Nymity GDPR Handbook 2019 PDF
This document is provided “as is” without any express or implied warranty. This document does not constitute legal advice and if you require legal advice you should consult with an attorney. Nymity may not have addressed all legal requirements applicable to your organization and the document may need to be modified in order to comply with relevant law. Forwarding this document outside your organization is prohibited. Reproduction or use of this document for commercial purposes requires the prior written permission of Nymity Inc.
GDPR Accountability Handbook
The accountability principle in Article 5(2) of the GDPR requires organisations to demonstrate compliance with the principles of the GDPR. Article 24 sets out how organisations can do this by requiring the implementation of appropriate technical and organisational measures to ensure that organisations can demonstrate that the processing of personal data is performed in accordance with the GDPR.
Nymity’s research has identified 39 Articles under the GDPR that require evidence of a technical or organisational measure to demonstrate compliance and has mapped these to the Nymity Privacy Management Accountability Framework™ (described below). The result is the identification of 55 privacy management activities (also called technical or organisational measures) that, if implemented, may produce documentation that will help demonstrate ongoing compliance with GDPR compliance obligations. Not all 55 measures will apply to every organisation – rather, organisations will put in place the measures that are appropriate for their organisation (according to the risk-based considerations that run throughout the GDPR).
The principle of Accountability has received renewed attention because the GDPR mandates accountability as a legal obligation. However, it is not the first privacy law in the world to do so. Canada was the first jurisdiction to write an accountability requirement in its data protection law, which went into effect in stages and full effect in 2004.[1] Nymity, a Canadian-based global privacy compliance research and privacy compliance software company, was founded in 2002 to support the Privacy Office to meet the accountability requirements found in this law. Thus, in many ways, Nymity has been preparing to support Privacy Officers/DPOs for the requirements of the GDPR for the past 15 years.
In 2002, Nymity began its research on accountability and building compliance solutions for the Privacy Office/DPO. In 2011, Nymity augmented its accountability research with an initiative on demonstrating accountability to regulators. Nymity conducted workshops with privacy officers and with DPAs across the EU identifying what regulators expect of organisations to demonstrate accountability. This research revealed that no matter the industry or jurisdiction, Privacy Officers, DPOs and other privacy leaders in organisations conduct many of the same activities. This led to the development of the Nymity Privacy Management Accountability Framework™ which is used by thousands of Privacy Officers/DPOs to plan, structure, and report on their privacy management programmes. The Framework has been made available for free to the privacy community since 2014.
[1] Personal Information Protection and Electronic Document Act (PIPEDA) that came into force in three phases: 2001 for Federal Works and underpinning, 2002 for federal health care and 2004 for everyone else subject to the law.
In 2015, Nymity launched a series of practical workshops around the globe on the topic of “Getting to Accountability.” Over 500 Privacy Officers/DPOs in 22 countries attended a no-cost, full-day, hands-on workshop. The workshop was designed to equip those responsible for privacy management with knowledge on how to operationalise accountability by exploring strategies, tools, business cases, and a communication framework. The following resources are examples of some of Nymity’s thought leadership in accountability and compliance and are freely available on the Nymity website under “Resources.”
The knowledge gained from our practical, on the ground workshops and ongoing research is factored into all Nymity’s research and software solutions.
The results of both projects will be made available for free and organisations can participate in one or both projects with Nymity by contacting Nymity at info@nymity.com.
The Framework emerged out of our ongoing accountability research as a practical tool for organisations to structure privacy management in their organisation and operationalise accountability. It is not a checklist of activities that must be completed; rather it is a menu for accountability that can be adapted to any organisation. It is not based on principles or controls, but on privacy management activities (technical and organisational measures) that can be monitored and tracked. It is a comprehensive jurisdiction- and industry-neutral listing of 130+ technical and organisational measures that is structured into 13 data privacy management categories (e.g. “Manage Third-Party Risk” and “Maintain Training and Awareness Program”).
No two organisations’ accountability requirements are the same, and thus this Framework provides the flexibility necessary for planning, scaling, and communicating privacy management and is ideally suited to address the risk-based approach inherent in the GDPR. The appropriate technical or organisational measures to put in place are determined based on the organisation’s legal and regulatory compliance requirements, risk profile, business objectives, and the context of data processing (type of data processed, nature of processing, purpose for processing).
Accountability Mechanisms
Organisations that have taken an accountability approach to address privacy risk and privacy compliance put in place appropriate technical and organisational measures and have necessarily created what Nymity refers to as “Accountability Mechanisms.” Accountability Mechanisms include policies, procedures, guidelines, checklists, training and awareness activities, transparency measures, technical safeguards and other mechanisms that mitigate internal and external privacy risk. Taking an accountability approach to privacy risk compliance and putting in place effective Accountability Mechanisms to maintain appropriate technical and organisational measures has many advantages. An accountability approach to privacy compliance:
• Generates documentation that can be used as evidence allowing an organisation to demonstrate a compliance infrastructure to Regulators and business partners;
• Builds a culture of privacy, while minimising organisational privacy risk and maximising compliance;
• Provides the infrastructure for ongoing, efficient privacy management and privacy risk mitigation (specifically for the individual);
• Embeds privacy risk mitigation throughout the organisation (into business and operational units where data processing occurs);
• Empowers business units to assume responsibility for ensuring maintenance of Accountability Mechanisms.
This document is designed to support the ability of the Privacy Office in implementing an accountability approach to compliance with the GDPR. It provides a brief summary of each Article of the GDPR and maps compliance obligations to the Nymity Privacy Management Accountability Framework™, identifying 55 technical and organisational measures that can assist in establishing accountability within the organisation and ultimately the ability to demonstrate compliance. It lists examples of policies, procedures and other mechanisms (i.e. Accountability Mechanisms) that may result from putting in place the listed technical or organisational measure. Finally, it lists example evidence that indicates that the accountability mechanisms have been implemented and used appropriately.
It is structured as follows:

Annotation: An annotation explaining the meaning and impact of the Article.

Technical and Organisational Measures: A list of technical and organisational measures that once implemented may help:
1. Achieve ongoing compliance with the GDPR and,
2. Produce documentation that will help demonstrate compliance.
In some cases, the measure may not be applicable to your organization.

Example Accountability Mechanisms: A listing of possible policies, procedures, guidelines, checklists, training and awareness activities, transparency measures, technical safeguards and other mechanisms that may mitigate internal and external privacy risk. Accountability Mechanisms are produced when organisations put in place technical and organisational measures.

Example Evidence: A listing of sample evidence indicating that the accountability mechanisms have been implemented and used appropriately.
General Provisions
Article 1 – Subject Matter and Objectives
This Article provides the purpose of the GDPR. There are no accountability obligations formed by this Article.
Article 2 – Material Scope
This Article addresses the activities that are within or outside the scope of the GDPR. There are no accountability obligations formed by this Article.
Article 3 – Territorial Scope
This Article addresses the application of the GDPR to entities within and outside the European Union. There are no accountability obligations formed by this Article.
Article 4 – Definitions
This Article defines common terms in the GDPR. There are no accountability obligations formed by this Article.
Principles

Article 5 - Principles relating to personal data processing

Annotation:
Article 5 sets out the general principles that all processing activities must abide by, including:
• lawfulness, fairness and transparency;
• purpose limitation;
• data minimisation;
• accuracy;
• storage or retention limitation;
• integrity and confidentiality; and
• accountability.
The accountability principle states that data controllers are responsible for and able to demonstrate compliance with the data processing principles.
The principles are also built upon in the following Articles:
• lawfulness – see Articles 6, 9 and 10;
• transparency – see Articles 13 and 14;
• purpose limitation – see Article 6;
• integrity and confidentiality – see Article 32;
• accountability – see Article 24.
See also Recital 39.

Technical and Organisational Measures:
Conduct PIAs or DPIAs for changes to existing programs, systems, or processes
This privacy management activity addresses having policies and procedures to follow when there is a change to existing processes, programs or systems to ensure that data protection risks are measured, analysed and mitigated.
Conduct PIAs/DPIAs for new programs, systems, processes
This privacy management activity addresses guidelines on when a DPIA is required as part of the development process for new processing.
Integrate data privacy into an information security policy
This privacy management activity helps the privacy office insert privacy and data protection consideration into the information security policy.
Integrate data privacy into records retention practices
This privacy management activity helps the organisation embed data privacy into the records retention policy and procedure to ensure proper storage of personal data. It helps organisations put in place policies and procedures to ensure data is not kept in a form that permits identification of data subjects for longer than is necessary for the purposes for which it was processed unless the data is being archived for public interest, scientific, statistical, or historical purposes.
Maintain a data privacy policy
This privacy management activity helps the organisation create and maintain an organisational-level privacy policy to provide guidance to employees regarding the processing and protection of personal data to ensure that such processing aligns with the obligations of the GDPR. Where relevant (Article 91) it will also address specific data processing obligations that apply to organisations such as churches and other religious associations.
Maintain documentation as evidence to demonstrate compliance and/or accountability
documentation of the technical and organisational measures it has put in place in order to demonstrate compliance with the GDPR.
Maintain policies/procedures for maintaining data quality

Example Accountability Mechanisms:
Data privacy policy
Personal data inventory
Data privacy notices
Privacy threshold analysis
Data privacy training curriculum
Consent forms
Records retention schedule
Data accuracy policy and guidelines
Validation mechanisms in online forms
Information security policy
PKI (Encryption) Technology & Processes
Personal data access policy
Information security assessment process
Software tools for data masking

Example Evidence:
Record of data processing activities or the personal data inventory documents the legal basis for processing and purpose for processing
Enterprise privacy risk assessment
Copy of the privacy notice and details on the placement and timing of the notice
Results from DPIAs showing how determinations were made balancing the legitimate interests of the data controller against the interests or fundamental rights and freedoms of data subjects
Evidence that the Data Protection Officer’s opinion and advice was sought as part of the DPIA process
A copy of privacy training materials for staff and details on the time and attendance of participants
Audit of processing activities examining that:
• Only personal data necessary was collected and processed
• The retention schedule was followed
• Personal data maintained is accurate
Test results from testing of validation mechanisms
Test results from testing of security mechanisms
Information security assessments showing security risks were identified and mitigations put in place
Information security programme policies and procedures reflecting alignment with privacy objectives, legal compliance and risk
Audits of access to personal data to determine if existing procedures are appropriate based on the purpose for which the data was collected and the nature of the access
Tests of data masking software validating that tools are effective
Annotation:
well as how to determine when further processing is compatible with the original purposes for processing. Such grounds for processing are:
• with the data subject's consent;
• for contract performance;
• to comply with legal obligations under Union or Member State law;
• to protect the vital interests of a natural person;
• to perform a task in the public interest set out by Union or Member State law; or
• for the purposes of legitimate interests pursued by the data controller or a third party.
See Recitals 32, 40-50.

Technical and Organisational Measures:
Conduct PIAs or DPIAs for changes to existing programs, systems, or processes
This privacy management activity addresses having policies and procedures to follow when there is a change to existing processes, programs or systems to ensure that data protection risks are measured, analysed and mitigated.
Conduct PIAs/DPIAs for new programs, systems, processes
This privacy management activity addresses guidelines on when a DPIA is required as part of the development process for new processing.
Document legal basis for processing personal data
This privacy management activity addresses how the organisation determines the legal basis on which processing takes place and ensuring a record of this analysis.
Maintain policies/procedures for obtaining valid consent
Maintain policies/procedures for secondary uses of personal data
This privacy management activity addresses having policies and procedures that define how to handle situations when the organisation wishes to use personal data beyond the primary purpose. Secondary uses of data must be disclosed in information notices under Article 13 and 14.

Example Accountability Mechanisms:
Personal data inventory
Consent forms
Web forms using opt-in consent check boxes
Data privacy notice
Legitimate interest assessments
Procurement policy
Procedures for outsourcing
Litigation procedures
Website terms and conditions
Procedures for responding to requests from law enforcement

Example Evidence:
provided unambiguous consent
DPIAs demonstrating that the necessary safeguards were integrated into the data processing
Results from DPIAs showing how determinations were made balancing the legitimate interests of the data controller against the interests or fundamental rights and freedoms of data subjects
Personal data inventory that sets out what ground is relied on when processing
Records of processing activities, including underlying decisions on interpretation of the relevant legal provisions and grounds for processing
Documentation showing web forms used opt-in consent check boxes or buttons
Legal opinions related to the processing
Evidence that the Data Protection Officer’s opinion and advice was sought as part of the DPIA process
Article 7 - Conditions for consent

Annotation:
Article 7 sets out the standard for consent when relying on consent as a legal basis for processing personal data (demonstrable consent) and sensitive personal data (explicit consent).
See Recitals 32, 33, 42, 43, 58.

Technical and Organisational Measures:
Maintain policies/procedures for obtaining valid consent
This privacy management activity addresses the different components that make consent valid (e.g., freely given, specific and unambiguous) and how to update consent forms and mechanisms to ensure GDPR compliance.
Maintain procedures to respond to requests to opt-out of, restrict or object to processing
Implementing this privacy management activity will help organisations put in place processes to ensure that records of personal data are used in line with any restrictions, including not only uses by the data controller but also any restrictions on use by downstream recipients.

Example Accountability Mechanisms:
Consent forms
Web forms using opt-in consent check boxes
Scripts for providing notice and obtaining valid consent via phone
Procedure for responding to privacy-related queries, requests and complaints
Guidance for analysing and responding to data subject objections to processing (e.g. operating procedures or technical processes)

Example Evidence:
Evidence that web forms used opt-in consent check boxes or buttons
Completed written consent forms
Call center logs and recordings
Article 8 - Conditions applicable to a child's consent in relation to information society services

Annotation:
Article 8 provides that where the legal basis of consent is being relied on in relation to offering information society services to minors under the age of 16 (or to younger children not younger than 13, if the age threshold is lowered by Member State law), consent must be given or authorised by the holder of parental responsibility over the child. The controller must also make reasonable efforts to verify consent.
See Recitals 38, 58.

Technical and Organisational Measures:
Integrate data privacy into the organization’s use of social media practices
This privacy management activity addresses how the organisation uses social media to collect and disseminate information. Policies around social network use may address the collection and processing of personal data for children and minors to ensure such collection and processing adheres to the GDPR requirement that such consent be obtained by the holder of parental responsibility over the child.
Maintain a data privacy notice
This privacy management activity ensures that controllers put in place policies and procedures to ensure that the required information is provided to data subjects when their information is collected.
Maintain policies/procedures for collection and use of children and minors’ personal data
Maintain policies/procedures for obtaining valid consent

Example Accountability Mechanisms:
Social Media and Blogging Practices/Policies
Technical solutions for obtaining verifiable parental consent
Parental consent notice and forms
Data privacy notice
Scripts for Providing Notice via Phone

Example Evidence:
Completed consent forms
Email confirmations
Call-center recordings
Documentation that online Social Media Policies are posted and kept up to date
Copy of the information notice provided
Documentation showing that privacy notice is aligned to legal requirements
Details on the delivery and timing of the notice
Article 9 - Processing of special categories of personal data

Annotation:
Article 9 sets out a general prohibition on the processing of sensitive data, followed by legal grounds on which sensitive personal data can be processed. Sensitive data includes:
• racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade-union membership;
• genetic data;
• biometric data;
• data concerning health or sex life; and
• sexual orientation.
Grounds upon which sensitive data can be processed include:
• with explicit consent;
• for employment, social security, and social protection requirements;
• to protect vital interests of a natural person where consent cannot be obtained;
• for legitimate activities of non-profit organisations with political, philosophical, religious, or trade union aims;
• the data is made publicly available by the data subject;
• establishing, exercising or defending legal claims;
• for reasons of substantial public interest;
• for preventive or occupational medicine, assessing worker capacity, medical diagnosis, provision of health or social care, or managing the health or social care systems and services; or
• for reasons of public interest in areas of:
o public health;
o scientific or historical research purposes; or
o statistical purposes.

Technical and Organisational Measures:
Document legal basis for processing personal data
This privacy management activity addresses how the organisation determines the legal basis on which processing takes place and ensuring a record of this analysis.
Maintain policies/procedures for collection and use of sensitive personal data (including biometric data)
This privacy management activity helps the organisation put in place policies and procedures to ensure that special categories of personal data are processed only in accordance with the legal grounds set out in Article 9.

Example Accountability Mechanisms:
Data classification standard
Personal data processing record
Personal data inventory
Data privacy policy covering the processing of special categories of personal data
Consent forms
Web forms using opt-in consent check boxes
Trade union agreements
Works Council agreements
Litigation procedures

Example Evidence:
Completed consent forms/evidence of explicit consent
Proof that employees have been trained on the privacy policy and the handling of special categories of personal data
The personal data inventory maintains a log of sensitive data and indicates the basis for such processing
Relevant statements of claim or defence, or other documents pertaining to a legal claim
Documentation concerning any law enforcement requests or emergencies requiring disclosure of data
Legal opinions relating to the disclosure
Lawful authority setting out requirement for processing
Records of processing activities, including identification of special categories of personal data
This Article provides that once the purposes of processing have been achieved, data controllers are not required to maintain identifying data for the purpose of complying with the GDPR. Where identifying data is not maintained, the data controller is exempt from responding to requests by data subjects to exercise their rights under the GDPR unless the data subject provides sufficient information that they can be identified.
Since this Article is permissive, in that you do not need to maintain data, but you also are not required to destroy it, there are no accountability obligations formed by this Article.
Data Subject Rights
Article 12 - Transparent information, communication and modalities for exercising the rights of the data subject

Annotation:
This Article requires that when data controllers are providing information to data subjects, whether through privacy notices, in communications regarding access, rectification, correction and objection rights, or as part of breach notifications, the communication must be in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Information may be provided in writing, electronically (where appropriate), or orally (if the identity of the data subject is verified).
The Article also addresses how controllers must respond to data subjects’ rights, including the duty to facilitate the exercise of such rights, the timing of responses, identifying data subjects, and fees.
Finally, the Article confirms that privacy notices may be provided in combination with standardised icons, which can convey a meaningful overview of the processing activities.
See Recitals 58-60.

Technical and Organisational Measures:
Maintain a data privacy notice
This privacy management activity is around publishing external-facing notice of the organisation's processing activities. These notices need to reflect the GDPR obligations around clear and plain language, as well as be transparent and concise.
Maintain policies/procedures for collection and use of children and minors’ personal data
This privacy management activity helps the organisation put in place certain policies and procedures to ensure that consent is given or authorised by the holder of parental responsibility over the child when information services are offered directly to a child.
Maintain policies/procedures to review processing conducted wholly or partially by automated means
This privacy management activity supports determining whether processing activities are captured by the restriction on automated decision-making and presents options for achieving compliance. As part of this activity, data controllers must implement measures to safeguard the data subject's rights and freedoms and legitimate interests. These measures (e.g., providing a right to express a point of view and contest the decision) would need to adhere to Article 12's requirements around clarity of communication, time frames and appropriate responses.
Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol

Example Accountability Mechanisms:
Data privacy notice
Supporting guidelines indicating how and when privacy notices are communicated to individuals (just in time notice, icons, scripts, etc.)
Procedures for handling customer requests to exercise their rights
Breach notification protocol that addresses use of clear and plain language

Example Evidence:
Copy of the data privacy notice provided to data subjects and details on the placement and timing of the notice
Documentation showing that the data privacy notice is aligned to legal requirements
Workflow for responding to requests demonstrating that procedures are being followed
Random audit of files demonstrating use of templates in communications with requesters
Notification letters sent following a breach
Annotation:
where personal data relating to data subjects are collected, controllers must provide certain minimum information to those data subjects through an information notice. It also sets out requirements for timing of the notice and identifies when exemptions may apply.
See Recitals 60-62.

Technical and Organisational Measures:
Maintain a data privacy notice
This privacy management activity ensures that controllers put in place policies and procedures to ensure that the required information is provided to data subjects when their information is collected.
Maintain policies/procedures for secondary uses of personal data
This privacy management activity addresses having policies and procedures that define how to handle situations when the organisation wishes to use personal data beyond the primary purpose. Secondary uses of data must be disclosed in information notices under Article 13 and 14.

Example Accountability Mechanisms:
Mobile data privacy notice
Short form/condensed data privacy notice
Translated data privacy notice
Data privacy notice language for hard copy forms
Data privacy notice signage
Data privacy notice in marketing communications
Data privacy notice in contracts and terms
Scripts for providing notice via phone

Example Evidence:
Documentation showing that privacy notice is aligned to legal requirements
Details on the placement and timing of the notice
Copies of contracts showing requirements for privacy notice language
Records of training sessions with call center reps providing instruction on how to provide notice via phone
(row continued from the previous page)
Annotations (continued): ...being processed, where it is being processed and have access to the data. Additionally, it lists further information that should be supplied:
• Purpose of processing;
• Categories of data;
• Recipients of data;
• Data storage period;
• Rights to rectification & complaint;
• Source of data;
• Existence of automated processing, associated logic and consequences; and
• Safeguards for transfer to third countries or international organisations.
The costs and timeframe for this right are addressed in Article 12.
Technical and Organisational Measures (continued): ...procedures needed to ensure that an organisation can respond to access requests in a timely and appropriate manner, providing the data held on the data subject. If implemented, this activity may demonstrate that the right to access is understood and provided for.
Example Accountability Mechanisms:
• Subject access request log
• Procedures for responding to customer requests and preferences
• Customer service/privacy mailbox
• Form for the supply of additional data required for access requests
Example Evidence:
• Random audit of files that demonstrates that templates are used in communications with requesters
• Documentation that customer service mailbox is tested to verify that the mailbox is monitored and responded to
• Log tracking subject access requests validates that timelines for responses are met
• Completed forms showing the additional data supplied for access requests
Article 16 - Right to rectification
Annotations: This Article addresses the right of data subjects to obtain rectification of inaccurate data or completion of incomplete data. See Recital 65.
Technical and Organisational Measures:
• Maintain procedures to respond to requests and/or provide a mechanism for individuals to update or correct their personal data. This privacy management activity helps put in place mechanisms to ensure that appropriate corrections to records of personal data are made in a timely and effective manner.
Example Accountability Mechanisms:
• Protocol or procedure for responding to rectification requests
• Procedures for responding to customer requests and preferences
• Customer/employee/user portal to update data
• Customer service/privacy mailbox
Example Evidence:
• Audit results that the protocols are being adhered to
• Customer service mailbox is tested to verify that the mailbox is monitored and responded to
• Test results for portal functionality
Article 17 - Right to erasure ("right to be forgotten")
Annotations: This Article addresses the right of data subjects to obtain from the data controller the erasure of personal data based on certain grounds:
• data are no longer necessary for processing;
• withdrawal of consent;
• objection to processing;
• data were processed unlawfully;
• compliance with a legal obligation; and
• data were collected about children and minors in relation to an information society service.
Exceptions apply.
Technical and Organisational Measures:
• Maintain procedures to respond to requests to be forgotten or for erasure of data. This privacy management activity outlines the processes to ensure that personal data are deleted upon request, where appropriate, in a timely and effective manner.
Example Accountability Mechanisms:
• Protocol or procedure for responding to right to be forgotten requests
• Procedures for responding to customer requests and preferences
• Customer or user portal to update data
• Customer service/privacy mailbox
Example Evidence:
• Audit results that the protocols are being adhered to
• Customer service mailbox is tested to verify that the mailbox is monitored and responded to
• Test results for portal functionality
(row continued from the previous page)
Annotations (continued): See Recital 67.
Technical and Organisational Measures (continued): ...use by downstream recipients.

Article 19 - Notification obligation regarding rectification, erasure or restriction
Annotations: This Article creates an obligation to notify each recipient to whom data has been disclosed of any rectification, erasure or restriction of processing. There is also an obligation to provide information to the data subject about these recipients upon request. There is an exception to such notification if it proves impossible or involves disproportionate effort.
Technical and Organisational Measures:
• Maintain procedures to respond to requests and/or provide a mechanism for individuals to update or correct their personal data. This privacy management activity helps put in place mechanisms to ensure that appropriate corrections to records of personal data are made in a timely and effective manner.
• Maintain procedures to respond to requests to opt-out of, restrict or object to processing. ...only records held by the data controller but also those held by downstream recipients.
• Maintain procedures to respond to requests to be forgotten or for erasure of data
Example Accountability Mechanisms:
• Procedures for responding to customer requests and preferences
• Personal data inventory
• Personal data flow charts
• Data privacy and security requirements for third parties
Example Evidence:
• Audit results that the protocols are being adhered to
• Communications with data recipients
• Personal data inventory indicates recipients of data
• Data flows indicate third party recipients of data
• Agreements with third parties address notification regarding any requests for rectification, erasure or restriction
(row continued from the previous page)
Annotations (continued):
• scientific or historical research or statistical purposes.
When a data subject makes a right to object, the data controller must cease processing the personal data unless one of the exceptions applies (no exception applies to direct marketing processing). See Recitals 69, 70.
Technical and Organisational Measures (continued): ...subjects to review the organisation's privacy notice at the point of data collection.
• Integrate data privacy into research practices. This privacy management activity generally deals with how an organisation maintains procedures for research practices including processes to obtain personal data for research purposes, ensuring valid consents are obtained, de-identifying data where possible, and taking measures to ensure that research data maintained for scientific, historical or statistical research is safeguarded against improper use.
Example Accountability Mechanisms (continued): ...(e.g. operating procedures or technical processes)
• Printed advertising materials containing information on how to opt-out of receiving marketing offers
Example Evidence (continued): ...forms for submitting requests
(row continued from the previous page)
Annotations (continued): ...or with explicit consent of the data subject) and includes suitable safeguards. There is a prohibition against using sensitive data as part of automated decision making unless 1) the processing takes place with explicit consent of the data subject (unless banned by Member State law) or 2) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law.
Technical and Organisational Measures (continued): ...controllers must implement measures to safeguard the data subject's rights and freedoms and legitimate interests. These measures (e.g., providing a right to express a point of view and contest the decision) would need to adhere to Article 12's requirements around clarity of communication, time frames and appropriate responses.

This Article provides that Union or Member State law may create restrictions on the scope of data subject rights, and thus the obligations on data controllers.
Controller and Processor General Obligations
Article 24 - Responsibility of the controller
Annotations: Article 24 requires the data controller to implement appropriate technical and organisational measures to ensure and be able to demonstrate compliance with the GDPR. The appropriateness of these measures is based on a risk assessment that takes into account the nature, scope, context, and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of individuals. There is a specific reference that, where proportionate in relation to the processing activities, data protection policies shall be implemented. See Recitals 74-77.
Technical and Organisational Measures:
• Conduct an enterprise privacy risk assessment. This privacy management activity enables the privacy office to identify issues and risks and determine, based on the likelihood and impact, where to prioritise resources to mitigate the risks. Note that this privacy management activity refers to high level risk assessments, not project or initiative based risk assessments which are addressed in privacy management category 10, Monitor for New Operational Practices.
• Maintain a data privacy policy. This privacy management activity helps the organisation create and maintain an organisational-level privacy policy to provide guidance to employees regarding the processing and protection of personal data to ensure that such processing aligns with the obligations of the GDPR.
• Conduct self-assessments of privacy management
• Maintain documentation as evidence to demonstrate compliance and/or accountability
Example Accountability Mechanisms:
• Data privacy policy
• Enterprise privacy risk assessment
• Privacy self-assessment
• Readiness assessments
• Privacy compliance software tools
Example Evidence:
• All evidence obtained from complying with the other articles may be leveraged to support demonstrating compliance with the GDPR overall
• Risk assessments showing risks of likelihood and severity for individuals' rights and freedoms have been measured and mitigated by the measures put in place
• Audits and assessments verifying compliance with the data privacy policy and the GDPR
(row continued from the previous page)
Annotations (continued): ...appropriate technical and organisational measures (e.g., pseudonymisation) to implement the data protection principles set out in Article 5 (such as data minimisation) and integrate necessary safeguards into the processing to meet the GDPR requirements. Data controllers must also implement data protection by default, i.e. implement appropriate technical and organisational measures to ensure that, by default, only personal data necessary for each specific purpose are processed. The concept of "necessary" informs the amount of data collected, extent of processing, and retention and accessibility of data. ...personal data are not made accessible to an indefinite number of individuals. Adherence with an approved certification mechanism (as described in Article 42) may be used as an element to demonstrate compliance with these requirements.
Technical and Organisational Measures (continued): ...This privacy management activity addresses having policies and procedures to follow when there is a change to existing processes, programs or systems to ensure that data protection risks are measured, analysed and mitigated.
• Integrate Privacy by Design into data processing operations. This privacy management activity addresses frameworks to help engineers and application developers embed privacy-protective mechanisms into the fundamental design of processing activities.
Example Accountability Mechanisms:
• PIA/DPIA tool
• Application development protocols
• Information security assessment process
• Software tools for aggregation, data masking, or pseudonymisation
• Policies for de-identification of data
Example Evidence:
• DPIAs consider privacy by design as part of the privacy impact mitigation
• Information security assessment demonstrates data protection measures were based on an assessment of risk
• Verified compliance with policies and procedures for data minimisation, pseudonymisation, and anonymisation
• Test results verifying that data sets were anonymised or pseudonymized
• Test results showing an inability to reidentify data sets
(row continued from the previous page)
Annotations (continued): ...GDPR. The "essence" of the arrangement must be made available to the data subject and regardless of any arrangements to the contrary, data subjects may exercise their rights against either data controller.
Technical and Organisational Measures: See additional measures in Article 12 and 15-21
Example Accountability Mechanisms:
• Procedure for responding to privacy-related queries, requests and complaints

Article 27 – Representatives of controllers not established in the Union
Annotations: In cases where a non-EU data controller or data processor is offering goods or services (paid or free) to EU data subjects, or is monitoring the behaviour of data subjects within the EU, the data controller or processor must designate in writing a representative in the EU. Representatives are legal or natural persons who represent the controller or processor with respect to their obligations under the GDPR and must be established in the same Member State as the data subjects who are being monitored or to whom goods or services are offered.
Technical and Organisational Measures:
• Assign responsibility for data privacy to an individual (e.g. Privacy Officer, General Counsel, CPO, CISO, EU Representative). This privacy management activity addresses how organisations assign a point of contact or responsibility for the operational aspects of a privacy programme to an individual.
Example Accountability Mechanisms:
• Defined privacy roles and responsibilities
• Contract template for representative function
Example Evidence:
• Written contract or agreement with the representative
• Assessment/legal opinion of whether a representative must be appointed
• Written mandate for the Representative to act on behalf of the controller or processor
• Documentation of communication of the Representative, e.g. within a privacy notice or via a website
(row continued from the previous page)
Annotations (continued): ...measures to guarantee GDPR compliance and to have a contract or binding act that governs the relationship. The contents of such a contract are set out. The Article also limits the ability of processors to subcontract without consent of the data controller, and what guarantees need to be in place in this arrangement. See Recital 81.
Technical and Organisational Measures (continued): ...diligence is necessary as part of ensuring that processing is only done by entities with sufficient data protection guarantees.
• Maintain data privacy requirements for third parties (e.g., clients, vendors, processors, affiliates). This privacy management activity helps the organisation determine what data protection requirements are needed for contracts with third parties who receive and use the personal data on behalf of the organisation.
• Maintain procedures to execute contracts or agreements with all processors. This privacy management activity addresses steps taken to ensure written or electronic contracts are in place with processors.
Example Accountability Mechanisms:
• Contracts with third parties processing data
• Procurement policy
• Vendor third party assurance
• Vendor due diligence
• Contracts for hosted resources
• Standard Contractual Clauses template
• Data transfer agreement template
Example Evidence:
• ...code of conduct or certification mechanism
• Copies of standard contractual clauses used in processing agreements
• Vendor self-assessment
• Due diligence checklists are completed
• Due diligence checklists are completed again upon contract renewal
• Vendor due diligence renewal
Article 29 - Processing under the authority of the controller and processor
Annotations: This Article indicates that processors and staff of controllers and processors must only process personal data in accordance with either data controller instructions or a requirement of Union or Member State law. See Recital 81.
Technical and Organisational Measures:
• Maintain procedures to execute contracts or agreements with all processors. This privacy management activity addresses steps taken to ensure written or electronic contracts are in place with processors.
Example Accountability Mechanisms:
• Data privacy and security requirements for third parties
• Contracts with third parties processing data
• Contracts for hosted resources
• Procurement policy
• Employment agreement outlining security and privacy responsibilities
• Code of Conduct
Example Evidence:
• Data processing agreements or contracts include limitations on processing
• Employment contracts address privacy and security obligations on employees
• Audit of HR records verifies that a random sample of employees all have signed employment contracts in place
• Acknowledgement of the Code of Conduct is obtained and maintained
Article 30 - Records of processing activities
Annotations: Article 30 sets out a detailed list of information that must be maintained as records of processing activities carried out by and on behalf of the controller, as well as the requirement to make the records available to data subjects and Supervisory Authorities upon request.
Technical and Organisational Measures:
• Maintain an inventory of personal data and/or processing activities. This privacy management activity will help the privacy office develop an inventory of processing activities that addresses the information required to be maintained.
Example Accountability Mechanisms:
• Records of processing activities
• Personal data inventory
• Ad hoc walk-throughs and assessments
Example Evidence:
• A record listing the purposes of data processing, categories of data and data subjects, categories of recipients and the country they are located in, applicable transfers, retention periods, and other details set out in Article 30
• Personal data inventory that includes required fields
This Article introduces an obligation on controllers, processors and representatives to cooperate with supervisory authorities in the performance of their tasks. This obligation only arises in the context of an action from the supervisory authority, and compliance could take the form of providing requested documents in a timely manner, allowing access to premises and processing equipment, and not obstructing any investigation. As this activity relates to participation in enforcement and oversight, no accountability obligations are created.
Data Security
Article 32 - Security of processing
Annotations: Article 32 requires an "appropriate" level of security based on the state of the art and costs of implementation, processing activities, and risk of varying likelihood and severity to individuals' rights and freedoms. Examples are provided of measures that might be appropriate depending on the level of risk:
• pseudonymisation or encryption;
• the ability to ensure the confidentiality, integrity, availability, and resilience of systems and services processing personal data;
• the ability to restore availability of and access to data in the event of an incident; or
• regular tests of the effectiveness of security measures.
Article 32 also requires that any person with access to personal data only processes such data in accordance with instructions from the data controller. See Recital 83.
Technical and Organisational Measures:
• Integrate data privacy into security risk assessments. This privacy management activity addresses the role of the privacy officer in ensuring privacy and data protection are taken into account as part of security risk assessments.
• Maintain measures to encrypt personal data. This privacy management activity helps the privacy office put in place encryption practices as an appropriate technical and organisational measure to ensure an appropriate level of security.
• Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring). This privacy management activity helps the privacy office assess what technical security measures are in place to ensure an appropriate level of security based on the considerations set out in Article 32.
• Integrate data privacy into an information security policy. This privacy management activity helps the privacy office insert privacy and data protection consideration into the information security policy.
• Conduct regular testing of data security posture. This privacy management activity helps the organisation address the requirement to put in place a technical or organisational measure to ensure the security of the processing of personal data.
• Maintain procedures to restrict access to personal data (e.g. role-based access, segregation of duties)
Example Accountability Mechanisms:
• Information security assessment process
• Information security policy
• Data classification standard
• ISO certification
• SOC 2/3 certification
• ITIL certification
• IT tools for monitoring network activity
• PKI (encryption) technology & processes
• Symmetric encryption
• Encrypted communication channels
• Acceptable use policy
• Information security audit of system access privileges
• Personal data access policy
• Password parameters
• Data center security measures (e.g., biometrics, access restriction, monitoring)
• Electronic badge access system
• Physical records room with locked doors
• Restricted access to backup tapes and media
• Clean desk policy
• Employee agreement outlining security and privacy responsibilities
• Employee termination checklist
Example Evidence:
• Information security assessment demonstrates measures were based on an assessment of risk
• Information security policies and procedures reflect alignment with privacy objectives, legal compliance and risk management
• Audit results verify compliance with security policies
• Contracts with employees and contractors limit the processing of personal data
• Audits of access to personal data determine if appropriate access levels are maintained and verify need-to-know principle is implemented
• Register of employees and contractors detailing access rights to IT systems and data
• Audits of access to personal data to determine if existing procedures are appropriate based on the purpose for which the data was collected and the nature of the access
• Testing of security software validates proper functioning of the software
• Penetration testing
• Verified compliance with policies and procedures for data minimisation, pseudonymisation, and anonymisation
• Test results verifying that data sets were anonymised or pseudonymized
• Test results showing an inability to reidentify data sets
• Testing of the business continuity plan
Article 33 – Notification of a breach to the DPA
Annotations: Article 33 makes it mandatory to notify supervisory authorities in the event of a data breach that poses a "risk of harm". The notification is expected without undue delay and where feasible within 72 hours. As well, detailed content requirements are set out for the notification letter. The circumstances of the data breaches must also be documented. See Recitals 85, 87, 88.
Technical and Organisational Measures:
• Maintain a data privacy incident/breach response plan. This privacy management activity helps organisations create a breach response infrastructure that will facilitate compliance with the specific requirements under Article 33 respecting timing requirements for notification and the content of a notification letter. It further ensures that recordkeeping requirements are captured.
• Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol. ...organisation identify items that need to be addressed in determining timing and content of notifications to DPAs.
Example Accountability Mechanisms:
• Data breach response plan
• Data breach notification protocol
• Data breach metrics
• Data breach response plan testing
• Data breach reports
• Incident and breach summary forms
• Information loss report and management form
• Contact list for breach response team
Example Evidence:
• Test results of the incident response protocol demonstrates that steps taken following a data breach ensure the organisation is in a position to provide notification if a risk is found
• Notification letters sent in response to breach events
• Metrics around letters sent and number of events requiring notification vs events not requiring notification
• Log entries demonstrating that the required detail is documented
• Completed incident summary forms

(row continued from the previous page)
Technical and Organisational Measures (continued): ...respecting timing requirements for notification and the content of a notification letter. It further ensures that recordkeeping requirements are captured.
• Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol
Example Accountability Mechanisms:
• Data breach response plan testing
Example Evidence:
• Metrics around letters sent and number of events requiring notification vs events not requiring notification
• Test results showing that the breach response plan complies with the GDPR
(row continued from the previous page)
Annotations (continued): ...controllers to assess the impact of processing operations on the protection of personal data where the processing is likely to result in a high risk for the rights and freedoms of data subjects. When carrying out the DPIA, the controller must seek the advice of the Data Protection Officer (when designated).
When DPIAs are required: The processing activities in which a DPIA is required are:
• automated decision-making, including profiling, that produce legal or similarly significant effects;
• large scale processing of special categories data referred to in Article 9(1) (e.g. health, sex life, race or ethnic origin, or biometric data) or data referred to in Article 10, related to criminal convictions or offences; or
• large scale, systematic monitoring of a publicly accessible area.
Supervisory authorities have the discretion to make a public list of additional kinds of processing that will require DPIAs and processing for which DPIAs will not be required.
DPIA content requirements: DPIAs should contain:
• a description of the processing activities being assessed;
• an assessment of the risks to data subjects; or
• a description of the measures the controller will take to address these risks, including the safeguards, security measures and mechanisms that the controller will implement to ensure compliance with the GDPR.
Finally, if the risks posed by the processing change, a review must be conducted to assess whether processing still complies with the DPIA. See Recitals 84, 89-93.
Technical and Organisational Measures (continued): ...guidelines on how to conduct a DPIA to analyse the processing of personal data and determine risks to such personal data. It helps organisations ask questions during the development of their processing programs to take into account the available technology, cost of implementation, nature, scope, context, and purposes of processing, and measures that could be applied to protect the rights of data subjects (e.g., pseudonymisation).
• Conduct PIAs/DPIAs for new programs, products. This privacy management activity addresses guidelines on when a DPIA is required as part of the development process for new processing.
• Engage external stakeholders (e.g., individuals, privacy advocates) as part of the PIA/DPIA process. This privacy management activity helps the organisation develop guidance on how to consult with external parties as part of the DPIA process.
• Conduct PIAs or DPIAs for changes to existing programs, systems or processes. This privacy management activity addresses having policies and procedures to follow when there is a change to existing processes, programs or systems to ensure that data protection risks are measured, analysed and mitigated.
• Track and address data protection issues identified during PIAs/DPIAs. This privacy management activity ensures the organisation treats similar data protection issues consistently and allows for learning from one PIA/DPIA to be applied to subsequent PIAs/DPIAs.
Example Accountability Mechanisms:
• PIA/DPIA template
• PIA/DPIA tool
• Privacy threshold analysis
• Procedures or guidance on when to seek DPO input
• Procedures to consult stakeholders
• Procedures for handling privacy issues in new systems
• Procedures for handling privacy issues in new systems, processes
• Guidelines and policies on when to reach out to the supervisory authorities to assess risk mitigation
Example Evidence:
• ...were integrated into the data processing
• Threshold analyses demonstrating assessments of whether a high risk exists such that a full DPIA is required
• Sample communications between the DPO and the lines of business on DPIAs
• Evidence that consultations were held with affected populations or their representatives where appropriate (e.g., advocates, community groups)
• Assessments/reviews of processing activities in light of new or changes to risks
• Evidence that Data Protection Officer's opinion and advice was sought as part of the DPIA process
• Log tracks DPIA outcomes and implementation of mitigating controls
• Evidence that consultations were held with affected populations or their representatives where appropriate (e.g., advocates, community groups)
• Reviews of and updates to existing Accountability Mechanisms
Article 36 - Prior consultation
Annotations: This Article requires data controllers to consult with the supervisory authority when a DPIA indicates that processing would result in a high risk to data subjects. The Article lists the minimum information the data controller needs to provide to the supervisory authority. Within 8 weeks (an additional 6 weeks may be provided for complex processing), the supervisory authority shall give advice on whether the intended processing complies with the GDPR.
Technical and Organisational Measures:
• Report PIA/DPIA analysis and results to regulators (where required) and external stakeholders (if appropriate). This privacy management activity addresses when and how to report PIAs/DPIAs to supervisory authorities. Determinations around whether such reporting is required and documentation that consultations were executed would demonstrate compliance with the GDPR.
Example Accountability Mechanisms:
• Data protection impact assessment ("DPIA") guidelines
• PIA/DPIA template
• PIA/DPIA tool
• Communication templates
Example Evidence:
• DPIAs identify high risk processing
• Correspondence with the supervisory authority seeking advice regarding the intended processing
• Responses from the supervisory authority providing advice regarding the processing
Additionally, the independence of the Onboarding protocol for The DPO’s contact
appointment may be office, funding and the DPO function details are published on
required by specific Union resourcing the office, the organization’s
or Member State law. The addressing the resolution website
DPO must have expert of conflicts of interest,
knowledge of data and stressing the DPO’s Onboarding protocol
protection law. They may responsibility for includes reporting the
be an employee or third oversight of all DPO contact details to
party under contract. Their processing activities. the supervisory authority
contact details must be
published and given to the Communication with the
Supervisory Authority. supervisory authority
providing the DPO
See Recital 97. contact details
[Table columns: Annotations | Technical and Organisational Measures | Example Accountability Mechanisms | Example Evidence]

Article 38 - Position of the data protection officer (DPO)

Annotations: Article 38 positions the DPO within the organisation, requiring involvement in all issues relating to the processing of personal data, sufficient resources, independence in the performance of the DPO's tasks, and direct reporting to the highest management level. The DPO shall also be available to be contacted by data subjects. See Recital 97.

Technical and Organisational Measures:
• Appoint a Data Protection Officer in an independent oversight role. This privacy management activity addresses the appointment of a Data Protection Officer, including assignment of tasks. In order to achieve GDPR compliance, the assignment of responsibility for privacy includes the broader organisation, guaranteeing the independence of the office, funding and resourcing the office, addressing the resolution of conflicts of interest, and stressing the DPO's responsibility for oversight of all processing activities.
• Conduct regular communication between the privacy office, privacy network and others responsible/accountable for data privacy. ... be involved in all issues relating to the processing of personal data.

Example Accountability Mechanisms: PIA/DPIA template; Budget for the DPO function; Policy on conflicts of interest; Formal reporting structures; Defined privacy roles and responsibilities; Privacy steering committee; Procedure for responding to privacy-related queries, requests and complaints; Data privacy notice; Procedures or guidance on when to seek DPO input.

Example Evidence:
• DPIA guidelines address when to involve the DPO in processing decisions
• Each required task of the DPO is a line item in the budget for the DPO function
• Potential conflicts of interest are reported and documented
• Sample communications through established reporting structures
• Data privacy notice includes the DPO's contact details
• The DPO's contact details are published on the organisation's website
• Sample communications between the DPO and the lines of business
Article 39 - Tasks of the data protection officer

Annotations: Article 39 sets out the tasks of the DPO: advise the controller or processor and its employees of their data protection obligations; monitor compliance, including the assignment of responsibilities, training and audits; advise on and monitor data protection impact assessments; cooperate with and act as the contact point for the supervisory authority; and, in performing these tasks, have due regard to the risk associated with the processing. See Recital 97.

Technical and Organisational Measures:
• Maintain roles and responsibilities for individuals responsible for data privacy (e.g. job descriptions). This privacy management activity addresses defining the privacy roles in an organisation through job descriptions, by contract or by other methods.
• Conduct an Enterprise Privacy Risk Assessment. This privacy management activity enables the privacy office to identify issues and risks and determine, based on likelihood and impact, where to prioritise resources to mitigate the risks. Note that this privacy management activity refers to high-level risk assessments, not project- or initiative-based risk assessments, which are addressed in privacy management category 10, Monitor for New Operational Practices.
• Conduct privacy training. This privacy management activity addresses the need for the DPO to provide awareness-raising and training of staff involved in processing operations; implementing such activities would produce documentation that could serve as evidence of compliance with this requirement.
• Conduct self-assessments of privacy management.
• Maintain PIA/DPIA guidelines and templates. This demonstrates that advice from the DPO on DPIAs is asked for and delivered; a sign-off procedure that involves the DPO would demonstrate that the DPO is involved in monitoring DPIAs in the business.
• Identify ongoing privacy compliance requirements, e.g., law, case law, codes, etc.

Example Accountability Mechanisms: Job descriptions for data protection-related roles; Contract templates for DPO functions (if outsourcing); Defined privacy roles and responsibilities; Privacy steering committee; Data privacy training curriculum; Data protection as a regular agenda item for the board; Data protection impact assessment templates; Data protection impact assessment tool; Procedures or guidance on when to seek DPO input; Process to track privacy compliance requirements.

Example Evidence:
• The job description for the DPO addresses the specific tasks set out by Article 39
• A contract with the DPO sets out the specific tasks set out by Article 39
• Documentation showing the content and delivery of a training and awareness programme
• Board-level reports on data protection compliance
• Documentation to show the DPO has kept DPIA guidance up to date and that the DPO monitors DPIA performance
• Sample communications between the DPO and the lines of business
• Logs showing employee completion rate of privacy training
• Subscriptions (free or paid) to privacy law research reporting services
• Certification of attendance at privacy and data protection conferences
• Evidence of consultations with law firms
Article 40 – Codes of conduct
This Article allows industry associations or other bodies to draw up codes of conduct that specify the application of the GDPR in areas such as pseudonymisation, data subject rights, children's data, security and breach notification, cross-border transfers, and dispute resolution. A draft code is approved by the competent supervisory authority; where the code relates to processing in several Member States, the supervisory authority submits it to the European Data Protection Board for an opinion, and the Commission may then declare the code to have general validity within the Union. One benefit of adhering to an approved code is that Article 40(3) allows adherence by a controller or processor outside the EU, combined with binding and enforceable commitments, to count as an appropriate safeguard for international transfers under Article 46. The creation of such codes is permissible rather than mandatory, and therefore there are no accountability obligations formed by this Article.
Article 41 – Monitoring of approved codes of conduct
This Article provides that monitoring of compliance with an approved code of conduct may be performed by a body accredited for that purpose by the competent supervisory authority. The Article goes on to set out the conditions under which such a body may be accredited. Therefore, there are no accountability obligations formed by this Article.
Article 42 – Certification
This Article provides that data protection certification mechanisms, seals and marks are to be encouraged, and that controllers and processors may seek certification of their processing activities. If seeking such certification, the controller or processor must provide the certification body with all information and access to its processing activities necessary to conduct the certification procedure. As certification is voluntary, there are no accountability obligations formed by this Article.
Article 43 – Certification body and procedure
This Article provides for the creation of certification bodies that will be in charge of issuing and renewing the data
protection certifications. Therefore, there are no accountability obligations formed by this Article.
Cross-Border Data Transfers
Article 44 – General principle for transfers
This Article sets out that transfer may only take place if the GDPR provisions around data transfers are complied
with. Thus, an organisation that transfers personal data to a third country or international organisation must retain
evidence of compliance with the provisions below.
Depending on what basis the organisation intends to rely on to legitimise the data transfer, see example types of evidence
under:
• Article 45 – adequacy;
• Article 46 – appropriate safeguards;
• Article 47 – BCRs;
• Article 48 - not authorised by Union law; or
• Article 49 – derogations.
Article 45 – Transfers on the basis of an adequacy decision

Annotations: This Article provides that personal data may be transferred to a third country or international organisation where the Commission has decided that the country or organisation ensures an adequate level of protection. This ground is one of several bases on which data may be transferred abroad. In general, when transferring personal data to third countries, organisations will need to track the basis on which they are transferring such data. If relying on an adequacy decision, organisations should keep a record of the decision and ensure that, for the duration of the transfer(s), the adequacy decision remains valid (the Commission reviews adequacy decisions periodically and may repeal, amend or suspend them). See Recitals 103-107.

Technical and Organisational Measures:
• Maintain documentation of the transfer mechanism used for cross-border data flows (e.g., model clauses, BCRs, regulator approvals). This privacy management activity supports the privacy office in managing international data flows and tracking their use of cross-border transfer mechanisms.
• Use adequacy or one of the derogations (e.g. consent, performance of a contract, public interest) as a data transfer mechanism. This privacy management activity addresses relying on an adequacy decision, or on a derogation from the requirement that personal data be sent only to third countries that provide an "adequate" level of protection for personal data.

Example Accountability Mechanisms: Personal data inventory; Records of processing activities; Procedures for outsourcing; Contract templates; Procurement policy.

Example Evidence:
• The records of processing activities maintain a log of data transfers and indicate the basis for each transfer
• Copy of the adequacy decision supporting the transfer
• Contracts limit the location of data processing to countries that have received positive adequacy findings
Article 46 – Transfers by way of appropriate safeguards

Annotations: In cases where a third country has not been assessed by the Commission as providing an adequate level of data protection, this Article provides that controllers or processors may transfer personal data to that country provided appropriate safeguards, enforceable data subject rights and effective legal remedies are in place. Appropriate safeguards may be:
• Legally binding and enforceable instruments between public bodies;
• Binding corporate rules;
• Standard contractual clauses;
• An approved code of conduct; or
• An approved certification mechanism.
Reliance on one of those safeguards does not require a specific authorisation from the supervisory authority. Alternatively, appropriate safeguards may be provided through other contractual clauses, or through administrative arrangements between public bodies; these require specific authorisation from the competent supervisory authority. See Recitals 108, 109.

Technical and Organisational Measures: Which of the following privacy management activities (PMAs) are relevant depends on the nature of the transfer and which mechanism the organisation chooses to follow.
• Maintain documentation of the transfer mechanism used for cross-border data flows (e.g., model clauses, BCRs, regulator approvals). This privacy management activity supports the privacy office in managing international data flows and tracking their use of cross-border transfer mechanisms.
• Use Binding Corporate Rules as a data transfer mechanism. This privacy management activity addresses the implementation, approval and monitoring of binding corporate rules, which govern data transfers among members of a corporate group and can be used as a legal mechanism for international data transfers.
• Use contracts as a data transfer mechanism (e.g., Standard Contractual Clauses). This privacy management activity addresses the use of Standard Contractual Clauses to facilitate the transfer of personal data to a third country.
• ... This privacy management activity addresses the requirements for using the EU-US or Swiss-US Privacy Shield as a data transfer mechanism. Note that the EU-US Privacy Shield operated under a Commission adequacy decision (Article 45) rather than as an Article 46 safeguard, and that the Court of Justice invalidated that decision in July 2020 (Case C-311/18, Schrems II); Privacy Shield certification can no longer be relied on as a transfer mechanism.

Example Accountability Mechanisms: Personal data inventory; Record of processing activities; Binding corporate rules; Privacy Shield certification; Approved codes of conduct; Procurement/outsourcing procedure; Data transfer agreement template; Procurement policy; Certification documents; Contracts with data importers/exporters.

Example Evidence:
• The record of processing activities maintains a log of data transfers and indicates the basis for each transfer
• Approval for the binding corporate rules
• Audit results verifying adherence to BCRs
• Contracts using standard contractual clauses
• Documentation of compliance with approved certification mechanisms
• Documentation of compliance with approved codes of conduct
• Decisions of the supervisory authority approving the transfer
Article 47 – Binding corporate rules

... international data transfers.
Article 48 – Transfers or disclosures not authorised by Union law

Annotations: This Article addresses when controllers or processors may act on a judgment of a court or tribunal, or a decision of an administrative authority, of a third country that requires the transfer or disclosure of personal data. Such a judgment or decision is recognised or enforceable only if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to the other grounds for transfer in Chapter V. A foreign law enforcement request on its own is therefore not a lawful basis for the transfer. See Recital 115.

Technical and Organisational Measures:
• Use adequacy or one of the derogations (e.g. consent, performance of a contract, public interest) as a data transfer mechanism. This privacy management activity addresses relying on a derogation from the requirement that personal data be sent only to third countries that provide an "adequate" level of protection for personal data.

Example Accountability Mechanisms: Data privacy policy; Litigation procedures; Procedures for responding to requests from law enforcement.

Example Evidence:
• Data privacy policy states that data may be transferred in response to requests from law enforcement or to court orders (to satisfy Article 48, the policy should tie such transfers to an applicable international agreement or another Chapter V ground rather than to the request alone)
• Court order or tribunal decision requiring the transfer of personal data
• Legal opinions relating to the disclosure
Article 49 – Derogations for specific situations

Annotations: This Article enumerates circumstances in which personal data may be transferred to a third country even in the absence of an adequacy decision or other appropriate safeguards. Examples include:
• With the explicit consent of the data subject, after having been informed of the possible risks;
• For performance of a contract or implementation of pre-contractual measures;
• For important reasons of public interest;
• For the establishment, exercise or defence of legal claims;
• In order to protect the vital interests of a person;
• For transfers made from public registers in certain cases;
• In the compelling legitimate interests of the controller (only where no other ground applies, for non-repetitive transfers concerning a limited number of data subjects, and with the supervisory authority informed).

Technical and Organisational Measures:
• Maintain documentation of the transfer mechanism used for cross-border data flows (e.g., model clauses, BCRs, regulator approvals). This privacy management activity supports the privacy office in managing international data flows and tracking their use of cross-border transfer mechanisms.
• Use adequacy or one of the derogations (e.g. consent, performance of a contract, public interest) as a data transfer mechanism. This privacy management activity addresses relying on a derogation from the requirement that personal data be sent only to third countries that provide an "adequate" level of protection for personal data.

Example Accountability Mechanisms: Personal data inventory; Consent forms; Data privacy notice; Legitimate interest assessments; Procurement policy; Procedures for outsourcing; Litigation procedures; Sales procedures; Website Terms and Conditions; Procedures for responding to requests from law enforcement.

Example Evidence:
• The personal data inventory or the record of processing activities maintains a log of data transfers and indicates the basis for each transfer (e.g., the derogation relied on)
• Consent forms from data subjects
• Data privacy notices indicate the additional risk posed by a lack of appropriate safeguards
• Details of the time and placement of the privacy notice or website Terms and Conditions
• An assessment balancing the legitimate interests of the controller against the rights and freedoms of the data subjects
• Completed contracts or pre-contractual communications
• Documentation concerning any law enforcement requests or emergencies requiring disclosure of data
Article 50 – International cooperation for the protection of personal data
This Article provides that the Commission and supervisory authorities shall take appropriate steps to develop mechanisms for international cooperation and mutual assistance in enforcing data protection laws. Therefore, there are no accountability obligations formed by this Article.
Independent Supervisory Authorities
Article 51 – Supervisory authority
This Article requires Member States to provide for a supervisory authority to be responsible for monitoring the
application of the GDPR in order to protect individuals’ rights and freedoms related to processing of personal
data. Therefore, there are no accountability obligations formed by this Article.
Article 52 – Independence
In his opinion to the Court of Justice of the European Union in Case C-362/14, Advocate General Bot stated that
supervisory authorities are “the guardians of [the] fundamental rights and freedoms” and in accordance with that role,
they must “be able to investigate, with complete independence, the complaints submitted to them.” Over the past few
years, the CJEU has found on several occasions that the DPAs were not functioning with independence, where, e.g., they
were managed by a member of the Federal government (Austria) or where the President had the power to terminate the
head of the DPA (Hungary).
This Article continues to reinforce the "complete" independence of the supervisory authority, which must be "free from external influence, whether direct or indirect" and may "neither seek nor take instructions from anybody". Additionally, the supervisory authority chooses its own staff, who are subject to the exclusive direction of the supervisory authority's member(s). There are no accountability obligations formed by this Article.
Article 53 – General conditions for members of the supervisory authority
This Article provides for the appointment of qualified supervisory authority members by a transparent process, as well as
circumstances for their removal. Therefore, there are no accountability obligations formed by this Article.
Article 54 – Rules on establishment of the supervisory authority
This Article requires Member States to provide by law for the establishment of a supervisory authority, including terms of
office. Therefore, there are no accountability obligations formed by this Article.
Article 55 – Competence
This Article provides that supervisory authorities are competent to perform the tasks and exercise the powers conferred
on them, with the exception of courts acting in their judicial capacity. Therefore, there are no accountability obligations
formed by this Article.
Article 56 – Competence of the lead supervisory authority
This Article determines which supervisory authority acts as lead supervisory authority for cross-border processing: the authority of the Member State in which the controller or processor has its main establishment or single establishment. A supervisory authority other than the lead remains competent to handle a complaint lodged with it where the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State. Therefore, there are no accountability obligations formed by this Article.
Article 57 – Tasks
This Article sets out the tasks each supervisory authority is to perform, including:
• Adopting standard contractual clauses and approving BCRs;
• Maintaining a list of the kinds of processing operations that require a data protection impact assessment;
• Encouraging codes of conduct, certifications and seals.
Therefore, there are no accountability obligations formed by this Article.
Article 58 – Powers
This Article sets out the investigative and corrective powers of each supervisory authority, including the power to order:
• Provision of information;
• Data protection audits;
• Reviews/withdrawals of certifications;
• Access to premises or data processing equipment;
• Communication of a personal data breach to data subjects;
• A ban on processing; and
• Suspension of cross-border data flows.
Therefore, there are no accountability obligations formed by this Article.
Article 59 – Activity reports
This Article requires each supervisory authority to publish an annual report of its activities. Therefore, there are no accountability obligations formed by this Article.
Cooperation and Consistency
Article 60 – Cooperation amongst supervisory authorities
In order to reach consensus, this Article sets out how the lead supervisory authority and concerned supervisory authorities
are to cooperate in their decision-making. Therefore, there are no accountability obligations formed by this Article.
Article 61 – Mutual assistance
This Article addresses the sharing of information between supervisory authorities and the provision of mutual assistance
to carry out prior authorisations, consultations, inspections and investigations. Therefore, there are no accountability
obligations formed by this Article.
Article 62 – Joint operations of supervisory authorities
This Article provides that supervisory authorities shall conduct joint operations, particularly where the controller is
established in several Member States or a significant number of data subjects in more than one Member State are likely to
be substantially affected by the processing. Therefore, there are no accountability obligations formed by this Article.
Article 63 – Consistency mechanism
This Article provides that supervisory authorities shall cooperate with each other through a consistency mechanism in
order to ensure consistent application of the GDPR across Member States. Therefore, there are no accountability
obligations formed by this Article.
Article 64 – Opinion by the EDPB
This Article provides cases where the European Data Protection Board (the successor of the Article 29 Working Party)
shall issue an opinion with regard to a draft supervisory authority decision. Therefore, there are no accountability
obligations formed by this Article.
Article 65 – Dispute Resolution by the EDPB
This Article sets out the cases in which the EDPB shall adopt a binding decision, e.g., where there is disagreement
amongst supervisory authorities regarding resolution of an infringement or who is the lead authority. The Article goes on
to provide the time frame in which the EDPB must provide its binding decision. Therefore, there are no accountability
obligations formed by this Article.
Article 66 – Urgency procedure
This Article provides that where an urgent need to act to protect the rights and freedoms of a data subject exists, a
supervisory authority may adopt provisional measures with legal effect in its own Member State for a 3-month period.
Supervisory authorities can also make requests for urgent binding decisions from the EDPB. Therefore, there are no
accountability obligations formed by this Article.
Article 67 – Exchange of information
This Article provides that the European Commission can adopt an implementing act regarding the exchange of
information by electronic means between supervisory authorities. Therefore, there are no accountability obligations
formed by this Article.
Article 68 – European Data Protection Board
This Article establishes the European Data Protection Board ("EDPB"), composed of the head of one supervisory authority of each Member State and the European Data Protection Supervisor (EDPS), and sets out the EDPS's limited voting rights. Therefore, there are no accountability obligations formed by this Article.
Article 69 – Independence
This Article provides that the EDPB shall act independently when performing its tasks. Therefore, there are no
accountability obligations formed by this Article.
Article 70 – Tasks of the EDPB
This Article sets out the tasks of the EDPB, including monitoring application of the GDPR, advising the Commission,
and issuing best practices on the right to be forgotten, profiling, data transfers, and data breach notification. Therefore,
there are no accountability obligations formed by this Article.
Article 71 – Reports
The EDPB is required to draw up and publish an annual report. There are no accountability obligations formed by this
Article.
Article 72 – Procedure
This Article sets out that EDPB decisions may be made by simple majority unless otherwise provided for. Therefore,
there are no accountability obligations formed by this Article.
Article 73 – Chair
The EDPB shall elect a chair and two deputy chairs from among its members for a 5-year term of office. Therefore, there
are no accountability obligations formed by this Article.
Article 74 – Tasks of the Chair
This Article provides the operational tasks of the Chair. Therefore, there are no accountability obligations formed by this
Article.
Article 75 – Secretariat
This Article establishes the secretariat in charge of analytical, administrative and logistical support to the EDPB.
Therefore, there are no accountability obligations formed by this Article.
Article 76 – Confidentiality
This Article provides that discussions of the EDPB are confidential where the EDPB deems confidentiality necessary.
Therefore, there are no accountability obligations formed by this Article.
Remedies, Liabilities and Sanctions
Article 77 – Right to complain
This Article provides every data subject with the right to complain to a supervisory authority, particularly in the Member
State in which they reside or work, or place of the alleged infringement. Therefore, there are no accountability obligations
formed by this Article.
Article 78 – Right to a judicial remedy against a supervisory authority
This Article provides natural and legal persons with the right to an effective judicial remedy against legally binding decisions of a supervisory authority concerning them, and against a supervisory authority that does not handle a complaint or inform the complainant of progress within three months. Therefore, there are no accountability obligations formed by this Article.
Article 79 – Right to an effective judicial remedy against a controller or processor
Regardless of the right to complain to the Supervisory Authority, this Article provides data subjects with a right to a
judicial remedy if they believe a data controller or processor has not complied with the GDPR. Lawsuits may be filed in
the Member State in which the controller or processor is established or where the data subject resides. There are no
accountability obligations formed by this Article.
Article 80 – Representation of data subjects
Under this Article, data subjects may mandate non-profit, public interest organisations such as privacy advocates to lodge
a complaint on his or her behalf. Member States may additionally provide a direct right of action to such privacy
advocates. Therefore, there are no accountability obligations formed by this Article.
Article 81 – Suspension of proceedings
To avoid duplicate and conflicting results, where proceedings were commenced in multiple Member States, the court who
was first seized of the matter may continue its proceedings, and the other courts may suspend their proceedings. The
actions may also be consolidated. There are no accountability obligations formed by this Article.
Article 82 – Right to compensation and liability
This Article provides any person who has suffered material or non-material damage as a result of an infringement of the GDPR with a right to receive compensation from the controller or processor. Where more than one controller or processor is involved in the same processing and responsible for the damage, each is held jointly and severally liable for the entire damage, with a right of recourse against the others for their share. Data processors, however, are only liable for damage caused by processing that does not comply with 1) obligations of the GDPR specifically directed to processors, or 2) the lawful instructions of the controller.
Data controllers and processors will not be liable for damages where they can prove that they are not in any way
responsible for the event giving rise to the damage. This underscores the importance of maintaining evidence that
demonstrates compliance with the GDPR. However, there are no accountability obligations formed by this Article.
Article 83 – General conditions for imposing administrative fines
This Article provides for the imposition of effective, proportionate and dissuasive administrative fines for infringements, and lists the factors a supervisory authority must take into account when deciding whether to fine and at what level, including the nature, gravity and duration of the infringement, the degree of responsibility in light of the technical and organisational measures implemented, and any previous infringements.
The Article sets two tiers of maximum fines. Infringements of the obligations listed in Article 83(4), including the obligations of controllers and processors under Articles 8, 11, 25 to 39, 42 and 43, are subject to fines of up to €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher. Infringements of the basic principles for processing, of data subjects' rights, or of the cross-border transfer provisions, and non-compliance with an order of a supervisory authority, are subject to fines of up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. There are no accountability obligations formed by this Article.
Article 84 – Penalties
This Article provides that penalties for infringements not subject to the administrative fines set out in Article 83 shall be
laid down in rules by the Member States. Therefore, there are no accountability obligations formed by this Article.
Relating to Specific Data Processing Situations
Article 85 – Processing and freedom of expression and information
Member State national law shall address the balance between the Freedom of Expression, Freedom of Information, and
Right to Protection of Personal Data. Exemptions may be provided from some of the obligations for processing for
journalistic, academic, artistic or literary expression. Therefore, there are no accountability obligations formed by this
Article.
Article 86 – Processing of personal data and public access to official documents
This Article permits public bodies to disclose personal data found in official documents as part of Freedom of
Information obligations under Union or Member State law. Therefore, there are no accountability obligations formed by
this Article.
Article 87 – Processing of national identification number
Member States may further determine specific conditions for processing national identification numbers or other general
identifiers. Therefore, there are no accountability obligations formed by this Article.
Article 88 – Processing in the employment context
Specific rules for processing employee personal data in the employment context may be determined by Member State law
or collective agreements, including:
• recruitment;
• performance of employment contracts;
• discharge of legal obligations;
• management, planning and organisation of work;
• workplace equality and diversity;
• health and safety; and
• employment rights and benefits.
Article 89 – Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Annotations: This Article provides that processing for archiving purposes in the public interest, or for scientific or historical research or statistical purposes, is subject to appropriate safeguards, including data minimisation. Thus, processing should use pseudonymised or anonymised data to the extent possible. Note that pseudonymised data remains personal data under the GDPR as long as the additional information needed to attribute it to an individual exists (Article 4(5), Recital 26); only truly anonymised data falls outside the Regulation. The Article goes on to provide that Union or Member State law may create exemptions from the provisions on data subject rights when processing for these purposes. See Recitals 156-162.

Technical and Organisational Measures:
• ... This privacy management activity generally deals with how an organisation maintains procedures for research practices, including processes to obtain personal data for research purposes, ensuring valid consents are obtained, de-identifying data where possible, and taking measures to ensure that research data maintained for scientific, historical or statistical research is safeguarded against improper use.
• Integrate data privacy into research practices. This privacy management activity addresses how organisations put in place a specific technical and organisational measure to ensure respect for the principle of data minimisation.

Example Accountability Mechanisms: Policy and procedure on pseudonymisation or anonymisation; Research Ethics Board approvals that address data minimisation and privacy protections; Software tools for aggregation, data masking, pseudonymisation or anonymisation.

Example Evidence:
• ... for data minimisation, pseudonymisation and anonymisation
• Test results verifying that data sets were anonymised or pseudonymised
• Test results showing an inability to re-identify data sets
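The evidence items above (test results verifying that data sets were pseudonymised, and test results showing an inability to re-identify them) are easier to produce when the pseudonymisation is engineered to be testable. The following is an added worked example, not Nymity's code and not part of the handbook: it replaces a direct identifier with a keyed (HMAC-SHA256) token rather than a plain hash, generalises the quasi-identifiers, measures the k-anonymity of the released rows, and runs a simple linkage attack against both token schemes. The records, field names and the `demo` helper are constructed for illustration; in practice the HMAC key would be held in a key-management system, separate from the research data set, because anyone holding the key can re-link the tokens.

```python
"""Pseudonymisation with a keyed hash, plus a k-anonymity and linkage check.

Added illustration (not from the handbook). RECORDS are constructed test data;
the HMAC key would normally come from a KMS/HSM, not be generated in-process.
"""
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample: a direct identifier (email), two quasi-identifiers
# (age, postcode) and a sensitive attribute (diagnosis).
RECORDS: List[Dict] = [
    {"email": "alice@example.org", "age": 34, "postcode": "SW1A 1AA", "diagnosis": "A"},
    {"email": "bob@example.org",   "age": 37, "postcode": "SW1A 2BB", "diagnosis": "B"},
    {"email": "carol@example.org", "age": 52, "postcode": "EC1A 1BB", "diagnosis": "A"},
    {"email": "dave@example.org",  "age": 58, "postcode": "EC1A 9ZZ", "diagnosis": "C"},
    {"email": "erin@example.org",  "age": 31, "postcode": "SW1A 3CC", "diagnosis": "B"},
    {"email": "frank@example.org", "age": 55, "postcode": "EC1A 4DD", "diagnosis": "B"},
]
QUASI_IDS = ("age_band", "area")


def unkeyed_token(identifier: str) -> str:
    """Plain SHA-256 of the identifier. Deterministic and keyless, so anyone with
    a list of candidate identifiers can recompute and match it: the weak baseline."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_token(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Still deterministic (the same subject links
    across releases) but cannot be recomputed by anyone who lacks the key."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def generalise(record: Dict) -> Dict:
    """Coarsen quasi-identifiers: a 10-year age band and the outward postcode only."""
    lo = (record["age"] // 10) * 10
    return {"age_band": f"{lo}-{lo + 9}", "area": record["postcode"].split()[0]}


def pseudonymise(records: Iterable[Dict], key: bytes) -> List[Dict]:
    """Release rows: keyed token in place of the email, generalised quasi-identifiers
    and the payload. The raw identifier never appears in the output."""
    released = []
    for r in records:
        row = generalise(r)
        row["subject_id"] = keyed_token(r["email"], key)
        row["diagnosis"] = r["diagnosis"]
        released.append(row)
    return released


def k_anonymity(rows: List[Dict], quasi_ids=QUASI_IDS) -> int:
    """Size of the smallest equivalence class over the quasi-identifiers. k == 1 means
    some row is unique on its quasi-identifiers and is a re-identification candidate."""
    classes = Counter(tuple(r[q] for q in quasi_ids) for r in rows)
    return min(classes.values()) if classes else 0


def linkage_attack(released_tokens: set, candidates: Iterable[str],
                   recompute: Callable[[str], str]) -> int:
    """An adversary holding a candidate identifier list recomputes tokens with
    `recompute` and counts how many match the released tokens."""
    return sum(1 for c in candidates if recompute(c) in released_tokens)


def demo(key: Optional[bytes] = None, k_min: int = 2) -> Dict:
    """Pseudonymise RECORDS, then check the release: k-anonymity against a threshold,
    a linkage attack on plain-hash tokens vs. keyed tokens, and no raw emails leaking."""
    key = key or secrets.token_bytes(32)
    released = pseudonymise(RECORDS, key)
    # Constructed attacker list: every real address plus one that is not in the data set.
    candidates = [r["email"] for r in RECORDS] + ["mallory@example.org"]
    weak_tokens = {unkeyed_token(r["email"]) for r in RECORDS}
    strong_tokens = {r["subject_id"] for r in released}
    k = k_anonymity(released)
    return {
        "k": k,
        "release_ok": k >= k_min,
        "weak_hits": linkage_attack(weak_tokens, candidates, unkeyed_token),
        # The attacker does not hold `key`, so the best it can do is the plain hash.
        "strong_hits": linkage_attack(strong_tokens, candidates, unkeyed_token),
        "raw_email_in_release": any("@" in str(v) for row in released for v in row.values()),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` on the constructed records gives k = 3 (each combination of age band and postcode area is shared by three rows), 6 of 6 real identifiers recovered against the unkeyed tokens from a candidate list, and 0 against the keyed tokens. On real data a k of 1 should fail the release check and trigger further generalisation or suppression, and the saved output of such a check is the kind of "test results" evidence the table asks for.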
Article 90 – Obligations of secrecy
Rules governing data controllers and processors subject to obligations of professional secrecy are left to Member States to
determine. Therefore, there are no accountability obligations formed by this Article.
Article 91 – Existing data protection rules of churches and religious associations

Annotations: Churches and religious associations and communities that apply comprehensive rules relating to the processing of personal data may continue to apply such rules, provided the rules are brought in line with the GDPR.

Technical and Organisational Measures:
• Maintain a data privacy policy. This privacy management activity helps the organisation create and maintain an organisational-level privacy policy to provide guidance to employees regarding the processing and protection of personal data, to ensure that such processing aligns with the obligations of the GDPR.

Example Accountability Mechanisms: Data privacy policy; Church or religious association rules around data protection.

Example Evidence:
• Audit results verifying implementation of and compliance with the data privacy policy or rules
• Attestations of adherence to the data privacy policy or rules
Article 92 – Exercise of the delegation
This Article provides the European Commission with the power to adopt delegated acts under the GDPR, subject to the
European Parliament and Council not objecting. Therefore, there are no accountability obligations formed by this Article.
Article 93 – Committee procedure
This Article provides that the Commission will be assisted by a committee. There are no accountability obligations
formed by this Article.
Article 94 – Repeal of Directive 95/46/EC
This Article repeals the old data protection Directive on a date specified in Article 99 and provides that any references to
that Directive will be construed as a reference to the GDPR. Therefore, there are no accountability obligations formed by
this Article.
Article 95 – Relationship to Directive 2002/58/EC
This Article provides that processing of personal data in connection with publicly available electronic communications
services in public communications networks will continue to be governed by the e-Privacy Directive. There are no
accountability obligations formed by this Article.
Article 96 – Relationship to previously concluded Agreements
This Article provides for the continuation of international agreements involving the transfer of personal data to third
countries that were entered prior to GDPR enactment and in compliance with applicable Union law. This would include
agreements such as PNR agreements, agreements under FATCA, etc. There are no accountability obligations formed by
this Article.
Article 97 – Evaluation
At least every four years, the Commission will be reporting to European Parliament and Council an evaluation and review
of the GDPR. The Commission will submit appropriate amendments if necessary. There are no accountability obligations
formed by this Article.
Article 98 - Review of other EU data protection instruments
The Commission shall submit proposals to amend other EU legal instruments on the protection of personal data if
necessary to ensure uniform and consistent protection of individuals. Therefore, there are no accountability obligations
formed by this Article.
Article 99 – Entry into force
The GDPR will enter into force on the 20th day following its publication in the Official Journal of the European Union,
and shall apply from May 25, 2018. There are no accountability obligations formed by this Article.
Enables on-going accountability management and reporting for GDPR.
Nymity helps organisations comply with GDPR through structured accountability based on implementing appropriate
accountability mechanisms such as policies and procedures. Putting in place appropriate accountability mechanisms is the
foundation for complying with the GDPR, as it enables organisations to demonstrate compliance at a project level and at an
organisational level, both of which are required by the GDPR.
Project/Process Compliance
Before addressing your records of processing activities requirements (Article 30) or your data protection impact assessment
requirements (Article 35), it is important to understand the rationale of these two obligations. Their objective is to ensure compliant
processing of personal data. As such, enabling structured accountability at a project/process level results in GDPR compliance.
Nymity’s assessment solutions enable GDPR-compliant projects/processes and produce Records
of Processing Activities Data Inventory, regulatory data mapping, PIAs and DPIA reports.
No Questionnaires Required
Built on an expert system supported by Nymity’s team of experts for both content and rules, Nymity ExpertPIA™/Nymity Data
Transfer Risk Mapping™ does not rely solely on questionnaires of any kind, significantly reducing the burden on the business and the Privacy
Office/DPO.
1. One Screen
The business may only need to engage for a few minutes a year and thus doesn’t have time to be trained on the software. This
simplicity is accomplished with one straightforward screen, which also has tips and a history of past attestations.
2. Closed Questions
Yes or No are the only answers available. Very straightforward, as the questions are based on the usage of an
accountability mechanism which enables compliance.
3. Relevant Questions
No privacy jargon as the questions are based on the accountability mechanisms which are written in the language of
the business.
4. Evidence
Documents produced using the accountability mechanism or the mechanisms themselves are all the evidence
necessary.
Don’t Ask “What are You Doing?” – Ask “Are You Doing as Instructed?”
You have already instructed the business on appropriate accountability mechanisms they must follow. Simply ask questions to
find out if they are doing as instructed. The questions themselves make the accountability mechanism come alive with activity
resulting in ongoing compliance.
accountability component of the BCR complete. Simply engage your law firm of choice for the legal component of the BCR, then
monitor and manage GDPR and BCR.
Nymity Operational Templates & Resources™ enable the rapid deployment of expert
accountability mechanisms and help ensure ongoing compliance without restricting
business.
Documentation is an Outcome
Some refer to the GDPR as having documentation requirements, by which they are referring either to Article 30 Records of Processing
(see Nymity ExpertPIA™/Nymity Data Transfer Risk Mapping™) or to accountability mechanisms that mitigate risk
and demonstrate compliance. Nymity Operational Templates & Resources™ drive organisational documentation.
Search
Find specific accountability mechanism resources quickly with search and privacy management expert filters, further saving time.
courts are getting active. It is important to monitor, research and understand the changing GDPR landscape to ensure ongoing
compliance.
Nymity Research™ enables GDPR compliance monitoring and research to ensure ongoing compliance.
Whether it is compliance with the GDPR, the future CCPA, or any of the over 1,900 DSR obligations found in laws in over 115 countries,
Nymity’s Data Subject Requests™ will help ensure you both meet your compliance obligations and provide a positive experience for the
individual when they make a data-related request to the company. Nymity’s Data Subject Requests™ solution helps ensure you meet
your legal obligations, while taking the guesswork out of preparing responses, saving time and money. Leverage the customizable
response templates, pre-configured based on jurisdiction, that will help you to meet the short GDPR deadlines for dealing
with individual requests. Nymity’s Data Subject Requests™ solution equips you with the tools that allow you to provide demonstrable
accountability and compliance. Robust reporting ensures that you will always be regulator-ready, as reports are dynamically updated based
on changing regulatory expectations, allowing you to demonstrate the right compliance for your jurisdiction.
Power Dashboard
Utilize the dashboard to ensure proactive and timely responses to data subject requests, and improve management of data collection
from requestors and employees.
Compliance Panel
Keep up to date through every phase of a Data Subject Request with the Compliance Knowledge Panel. Relevant and contextual
information is continually updated.
Response Templates
Save time by taking the guesswork out of preparing responses. Leverage the preconfigured response templates or customize them to fit
your organization’s needs.
Nymity Research™: Enables GDPR compliance monitoring and research to ensure ongoing compliance.
Nymity Operational Templates & Resources™: Enables rapid deployment of expert accountability mechanisms and helps ensure ongoing compliance without restricting business.
Nymity ExpertPIA™/Nymity Data Transfer Risk Mapping™: Enables compliant projects/processes that produce Records of Processing Activities Data Inventory, PIAs and DPIA reports.
Nymity Data Subject Requests™: Monitor and manage Data Subject Requests efficiently and confidently.
Nymity Attestor™: Enables the monitoring and management of GDPR and produces evidence-based dashboards and reports.
Learn more about how our GDPR solutions help organisations plan, implement, maintain, and demonstrate compliance to GDPR
at www.nymity.com/GDPR.
WWW.NYMITY.COM