated measure is not enough; every link in the chain must hold. (Read more: Data security: where to start?)

You cannot do “a bit” of security: your defence is only as strong as the weakest link.

That is why we look at security on four fronts:

  • System and software security: logins, passwords, access rights, and backups. Secure your systems and software with strong logins and passwords, limited access rights, and regular backups. (Read more: Security for systems and software)
  • Data security: encryption at rest and in transit. Protect the data itself, mainly through encryption, both at rest and in transit. (Read more: Encryption: do I need to encrypt?)
  • Environmental security: physical access to offices, cabinets, and printers. The physical environment counts too: limit access to offices, filing cabinets, and printers, and keep paper records under lock and key. (Read more: Data security for paper documents)
  • The human factor: awareness, because people are often the weakest link. Most data breaches start with employees: a wrong click, a lost laptop. Awareness and training are therefore essential. (Read more: Why data breaches start with employees)

Theory · 2 of 4

System and software security (Knowledge Base)

  • Secure everything with a login; require strong passwords and turn on 2FA where possible. A strong password is at least 12 characters, never reused, and stored in a password manager, not on post-its or in shared spreadsheets. Change passwords after a breach, not on a fixed schedule. (Read more: Password policy: best practice)
  • Do not share accounts: give every employee their own login. That way you know who did what and you can revoke access in a targeted way.
  • Keep all software up to date: most cyber attacks exploit known vulnerabilities that an update would have fixed.
  • Limit user rights to what is strictly necessary, with periodic reviews. Give everyone only the access strictly necessary for the job (the 'least privilege' principle), and review those rights periodically: people change roles or leave. (Read more: Periodic access reviews)
  • Make sure you have regular backups against accidental loss of data.
Two principles that are often forgotten

Segment your network: your guest wifi does not need to reach your business data. And turn on logging, so that after an incident you can find out what exactly happened.

Theory · 3 of 4

Data and environmental security

Data security (Knowledge Base)

Personal data is always encrypted, both at rest (PC, server, smartphone, cloud) and in transit (email, https traffic). And: regular backups.

Environmental security (Knowledge Base)

Limit physical access to offices, paper records, printers, and computer rooms, via badges, locks, and so on. The GDPR is not only about digital data: paper records with personal data also belong under lock and key, and access to printers and archive rooms stays restricted.

Theory · 4 of 4

The human factor (Knowledge Base)

People are often the weakest link: someone clicks on a malicious link, leaves a laptop on the train, or emails the wrong attachment to everyone.

That is why awareness and training are essential; technology alone is not enough.

In practice: remember

Require strong passwords and 2FA, give only the necessary access rights, encrypt all personal data, make sure smartphones and PCs can be wiped remotely, and lock filing cabinets.

Example · 1 of 2

The laptop on the train

Case 1 An employee loses a work laptop

“A colleague leaves their work laptop with customer data on the train.”

Risk of a data breach. So: a strong login, disk encryption, and the ability to wipe the device remotely. And report a breach in time.

What do you do if it does go wrong? A data breach is any incident where personal data is lost or ends up in the wrong hands: a lost laptop, a hacked mailbox, a file sent to the wrong recipient. You often have to report within 72 hours. (Read more: Data breach: what it is and what to do)

Example · 2 of 2

“Everyone can access everything”

Case 2 No access restrictions

“All our employees have access to all software and all customer data, it makes things easy.”

Too broad. Restrict access to what each role strictly needs (least privilege) and review the rights periodically, especially when someone changes role or leaves.

Practice · question 1 of 2

(Not for points: choose the correct answer to continue.)

"What does it mean that your security is only as strong as the weakest link?"

Correct: you cannot do 'a bit' of security. Technology, people, and organisation must all hold together; the weakest link determines your real protection.

Practice · question 2 of 2

"When must personal data be encrypted?"

Correct: encrypt personal data both at rest (PC, server, smartphone, cloud) and in transit (email, https traffic).

Summary

What you take away from module 5

  • Security needs a holistic approach: you are as strong as the weakest link.
  • System and software: strong passwords + 2FA, limited access rights with reviews, and backups.
  • Encrypt personal data at rest and in transit; also secure the physical environment.
  • People are often the weakest link; awareness and training are essential.

Module complete

Module 5 complete 🎉

You now know how to protect personal data technically and organisationally. In module 6 we close out the four rules with the rights of data subjects.


On your way to your “GDPR essentials for SMEs” certificate

Complete all 8 modules and pass the final exam (at least 70%) to receive a personal certificate in your name, with a verifiable code.
