
Copyright ©2019 by Nymity Inc. All rights reserved.

This document is provided “as is” without any express or implied warranty. This document does not constitute legal advice and if you
require legal advice you should consult with an attorney. Nymity may not have addressed all legal requirements applicable to your organization and the document may need to be modified
in order to comply with relevant law. Forwarding this document outside your organization is prohibited. Reproduction or use of this document for commercial purposes requires the prior
written permission of Nymity Inc.
GDPR Accountability Handbook

Accountability Under the GDPR

The accountability principle in Article 5(2) of the GDPR requires organisations to demonstrate compliance with the principles of
the GDPR. Article 24 sets out how organisations can do this by requiring the implementation of appropriate technical and
organisational measures to ensure that organisations can demonstrate that the processing of personal data is performed in
accordance with the GDPR.

Nymity’s research has identified 39 Articles under the GDPR that require evidence of a technical or organisational measure to demonstrate compliance and has mapped these to the Nymity Privacy Management Accountability Framework™ (described below). The result is the identification of 55 privacy management activities (also called technical or organisational measures) that, if implemented, may produce documentation that will help demonstrate ongoing compliance with GDPR obligations. Not all 55 measures will apply to every organisation; rather, organisations will put in place the measures that are appropriate for them (according to the risk-based considerations that run throughout the GDPR).

GDPR is not the First Accountability-based Privacy Law

The principle of Accountability has received renewed attention because the GDPR mandates accountability as a legal obligation.
However, it is not the first privacy law in the world to do so. Canada was the first jurisdiction to write an accountability
requirement in its data protection law, which went into effect in stages and full effect in 2004.1 Nymity, a Canadian-based global
privacy compliance research and privacy compliance software company, was founded in 2002 to support the Privacy Office to
meet the accountability requirements found in this law. Thus, in many ways, Nymity has been preparing to support Privacy
Officers/DPOs for the requirements of the GDPR for the past 15 years.

Nymity’s Expertise in Accountability

In 2002, Nymity began its research on accountability and building compliance solutions for the Privacy Office/DPO. In 2011, Nymity augmented its accountability research with an initiative on demonstrating accountability to regulators. Nymity conducted workshops with privacy officers and with DPAs across the EU identifying what regulators expect of organisations to demonstrate accountability. This research revealed that no matter the industry or jurisdiction, Privacy Officers, DPOs and other privacy leaders in organisations conduct many of the same activities. This led to the development of the Nymity Privacy Management Accountability Framework™, which is used by thousands of Privacy Officers/DPOs to plan, structure, and report on their privacy management programmes. The Framework has been made available for free to the privacy community since 2014.

1 Personal Information Protection and Electronic Documents Act (PIPEDA), which came into force in three phases: 2001 for federal works and undertakings, 2002 for federal health care and 2004 for everyone else subject to the law.

In 2015, Nymity launched a series of practical workshops around the globe on the topic of “Getting to Accountability.” Over 500
Privacy Officers/DPOs in 22 countries attended a no-cost, full-day, hands-on workshop. The workshop was designed to equip
those responsible for privacy management with knowledge on how to operationalise accountability by exploring strategies, tools,
business cases, and a communication framework. The following resources are examples of some of Nymity’s thought leadership
in accountability and compliance and are freely available on the Nymity website under “Resources.”

1. Nymity Privacy Management Accountability Framework™

The Framework is a menu of privacy management activities (technical and organisational measures). When maintained, privacy management activities create Accountability Mechanisms.

2. A Structured Approach to Privacy Management: Getting Started

This manual and supporting workbook provide an outline for a privacy management program embedded throughout the organisation resulting in an accountable organisation. Accountable organisations can leverage their investment in privacy management to use the Nymity PIA Methodology.

3. A Structured Approach to Privacy Management: Demonstrating Compliance

Through this approach, accountable organisations can use existing documentation to demonstrate compliance.

4. The Nymity GDPR Compliance Toolkit

Three free resources to help organisations understand the GDPR in order to plan, structure, and report on their privacy management programmes and to be able to demonstrate compliance under the GDPR (accountability).


The knowledge gained from our practical, on the ground workshops and ongoing research is factored into all Nymity’s
research and software solutions.

Currently, Nymity is conducting two accountability research projects:

1. Demonstrating Compliance to Regulators

This project commenced in 2016 and will be completed in 2018. This research investigates an Accountability approach to demonstrating compliance to regulators as well as certifications.

2. An Alternative Approach to PIAs/DPIAs

This project investigates a new concept called an Accountability PIA. It is based on a simple premise: if both accountability and traditional PIAs are designed to mitigate risk and address compliance, why not use accountability in the PIA?

The results of both projects will be made available for free and organisations can participate in one or both projects with Nymity
by contacting Nymity at info@nymity.com.

The Nymity Privacy Management Accountability Framework™ (the “Framework”)

The Framework emerged out of our ongoing accountability research as a practical tool for organisations to structure privacy
management in their organisation and operationalise accountability. It is not a checklist of activities that must be completed;
rather it is a menu for accountability that can be adapted to any organisation. It is not based on principles or controls, but on
privacy management activities (technical and organisational measures) that can be monitored and tracked. It is a comprehensive
jurisdiction- and industry-neutral listing of 130+ technical and organisational measures that is structured into 13 data privacy
management categories (e.g. “Manage Third-Party Risk” and “Maintain Training and Awareness Program”).


No two organisations’ accountability requirements are the same, and thus this Framework provides the flexibility necessary for planning, scaling, and communicating privacy management and is ideally suited to address the risk-based approach inherent in the GDPR. The appropriate technical or organisational measures to put in place are determined based on the organisation’s legal and regulatory compliance requirements, risk profile, business objectives, and the context of data processing (type of data processed, nature of processing, purpose for processing).

Accountability Mechanisms

Organisations that have taken an accountability approach to address privacy risk and privacy compliance put in place appropriate
technical and organisational measures and have necessarily created what Nymity refers to as “Accountability Mechanisms.”
Accountability Mechanisms include policies, procedures, guidelines, checklists, training and awareness activities, transparency
measures, technical safeguards and other mechanisms that mitigate internal and external privacy risk. Taking an accountability
approach to privacy risk compliance and putting in place effective Accountability Mechanisms to maintain appropriate technical
and organisational measures has many advantages. An accountability approach to privacy compliance:

• Generates documentation that can be used as evidence allowing an organisation to demonstrate a compliance
infrastructure to Regulators and business partners;

• Builds a culture of privacy, while minimising organisational privacy risk and maximising compliance;

• Provides the infrastructure for ongoing, efficient privacy management and privacy risk mitigation (specifically for the
individual);

• Embeds privacy risk mitigation throughout the organisation (into business and operational units where data processing
occurs);

• Empowers business units to assume responsibility for ensuring maintenance of Accountability Mechanisms.

Purpose of the Nymity GDPR Accountability Handbook:

This document is designed to support the Privacy Office in implementing an accountability approach to compliance with the GDPR. It provides a brief summary of each Article of the GDPR and maps compliance obligations to the Nymity Privacy Management Accountability Framework™, identifying 55 technical and organisational measures that can assist in establishing accountability within the organisation and ultimately the ability to demonstrate compliance. It lists examples of policies, procedures and other mechanisms (i.e. Accountability Mechanisms) that may result from putting in place the listed technical or organisational measures. Finally, it lists example evidence that indicates that the Accountability Mechanisms have been implemented and used appropriately.

It is structured as follows:

Accountability Annotation
An annotation explaining the meaning and impact of the Article.

Technical and Organisational Measures
A list of technical and organisational measures that, once implemented, may help:
1. Achieve ongoing compliance with the GDPR and,
2. Produce documentation that will help demonstrate compliance.
In some cases, the measure may not be applicable to your organization.

Example Accountability Mechanisms
A listing of possible policies, procedures, guidelines, checklists, training and awareness activities, transparency measures, technical safeguards and other mechanisms that may mitigate internal and external privacy risk. Accountability Mechanisms are produced when organisations put in place technical and organisational measures.

Example Evidence
A listing of sample evidence indicating that the accountability mechanisms have been implemented and used appropriately.

General Provisions

Article 1 – Subject Matter and Objectives

This Article provides the purpose of the GDPR. There are no accountability obligations formed by this Article.

Article 2 – Material Scope

This Article addresses the activities that are within or outside the scope of the GDPR. There are no accountability obligations formed by this Article.

Article 3 – Territorial Scope

This Article addresses the application of the GDPR to entities within and outside the European Union. There are no accountability obligations formed by this Article.

Article 4 – Definitions

This Article defines common terms in the GDPR. There are no accountability obligations formed by this Article.
Principles

Article 5 - Principles relating to personal data processing

Accountability Annotation

Article 5 sets out the general principles that all processing activities must abide by, including:

• lawfulness, fairness and transparency;
• purpose limitation;
• data minimisation;
• accuracy;
• storage or retention limitation;
• integrity and confidentiality; and
• accountability.

The accountability principle states that data controllers are responsible for and able to demonstrate compliance with the data processing principles.

The principles are also built upon in the following Articles:

• lawfulness – see Articles 6, 9 and 10;
• transparency – see Articles 13 and 14;
• purpose limitation – see Article 6;
• integrity and confidentiality – see Article 32;
• accountability – see Article 24.

See also Recital 39.

Technical and Organisational Measures

Conduct PIAs or DPIAs for changes to existing programs, systems, or processes
This privacy management activity addresses having policies and procedures to follow when there is a change to existing processes, programs or systems to ensure that data protection risks are measured, analysed and mitigated.

Conduct PIAs/DPIAs for new programs, systems, processes
This privacy management activity addresses guidelines on when a DPIA is required as part of the development process for new processing.

Integrate data privacy into an information security policy
This privacy management activity helps the privacy office insert privacy and data protection considerations into the information security policy.

Integrate data privacy into records retention practices
This privacy management activity helps the organisation embed data privacy into the records retention policy and procedure to ensure proper storage of personal data. It helps organisations put in place policies and procedures to ensure data is not kept in a form that permits identification of data subjects for longer than is necessary for the purposes for which it was processed, unless the data is being archived for public interest, scientific, statistical, or historical purposes.

Maintain a data privacy policy
This privacy management activity helps the organisation create and maintain an organisational-level privacy policy to provide guidance to employees regarding the processing and protection of personal data to ensure that such processing aligns with the obligations of the GDPR. Where relevant (Article 91) it will also address specific data processing obligations that apply to organisations such as churches and other religious associations.

Maintain documentation as evidence to demonstrate compliance and/or accountability
This privacy management activity supports the organisation in creating a process for maintaining documentation of the technical and organisational measures it has put in place in order to demonstrate compliance with the GDPR.

Maintain policies/procedures for maintaining data quality
This privacy management activity relates to putting in place policies and procedures to ensure data is accurate and, where necessary, kept up-to-date, and that data which is inaccurate in light of the purposes for which it is processed is erased or rectified.

Example Accountability Mechanisms

• Data privacy policy
• Personal data inventory
• Data privacy notices
• Privacy threshold analysis
• Data privacy training curriculum
• Consent forms
• Records retention schedule
• Data accuracy policy and guidelines
• Validation mechanisms in online forms
• Information security policy
• PKI (Encryption) Technology & Processes
• Personal data access policy
• Information security assessment process
• Software tools for data masking

Example Evidence

• Record of data processing activities or the personal data inventory documents the legal basis for processing and purpose for processing
• Enterprise privacy risk assessment
• Copy of the privacy notice and details on the placement and timing of the notice
• Results from DPIAs showing how determinations were made balancing the legitimate interests of the data controller against the interests or fundamental rights and freedoms of data subjects
• Evidence that the Data Protection Officer’s opinion and advice was sought as part of the DPIA process
• A copy of privacy training materials for staff and details on the time and attendance of participants
• Audit of processing activities examining that:
  o Only personal data necessary was collected and processed
  o The retention schedule was followed
  o Personal data maintained is accurate
• Test results from testing of validation mechanisms
• Test results from testing of security mechanisms
• Information security assessments showing security risks were identified and mitigations put in place
• Information security programme policies and procedures reflecting alignment with privacy objectives, legal compliance and risk
• Audits of access to personal data to determine if existing procedures are appropriate based on the purpose for which the data was collected and the nature of the access
• Tests of data masking software validating that tools are effective
Article 6 - Lawfulness of processing

Accountability Annotation

Article 6 provides the legal grounds on which personal data can be processed, as well as how to determine when further processing is compatible with the original purposes for processing. Such grounds for processing are:

• with the data subject’s consent;
• for contract performance;
• to comply with legal obligations under Union or Member State law;
• to protect the vital interests of a natural person;
• to perform a task in the public interest set out by Union or Member State law; or
• for the purposes of legitimate interests pursued by the data controller or a third party.

See Recitals 32, 40-50.

Technical and Organisational Measures

Conduct PIAs or DPIAs for changes to existing programs, systems, or processes
This privacy management activity addresses having policies and procedures to follow when there is a change to existing processes, programs or systems to ensure that data protection risks are measured, analysed and mitigated.

Conduct PIAs/DPIAs for new programs, systems, processes
This privacy management activity addresses guidelines on when a DPIA is required as part of the development process for new processing.

Document legal basis for processing personal data
This privacy management activity addresses how the organisation determines the legal basis on which processing takes place and ensures that a record of this analysis is kept.

Maintain policies/procedures for obtaining valid consent
This privacy management activity addresses the different components that make consent valid (e.g., freely given, specific and unambiguous) and how to update consent forms and mechanisms to ensure GDPR compliance.

Maintain policies/procedures for secondary uses of personal data
This privacy management activity addresses having policies and procedures that define how to handle situations when the organisation wishes to use personal data beyond the primary purpose. Secondary uses of data must be disclosed in information notices under Articles 13 and 14.

Example Accountability Mechanisms

• PIA/DPIA template
• PIA/DPIA tool
• Records of processing activities
• Personal data inventory
• Consent forms
• Web forms using opt-in consent check boxes
• Data privacy notice
• Legitimate interest assessments
• Procurement policy
• Procedures for outsourcing
• Litigation procedures
• Website terms and conditions
• Procedures for responding to requests from law enforcement

Example Evidence

• Log for recording the legal basis for processing personal data, including where applicable a detailed log of the unambiguous consent provided
• DPIAs demonstrating that the necessary safeguards were integrated into the data processing
• Results from DPIAs showing how determinations were made balancing the legitimate interests of the data controller against the interests or fundamental rights and freedoms of data subjects
• Personal data inventory that sets out what ground is relied on when processing
• Records of processing activities, including underlying decisions on interpretation of the relevant legal provisions and grounds for processing
• Documentation showing web forms used opt-in consent check boxes or buttons
• Copies of signed consent forms (written or electronic)
• Contracts or requests to enter a contract
• Relevant statements of claim or defence, or other documents pertaining to a legal claim
• Documentation concerning any law enforcement requests or emergencies requiring disclosure of data
• Legal opinions related to the processing
• Evidence that the Data Protection Officer’s opinion and advice was sought as part of the DPIA process

Article 7 - Conditions for consent

Accountability Annotation

Article 7 sets out the standard for consent when relying on consent as a legal basis for processing personal data (demonstrable consent) and sensitive personal data (explicit consent).

See Recitals 32, 33, 42, 43, 58.

Technical and Organisational Measures

Maintain policies/procedures for obtaining valid consent
This privacy management activity addresses the different components that make consent valid (e.g., freely given, specific and unambiguous) and how to update consent forms and mechanisms to ensure GDPR compliance.

Maintain procedures to respond to requests to opt-out of, restrict or object to processing
Implementing this privacy management activity will help organisations put in place processes to ensure that records of personal data are used in line with any restrictions, including not only uses by the data controller but also any restrictions on use by downstream recipients.

Example Accountability Mechanisms

• Consent forms
• Web forms using opt-in consent check boxes
• Scripts for providing notice and obtaining consent via phone
• Procedure for responding to privacy-related queries, requests and complaints
• Guidance for analysing and responding to data subject objections to processing (e.g. operating procedures or technical processes)

Example Evidence

• Evidence that web forms used opt-in consent check boxes or buttons
• Completed written consent forms
• Call center logs and recordings

Article 8 - Conditions applicable to a child’s consent in relation to information society services

Accountability Annotation

Article 8 provides that where the legal basis of consent is being relied on in relation to offering information society services to minors under the age of 16 (or to younger children not younger than 13, if the age threshold is lowered by Member State law), consent must be given or authorised by the holder of parental responsibility over the child. The controller must also make reasonable efforts to verify consent.

See Recitals 38, 58.

Technical and Organisational Measures

Integrate data privacy into the organization’s use of social media practices
This privacy management activity addresses how the organisation uses social media to collect and disseminate information. Policies around social network use may address the collection and processing of personal data for children and minors to ensure such collection and processing adheres to the GDPR requirement that such consent be obtained from the holder of parental responsibility over the child.

Maintain a data privacy notice
This privacy management activity ensures that controllers put in place policies and procedures to ensure that the required information is provided to data subjects when their information is collected.

Maintain policies/procedures for collection and use of children and minors’ personal data
This privacy management activity helps the organisation put in place certain policies and procedures to ensure that consent is given or authorised by the holder of parental responsibility over the child when information services are offered directly to a child.

Maintain policies/procedures for obtaining valid consent
This privacy management activity addresses the different components that make consent valid (e.g., freely given, specific and unambiguous) and how to update consent forms and mechanisms to ensure GDPR compliance.

Example Accountability Mechanisms

• Social Media and Blogging Practices/Policies
• Technical solutions for obtaining verifiable parental consent
• Parental consent notice and forms
• Data privacy notice
• Scripts for providing notice via phone

Example Evidence

• Completed consent forms
• Email confirmations
• Call-center recordings
• Documentation that online Social Media Policies are posted and kept up to date
• Copy of the information notice provided
• Documentation showing that the privacy notice is aligned to legal requirements
• Details on the delivery and timing of the notice

Article 9 - Processing of special categories of personal data

Accountability Annotation

Article 9 sets out a general prohibition on the processing of sensitive data, followed by legal grounds on which sensitive personal data can be processed. Sensitive data includes:

• racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade-union membership;
• genetic data;
• biometric data;
• data concerning health or sex life; and
• sexual orientation.

Grounds upon which sensitive data can be processed include:

• with explicit consent;
• for employment, social security, and social protection requirements;
• to protect vital interests of a natural person where consent cannot be obtained;
• for legitimate activities of non-profit organisations with political, philosophical, religious, or trade union aims;
• the data is made publicly available by the data subject;
• establishing, exercising or defending legal claims;
• for reasons of substantial public interest;
• for preventive or occupational medicine, assessing worker capacity, medical diagnosis, provision of health or social care, or managing the health or social care systems and services; or
• for reasons of public interest in areas of:
  o public health;
  o scientific or historical research purposes; or
  o statistical purposes.

See Recitals 51-56.

Technical and Organisational Measures

Document legal basis for processing personal data
This privacy management activity addresses how the organisation determines the legal basis on which processing takes place and ensures that a record of this analysis is kept.

Maintain policies/procedures for collection and use of sensitive personal data (including biometric data)
This privacy management activity helps the organisation put in place policies and procedures to ensure that special categories of personal data are processed only in accordance with the legal grounds set out in Article 9.

Example Accountability Mechanisms

• Data classification standard
• Personal data processing record
• Personal data inventory
• Data privacy policy covering the processing of special categories of personal data
• Consent forms
• Web forms using opt-in consent check boxes
• Trade union agreements
• Works Council agreements
• Litigation procedures

Example Evidence

• Completed consent forms/evidence of explicit consent
• Proof that employees have been trained on the privacy policy and the handling of special categories of personal data
• The personal data inventory maintains a log of sensitive data and indicates the basis for such processing
• Relevant statements of claim or defence, or other documents pertaining to a legal claim
• Documentation concerning any law enforcement requests or emergencies requiring disclosure of data
• Legal opinions relating to the disclosure
• Lawful authority setting out the requirement for processing
• Records of processing activities, including identification of special categories of personal data


Article 10 - Processing of data relating to criminal convictions and offences

Accountability Annotation

Article 10 provides the legal basis upon which personal data relating to criminal convictions and offences may be processed.

Technical and Organisational Measures

Document legal basis for processing personal data
This privacy management activity addresses how the organisation determines the legal basis on which processing takes place and ensures that a record of this analysis is kept.

Example Accountability Mechanisms

• Personal data inventory
• Procedure for conducting background checks

Example Evidence

• Personal data inventory documents whether criminal convictions and offences data is processed and upon what legal authority
• Documentation around the authority for such processing
• Audit results indicating that the background check policy was followed

Article 11 - Processing not requiring identification

This Article provides that once the purposes of processing have been achieved, data controllers are not required to maintain identifying data for the purpose of complying with the GDPR. Where identifying data is not maintained, the data controller is exempt from responding to requests by data subjects to exercise their rights under the GDPR unless the data subject provides sufficient information that they can be identified.

Since this Article is permissive, in that you do not need to maintain data, but you also are not required to destroy it, there are no accountability obligations formed by this Article.

Data Subject Rights
Article 12 - Transparent information, communication and modalities for exercising the rights of the data subject

This Article requires that when data controllers are providing information to data subjects, whether through privacy notices, in communications regarding access, rectification, correction and objection rights, or as part of breach notifications, the communication must be in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Information may be provided in writing, electronically (where appropriate), or orally (if the identity of the data subject is verified).

The Article also addresses how controllers must respond to data subjects' rights, including the duty to facilitate the exercise of such rights, the timing of responses, identifying data subjects, and fees.

Finally, the Article confirms that privacy notices may be provided in combination with standardised icons, which can convey a meaningful overview of the processing activities.

See Recitals 58-60.

Technical and Organisational Measures:
• Maintain a data privacy notice: this privacy management activity is around publishing external-facing notice of the organisation's processing activities. These notices need to reflect the GDPR obligations around clear and plain language, as well as be transparent and concise.
• Maintain policies/procedures for collection and use of children and minors' personal data: this privacy management activity helps the organisation put in place certain policies and procedures to ensure that consent is given or authorised by the holder of parental responsibility over the child when information services are offered directly to a child.
• Maintain policies/procedures to review processing conducted wholly or partially by automated means: this privacy management activity supports determining whether processing activities are captured by the restriction on automated decision-making and presents options for achieving compliance. As part of this activity, data controllers must implement measures to safeguard the data subject's rights and freedoms and legitimate interests. These measures (e.g., providing a right to express a point of view and contest the decision) would need to adhere to Article 12's requirements around clarity of communication, time frames and appropriate responses.
• Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol: this privacy management activity helps the organisation identify items that need to be addressed in determining timing and content of notifications to DPAs.

Example Accountability Mechanisms:
• Data privacy notice
• Supporting guidelines indicating how and when privacy notices are communicated to individuals (just in time notice, icons, scripts, etc.)
• Procedures for handling customer requests to exercise their rights
• Breach notification protocol that addresses use of clear and plain language

Example Evidence:
• Copy of the data privacy notice provided to data subjects and details on the placement and timing of the notice
• Documentation showing that the data privacy notice is aligned to legal requirements
• Workflow for responding to requests demonstrating that procedures are being followed
• Random audit of files demonstrating use of templates in communications with requesters
• Notification letters sent following a breach
Article 13 - Controllers obligations to provide notice to data subjects

Article 13 provides that where personal data relating to data subjects are collected, controllers must provide certain minimum information to those data subjects through an information notice. It also sets out requirements for timing of the notice and identifies when exemptions may apply.

See Recitals 60-62.

Technical and Organisational Measures:
• Maintain a data privacy notice: this privacy management activity ensures that controllers put in place policies and procedures to ensure that the required information is provided to data subjects when their information is collected.
• Maintain policies/procedures for secondary uses of personal data: this privacy management activity addresses having policies and procedures that define how to handle situations when the organisation wishes to use personal data beyond the primary purpose. Secondary uses of data must be disclosed in information notices under Articles 13 and 14.
• Provide data privacy notice at all points where personal data is collected: this privacy management activity addresses how an organisation provides an opportunity for data subjects to review the organisation's privacy notice at the point of data collection.

Example Accountability Mechanisms:
• Data privacy notice
• Just in time data privacy notice
• Mobile data privacy notice
• Short form/condensed data privacy notice
• Translated data privacy notice
• Data privacy notice language for hard copy forms
• Data privacy notice signage
• Data privacy notice in marketing communications
• Data privacy notice in contracts and terms
• Scripts for providing notice via phone

Example Evidence:
• Copy of the information notice provided to data subjects
• Documentation showing that privacy notice is aligned to legal requirements
• Details on the placement and timing of the notice
• Copies of contracts showing requirements for privacy notice language
• Records of training sessions with call center reps providing instruction on how to provide notice via phone
Article 14 – Controllers obligations to provide notice where data have not been obtained from the data subject

Article 14 specifies what information is required to be provided to data subjects when the personal data have not been obtained from the data subject.

See Recitals 60-62.

Technical and Organisational Measures:
• Maintain a data privacy notice: this privacy management activity ensures that controllers put in place policies and procedures to ensure that the required information is provided to data subjects when their information is collected.
• Maintain policies/procedures for secondary uses of personal data: this privacy management activity addresses having policies and procedures that define how to handle situations when the organisation wishes to use personal data beyond the primary purpose. Secondary uses of data must be disclosed in information notices under Articles 13 and 14.
• Provide data privacy notice at all points where personal data is collected: this privacy management activity addresses how an organisation provides an opportunity for data subjects to review the organisation's privacy notice at the point of data collection.

Example Accountability Mechanisms:
• Data privacy notice
• Just in time data privacy notice
• Mobile data privacy notice
• Short form/condensed data privacy notice
• Translated data privacy notice
• Data privacy notice language for hard copy forms
• Data privacy notice signage
• Data privacy notice in marketing communications
• Data privacy notice in contracts and terms
• Scripts for providing notice via phone

Example Evidence:
• Copy of the information notice provided to data subjects
• Documentation showing that privacy notice is aligned to legal requirements
• Details on the placement and timing of the notice
• Copies of contracts showing requirements for privacy notice language
• Records of training sessions with call center reps providing instruction on how to provide notice via phone
Article 15 - Right of access for the data subject

This Article addresses the right of data subjects to obtain confirmation of whether their personal data is being processed, where it is being processed, and to have access to the data. Additionally, it lists further information that should be supplied:

• Purpose of processing;
• Categories of data;
• Recipients of data;
• Data storage period;
• Rights to rectification & complaint;
• Source of data;
• Existence of automated processing, associated logic and consequences; and
• Safeguards for transfer to third countries or international organisations.

The costs and timeframe for this right are addressed in Article 12.

See Recitals 63, 64.

Technical and Organisational Measures:
• Maintain procedures to respond to requests for access to personal data: this privacy management activity addresses the primary process and procedures needed to ensure that an organisation can respond to access requests in a timely and appropriate manner, providing the data held on the data subject. If implemented, this activity may demonstrate that the right to access is understood and provided for.

Example Accountability Mechanisms:
• Process for responding to data subject access requests
• Template letters for responding to requests
• Subject access request log
• Procedures for responding to customer requests and preferences
• Customer service/privacy mailbox
• Form for the supply of additional data required for access requests

Example Evidence:
• Documentation that workflows for access requests demonstrate that procedures are being followed
• Random audit of files that demonstrates that templates are used in communications with requesters
• Documentation that customer service mailbox is tested to verify that the mailbox is monitored and responded to
• Log tracking subject access requests validates that timelines for responses are met
• Completed forms showing the additional data supplied for access requests

Article 16 - Right to rectification

This Article addresses the right of data subjects to obtain rectification of inaccurate data or completion of incomplete data.

See Recital 65.

Technical and Organisational Measures:
• Maintain procedures to respond to requests and/or provide a mechanism for individuals to update or correct their personal data: this privacy management activity helps put in place mechanisms to ensure that appropriate corrections to records of personal data are made in a timely and effective manner.

Example Accountability Mechanisms:
• Protocol or procedure for responding to rectification requests
• Procedures for responding to customer requests and preferences
• Customer/employee/user portal to update data
• Customer service/privacy mailbox

Example Evidence:
• Audit results that the protocols are being adhered to
• Customer service mailbox is tested to verify that the mailbox is monitored and responded to
• Test results for portal functionality
Article 17 - Right to erasure ("right to be forgotten")

This Article addresses the right of data subjects to obtain from the data controller the erasure of personal data based on certain grounds:

• data are no longer necessary for processing;
• withdrawal of consent;
• objection to processing;
• data were processed unlawfully;
• compliance with a legal obligation; and
• data were collected about children and minors in relation to an information society service.

Exceptions apply.

See Recitals 65, 66.

Technical and Organisational Measures:
• Maintain procedures to respond to requests to be forgotten or for erasure of data: this privacy management activity outlines the processes to ensure that personal data are deleted upon request, where appropriate, in a timely and effective manner.

Example Accountability Mechanisms:
• Protocol or procedure for responding to right to be forgotten requests
• Procedures for responding to customer requests and preferences
• Customer or user portal to update data
• Customer service/privacy mailbox

Example Evidence:
• Audit results that the protocols are being adhered to
• Customer service mailbox is tested to verify that the mailbox is monitored and responded to
• Test results for portal functionality


Article 18 - Right to restriction of processing

This Article addresses the right of a data subject to obtain a restriction (i.e., marking stored personal data for the purpose of limiting their processing in the future) on the processing of personal data in cases such as pending verification of a legal ground to process or where accuracy of the data is disputed.

See Recital 67.

Technical and Organisational Measures:
• Maintain procedures to respond to requests to opt-out of, restrict or object to processing: implementing this privacy management activity will help organisations put in place processes to ensure that records of personal data are used in line with any restrictions, covering not only use by the data controller but also use by downstream recipients.

Example Accountability Mechanisms:
• Procedure for responding to privacy-related queries, requests and complaints
• Procedures for responding to customer requests and preferences
• Customer or user portal to update data
• Customer service/privacy mailbox

Example Evidence:
• Audit results that the protocols are being adhered to
• Customer service mailbox is tested to verify that the mailbox is monitored and responded to
• Test results for portal functionality
Article 19 - Notification obligation regarding rectification, erasure or restriction

This Article creates an obligation to notify each recipient to whom data has been disclosed of any rectification, erasure or restriction of processing. There is also an obligation to provide information to the data subject about these recipients upon request. There is an exception to such notification if it proves impossible or involves disproportionate effort.

See Recital 66.

Technical and Organisational Measures:
• Maintain procedures to respond to requests and/or provide a mechanism for individuals to update or correct their personal data: this privacy management activity helps put in place mechanisms to ensure that appropriate corrections to records of personal data are made in a timely and effective manner.
• Maintain procedures to respond to requests to opt-out of, restrict or object to processing: this privacy management activity outlines the processes to ensure that appropriate corrections to records of personal data are made, including not only records held by the data controller but also those held by downstream recipients.
• Maintain procedures to respond to requests to be forgotten or for erasure of data: this privacy management activity outlines the processes to ensure that personal data are deleted upon request, where appropriate, in a timely and effective manner.

Example Accountability Mechanisms:
• Procedures for responding to customer requests and preferences
• Personal data inventory
• Personal data flow charts
• Data privacy and security requirements for third parties

Example Evidence:
• Audit results that the protocols are being adhered to
• Communications with data recipients
• Personal data inventory indicates recipients of data
• Data flows indicate third party recipients of data
• Agreements with third parties address notification regarding any requests for rectification, erasure or restriction
Article 20 - Right to data portability

This Article provides data subjects with a right to, in certain circumstances, receive personal data concerning him or her in a structured, commonly used and machine-readable format, and to transmit such data to another data controller.

See Recital 68.

Technical and Organisational Measures:
• Maintain procedures to respond to requests for data portability: this privacy management activity addresses the concept of data portability and how to operationalise that concept within the organisation.

Example Accountability Mechanisms:
• Procedures for responding to customer requests and preferences
• Technical solution for processing data portability requests

Example Evidence:
• Audit results that the protocols are being adhered to
• Testing of technical solution validates that data is being exported properly


Article 21 - Right to object

This Article addresses the right of data subjects to object to the processing of his or her personal data. The grounds for objecting must relate to the particular situation of the data subject, and the right to object only applies to processing, including profiling, that is for:

• performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
• purposes of the legitimate interests pursued by the data controller or a third party;
• direct marketing purposes; or
• scientific or historical research or statistical purposes.

When a data subject exercises the right to object, the data controller must cease processing the personal data unless one of the exceptions applies (no exception applies to direct marketing processing).

See Recitals 69, 70.

Technical and Organisational Measures:
• Maintain procedures to respond to requests to opt-out of, restrict or object to processing: implementing this privacy management activity will help organisations put in place processes to ensure that records of personal data are used in line with any restrictions, covering not only use by the data controller but also use by downstream recipients.
• Provide data privacy notice at all points where personal data is collected: this privacy management activity addresses how an organisation provides an opportunity for data subjects to review the organisation's privacy notice at the point of data collection.
• Integrate data privacy into research practices: this privacy management activity generally deals with how an organisation maintains procedures for research practices, including processes to obtain personal data for research purposes, ensuring valid consents are obtained, de-identifying data where possible, and taking measures to ensure that research data maintained for scientific, historical or statistical research is safeguarded against improper use.
• Integrate data privacy into direct marketing practices: this privacy management activity addresses the policies/procedures that organisations put in place to ensure that the right of the data subject to object to direct marketing is honoured in an organisation's direct marketing practices.

Example Accountability Mechanisms:
• Guidance for analysing and responding to data subject objections to processing (e.g. operating procedures or technical processes)
• Procedures for responding to customer requests and preferences
• Customer or user portal to update data
• Customer service/privacy mailbox
• Procedure for responding to privacy-related queries, requests and complaints

Example Evidence:
• Reviews of customer service interactions validating that guidelines are being followed
• Complaint resolution report
• URL for or hard copy of privacy notice that includes information on right to object and contact information
• Customer service mailbox is tested to verify that the mailbox is monitored and responded to
• Documentation that relevant employees have been provided training on guidance documents
• Webpages showing contact information or forms for submitting requests
• Printed advertising materials containing information on how to opt-out of receiving marketing offers
Article 22 - Automated individual decision making, including profiling

This Article addresses the right of data subjects not to be subject to a decision based solely on automated processing, where such decisions would have a legal or similarly significant effect concerning him or her.

It also sets out when the right does not apply (e.g., where necessary for a contract or with explicit consent of the data subject) and includes suitable safeguards.

There is a prohibition against using sensitive data as part of automated decision making unless 1) the processing takes place with explicit consent of the data subject (unless banned by Member State law) or 2) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law.

See Recitals 71, 72.

Technical and Organisational Measures:
• Maintain policies/procedures to review processing conducted wholly or partially by automated means: this privacy management activity supports determining whether processing activities are captured by the restriction on automated decision-making and presents options for achieving compliance. As part of this activity, data controllers must implement measures to safeguard the data subject's rights and freedoms and legitimate interests. These measures (e.g., providing a right to express a point of view and contest the decision) would need to adhere to Article 12's requirements around clarity of communication, time frames and appropriate responses.

Example Accountability Mechanisms:
• Personal data processing register
• Personal data inventory
• Procedure for automated processing

Example Evidence:
• Personal data processing register that identifies automated processing and states a legal basis for such processing
• Evidence of a manual intervention/human check in the decision making process


Article 23 - Restrictions

This Article provides that Union or Member State law may create restrictions on the scope of data subject rights, and thus
the obligations on data controllers.
Controller and Processor General Obligations
Article 24 - Responsibility of the controller

Article 24 requires the data controller to implement appropriate technical and organisational measures to ensure and be able to demonstrate compliance with the GDPR.

The appropriateness of these measures is based on a risk assessment that takes into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of individuals. There is a specific reference that, where proportionate in relation to the processing activities, data protection policies shall be implemented.

See Recitals 74-77.

Technical and Organisational Measures:
• Conduct an enterprise privacy risk assessment: this privacy management activity enables the privacy office to identify issues and risks and determine, based on the likelihood and impact, where to prioritise resources to mitigate the risks. Note that this privacy management activity refers to high level risk assessments, not project or initiative based risk assessments, which are addressed in privacy management category 10, Monitor for New Operational Practices.
• Maintain a data privacy policy: this privacy management activity helps the organisation create and maintain an organisational-level privacy policy to provide guidance to employees regarding the processing and protection of personal data, to ensure that such processing aligns with the obligations of the GDPR. Where relevant (Article 91) it will also address specific data processing obligations that apply to organisations such as churches and other religious associations.
• Conduct self-assessments of privacy management: this privacy management activity helps the privacy office establish a procedure to ensure the ability to demonstrate that appropriate technical and organisational measures have been put in place for compliance with the GDPR.
• Maintain documentation as evidence to demonstrate compliance and/or accountability: this privacy management activity supports the organisation creating a process for maintaining documentation of the technical and organisational measures it has put in place in order to demonstrate compliance with the GDPR.

Example Accountability Mechanisms:
• Data privacy policy
• Enterprise privacy risk assessment
• Privacy self-assessment
• Readiness assessments
• Privacy compliance software tools

Example Evidence:
• All evidence obtained from complying with the other articles may be leveraged to support demonstrating compliance with the GDPR overall
• Risk assessments showing that risks of varying likelihood and severity for individuals' rights and freedoms have been measured and mitigated by the measures put in place
• Audits and assessments verifying compliance with the data privacy policy and the GDPR
Article 25 - Data protection by design and by default

This Article introduces new responsibilities for the controller and requires data protection by design and by default.

Data controllers must, at the time of determining the means of processing as well as when actually processing, implement appropriate technical and organisational measures (e.g., pseudonymisation) to implement the data protection principles set out in Article 5 (such as data minimisation) and integrate necessary safeguards into the processing to meet the GDPR requirements.

Data controllers must also implement data protection by default, i.e. implement appropriate technical and organisational measures to ensure that, by default, only personal data necessary for each specific purpose are processed. The concept of "necessary" informs the amount of data collected, the extent of processing, and the retention and accessibility of data.

In particular, absent the intervention of the data subject, controllers must ensure that by default personal data are not made accessible to an indefinite number of individuals.

Adherence to an approved certification mechanism (as described in Article 42) may be used as an element to demonstrate compliance with these requirements.

See Recital 78.

Technical and Organisational Measures:
• Conduct PIAs/DPIAs for new programs, systems, processes: this privacy management activity addresses guidelines on when a DPIA is required as part of the development process for new processing.
• Conduct PIAs/DPIAs for existing programs, systems, processes: this privacy management activity addresses having policies and procedures to follow when there is a change to existing processes, programs or systems, to ensure that data protection risks are measured, analysed and mitigated.
• Integrate Privacy by Design into data processing operations: this privacy management activity addresses frameworks to help engineers and application developers embed privacy-protective mechanisms into the fundamental design of processing activities.

Example Accountability Mechanisms:
• PbD audit certification
• Privacy by Design methodology
• Data privacy policy
• Records retention schedule
• PIA/DPIA template
• PIA/DPIA tool
• Application development protocols
• Information security assessment process
• Software tools for aggregation, data masking, or pseudonymisation
• Policies for de-identification of data

Example Evidence:
• Audit results verify compliance with privacy by design methodology
• Audits of processing activities verify that only the necessary personal data is collected and the retention schedule was followed
• DPIAs consider privacy by design as part of the privacy impact mitigation
• Information security assessment demonstrates data protection measures were based on an assessment of risk
• Verified compliance with policies and procedures for data minimisation, pseudonymisation and anonymisation
• Test results verifying that data sets were anonymised or pseudonymised
• Test results showing an inability to re-identify data sets
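Article 25 names pseudonymisation and data minimisation as technical measures and lists re-identification testing among the evidence. The Python below is an added illustration, not code from the handbook or from Nymity, of what those measures look like in a data pipeline: each record is reduced to the fields a (hypothetical) purpose needs, the customer identifier is replaced by a keyed pseudonym whose key is held separately (the "additional information" that Article 4(5) requires to be kept apart), and an enumeration test shows why an unkeyed hash of a guessable identifier is not a sound pseudonym. The record layout, purposes, five-digit identifier space and sample records are all constructed for the example.

```python
"""Added illustration of Article 25 measures (not Nymity's or the handbook's code).

Assumptions made for the example: records are dicts, customer identifiers are
five-digit strings (a small, guessable space), and the purpose-to-field map
below is hypothetical.
"""
import hashlib
import hmac
from typing import Callable, Dict, Iterable, List, Optional, Set

# Data protection by default: each purpose lists the only fields it may see.
# (Hypothetical purposes and fields, constructed for the example.)
PURPOSE_FIELDS: Dict[str, Set[str]] = {
    "order_fulfilment": {"customer_id", "postcode", "order_total"},
    "sales_analytics": {"customer_id", "postcode", "order_total"},
}


def minimise(record: Dict[str, object], purpose: str) -> Dict[str, object]:
    """Keep only the fields the stated purpose needs; everything else is dropped."""
    allowed = PURPOSE_FIELDS[purpose]
    return {field: value for field, value in record.items() if field in allowed}


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. The key is the 'additional information' that must be
    kept separately (Article 4(5)); without it the pseudonym cannot be reversed,
    even by enumerating every possible identifier."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def unkeyed_pseudonym(identifier: str) -> str:
    """Plain SHA-256 of the identifier. Deterministic and reproducible by anyone,
    so it only hides identifiers that cannot be guessed; a weak pseudonym here."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:16]


def reidentify(target: str, candidates: Iterable[str],
               fn: Callable[[str], str]) -> Optional[str]:
    """Re-identification test: feed every candidate identifier through `fn` and
    report the one that reproduces `target`, or None if no candidate does."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), target):
            return candidate
    return None


def pseudonymise_dataset(records: List[Dict[str, object]], key: bytes,
                         purpose: str) -> List[Dict[str, object]]:
    """Minimise each record for `purpose`, then replace the customer identifier
    with its keyed pseudonym. The result is what the analytics team receives;
    only the key holder can relink a pseudonym to a person, which is what makes
    rectification or erasure requests actionable against the pseudonymised copy."""
    output = []
    for record in records:
        reduced = minimise(record, purpose)
        reduced["customer_id"] = keyed_pseudonym(str(record["customer_id"]), key)
        output.append(reduced)
    return output


def candidate_ids() -> List[str]:
    """The whole identifier space under the example's assumption: 100,000 values."""
    return [f"{i:05d}" for i in range(100_000)]


if __name__ == "__main__":
    # Constructed sample data for the example.
    raw = [
        {"customer_id": "04217", "email": "alice@example.org", "postcode": "SW1A 1AA",
         "order_total": 42.50, "date_of_birth": "1984-02-11"},
        {"customer_id": "91003", "email": "bob@example.org", "postcode": "M1 1AE",
         "order_total": 9.99, "date_of_birth": "1990-07-30"},
    ]
    key = b"\x13" * 32  # in practice drawn from a separately managed key store
    shared = pseudonymise_dataset(raw, key, "sales_analytics")
    print(shared)
    # An unkeyed hash of a 5-digit ID falls to enumeration; the keyed HMAC does not.
    print(reidentify(unkeyed_pseudonym("04217"), candidate_ids(), unkeyed_pseudonym))
    print(reidentify(shared[0]["customer_id"], candidate_ids(), unkeyed_pseudonym))
```

The enumeration test is the kind of check that backs the "inability to re-identify data sets" evidence above: a reviewer who can regenerate the pseudonym without any secret (as with the plain hash) can trivially recover a small identifier such as a customer number, a phone number or a date of birth. Keeping the HMAC key with a separate key holder, and rotating it per data release where linkability across releases is not needed, is what turns the same transformation into a defensible pseudonymisation measure.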


Article 26 - Joint controllers

The GDPR provides that where two or more controllers jointly determine the purposes and means of the processing of personal data, they are joint controllers.

In a transparent manner, the data controllers must, by way of an arrangement between them, determine their respective obligations for complying with the GDPR. The "essence" of the arrangement must be made available to the data subject and, regardless of any arrangements to the contrary, data subjects may exercise their rights against either data controller.

See Recital 79.

Technical and Organisational Measures:
• See Articles 12 and 15 relating to transparency and providing information to data subjects.
• See Articles 15, 16, 17, 18, 19, 20 and 21 for privacy management activities related to responding to requests exercising data subject rights.

Example Accountability Mechanisms:
• Data privacy notice that provides transparency around the joint controller relationship and identifies a point-of-contact for data subject requests
• Joint controller agreement
• Process for responding to data subject access requests
• Procedure for responding to privacy-related queries, requests and complaints
• See additional measures in Articles 12 and 15-21

Example Evidence:
• URL for or hard copy of data privacy notice that provides transparency around the joint controller relationship and identifies a point-of-contact for data subject requests
• See additional evidence in Articles 12 and 15-21

Article 27 – Assign responsibility for Defined privacy roles and Written contract or
Representatives of data privacy to an responsibilities agreement with the
controllers not individual (e.g. Privacy representative
established in the Union Officer, General
Contract template for
Counsel, CPO, CISO, Assessment/legal opinion
representative function
In cases where a non-EU EU Representative) of whether a
data controller or data representative must be
processor is offering goods This privacy management appointed
or services (paid or free) to activity addresses how
EU data subjects, or is organisations assign a Written mandate for the
monitoring the behaviour point of contact or Representative to act on
of data subjects within the responsibility for the behalf of the controller or
EU, the data controller or operational aspects of a processor
processor must designate in privacy programme to an
writing a representative in individual. Documentation of
the EU. Representatives are communication of the
legal or natural persons Representative, e.g.
who represent the within a privacy notice or
controller or processor with via a website

© 2019 Nymity Inc. 42


GDPR Accountability Handbook

Technical and
Accountability Example Accountability
Organisational Example Evidence
Annotations Mechanisms
Measures
respect to their obligations
under the GDPR and must
be established in the same
Member State as the data
subjects who are being
monitored or to whom
goods or services are
offered.

Exceptions apply if the data


controller or processor:

• is a public sector body; or


• only processes on occasion,
does not process large
amounts of special data,
and is unlikely to result in a
risk for the rights and
freedoms of individuals.

See Recital 80.


Article 28 - Processor

This Article creates an obligation on data controllers to only outsource processing to those entities that provide sufficient guarantees to implement appropriate measures to ensure GDPR compliance, and to have a contract or other binding legal act that governs the relationship. The required contents of such a contract are set out.

The Article also limits the ability of processors to subcontract without consent of the data controller, and specifies what guarantees need to be in place in this arrangement.

See Recital 81.

Technical and Organisational Measures:
• Conduct due diligence around the data privacy and security posture of potential vendors/processors: this privacy management activity addresses the requirement that due diligence is necessary as part of ensuring that processing is only done by entities with sufficient data protection guarantees.
• Maintain data privacy requirements for third parties (e.g., clients, vendors, processors, affiliates): this privacy management activity helps the organisation determine what data protection requirements are needed for contracts with third parties who receive and use the personal data on behalf of the organisation.
• Maintain procedures to execute contracts or agreements with all processors: this privacy management activity addresses steps taken to ensure written or electronic contracts are in place with processors.

Example Accountability Mechanisms:
• Data privacy and security requirements for third parties
• Vendor risk assessment process
• Contracts with third parties processing data
• Procurement policy
• Vendor self-assessment
• Vendor third party assurance
• Vendor due diligence
• Vendor due diligence renewal
• Contracts for hosted resources
• Standard Contractual Clauses template
• Data transfer agreement template

Example Evidence:
• Data processing agreements or contracts are consistent with legal obligations and privacy risk management activities
• Adherence of the processor to an approved code of conduct or certification mechanism
• Copies of standard contractual clauses used in processing agreements
• Due diligence checklists are completed
• Due diligence checklists are completed again upon contract renewal
Article 29 - Processing under the authority of the controller and processor

This Article indicates that processors and staff of controllers and processors must only process personal data in accordance with either data controller instructions or a requirement of Union or Member State law.

See Recital 81.

Technical and Organisational Measures:

• Maintain procedures to execute contracts or agreements with all processors. This privacy management activity addresses steps taken to ensure written or electronic contracts are in place with processors.

Example Accountability Mechanisms:

• Data privacy and security requirements for third parties
• Contracts with third parties processing data
• Contracts for hosted resources
• Procurement policy
• Employment agreement outlining security and privacy responsibilities
• Code of Conduct

Example Evidence:

• Data processing agreements or contracts include limitations on processing
• Employment contracts address privacy and security obligations on employees
• Audit of HR records verifies that a random sample of employees all have signed employment contracts in place
• Acknowledgement of the Code of Conduct is obtained and maintained
Article 30 - Records of processing activities

Article 30 sets out a detailed list of information that must be maintained as records of processing activities carried out by and on behalf of the controller, as well as the requirement to make the records available to data subjects and Supervisory Authorities upon request.

See Recital 82.

Technical and Organisational Measures:

• Maintain an inventory of personal data and/or processing activities. This privacy management activity will help the privacy office develop an inventory of processing activities that addresses the information required to be maintained.

Example Accountability Mechanisms:

• Records of processing activities
• Personal data inventory
• Ad hoc walk-throughs and assessments

Example Evidence:

• A record listing the purposes of data processing, categories of data and data subjects, categories of recipients and the country they are located in, applicable transfers, retention periods, and other details set out in Article 30
• Personal data inventory that includes required fields
• Ad hoc assessments of business practices verify that all processing activities are included in the personal data inventory
Article 31 - Co-operation with the supervisory authority

This Article introduces an obligation on controllers, processors and representatives to cooperate with supervisory
authorities in the performance of their tasks. This obligation only arises in the context of an action from the supervisory
authority, and compliance could take the form of providing requested documents in a timely manner, allowing access to
premises and processing equipment, and not obstructing any investigation. As this activity relates to participation in
enforcement and oversight, no accountability obligations are created.
Data Security
Article 32 - Security of processing

Article 32 requires an “appropriate” level of security based on the state of the art and costs of implementation, processing activities, and risk of varying likelihood and severity to individuals' rights and freedoms. Examples are provided of measures that might be appropriate depending on the level of risk:

• pseudonymisation or encryption;
• the ability to ensure the confidentiality, integrity, availability, and resilience of systems and services processing personal data;
• the ability to restore availability of and access to data in the event of an incident; or
• regular tests of the effectiveness of security measures.

Article 32 also requires that any person with access to personal data only processes such data in accordance with instructions from the data controller.

See Recital 83.

Technical and Organisational Measures:

• Integrate data privacy into security risk assessments. This privacy management activity addresses the role of the privacy officer in ensuring privacy and data protection are taken into account as part of security risk assessments.
• Maintain measures to encrypt personal data. This privacy management activity helps the privacy office put in place encryption practices as an appropriate technical and organisational measure to ensure an appropriate level of security.
• Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring). This privacy management activity helps the privacy office assess what technical security measures are in place to ensure an appropriate level of security based on the considerations set out in Article 32.
• Integrate data privacy into an information security policy. This privacy management activity helps the privacy office insert privacy and data protection consideration into the information security policy.
• Conduct regular testing of data security posture. This privacy management activity helps the organisation address the requirement to put in place a technical or organisational measure to ensure the security of the processing of personal data.
• Maintain procedures to restrict access to personal data (e.g. role-based access, segregation of duties). This privacy management activity helps the organisation address how organisations restrict access to personal data to those employees and users who have a legitimate business need to access the data.
• Maintain data privacy requirements for third parties (e.g. clients, vendors, processors and affiliates). This privacy management activity helps the organisation determine what data protection requirements are needed for contracts with third parties who receive and use the personal data on behalf of the organisation.

Example Accountability Mechanisms:

• Information security risk assessment process
• Information security policy
• Data classification standard
• ISO certification
• SOC 2/3 certification
• ITIL certification
• IT tools for monitoring network activity
• PKI (encryption) technology & processes
• Symmetric encryption
• Encrypted communication channels
• Acceptable use policy
• Information security audit of system access privileges
• Personal data access policy
• Password parameters
• Data center security measures (e.g., biometrics, access restriction, monitoring)
• Electronic badge access system
• Physical records room with locked doors
• Restricted access to backup tapes and media
• Clean desk policy
• Employee agreement outlining security and privacy responsibilities
• Employee termination checklist
• Procedures for conducting background checks
• Data loss prevention (DLP) software
• Data privacy and security requirements for third parties
• Contracts with third parties processing data
• Software tools for aggregation, data masking, pseudonymisation, or anonymization
• Policy and procedure on pseudonymisation or anonymization
• Business continuity plan

Example Evidence:

• Information security assessment demonstrates measures were based on an assessment of risk
• Information security policies and procedures reflect alignment with privacy objectives, legal compliance and risk management
• Audit results verify compliance with security policies
• Contracts with employees and contractors limit the processing of personal data
• Audits of access to personal data determine if appropriate access levels are maintained and verify need-to-know principle is implemented
• Register of employees and contractors detailing access rights to IT systems and data
• Audits of access to personal data to determine if existing procedures are appropriate based on the purpose for which the data was collected and the nature of the access
• Testing of security software validates proper functioning of the software
• Penetration testing
• Verified compliance with policies and procedures for data minimisation, pseudonymisation, and anonymisation
• Test results verifying that data sets were anonymised or pseudonymized
• Test results showing an inability to reidentify data sets
• Testing of the business continuity plan

Article 33 – Notification of a breach to the DPA

Article 33 makes it mandatory to notify supervisory authorities in the event of a data breach that poses a "risk of harm". The notification is expected without undue delay and where feasible within 72 hours. As well, detailed content requirements are set out for the notification letter. The circumstances of the data breaches must also be documented.

See Recitals 85, 87, 88.

Technical and Organisational Measures:

• Maintain a data privacy incident/breach response plan. This privacy management activity helps organisations create a breach response infrastructure that will facilitate compliance with the specific requirements under Article 33 respecting timing requirements for notification and the content of a notification letter. It further ensures that recordkeeping requirements are captured.
• Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol. This privacy management activity helps the organisation identify items that need to be addressed in determining timing and content of notifications to DPAs.
• Maintain a log to track data privacy incidents/breaches. This privacy management activity helps the organisation address the specific requirement under Article 33.5 requiring that a controller document personal data breaches.

Example Accountability Mechanisms:

• Data breach response plan
• Data breach notification protocol
• Data breach metrics
• Data breach response plan testing
• Data breach reports
• Incident and breach summary forms
• Information loss report and management form
• Contact list for breach response team

Example Evidence:

• Test results of the incident response protocol demonstrate that steps taken following a data breach ensure the organisation is in a position to provide notification if a risk is found
• Notification letters sent in response to breach events
• Metrics around letters sent and number of events requiring notification vs events not requiring notification
• Log entries demonstrating that the required detail is documented
• Completed incident summary forms
Article 34 – Communication of a data breach to the data subject

Article 34 requires notification to data subjects of breaches that result in a "high risk" for the rights and freedoms of individuals.

See Recitals 86, 87.

Technical and Organisational Measures:

• Maintain a data privacy incident/breach response plan. This privacy management activity helps organisations create a breach response infrastructure that will facilitate compliance with the specific requirements under Article 33 respecting timing requirements for notification and the content of a notification letter. It further ensures that recordkeeping requirements are captured.
• Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol. This privacy management activity helps the organisation identify items that need to be addressed in determining timing and content of notifications to DPAs.

Example Accountability Mechanisms:

• Data breach response plan
• Data breach notification protocol
• Template breach notification letters
• Data breach metrics
• Data breach response plan testing

Example Evidence:

• Documentation of the determination of whether a breach posed a sufficiently high risk to warrant notification or not
• Notification letters sent in response to high risk events
• Metrics around letters sent and number of events requiring notification vs events not requiring notification
• Test results showing that the breach response plan complies with the GDPR
Data Protection Impact Assessments
Article 35 - Data protection impact assessment (DPIA)

General requirement: This Article requires data controllers to assess the impact of processing operations on the protection of personal data where the processing is likely to result in a high risk for the rights and freedoms of data subjects. When carrying out the DPIA, the controller must seek the advice of the Data Protection Officer (when designated).

When DPIAs are required: The processing activities in which a DPIA is required are:

• automated decision-making, including profiling, that produce legal or similarly significant effects;
• large scale processing of special categories data referred to in Article 9(1) (e.g. health, sex life, race or ethnic origin, or biometric data) or data referred to in Article 10, related to criminal convictions or offences; or
• large scale, systematic monitoring of a publicly accessible area.

Supervisory authorities have the discretion to make a public list of additional kinds of processing that will require DPIAs and processing for which DPIAs will not be required.

DPIA content requirements: DPIAs should contain:

• a description of the processing activities being assessed;
• an assessment of the risks to data subjects; or
• a description of the measures the controller will take to address these risks, including the safeguards, security measures and mechanisms that the controller will implement to ensure compliance with the GDPR.

Finally, if the risks posed by the processing change, a review must be conducted to assess whether processing still complies with the DPIA.

See Recitals 84, 89-93.

Technical and Organisational Measures:

• Maintain PIA/DPIA guidelines and templates. This privacy management activity addresses guidelines on how to conduct a DPIA to analyse the processing of personal data and determine risks to such personal data. It helps organisations ask questions during the development of their processing programs to take into account the available technology, cost of implementation, nature, scope, context, and purposes of processing, and measures that could be applied to protect the rights of data subjects (e.g., pseudonymisation).
• Conduct PIAs/DPIAs for new programs, systems, processes. This privacy management activity addresses guidelines on when a DPIA is required as part of the development process for new processing.
• Engage external stakeholders (e.g., individuals, privacy advocates) as part of the PIA/DPIA process. This privacy management activity helps the organisation develop guidance on how to consult with external parties as part of the DPIA process.
• Conduct PIAs or DPIAs for changes to existing programs, systems or processes. This privacy management activity addresses having policies and procedures to follow when there is a change to existing processes, programs or systems to ensure that data protection risks are measured, analysed and mitigated.
• Track and address data protection issues identified during PIAs/DPIAs. This privacy management activity ensures the organisation treats similar data protection issues consistently and allows for learning from one PIA/DPIA to be applied to subsequent PIAs/DPIAs.

Example Accountability Mechanisms:

• Data protection impact assessment (“DPIA”) guidelines
• PIA/DPIA template
• PIA/DPIA tool
• Privacy threshold analysis
• Procedures or guidance on when to seek DPO input
• Procedures to consult stakeholders
• Procedures for handling privacy issues in new systems
• Procedures for handling privacy issues in new products
• Guidelines and policies on when to reach out to the supervisory authorities to assess risk mitigation

Example Evidence:

• DPIA reports including required content
• DPIAs demonstrating that the necessary safeguards were integrated into the data processing
• Threshold analyses demonstrating assessments of whether a high risk exists such that a full DPIA is required
• Sample communications between the DPO and the lines of business on DPIAs
• Evidence that consultations were held with affected populations or their representatives where appropriate (e.g., advocates, community groups)
• Assessments/reviews of processing activities in light of new or changes to risks
• Evidence that Data Protection Officer’s opinion and advice was sought as part of the DPIA process
• Log tracks DPIA outcomes and implementation of mitigating controls
• Reviews of and updates to existing Accountability Mechanisms
Article 36 - Prior consultation

This Article requires data controllers to consult with the supervisory authority when a DPIA indicates that processing would result in a high risk to data subjects.

The Article lists the minimum information the data controller needs to provide to the supervisory authority. Within 8 weeks (an additional 6 weeks may be provided for complex processing), the supervisory authority shall give advice on whether the intended processing complies with the GDPR.

See Recitals 94-96.

Technical and Organisational Measures:

• Report PIA/DPIA analysis and results to regulators (where required) and external stakeholders (if appropriate). This privacy management activity addresses when and how to report PIAs/DPIAs to supervisory authorities.

Example Accountability Mechanisms:

• Data protection impact assessment (“DPIA”) guidelines
• PIA/DPIA template
• PIA/DPIA tool
• Communication templates

Example Evidence:

• DPIAs identify high risk processing
• Correspondence with the supervisory authority seeking advice regarding the intended processing
• Responses from the supervisory authority providing advice regarding the processing
• Determinations around whether such reporting is required and documentation that consultations were executed would demonstrate compliance with the GDPR


Data Protection Officers
Article 37 - Designation of the data protection officer

Article 37 provides that the data controller or the data processor shall designate a data protection officer ("DPO") in three circumstances – if they:

• are a public sector body;
• are a body which processes large amounts of special data (Articles 9 & 10); or
• undertake large scale, regular & systematic monitoring of data subjects.

Additionally, the appointment may be required by specific Union or Member State law. The DPO must have expert knowledge of data protection law. They may be an employee or third party under contract. Their contact details must be published and given to the Supervisory Authority.

See Recital 97.

Technical and Organisational Measures:

• Appoint a Data Protection Officer (DPO) in an independent oversight role. This privacy management activity addresses the appointment of a Data Protection Officer, including assignment of tasks. In order to achieve GDPR compliance, the assignment of responsibility for privacy includes the broader organisation, guaranteeing the independence of the office, funding and resourcing the office, addressing the resolution of conflicts of interest, and stressing the DPO’s responsibility for oversight of all processing activities.

Example Accountability Mechanisms:

• Job descriptions for data protection-related roles
• Contract templates for DPO functions (if outsourcing)
• Defined privacy roles and responsibilities
• Privacy steering committee
• Data privacy notice
• Onboarding protocol for the DPO function

Example Evidence:

• An organisational chart showing the DPO role
• The job description for the DPO addresses the qualifications required by the office holder
• A contract with the DPO sets out the qualifications required by the office holder
• Data privacy notice includes the DPO’s contact details
• The DPO’s contact details are published on the organization’s website
• Onboarding protocol includes reporting the DPO contact details to the supervisory authority
• Communication with the supervisory authority providing the DPO contact details
Article 38 - Position of the data protection officer

Article 38 positions the DPO within the organisation, requiring involvement in all issues relating to processing personal data, with sufficient resources, acting in an independent manner, and with direct reporting to the highest management level. They shall also be available to be contacted by data subjects.

See Recital 97.

Technical and Organisational Measures:

• Appoint a Data Protection Officer (DPO) in an independent oversight role. This privacy management activity addresses the appointment of a Data Protection Officer, including assignment of tasks. In order to achieve GDPR compliance, the assignment of responsibility for privacy includes the broader organisation, guaranteeing the independence of the office, funding and resourcing the office, addressing the resolution of conflicts of interest, and stressing the DPO’s responsibility for oversight of all processing activities.
• Conduct regular communication between the privacy office, privacy network and others responsible/accountable for data privacy. This privacy management activity addresses how individuals who are accountable and responsible for data privacy regularly communicate with each other. This communication is essential for the DPO to be involved in all issues relating to the processing of personal data.

Example Accountability Mechanisms:

• PIA/DPIA template
• Budget for the DPO function
• Policy on conflict of interests
• Formal reporting structures
• Defined privacy roles and responsibilities
• Privacy steering committee
• Procedure for responding to privacy-related queries, requests and complaints
• Data privacy notice
• Procedures or guidance on when to seek DPO input

Example Evidence:

• DPIA guidelines address when to involve the DPO in processing decisions
• Each required task of the DPO is a line item in the budget for the DPO function
• Potential conflicts of interest are reported and documented
• Sample communications through established reporting structures
• Data privacy notice includes the DPO’s contact details
• The DPO’s contact details are published on the organization’s website
• Sample communications between the DPO and the lines of business
Article 39 - Tasks of the data protection officer

Article 39 sets out the tasks of the DPO: advise the Controller or Processor and its employees of data protection obligations; monitor compliance, including assigning responsibilities, training and audits; advising on & monitoring DP impact assessments, cooperating and contacting the supervisory authority as required, and reviewing processing risk.

See Recital 97.

Technical and Organisational Measures:

• Maintain roles and responsibilities for individuals responsible for data privacy (e.g. job descriptions). This privacy management activity addresses defining the privacy roles in an organisation through job descriptions, by contract or other methods.
• Conduct an Enterprise Privacy Risk Assessment. This privacy management activity enables the privacy office to identify issues and risks and determine, based on the likelihood and impact, where to prioritise resources to mitigate the risks. Note that this privacy management activity refers to high level risk assessments, not project or initiative-based risk assessments which are addressed in privacy management category 10. Monitor for New Operational Practices.
• Conduct privacy training. This privacy management activity addresses the need for the DPO to provide awareness-raising and training of staff involved in processing operations; implementing such activities would produce documentation that could serve as evidence of compliance with this requirement.
• Conduct self-assessments of privacy management. This privacy management activity helps the privacy office establish a procedure to ensure the ability to demonstrate that appropriate technical and organisational measures have been put in place for compliance with the GDPR.
• Maintain PIA/DPIA guidelines and templates. Demonstrates advice from DPO on DPIAs is asked for and delivered, and a sign-off procedure that involves the DPO would demonstrate that the DPO is involved in monitoring DPIAs in the business.
• Identify ongoing privacy compliance requirements, e.g., law, case law, codes, etc. This privacy management activity addresses how the DPO conducts research regularly to maintain expert knowledge with respect to privacy and data protection law and practices in order to determine what, if any, changes to the privacy program need to be made as a result of any legal or regulatory developments.

Example Accountability Mechanisms:

• Job descriptions for data protection-related roles
• Contract templates for DPO functions (if outsourcing)
• Defined privacy roles and responsibilities
• Privacy steering committee
• Data privacy training curriculum
• Data protection as a regular agenda-item for the board
• Data protection impact assessment templates
• Data protection impact assessment tool
• Procedures or guidance on when to seek DPO input
• Process to track privacy compliance requirements

Example Evidence:

• The job description for the DPO addresses the specific tasks set out by Article 39
• A contract with the DPO sets out the specific tasks set out by Article 39
• Documentation showing the content and delivery of a training and awareness programme
• Board level reports on data protection compliance
• Documentation to show the DPO has kept DPIA guidance up to date and that the DPO monitors DPIA performance
• Sample communications between the DPO and the lines of business
• Logs showing employee completion rate of privacy training
• Subscriptions (free or paid) to privacy law research reporting services
• Certification of attendance at privacy and data protection conferences
• Evidence of consultations with law firms
Codes of Conduct and Certification
Article 40 – Codes of Conduct

This Article allows for industry associations or bodies to create Codes of Conduct that specify the application of the
GDPR in areas such as pseudonymization, data subject rights, children’s data, security and breach notification, cross-
border transfers, and dispute resolution. These Codes may then be approved by the local DPA or by the European Data
Protection Board in the case of processing in several Member States. The benefit of signing on to such a Code of Conduct
is that the text of Article 40 suggests that such adherence would be considered in the framework of international transfers
as part of whether adequate safeguards for personal data are in place. The creation of these Codes of Conduct is
permissible, and therefore, there are no accountability obligations formed by this Article.
Article 41 – Monitoring of approved codes of conduct

This Article provides that monitoring of compliance with an approved code of conduct may be performed by an
accredited industry association or body. The Article goes on to provide when such an association may be accredited.
Therefore, there are no accountability obligations formed by this Article.
Article 42 – Certification

This Article provides that data protection marks or seals are to be encouraged and data controllers may seek certification
of their processing activities. If seeking such certification, the data controller must provide the certification body with all
information and access to its processing activities necessary to conduct the certification procedure. As certification is
voluntary, there are no accountability obligations formed by this Article.
Article 43 – Certification body and procedure

This Article provides for the creation of certification bodies that will be in charge of issuing and renewing the data
protection certifications. Therefore, there are no accountability obligations formed by this Article.
Cross-Border Data Transfers
Article 44 – General principle for transfers

This Article sets out that a transfer may only take place if the GDPR provisions around data transfers are complied
with. Thus, an organisation that transfers personal data to a third country or international organisation must retain
evidence of compliance with the provisions below.

Depending on what basis the organisation intends to rely on to legitimise the data transfer, see example types of evidence
under:

• Article 45 – adequacy;
• Article 46 – appropriate safeguards;
• Article 47 – BCRs;
• Article 48 – not authorised by Union law; or
• Article 49 – derogations.

Article 45 – Transfers on the basis of an adequacy decision

This Article provides that personal data may be transferred to a third country or international organisation where the Commission has decided the country or organisation ensures an adequate level of protection.

This ground is one of many bases on which data may be transferred abroad. In general, when transferring personal data to third countries, organisations will need to track the basis on which they are transferring such data. If relying on an adequacy decision, organisations should keep a record of this decision and ensure that for the duration of the transfer(s), the adequacy decision is valid.

See Recitals 103-107.

Technical and Organisational Measures:

• Maintain documentation of the transfer mechanism used for cross-border data flows (e.g., model clauses, BCRs, regulator approvals). This privacy management activity supports the privacy office managing international data flows and tracking their use of cross-border transfer mechanisms.
• Use adequacy or one of the derogations (e.g. consent, performance of a contract, public interest) as a data transfer mechanism. This privacy management activity addresses relying on derogations to the requirement to send personal data to third countries which provide an “adequate” level of protection for personal data.

Example Accountability Mechanisms:

• Personal data inventory
• Records of processing activities
• Procedures for outsourcing
• Contract templates
• Procurement policy

Example Evidence:

• The records of processing activities maintain a log of data transfers and indicate the basis for such transfer
• Copy of the adequacy decision supporting such transfer
• Contracts limit the location of data processing to countries that have received positive adequacy findings
Article 46 – Transfers by way of appropriate safeguards

Accountability Annotations: In cases where a third country has not been assessed by the Commission as providing an adequate level of data protection, this Article provides that data controllers or processors may transfer personal data to that country provided that appropriate safeguards, enforceable data subject rights and effective legal remedies are in place. Appropriate safeguards could be:

• Legally binding and enforceable instruments between public bodies;
• Binding corporate rules;
• Standard contractual clauses;
• An approved Code of Conduct; or
• An approved certification mechanism.

Reliance on one of those safeguards does not require a specific authorisation of the supervisory authority. Alternatively, appropriate safeguards may be provided through other contractual provisions; however, these need to be approved by specific authorisation of the supervisory authority. See Recitals 108, 109.

Technical and Organisational Measures:

• Maintain documentation of the transfer mechanism used for cross-border data flows (e.g., model clauses, BCRs, regulator approvals). This privacy management activity supports the privacy office in managing international data flows and tracking their use of cross-border transfer mechanisms.

Which of the following PMAs are relevant depends on the nature of the transfer and which mechanism the organisation chooses to follow:

• Use Binding Corporate Rules as a data transfer mechanism. This privacy management activity addresses the implementation, approval and monitoring of binding corporate rules, which govern data transfers among members of a corporate group and can be used as a legal mechanism for international data transfers.

• Use contracts as a data transfer mechanism (e.g., Standard Contractual Clauses). This privacy management activity addresses the use of Standard Contractual Clauses to facilitate the transfer of personal data to a third country.

• Use the Privacy Shield as a data transfer mechanism. This privacy management activity addresses the requirements for using the EU–US or Swiss-US Privacy Shield as a data transfer mechanism. (Caveat: the CJEU invalidated the EU–US Privacy Shield adequacy decision in Case C-311/18, Schrems II, on 16 July 2020; it can no longer be relied on for transfers from the EU, so Privacy Shield certification does not evidence a valid transfer basis after that date.)

• Use regulator approval as a data transfer mechanism. This privacy management activity addresses the use of regulator approval to facilitate the transfer of personal data to a third country.

Example Accountability Mechanisms: Personal data inventory; Record of processing activities; Binding corporate rules; Privacy Shield certification; Approved Codes of Conduct; Procurement/outsourcing procedure; Data transfer agreement template; Procurement policy; Certification documents.

Example Evidence:

• The record of processing activities maintains a log of data transfers and indicates the basis for each transfer.
• Approval for the binding corporate rules.
• Audit results verifying adherence to BCRs.
• Contracts using standard contractual clauses.
• Documentation of compliance with approved certification mechanisms.
• Documentation of compliance with approved Codes of Conduct.
• Contracts with data importers/exporters.
• Decisions of the supervisory authority approving the transfer.
Article 47 – Binding corporate rules

Accountability Annotations: This Article provides the requirements for approval of BCRs. If relying on BCRs as a data transfer mechanism, applications for approval will need to ensure the BCRs meet the content requirements specified. See Recital 110.

Technical and Organisational Measures: Use Binding Corporate Rules as a data transfer mechanism. This privacy management activity addresses the implementation, approval and monitoring of binding corporate rules, which govern data transfers among members of a corporate group and can be used as a legal mechanism for international data transfers.

Example Accountability Mechanisms: Binding corporate rules.

Example Evidence:

• Audit results verifying adherence to BCRs.
• Approved binding corporate rules.
• Results of BCR monitoring activities.
Article 48 – Transfers or disclosures not authorised by Union law

Accountability Annotations: This Article provides that a judgment of a court or tribunal, or a decision of an administrative authority, of a third country requiring a controller or processor to transfer or disclose personal data is recognised or enforceable only if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. This is without prejudice to other grounds for transfer under this Chapter, so an organisation receiving such a request must still identify and document the basis on which any resulting transfer is made. See Recital 115.

Technical and Organisational Measures: Use adequacy or one of the derogations (e.g. consent, performance of a contract, public interest) as a data transfer mechanism. This privacy management activity addresses relying on derogations to the requirement to send personal data only to third countries which provide an "adequate" level of protection for personal data.

Example Accountability Mechanisms: Data privacy policy; Litigation procedures; Procedures for responding to requests from law enforcement.

Example Evidence:

• Data privacy policy states that data may be transferred in accordance with requests from law enforcement or to respond to court orders.
• Court order or tribunal decision requiring the transfer of personal data.
• Legal opinions relating to the disclosure.
Article 49 – Derogations for specific situations

Accountability Annotations: This Article enumerates circumstances in which personal data may be transferred to a third country even in the absence of an adequacy decision or other appropriate safeguards. Examples include:

• With the explicit consent of the data subject;
• For performance of a contract or implementation of pre-contractual measures;
• For important reasons of public interest;
• For the establishment, exercise or defence of legal claims;
• In order to protect the vital interests of a person;
• For transfers made from public registers in certain cases;
• In the compelling legitimate interests of the data controller.

See Recitals 111-114.

Technical and Organisational Measures:

• Maintain documentation of the transfer mechanism used for cross-border data flows (e.g., model clauses, BCRs, regulator approvals). This privacy management activity supports the privacy office in managing international data flows and tracking their use of cross-border transfer mechanisms.

• Use adequacy or one of the derogations (e.g. consent, performance of a contract, public interest) as a data transfer mechanism. This privacy management activity addresses relying on derogations to the requirement to send personal data only to third countries which provide an "adequate" level of protection for personal data.

Example Accountability Mechanisms: Personal data inventory; Consent forms; Data privacy notice; Legitimate interest assessments; Procurement policy; Procedures for outsourcing; Litigation procedures; Sales procedures; Website Terms and Conditions; Procedures for responding to requests from law enforcement.

Example Evidence:

• The personal data inventory or the record of processing activities maintains a log of data transfers and indicates the basis for each transfer (e.g., the derogation relied on).
• Consent forms from data subjects.
• Data privacy notices indicate the additional risk posed by a lack of appropriate safeguards.
• Details of the time and placement of the privacy notice or website Terms and Conditions.
• An assessment balancing the legitimate interests of the data controller against the rights and freedoms of the data subjects.
• Completed contracts or pre-contractual communications.
• Relevant statements of claim or defence, or other documents pertaining to a legal claim.
• Documentation concerning any law enforcement requests or emergencies requiring disclosure of data.
• Legal opinions relating to the disclosure.
Article 50 – International cooperation

This Article provides that the Commission and supervisory authorities will take appropriate steps to develop mechanisms for international cooperation and mutual assistance in enforcing data protection laws. Therefore, there are no accountability obligations formed by this Article.
Independent Supervisory Authorities
Article 51 – Supervisory authority

This Article requires Member States to provide for a supervisory authority to be responsible for monitoring the
application of the GDPR in order to protect individuals’ rights and freedoms related to processing of personal
data. Therefore, there are no accountability obligations formed by this Article.
Article 52 – Independence

In his opinion to the Court of Justice of the European Union in Case C-362/14, Advocate General Bot stated that supervisory authorities are "the guardians of [the] fundamental rights and freedoms" and in accordance with that role, they must "be able to investigate, with complete independence, the complaints submitted to them." Over the past few years, the CJEU has found on several occasions that DPAs were not functioning with independence, where, e.g., the DPA was managed by a member of the federal government (Austria) or the President had the power to terminate the head of the DPA (Hungary).

This Article continues to reinforce the "complete" independence of the supervisory authority, "free from external influence, whether direct or indirect", whose members may "neither seek nor take instructions from anybody". Additionally, the supervisory authority chooses its own staff, who are subject to the exclusive direction of the supervisory authority member(s). There are no accountability obligations formed by this Article.
Article 53 – General conditions for members of the supervisory authority

This Article provides for the appointment of qualified supervisory authority members by a transparent process, as well as
circumstances for their removal. Therefore, there are no accountability obligations formed by this Article.
Article 54 – Rules on establishment of the supervisory authority

This Article requires Member States to provide by law for the establishment of a supervisory authority, including terms of
office. Therefore, there are no accountability obligations formed by this Article.
Article 55 – Competence

This Article provides that supervisory authorities are competent to perform the tasks and exercise the powers conferred
on them, with the exception of courts acting in their judicial capacity. Therefore, there are no accountability obligations
formed by this Article.
Article 56 – Competence of the lead supervisory authority

This Article sets out which supervisory authority acts as the lead supervisory authority for cross-border processing, based on where the controller's or processor's main or single establishment is, and when a supervisory authority other than the lead may handle a complaint lodged with it. Therefore, there are no accountability obligations formed by this Article.
Article 57 – Tasks

This Article sets out the tasks for each supervisory authority to perform, including:

• Monitoring and enforcing the GDPR;
• Promoting awareness and giving advice to data controllers and processors of their obligations;
• Dealing with complaints and conducting investigations;
• Monitoring the impact of technologies and commercial practices on data protection;
• Adopting standard contractual clauses and approving BCRs;
• Maintaining a list of the kinds of processing operations subject to the requirement for a data protection impact assessment (DPIA);
• Encouraging codes of conduct, certifications and seals.

Therefore, there are no accountability obligations formed by this Article.


Article 58 – Powers

This Article sets out the investigative, corrective and authorisation powers of each supervisory authority, including the power to order:

• Provision of information;
• Data protection audits;
• Reviews/withdrawals of certifications;
• Access to premises or data processing equipment;
• Breach notifications to data subjects;
• A ban on processing; and
• Suspension of cross-border data flows.

Therefore, there are no accountability obligations formed by this Article.


Article 59 – Activity report

This Article sets out the requirement for each supervisory authority to publish an annual report of its activities. Therefore,
there are no accountability obligations formed by this Article.
Cooperation and Consistency
Article 60 – Cooperation amongst supervisory authorities

In order to reach consensus, this Article sets out how the lead supervisory authority and concerned supervisory authorities
are to cooperate in their decision-making. Therefore, there are no accountability obligations formed by this Article.
Article 61 – Mutual assistance

This Article addresses the sharing of information between supervisory authorities and the provision of mutual assistance
to carry out prior authorisations, consultations, inspections and investigations. Therefore, there are no accountability
obligations formed by this Article.
Article 62 – Joint operations of supervisory authorities

This Article provides that supervisory authorities shall conduct joint operations, particularly where the controller is
established in several Member States or a significant number of data subjects in more than one Member State are likely to
be substantially affected by the processing. Therefore, there are no accountability obligations formed by this Article.
Article 63 – Consistency mechanism

This Article provides that supervisory authorities shall cooperate with each other through a consistency mechanism in
order to ensure consistent application of the GDPR across Member States. Therefore, there are no accountability
obligations formed by this Article.
Article 64 – Opinion by the EDPB

This Article provides cases where the European Data Protection Board (the successor of the Article 29 Working Party)
shall issue an opinion with regard to a draft supervisory authority decision. Therefore, there are no accountability
obligations formed by this Article.
Article 65 – Dispute Resolution by the EDPB

This Article sets out the cases in which the EDPB shall adopt a binding decision, e.g., where there is disagreement
amongst supervisory authorities regarding resolution of an infringement or who is the lead authority. The Article goes on
to provide the time frame in which the EDPB must provide its binding decision. Therefore, there are no accountability
obligations formed by this Article.
Article 66 – Urgency procedure

This Article provides that where an urgent need to act to protect the rights and freedoms of a data subject exists, a
supervisory authority may adopt provisional measures with legal effect in its own Member State for a 3-month period.
Supervisory authorities can also make requests for urgent binding decisions from the EDPB. Therefore, there are no
accountability obligations formed by this Article.
Article 67 – Exchange of information

This Article provides that the European Commission can adopt an implementing act regarding the exchange of
information by electronic means between supervisory authorities. Therefore, there are no accountability obligations
formed by this Article.
Article 68 – European Data Protection Board

This Article establishes the European Data Protection Board ("EDPB") and sets out the voting rights of the European Data Protection Supervisor within it. Therefore, there are no accountability obligations formed by this Article.
Article 69 – Independence

This Article provides that the EDPB shall act independently when performing its tasks. Therefore, there are no
accountability obligations formed by this Article.
Article 70 – Tasks of the EDPB

This Article sets out the tasks of the EDPB, including monitoring application of the GDPR, advising the Commission,
and issuing best practices on the right to be forgotten, profiling, data transfers, and data breach notification. Therefore,
there are no accountability obligations formed by this Article.
Article 71 – Reports

The EDPB is required to draw up and publish an annual report. There are no accountability obligations formed by this
Article.
Article 72 – Procedure

This Article sets out that EDPB decisions may be made by simple majority unless otherwise provided for. Therefore,
there are no accountability obligations formed by this Article.

Article 73 – Chair

The EDPB shall elect a chair and two deputy chairs from among its members for a 5-year term of office. Therefore, there
are no accountability obligations formed by this Article.
Article 74 – Tasks of the Chair

This Article provides the operational tasks of the Chair. Therefore, there are no accountability obligations formed by this
Article.
Article 75 – Secretariat

This Article establishes the secretariat in charge of analytical, administrative and logistical support to the EDPB.
Therefore, there are no accountability obligations formed by this Article.
Article 76 – Confidentiality

This Article provides that discussions of the EDPB are confidential where the EDPB deems confidentiality necessary.
Therefore, there are no accountability obligations formed by this Article.
Remedies, Liabilities and Sanctions
Article 77 – Right to complain

This Article provides every data subject with the right to complain to a supervisory authority, particularly in the Member
State in which they reside or work, or place of the alleged infringement. Therefore, there are no accountability obligations
formed by this Article.
Article 78 – Right to a judicial remedy against a supervisory authority

This Article provides a right of appeal or some other judicial remedy against legally binding decisions of the supervisory
authority concerning them. Therefore, there are no accountability obligations formed by this Article.
Article 79 – Right to an effective judicial remedy against a controller or processor

Regardless of the right to complain to the Supervisory Authority, this Article provides data subjects with a right to a
judicial remedy if they believe a data controller or processor has not complied with the GDPR. Lawsuits may be filed in

© 2019 Nymity Inc. 75


GDPR Accountability Handbook

Technical and
Accountability Example Accountability
Organisational Example Evidence
Annotations Mechanisms
Measures
the Member State in which the controller or processor is established or where the data subject resides. There are no
accountability obligations formed by this Article.
Article 80 – Representation of data subjects

Under this Article, data subjects may mandate a non-profit, public interest organisation, such as a privacy advocacy body, to lodge a complaint on their behalf. Member States may additionally provide such organisations with a direct right of action. Therefore, there are no accountability obligations formed by this Article.
Article 81 – Suspension of proceedings

To avoid duplicate and conflicting results where proceedings concerning the same subject matter have been commenced in multiple Member States, the court first seised of the matter may continue its proceedings, and any other competent court may suspend its proceedings. The actions may also be consolidated. There are no accountability obligations formed by this Article.
Article 82 – Right to compensation and liability

This Article provides data subjects with a right to receive compensation from data controllers or processors for material or immaterial damage suffered as a result of non-compliance with the GDPR. Where more than one controller or processor is involved in the same processing, each is liable for the entire damage (joint and several liability), with a right of recourse against the others. Data processors, however, are only liable for damage caused by processing that does not comply with 1) obligations of the GDPR specifically directed to processors, or 2) the lawful instructions of the data controller.

Data controllers and processors will not be liable for damages where they can prove that they are not in any way
responsible for the event giving rise to the damage. This underscores the importance of maintaining evidence that
demonstrates compliance with the GDPR. However, there are no accountability obligations formed by this Article.
Article 83 – General conditions for imposing administrative fines

This Article provides for the imposition of effective, proportionate and dissuasive fines for infringements.

The amount of a fine will be based on factors including:

1. Nature, gravity and duration of the infringement;
2. Intentional or negligent character of the infringement;
3. Actions taken to mitigate the damage;
4. Degree of responsibility having regard to the technical and organisational measures in place;
5. Any previous relevant infringements;
6. Degree of cooperation with the supervisory authority;
7. Categories of personal data affected;
8. The manner in which the infringement became known to the supervisory authority (e.g., whether it was self-reported);
9. Compliance with any previous measures ordered against the controller or processor;
10. Adherence to an approved code of conduct or approved certification mechanism;
11. Any other aggravating or mitigating factor, such as financial benefits gained or losses avoided.

The Article goes on to cap the fines that may be assessed, in two tiers. For infringements of the obligations listed in Article 83(4) (for example, the controller and processor obligations under Articles 8, 11, 25 to 39, 42 and 43), the cap is the higher of €10 million or 2% of total worldwide annual turnover of the preceding financial year. For infringements listed in Article 83(5) and (6), including the basic principles for processing, data subjects' rights, transfers to third countries and non-compliance with an order of a supervisory authority, the cap is the higher of €20 million or 4% of total worldwide annual turnover of the preceding financial year. There are no accountability obligations formed by this Article.
Article 84 – Penalties

This Article provides that penalties for infringements not subject to the administrative fines set out in Article 83 shall be
laid down in rules by the Member States. Therefore, there are no accountability obligations formed by this Article.
Relating to Specific Data Processing Situations
Article 85 – Processing and freedom of expression and information

Member State national law shall address the balance between the Freedom of Expression, Freedom of Information, and
Right to Protection of Personal Data. Exemptions may be provided from some of the obligations for processing for
journalistic, academic, artistic or literary expression. Therefore, there are no accountability obligations formed by this
Article.
Article 86 – Processing of personal data and public access to official documents

This Article permits public bodies to disclose personal data found in official documents as part of Freedom of
Information obligations under Union or Member State law. Therefore, there are no accountability obligations formed by
this Article.
Article 87 – Processing of national identification number

Member States may further determine specific conditions for processing national identification numbers or other general
identifiers. Therefore, there are no accountability obligations formed by this Article.
Article 88 – Processing in the employment context

Specific rules for processing employee personal data in the employment context may be determined by Member State law
or collective agreements, including:

• recruitment;
• performance of employment contracts;
• discharge of legal obligations;
• management, planning and organisation of work;
• workplace equality and diversity;
• health and safety; and
• employment rights and benefits.

Therefore, there are no accountability obligations formed by this Article.


Article 89 – Safeguards and derogations for archiving, statistics, and scientific and historical research purposes

Accountability Annotations: This Article provides that processing for archiving purposes in the public interest, or for scientific or historical research, or for statistical purposes is subject to appropriate safeguards, including data minimisation. Thus, processing should use pseudonymised or anonymised data to the extent possible. The Article goes on to provide that Union law or Member State law may create exemptions from the provisions around data subject rights when processing for these purposes. See Recitals 156-162.

Technical and Organisational Measures:

• Maintain policies/procedures for the de-identification of personal data. This privacy management activity generally deals with how an organisation maintains procedures for research practices, including processes to obtain personal data for research purposes, ensuring valid consents are obtained, de-identifying data where possible, and taking measures to ensure that research data maintained for scientific, historical or statistical research is safeguarded against improper use.

• Integrate data privacy into research practices. This privacy management activity addresses how organisations put in place a specific technical and organisational measure to ensure respect for the principle of data minimisation.

Example Accountability Mechanisms: Data privacy policy; Policy and procedure on pseudonymisation or anonymisation; Research Ethics Board approvals that address data minimisation and privacy protections; Software tools for aggregation, data masking, pseudonymisation, or anonymisation.

Example Evidence:

• Data privacy policy addresses data minimisation.
• Verified compliance with policies and procedures for data minimisation, pseudonymisation, and anonymisation.
• Test results verifying that data sets were anonymised or pseudonymised.
• Test results showing an inability to re-identify data sets.
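The "test results" evidence listed for Article 89 presupposes a concrete pseudonymisation step and a re-identification check. The following is an added example, not part of the Nymity handbook or of any Nymity product: it replaces a direct identifier with a keyed HMAC token (the key held separately from the research data, which is what keeps the mapping "additional information" under Article 4(5)) and coarsens the quasi-identifiers until the extract meets a chosen k-anonymity threshold, refusing release when it cannot. The records, field names, key and band widths are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample records for illustration only (no real individuals).
# "patient_id" is a direct identifier; "age" and "postcode" are quasi-identifiers
# that could re-identify someone when combined with public data.
SAMPLE_RECORDS: List[Dict] = [
    {"patient_id": "P-1001", "age": 34, "postcode": "SW1A 1AA", "diagnosis": "A"},
    {"patient_id": "P-1002", "age": 36, "postcode": "SW1A 2BB", "diagnosis": "B"},
    {"patient_id": "P-1003", "age": 39, "postcode": "SW1A 9XX", "diagnosis": "A"},
    {"patient_id": "P-1004", "age": 52, "postcode": "E1 6AN", "diagnosis": "C"},
    {"patient_id": "P-1005", "age": 57, "postcode": "E1 7AA", "diagnosis": "A"},
    {"patient_id": "P-1006", "age": 55, "postcode": "E1 1BB", "diagnosis": "B"},
]

# Columns on which the k-anonymity check is run after generalisation.
QUASI_IDENTIFIERS = ("age_band", "postcode_area")


def pseudonymise_id(secret_key: bytes, raw_id: str) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 token.

    The same key and id always give the same token, so records for one subject
    stay linkable within the research set. Without the key the token cannot be
    reversed or recomputed from a guessed id; the key is the "additional
    information" that must be kept separately (GDPR Article 4(5)).
    """
    return hmac.new(secret_key, raw_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalise(record: Dict, age_band_width: int) -> Dict:
    """Drop the direct identifier and coarsen the quasi-identifiers."""
    lower = (record["age"] // age_band_width) * age_band_width
    return {
        "age_band": f"{lower}-{lower + age_band_width - 1}",
        "postcode_area": record["postcode"].split(" ")[0],  # outward code only
        "diagnosis": record["diagnosis"],                    # research attribute kept as-is
    }


def k_anonymity(records: List[Dict], quasi_identifiers=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest equivalence class over the quasi-identifier columns.

    A value of k means every record shares its quasi-identifier values with at
    least k-1 others, so someone who knows a subject's age and area cannot
    single out that subject's row.
    """
    classes = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(classes.values()) if classes else 0


def prepare_research_extract(records: List[Dict], secret_key: bytes, k_required: int,
                             age_band_widths: Tuple[int, ...] = (5, 10, 20)) -> Tuple[List[Dict], int, int]:
    """Pseudonymise and generalise, widening age bands until k-anonymity >= k_required.

    Returns (extract, achieved_k, age_band_width). Raises ValueError if no band
    width reaches the threshold: the data must then be suppressed or generalised
    further rather than released.
    """
    for width in age_band_widths:
        extract = []
        for r in records:
            g = generalise(r, width)
            g["subject_token"] = pseudonymise_id(secret_key, r["patient_id"])
            extract.append(g)
        k = k_anonymity(extract)
        if k >= k_required:
            return extract, k, width
    raise ValueError(f"could not reach k={k_required}; do not release this extract")


if __name__ == "__main__":
    # In practice the key comes from a secrets store controlled by the privacy
    # office, not from the research team that receives the extract.
    rows, k, width = prepare_research_extract(SAMPLE_RECORDS, b"constructed-demo-key", k_required=3)
    print(f"released with {width}-year age bands, k={k}")
    for row in rows:
        print(row)
```

On the constructed data, 5-year bands leave several subjects alone in their class (k=1), 10-year bands reach k=3, and no band width on offer reaches k=4, so a request for k=4 is refused rather than released. Because each row still carries a per-subject token, the extract is pseudonymised personal data, not anonymised data in the sense of Recital 26; the achieved k and the refusal path are the kind of test result the evidence column above refers to.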

Article 90 – Obligations of secrecy

Rules governing data controllers and processors subject to obligations of professional secrecy are left to Member States to
determine. Therefore, there are no accountability obligations formed by this Article.
Article 91 – Existing data protection rules of churches and religious associations

Accountability Annotations: Churches and religious associations and communities that apply comprehensive rules relating to the processing of personal data may continue to apply such rules, provided the rules are brought in line with the GDPR. See Recital 165.

Technical and Organisational Measures: Maintain a data privacy policy. This privacy management activity helps the organisation create and maintain an organisational-level privacy policy to provide guidance to employees regarding the processing and protection of personal data, to ensure that such processing aligns with the obligations of the GDPR. Where relevant (Article 91) it will also address specific data processing obligations that apply to organisations such as churches and other religious associations.

Example Accountability Mechanisms: Data privacy policy; Church or religious association rules around data protection.

Example Evidence:

• Audit results verifying implementation of, and compliance with, the data privacy policy or rules.
• Attestations of adherence to the data privacy policy or rules.
Delegated Acts, Implementing Acts and Final Provisions
Article 92 – Delegations of power

This Article provides the European Commission with the power to adopt delegated acts under the GDPR, subject to the
European Parliament and Council not objecting. Therefore, there are no accountability obligations formed by this Article.
Article 93 – Committee procedure

This Article provides that the Commission will be assisted by a committee. There are no accountability obligations
formed by this Article.
Article 94 – Repeal of Directive 95/46/EC

This Article repeals the old data protection Directive on a date specified in Article 99 and provides that any references to
that Directive will be construed as a reference to the GDPR. Therefore, there are no accountability obligations formed by
this Article.
Article 95 – Relationship to Directive 2002/58/EC

This Article provides that processing of personal data in connection with publicly available electronic communications
services in public communications networks will continue to be governed by the e-Privacy Directive. There are no
accountability obligations formed by this Article.
Article 96 – Relationship to previously concluded Agreements

This Article provides for the continuation of international agreements involving the transfer of personal data to third
countries that were entered prior to GDPR enactment and in compliance with applicable Union law. This would include
agreements such as PNR agreements, agreements under FATCA, etc. There are no accountability obligations formed by
this Article.
Article 97 – Evaluation

At least every four years, the Commission will be reporting to European Parliament and Council an evaluation and review
of the GDPR. The Commission will submit appropriate amendments if necessary. There are no accountability obligations
formed by this Article.
Article 98 - Review of other EU data protection instruments

The Commission shall submit proposals to amend other EU legal instruments on the protection of personal data if necessary to ensure uniform and consistent protection of individuals. Therefore, there are no accountability obligations formed by this Article.
Article 99 – Entry into force

The GDPR entered into force on the 20th day following its publication in the Official Journal of the European Union, and has applied from May 25, 2018. There are no accountability obligations formed by this Article.


How Nymity Solutions Help


GDPR Compliance - How Nymity Solutions Help


Solution (Plan / Implement / Maintain / Demonstrate)

Solution names were not recoverable from the table; rows are listed by description, with the phase check marks as they appear.

• Enables compliant projects/processes that produce Records of Processing Activities, Data Inventory, PIAs and DPIA reports. ✔ ✔ ✔
• Enables organisations to visually document data processing activities and demonstrate GDPR compliance. ✔ ✔ ✔
• Enables the monitoring and management of GDPR and produces evidence-based dashboards and reports. ✔ ✔
• Enables rapid deployment of expert accountability mechanisms and helps ensure ongoing compliance without restricting business. ✔ ✔
• Enables on-going accountability management and reporting for GDPR. ✔ ✔ ✔ ✔
• Enables GDPR compliance monitoring and research to ensure ongoing compliance. ✔ ✔ ✔


Structured Accountability Enables GDPR Compliance


Structured accountability results in demonstrable compliance. This paper outlines how Nymity can help your organisation with
structured accountability for General Data Protection Regulation (GDPR) compliance. Over the last 16 years, Nymity has
helped organisations comply with over 880 privacy laws, regulations and codes, and since 2012 it has been helping organisations
plan, implement, maintain and demonstrate GDPR compliance. For example, in 2012 Nymity conducted a project with EU DPAs and
EU Justice on demonstrating accountability, now codified as demonstrating compliance in the GDPR. The GDPR also embodies
and codifies concepts found in Binding Corporate Rules (BCRs), for which Nymity has been helping organisations plan,
implement, maintain and demonstrate compliance since 2013. Over the last 16 years Nymity has developed multiple
solutions that will help you plan, implement, maintain and demonstrate GDPR compliance through structured accountability. Use
one, two, or all depending on your organisational needs.

Structured Accountability results in Demonstrable GDPR Compliance

Nymity helps organisations comply with GDPR through structured accountability based on implementing appropriate
accountability mechanisms such as policies and procedures. Putting in place appropriate accountability mechanisms is the
foundation for complying with the GDPR, as it enables organisations to demonstrate compliance at a project level and at an
organisational level, both required by the GDPR.

All Nymity solutions enable the use of effective accountability mechanisms resulting in GDPR Compliance

GDPR Mandates Risk-Based Accountability


GDPR is considered an accountability and risk-based regulation. This means organisations must implement appropriate policies
and procedures and other accountability mechanisms taking a risk-based approach. The GDPR mentions mechanism 31 times and
risk 88 times. In fact, the GDPR mentions accountability mechanisms in several forms including appropriate measures (12),
appropriate and technical measures (12), appropriate safeguards (35) and policies or procedures (32).

Plan, Implement, Maintain and Demonstrate


Structured accountability for GDPR compliance can be planned, implemented and maintained. In fact, once accountability is
structured, GDPR compliance can be straightforward.


This paper outlines how Nymity can help.

                                                                            Plan   Implement   Maintain   Demonstrate

Enables compliant projects/processes that produce Records of                       ✔           ✔          ✔
Processing Activities Data Inventory, PIAs and DPIA reports.

Enables to visually document data processing activities and                        ✔           ✔          ✔
demonstrate GDPR compliance.

Project/Process Compliance
Before addressing your records of processing activities requirements (Article 30) or your Data Protection Impact Assessment
requirements (Article 35) it is important to understand the rationale of these two obligations. Their objective is to ensure compliant
processing of personal data. As such, enabling structured accountability at a project/process level results in GDPR compliance.

Nymity’s assessment solutions enable GDPR compliant projects/processes and produce Records of Processing Activities Data Inventory, regulatory data mapping, PIAs and DPIA reports

✔ Implement GDPR Compliance


The GDPR came into effect on May 25th, 2018. Article 30 mandates that organisations maintain records of processing activities
for the current processing activities in your organisation. Aligned with the risk-based approach in the GDPR, Nymity ExpertPIA™/
Nymity Data Transfer Risk Mapping™ take a risk-based approach to document past projects/processing and do not rely on the
traditional approach of conducting questionnaires to identify the necessary information. Plus, the records of processing data
inventory enables data mapping.


✔ Maintain GDPR Compliance


Beyond May 25th, 2018, many organisations recognize that they have resource constraints, making it difficult to maintain a Data
Inventory and conduct PIAs. Nymity’s Assessment solutions anticipate an organisation’s limited resources. First, they make the
creation of a new record of processing activity in the Data Inventory the process that triggers a PIA/DPIA. Then they take a
light-touch approach to minimize the time required and do so without any time-consuming questionnaires.

✔ Demonstrate GDPR Compliance


On-demand compliance reports for: Article 30 Records of processing activity, legally triggered DPIAs, accountability
chosen PIAs, Privacy by Design, Legitimate Interest balancing test.

Implement One Solution, Not Two


Nymity ExpertPIA™/ Nymity Data Transfer Risk Mapping™ are solutions for records of processing activities, Data
Inventory (Article 30), regulatory data mapping, PIAs and DPIA reports (Article 35), reducing the workload significantly.

No Questionnaires Required
Built on an expert system supported by Nymity’s team of experts for both content and rules, Nymity ExpertPIA™/ Nymity Data
Transfer Risk Mapping™ does not rely on questionnaires of any kind, reducing the burden on the business and the Privacy
Office/DPO significantly.

Tell Them, Don’t Ask


Provide the business with instructions as to how to mitigate the risk in business terms by providing them the appropriate
accountability mechanism that instructs them to mitigate the risk, resulting in GDPR compliance. As the appropriate
accountability mechanisms are already required by the GDPR, the Nymity ExpertPIA™/ Nymity Data Transfer Risk Mapping™
repurposes them for use in an Accountability PIA.


Provide Just-in-Time Policy


As there are no questions, Nymity ExpertPIA™/ Nymity Data Transfer Risk Mapping™ serves up the appropriate policy and
other accountability mechanism at the right time to instruct the business to mitigate the risk.

Identify Gaps between Policy and Processing


The business applies the appropriate accountability mechanism to the project and identifies gaps in the policy or new aspects of
processing not addressed in the appropriate accountability mechanism assigned. The Privacy Office/DPO then engages and
advises the business accordingly.

Agile Accountability™ is an Outcome


As the business is continuously using the appropriate accountability mechanism using the next generation accountability PIA
methodology, the business will be keeping a constant pressure on the Privacy Office/DPO to ensure the policies and other
accountability mechanisms are up-to-date.

Records of Processing Activities Data Inventory is an Outcome


Traditional data inventories are near impossible for the Privacy Office/DPO to keep up to date. Nymity ExpertPIA™/ Nymity Data
Transfer Risk Mapping™ enables a record of processing activities data inventory without the use of questions, avoiding the
traditional challenges, and meets or exceeds GDPR requirements.

Motivated Business is An Outcome


For any data inventory or PIA solution to be successful there must be motivation for the business to use the system. Nymity
ExpertPIA™/ Nymity Data Transfer Risk Mapping™ provides many levels of motivation as it enables the business to do more
processing of personal data (legitimate interest) and produces evidence that the project/process is compliant.

Does not Require Privacy Champions in the Business


Privacy expertise generally resides in the Privacy Office/DPO as it is ever changing, especially in the world of GDPR. While it
may be ideal to have privacy expertise embedded within the organisation, Nymity ExpertPIA™/ Nymity Data Transfer Risk
Mapping™ does not require the business to become privacy experts as it uses an expert system. There are no traditional
questionnaires and the accountability mechanisms are written in a language the business can understand.

Mitigate Risk First and Avoid Documented Non-Compliance


With Nymity ExpertPIA™/ Nymity Data Transfer Risk Mapping™, privacy risk is mitigated first, like privacy by design, which
results in less documented non-compliance.


Demonstrate Risk Mitigation


Nymity ExpertPIA™/ Nymity Data Transfer Risk Mapping™ documents, visualises and reports the risks to individuals that are
mitigated and the risk to the organisation’s data processing that is mitigated, which is valuable for management and regulator
reporting.

                                                                            Plan   Implement   Maintain   Demonstrate

Enables the monitoring and management of GDPR and produces                                     ✔          ✔
evidence-based dashboards and reports.

Monitor and Manage Organisational GDPR


Structured accountability results in GDPR compliance. Once structured accountability has been implemented, just like once your
BCRs have been implemented, it needs to be monitored and managed. Not doing so will result in stagnant accountability that will
lose its relevancy and effectiveness.

Nymity Assessment & Attestations™ enables the monitoring and management of GDPR and produces evidence-based dashboards and reports


✔ Maintain GDPR Compliance


Monitor that the right accountability mechanism(s) are in place in an extremely efficient manner. Simple closed-ended
questions for the business, in the language of the business, identify whether the business is doing what it has been instructed
to do in the accountability mechanism(s).

✔ Demonstrate GDPR Compliance


The Privacy Office/DPO can visualise GDPR compliance through a powerful dashboard and then present it to anyone.

Provide Quick, Simple Assessments for the Business


It is paramount that engaging the business is done with extreme efficiency. Nymity Attestor™ does so by:

1. One Screen
The business may only need to engage for a few minutes a year and thus doesn’t have time to be trained on the software.
This simplicity is accomplished with one straightforward screen, which also has tips and a history of past attestations.

2. Closed Questions
Yes or No are the only answers available. Very straightforward, as the questions are based on the usage of an
accountability mechanism which enables compliance.

3. Relevant Questions
No privacy jargon as the questions are based on the accountability mechanisms which are written in the language of
the business.


4. Evidence
Documents produced using the accountability mechanism or the mechanisms themselves are all the evidence
necessary.

Don’t Ask “What are You Doing?” – Ask “Are You Doing as Instructed?”
You have already instructed the business on appropriate accountability mechanisms they must follow. Simply ask questions to
find out if they are doing as instructed. The questions themselves make the accountability mechanism come alive with activity
resulting in ongoing compliance.

Turn Key GDPR Implementations


Nymity privacy professionals have already written the GDPR questions so you do not need to invest the time. Enhance them if
you wish, but you are ready to go.

Better Use of Your Resources


It takes very little time for the business and the Privacy Office/DPO to assess, monitor and manage GDPR, thus leaving
more resources available for managing accountability mechanisms. With this better resource allocation, more risk is mitigated.

Drill-down Attestations with Evidence


The Privacy Office/DPO from one single screen can demonstrate GDPR compliance with drill-down evidence to support the
attestation.

Assess Compliance with Delegated Acts


GDPR is just the first of several new laws in the EU. Future-proof your assessment by mapping your accountability mechanisms
directly to the new laws when they are enacted and assess compliance immediately. No data entry and no need to engage the
business (unless the new law requires it).

Minimal Ongoing Resources Required


A “light-touch” approach that is easy to use with minimal resources is critical, as it is likely that Privacy Offices/DPOs will be
resource constrained in the future.

BCR Made Easy


If you don’t currently have a BCR, once you have implemented the appropriate accountability mechanisms you will have the
accountability component of the BCR complete. Simply engage your law firm of choice for the legal component of the BCR, then
monitor and manage GDPR and BCR.

Stand Ready for Regulators


On-demand, drill down demonstration of compliance with appropriate accountability mechanisms identified as required. You are
ready for any Regulator engagement whether it is a dawn raid or proactive outreach.

Show that the Business is going Beyond Compliance


Most parts of an organisation that are processing personal data have additional accountability mechanisms in place that go beyond
what is required by the GDPR. Also, legal, procurement, IT, Security and the other functions that are supporting the processing of
personal data have accountability mechanisms that go beyond GDPR compliance. Attest to going beyond the law and get credit
for your advanced accountability.

                                                                            Plan   Implement   Maintain   Demonstrate

Enables the rapid deployment of expert accountability mechanisms and               ✔           ✔
helps ensure ongoing compliance without restricting business.

Structured Accountability Ensures Ongoing GDPR Compliance


GDPR compliance requires organisations to implement and maintain the appropriate accountability mechanisms. Accountability
mechanisms include policies, procedures, guidelines, handbooks, notices, training and awareness, technical safeguards, and other
mechanisms that reduce privacy risk for individuals and the organisation. Structured accountability enables these accountability
mechanisms to be used to demonstrate compliance from a bottom-up project/process perspective or from a top-down
organisational perspective.

Nymity Operational Templates & Resources™ enable the rapid deployment of expert accountability mechanisms and help ensure ongoing compliance without restricting business


✔ Implement GDPR Compliance


Accountability mechanisms need to be created and implemented for GDPR compliance. Nymity Operational Templates &
Resources™ is made up of over 700 documents that fast-track very effective accountability mechanism implementation.

✔ Maintain GDPR Compliance


Accountability mechanisms are typically reviewed once a year. The business may change and so can the GDPR compliance
expectations, not to mention delegated acts, case law and Regulator actions. Nymity updates the accountability mechanisms in Nymity
Templates™ annually as well.

Maximise Return on Resources Available


Organisations preparing for GDPR should first invest their resources in creating and implementing accountability mechanisms.
Not only are they required by law, but they provide the complete foundation of GDPR compliance as they can be repurposed in
PIAs, DPIAs, records of processing activities data inventories, assessments, and as evidence in demonstrating compliance.
Accountability mechanisms serve as the backbone of GDPR compliance and thus should be an organisation’s top priority.

Leverage 100s of Years of Experience


The 700 plus downloadable documents are written by former Privacy Officers and DPOs that collectively represent hundreds of
years of experience. These are not theoretical documents as each is written and reviewed by privacy practitioners.

Documentation is an Outcome
Some refer to the GDPR as having documentation requirements, by which they are referring to Article 30 Records of Processing
(see Nymity ExpertPIA™/ Nymity Data Transfer Risk Mapping™) or to accountability mechanisms to mitigate risk
and demonstrate compliance. Nymity Operational Templates & Resources™ drive organisational documentation.

Convert Existing PIAs into Policy


Many organisations are moving from the traditional approach to PIAs to the next generation Accountability PIA. This shift results
in them converting traditional PIA documentation to policies, procedures or some other form of accountability mechanism that instructs
the business on the rules of processing and makes it accountable.


Search
Find specific accountability mechanism resources quickly with search and privacy management expert filters, further saving time.

Review GDPR Article by Article


Every article of the GDPR is analysed to determine what privacy management actions are required. Specific resources are then
provided to operationalise compliance with the GDPR.

Risk Mitigation is an Outcome


Nymity Operational Templates & Resources™ goes beyond strict compliance, as each of the over 700 downloadable resources
also helps mitigate privacy risk to individuals and the organisation.

Ensure No Unnecessary Business Restrictions


As the downloadable resources found in Nymity Operational Templates & Resources™ are written from a practical and
compliance standpoint they do not result in implementation of unnecessary restrictions on the business because of perceived risk
or legal obligations.

Learn What Others are Prioritising


Understand which of the downloadable documents are being used most by other subscribers, thus helping build a better privacy
management accountability program.


                                                                            Plan   Implement   Maintain   Demonstrate

Enables on-going accountability management and reporting and                ✔      ✔           ✔          ✔
allows your organisation to better prioritise and communicate
your GDPR compliance plan.

Prioritise GDPR Structured Accountability


GDPR is a risk-based accountability regulation that requires putting in place appropriate accountability mechanisms.
Understanding what organisations are implementing to achieve demonstrable GDPR compliance is beneficial for prioritising and
reporting your structured accountability. Understand what other organisations of your size, industry and region are prioritising as
appropriate and produce management reports that help achieve budgets and the necessary resources for your GDPR program.

Nymity Accountability Planning & Benchmarks™ enables on-going structured accountability and reporting for GDPR

✔ Plan GDPR Compliance


Develop the optimal structured accountability plan for your GDPR compliance privacy program by understanding what other
organisations are planning and prioritising.

✔ Maintain GDPR Compliance


Quarterly or annually review your privacy management activities as compared to other organisations, and report to management
your accountability as compared to others.

Map Accountability to GDPR


Facilitates mapping your planned privacy management activities to GDPR.


Conduct Industry Comparisons


Compare yourself to your peers in your industry or compare one industry to another as to GDPR priorities and status.
Benchmarking against other subscribers helps identify gaps within your privacy management and allows you to prioritise
activities in line with industry best practices.

Compare Yourself to Same Size Organisations


Compare yourself to organisations with a similar number of employees for GDPR priorities and status.

Stay Up-to-Date with GDPR Comparative Reports


Download or have a monthly GDPR comparison report sent to you by email and monitor how your program changes as compared
to others.

Create Custom GDPR Dashboard


Select your industry, size of organisation and region or create multiple combinations and save them for future reporting.

Drill-Down GDPR Comparisons


Do specific comparisons from 132 privacy management activities, for example, appointing a DPO, to gain in-depth
understanding.


Ongoing GDPR Structured Accountability


GDPR compliance often starts as a project that turns into an ongoing maintenance plan. Often, there are several
members making up an organisation’s Privacy Office/DPO. That could include the Privacy Office/DPO, privacy stewards in the
operations, legal, compliance, IT and security. These individuals need to work together in an effective and structured manner to
maintain structured accountability resulting in ongoing demonstrable compliance.

✔ Plan GDPR Compliance


Create a structured accountability plan by assigning privacy management activities to owners with priorities and target dates.
Define what is mandatory for GDPR compliance and justify resources.

✔ Implement GDPR Compliance


Manage the team responsible and the specific activities required to achieve GDPR compliance. Map out next steps and
interconnected dependencies to ensure an efficient GDPR compliance implementation.

✔ Maintain GDPR Compliance


Schedule and manage the reviews and enhancements of accountability mechanisms and report on how your privacy management
program is managed to ensure ongoing GDPR compliance.

Engage Stakeholders with Reminder Reporting


Monthly reports show the progress in accountability management and keep all stakeholders focused on the activities for which
they are responsible.


Produce Management Reports


Download graphical management reports to support both team meetings and management reporting.

Justify GDPR Budgets


Every year report on the progress from the past year and justify next year’s expenditures. Justify existing and additional resources
supported by graphical representations.

Be Prepared for Regulator Reporting


When beneficial, report the status of your structured accountability management over time showing a steady progress and
dedication to GDPR compliance.

Gain Understanding from Risk Reporting


Report on the risk that is being mitigated to both individuals and to the organisation over time.

                                                                            Plan   Implement   Maintain   Demonstrate

Enables GDPR compliance monitoring and research to                          ✔      ✔           ✔
ensure ongoing compliance.

Ongoing GDPR Compliance


The GDPR compliance landscape is dynamic. GDPR provides 26 delegated acts and 22 implementing acts, which represent many
opportunities for member states to create new laws that could impact your GDPR compliance. In 2016, EU DPAs issued 582
decisions and papers impacting compliance in the EU. If you add the courts, EU Commission, Article 29 Working Party, and
Government, there are an additional 159 authority documents, for a total in 2016 of 741 compliance developments that may have
impacted your organisation’s EU operations. This is expected to increase in 2017 and beyond as Regulators are hiring and the
courts are getting active. It is important to monitor, research and understand the changing GDPR landscape to ensure ongoing
compliance.

Nymity Research™ enables GDPR compliance monitoring and research to ensure ongoing compliance

✔ Plan GDPR Compliance


Understand the Article 29 Working Party, Data Protection Authorities (DPAs), other authorities and leading experts on how best
to approach GDPR compliance.

✔ Implement GDPR Compliance


Understand the specific compliance obligations, how to meet these legal requirements and how best to operationalise
compliance.

✔ Maintain GDPR Compliance


Stay informed of developments that will impact your GDPR compliance and research GDPR expectations when business is
conducting new processing of personal data.

Stay Informed with GDPR Alerts


Stay on top of new developments in GDPR compliance through our expert analysis that is sent to you in an email alert.

Stay Relevant with Top 10 GDPR Reports


Receive a monthly report on the top 10 developments in GDPR compliance based on your peers and gain an understanding of top
issues.

Gain from Comprehensive Monthly Report on all GDPR Developments


Stay informed of all developments relevant to GDPR monthly. Edit the report and use it internally for management reporting and
team reviews.

Create Specific GDPR Reports


Create a monthly report for GDPR specifically for your needs, for example: for your countries in the EU or your industry or on a
subject matter such as BCR, notice or data portability.


Get Compliance Expertise On-Demand


Use expert filters to quickly find the specific GDPR reference you need and review Nymity’s unique two-level summary analysis to
understand GDPR impact, all in English regardless of the source language.

Save Time with Up-to-Date Comparison Charts


Compare GDPR with laws around the world for:

• Email Marketing Consent
• Breach Laws
• Appointment of a DPO
• Cross-border Transfer Requirements
• Binding Corporate Rules
• Data Subject Rights
• Legal Grounds for Processing
and more…


Learn from Our Experts with Nymity GDPR Accountability Papers


Learn how to use the Nymity series of GDPR Accountability Papers and tools.

GDPR Knowledge Sources


31% Legal or Consulting Firm
26% Data Protection Authority/Commissioner
16% EU Commission / Working Party / EDPS
9% Industry Publication / Association
4% Advocates
4% Company Publications
3% Government
3% Legislature
2% Academia
2% Nymity


                                                                            Plan   Implement   Maintain   Demonstrate

Monitor and manage Data Subject Requests efficiently and confidently.       ✔ ✔ ✔

Whether it is compliance with the GDPR, the future CCPA, or any of the over 1,900 DSR obligations found in laws in over 115 countries,
Nymity’s Data Subject Requests™ will help ensure you both meet your compliance obligations and provide a positive experience for the
individual when they make a data related request to the company. Nymity’s Data Subject Requests™ solution helps ensure you meet
your legal obligations, while taking the guesswork out of preparing responses, saving time and money. Leverage the customizable
response templates, pre-configured based on jurisdiction, that will help you to meet short GDPR deadlines for dealing
with individual requests. Nymity’s Data Subject Requests™ solution equips you with the tools that allow you to provide demonstrable
accountability and compliance. Robust reporting ensures that you will always be regulator ready, as reports are dynamically updated based
on changing regulatory expectations, allowing you to demonstrate the right compliance for your jurisdiction.

Regulator Ready Reporting


As with all of Nymity’s solutions, Nymity Data Subject Requests™ equips users with the tools to rapidly demonstrate accountability
and compliance. When it comes to privacy, being able to demonstrate compliance is as important as compliance itself.

Power Dashboard
Utilize the dashboard to ensure proactive and timely responses to data subject requests, and improve management of data collection
from requestors and employees.

Compliance Panel
Keep up-to-date through every phase of a Data Subject Request through the Compliance Knowledge Panel. Relevant and contextual
information is continually updated.

Response Templates
Save time by taking the guesswork out of preparing responses. Leverage the preconfigured response templates or customize them to fit
your organization’s needs.


Nymity’s Expert Privacy Platform Helps Organizations Comply with Privacy Laws Around the World

• Enables GDPR compliance monitoring and research to ensure ongoing compliance.
• Enables rapid deployment of expert accountability mechanisms and helps ensure ongoing compliance without restricting business.
• Enables compliant projects/processes that produce Records of Processing Activities Data Inventory, PIAs and DPIA reports.
• Enables on-going accountability management and reporting for GDPR.
• Enables to visually document data processing activities and demonstrate GDPR compliance.
• Monitor and manage Data Subject Requests efficiently and confidently.
• Enables the monitoring and management of GDPR and produces evidence-based dashboards and reports.

Learn more about how our GDPR solutions help organisations plan, implement, maintain, and demonstrate compliance to GDPR
at www.nymity.com/GDPR.

Contact Nymity at info@nymity.com



GDPR Accountability Handbook
A Comprehensive Compliance Guide for the General Data Protection Regulation

www.nymity.com
