Handbook Certified Data Protection Officer Practical Work Plan Guidance
Recommended Citation:
Kadir, Romeo F., Handbook Certified Data Protection Officer (DPO) –
Practical Work Plan Guidance, EIPACC (2021),
www.dataprotectionbooks.com
ISBN/EAN 9789083115450
NUR 820
BISAC LAW059000
© 2021
European Institute for Privacy, Audit, Compliance & Certification
(EIPACC)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise,
without the publisher’s prior consent. Except for the quotation of short passages for the purposes of
criticism and review, no part of this publication may be reproduced, stored in a retrieval system, or
transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or
otherwise, without the prior written permission of the publisher or a license.
Without limiting the rights under copyright reserved above, no part of this book may be reproduced,
stored in or introduced into a retrieval system, or transmitted, in any form or by any means (electronic,
mechanical, photocopying, recording or otherwise) without the written permission of both the copyright
owner and the author of the book.
Every effort has been made to obtain permission to use all copyrighted illustrations reproduced in this
book. Nonetheless, whosoever believes to have rights to this material is advised to contact the
publisher.
Fictitious names of companies, products, people, characters and/or data that may be used herein (in
case studies or in examples) are not intended to represent any real individual, company, product or
event.
This publication is translated from Dutch into English. The European Institute for Privacy,
Audit, Compliance & Certification (EIPACC) takes no responsibility for the quality of
the translations into other languages. The views expressed in this handbook do not bind EIPACC. The
handbook refers to a selection of commentaries, manuals and other primary sources. EIPACC takes no
responsibility for their content, nor does their inclusion amount to any form of endorsement of these
publications.
EIPACC has no responsibility for the persistence or accuracy of URLs for external or third-party
internet websites referred to in this publication and does not guarantee that any content on such
websites is, or will remain, accurate or appropriate.
FOREWORD
Providing a practical guide for the Data Protection Officer (DPO) lies at
the heart of this publication. As stated by the European Data Protection Board
(EDPB), it is best practice for the DPO to have a work plan. What does such a
work plan look like? Providing an answer to that question lies at the core of
this publication. According to the EDPB, it is considered good practice for the
DPO (or the organisation) to compose a work plan, but the form or content of
such a work plan is not discussed by the EDPB. In order to answer this
central question, the two following (more concrete) ‘lines of orientation for a
DPO work plan’ are applied.
Firstly, the text as enshrined in the General Data Protection Regulation
(GDPR) itself codifies an important line of orientation in the embodiment of
Articles 37 to 39 of the GDPR in which the designation, positions and tasks
of the DPO are discussed.
Secondly, an orientation line is found in the typical role the DPO plays in
the “daily data protection practice”, which can be inferred from, among
others, an action plan (or work plan) of an enterprise (institution or
organisation). In pursuit of compliance with the obligations pursuant to the
GDPR, at least the following steps (in any form or comparable language) can
usually be distinguished.
1. Establish GDPR policies.
2. Make an inventory of personal data.
3. Perform a GDPR baseline.
4. Perform a GDPR gap-analysis.
5. Perform a GDPR implementation.
6. Perform GDPR review and update.
7. Perform GDPR assurance and audit.
8. Compose and communicate the GDPR accountability and reports.
The approach of “two lines of orientation” that is chosen for this practical
guidance deliberately seeks to do justice to the dichotomous practice of
everyday life in which many DPOs operate. On the one hand, there is the
continuous expectation that the DPO ‘will just take care of all we need to do’,
while on the other hand, Articles 37 to 39 of the GDPR actively
construct a certain distance between the DPO and the more operational
GDPR activities. A particular reason for this is to preserve the
independent functioning of the DPO, which is emphasised among others in
recital 97 of the GDPR.
Taking into account previous feedback on the legibility (and feedback on
earlier manuscripts of this book), a deliberate choice is made to, ‘where
appropriate’, simply repeat (copy-paste) the content of certain previous
paragraphs and/or parts of the book to promote legibility and learning
effects.
The mission, vision and strategy of the DPO work plan are taken as a starting
point to compose general ‘tables of reference for the DPO’, which entail
‘connecting factors for more depth’ for each of the subjects that are mentioned
in the specific chapters. The lay-out of these tables is identical in every chapter
and is primarily intended as orientation for more concrete elaboration by
the DPO in his or her work plan in accordance with their own enterprise,
institution or organisation.
The GDPR defines a number of important tasks for the DPO which are in
some way positioned on a ‘thin line of fragile checks and balances’ of various
GDPR stakeholders. The specific positioning of the DPO is also relevant for
the success of one of the most important goals of the GDPR, protecting the
fundamental rights and freedoms of natural persons (‘data subjects’ in the
GDPR) and in particular the right to protection of their personal data pursuant
to Article 1(2) GDPR.
According to the European Data Protection Board (formerly operating as
WP29), the DPO (or the organisation) should have a work plan, which the
organisation will use as a basis for providing, among others, the ‘necessary
resources’ for the DPO. With the entry into force of the GDPR as of 25 May
2018, the need to work on the professional maturity of the Data Protection
Officer (DPO) became more and more urgent. Moreover, the Spanish
supervisory authority (AEPD) was the first European privacy supervisory
authority which (although not based on Article 42 GDPR) published a
“Certification Scheme of Data Protection Officers” in which a number of
concrete knowledge and competence areas are mentioned, followed by the
‘CNIL Certification Scheme of DPO Skills and Knowledge’ in September
2018. This certification scheme of the French Data Protection Authority
introduced certification criteria setting out, in particular, the conditions for
admissibility of applications and the list of 17 DPO skills and knowledge
required to be certified, and also contained accreditation criteria setting out
the requirements applicable to certification bodies wishing to be accredited
by the CNIL to certify DPO skills and knowledge.
This publication is part of a larger series of publications for the professional
DPO. Especially for junior and medior/advanced (and even some
senior/expert) level DPOs, the following two additional sources are
considered to be indispensable works of reference:
CHAPTER 1
GENERAL INTRODUCTION
1.1 Introduction
The GDPR, which came into effect on 25 May 2018, provides a modernised,
accountability-based compliance framework for data protection in Europe,
which especially resonates with the tasks and positioning of the Data Protection
Officer (DPO). The designation of a DPO, who for many organisations operates at the heart of this
new legal framework, facilitating (amongst others)
compliance with the provisions of the GDPR, is mandatory for certain
controllers and processors. This is the case for all public authorities and
bodies (irrespective of what data they process), and for other organisations
which, as a core activity, monitor individuals systematically and on a large
scale, or that process special categories of personal data on a large scale.
Even when the GDPR does not specifically require the appointment of a
DPO, organisations may sometimes find it useful to designate a DPO on a
voluntary basis. The EDPB encourages these voluntary (internal or external)
efforts. Even back in 2010, the EDPB (WP29)[1] (predecessor of the European
Data Protection Board) already pointed out, in the light of
‘Accountability as a driver for effective implementation of data protection
principles’, that any organisation could, in addition to measures like
performing a DPIA, also consider the ‘appointment of data protection
officers’ in given cases.
The GDPR increasingly puts the (voluntary) appointment of the DPO on the
agenda of various enterprises and organisations. After the Dutch privacy
legislation came into force in September 2001, I was part of the initial board
that constituted the Dutch association of DPOs (NGFG), which acted as a
‘representative body’ of Dutch DPOs. As the newly designated Secretary of the
Board (acting Vice-President) of this brand-new association of data
protection officers, I was at an early stage confronted with the challenge of
‘DPO professionalism by design’, which became more of a challenge with the
entry into force of the GDPR, as this added to the expectations of DPO
professionalism.
The legally enshrined function of the DPO is paramount in promoting the
factual guarantee of privacy and data protection in daily policies and daily
operations of the organisation. The DPO fulfils an essential role as internal
expert in the area of privacy and data protection for daily practice. The
constructive contribution of promoting the factual protection is invigorated,
because of the vision of the European Data Protection Board that the DPO (or
the organisation) has to draw up a work plan, among others to substantiate
the ‘necessary resources’ that the organisation has to provide.
Given the size and structure of the organisation, it may be necessary to set up
a DPO team (a DPO and his/her staff), according to the EDPB.[2] In such
cases, the internal structure of the team and the tasks and responsibilities of
each of its members should be clearly drawn up. Similarly, when the function
of the DPO is exercised by an external service provider, a team of individuals
working for that entity may effectively carry out the tasks of a DPO as a
team, under the responsibility of a designated lead contact for the client.
In light of the further professionalisation and increasing expertise of the DPO,
and the continuous training that is part of it, this practical guidance for the
DPO work plan entails a few core processes that are key in this book
(chapters 3 to 10), which are preceded by some general remarks in chapter 1
and a short discussion of the tasks, positioning and professional profile of the
DPO in chapter 2. Of course, wherever the text mentions the word ‘he’, this
naturally also includes ‘she’ within its ambit.
For the sake of transparency, the DPO work plan framework discussed in this
handbook is structured along the lines of the following ten
chapters.
The introduction into European data protection law of the option to designate
a data protection officer (DPO) was inspired by German law. The first
difference between, for example, Dutch law and the German regulation was
that pursuant to Dutch law designation of a DPO was mandatory. The
controller that did not designate an officer fell automatically under the
supervision based on public law. He also had to report on the non-exempted
data processes there. If the controller decided to designate an officer, the
Dutch supervisory authority was supposed to be notified about this
designation. In that case public law-based supervision of the controller could
be reduced to supervision of the DPO task performance. The second
difference with German law was that an officer could also be appointed for a
group of enterprises or organisations. This could lead to the introduction of
an institution for the whole industry, that, if there was a code of conduct,
could supervise compliance with that code. This officer was not meant as an
extension of the supervisory authority of the government, neither was he seen
as a whistle-blower.[7]
Recital 97 of the GDPR specifies that the core activities of a controller relate
to its ‘primary activities and do not relate to the processing of personal data
as ancillary activities’. ‘Core activities’ can be considered as the key
operations necessary to achieve the controller’s or processor’s goals.
According to EDPB (WP29)[13], however, ‘core activities’ should not be
interpreted as excluding activities where the processing of data forms an
inextricable part of the controller’s or processor’s activity. For example, the
core activity of a hospital is to provide health care. However, a hospital could
not provide healthcare safely and effectively without processing health data,
such as patients’ health records. Therefore, processing these data should,
according to EDPB (WP29), be considered to be one of any hospital’s core
activities and hospitals must therefore designate at least one DPO.
As another example, mentioned by EDPB (WP29), a private security
company carries out the surveillance of a number of private shopping centres
and public spaces. Surveillance is the core activity of the company, which in
turn is inextricably linked to the processing of personal data. Therefore, this
company must also designate a DPO.
On the other hand, all organisations carry out certain activities, for example,
paying their employees or having standard IT support activities. These are
necessary support functions for the organisation’s core activity or main
business. Even though these activities are necessary or essential, they are
usually considered ancillary functions rather than the core activity.
Article 37(1)(b) and (c) require that the processing of personal data be carried
out on a large scale in order for the designation of a DPO to be triggered. The
GDPR however does not define what constitutes large scale.[14]
According to recital 91, ‘large-scale processing operations which aim to
process a considerable amount of personal data at regional, national or
supranational level and which could affect a large number of data subjects
and which are likely to result in a high risk’ would be included, in particular.
On the other hand, the recital specifically provides that ‘the processing of
personal data should not be considered to be on a large scale if the
processing concerns personal data from patients or clients by an individual
physician, other health care professional or lawyer’.
EDPB (WP29)[15] considers it important to note that, while the recital
provides examples at the extremes of the scale (processing by an individual
physician versus processing of data of a whole country or across Europe),
there is a large grey zone in between these extremes. In addition, it should be
borne in mind that this recital refers to data protection impact assessments.
This implies that some elements might be specific to that context and do not
necessarily apply to the designation of DPOs in the exact same way.
According to EDPB (WP29)[16], it is indeed not possible to give a precise
number either with regard to the amount of data processed or the number of
individuals concerned, which would be applicable in all situations. This does
not exclude the possibility, however, that over time, a standard practice may
develop, for specifying in objective, quantitative terms what constitutes
‘large scale’ in respect of certain types of common processing activities. The
EDPB (WP29) also plans to contribute to this development, by way of
sharing and publicising examples of the relevant thresholds for the
designation of a DPO.
In any event, the EDPB (WP29) recommends that in particular the following
factors be considered when determining whether the processing is carried out
on a large scale:
The EDPB (WP29) also gives examples that do not constitute large-scale
processing:
1. The data subjects: see Article 38(4). Data subjects may contact
the data protection officer with regard to all issues related to
processing of their personal data and to the exercise of their
rights under this regulation.
2. The supervisory authority: see Article 39(1)(e). The DPO
acts as a contact point for the supervisory authority on issues
relating to processing, including the prior consultation referred
to in Article 36 and to consult, where appropriate, with regard
to any other matter.
3. Internally within the organisation: considering that one of the
tasks of the DPO is ‘to inform[26] and advise the controller and
the processor and the employees who carry out processing of
their obligations pursuant to this Regulation’ (Art. 39(1)(a)).
Based on Article 37(3) of the GDPR, a single DPO may be designated for
several public authorities or bodies, taking account of their organisational
structure and size. The same considerations with regard to resources and
communication apply.
Based on the fact that the DPO is in charge of a variety of tasks, the
controller or the processor must ensure that a single DPO, with the help of a
team if necessary, can perform these tasks efficiently despite being
designated for several public authorities and bodies, according to the EDPB
(WP29).[28]
CHAPTER 2
TASKS, POSITIONING AND PROFILE OF THE
DPO
2.1 Legal tasks (GDPR)
A number of mandatory legal tasks have been explicitly stated in the GDPR,
from which the key position of the DPO can be inferred. Next to these legal
tasks, a DPO may fulfil other tasks and duties, whereby the controller or
processor shall ensure that any such tasks and duties do not result in a
conflict of interests (Article 38(6)). Recital 97 specifies that the DPO ‘should
assist the controller or processor to monitor internal compliance with this
Regulation’. Prior to the GDPR there was much debate as to
which tasks should be considered part of the function of the DPO. A division
can be made between a number of legal tasks on one side and conditionally
accepted optional tasks on the other. Conditional, because as per Article 38(6) the DPO
may only fulfil other tasks and duties under the condition that the controller
or processor ensures that any such tasks and duties do not result in any
conflict of interests.
According to Article 39(1) of the GDPR, the DPO shall have at least the
following tasks:
Ad 1
To inform and advise the controller or the processor and the employees who
carry out processing of their obligations pursuant to this Regulation and to
other Union or Member State data protection provisions. Where appropriate,
the controller or processor could develop data protection guidelines or
programmes that set out when the DPO must be consulted.[47]
Ad 2
To monitor compliance with this Regulation, with other Union or Member
State data protection provisions and with policies of the controller or
processor in relation to the protection of personal data, including the
assignment of responsibilities, awareness-raising and training of staff
involved in processing operations and related audits.
As part of these duties to monitor compliance, DPOs may, in particular
collect information to identify processing activities, analyse and check the
compliance of processing activities, and inform, advise and issue
recommendations to the controller or the processor.
Monitoring of compliance does not mean that it is the DPO who is personally
responsible for non-compliance. The GDPR makes it clear that it is the
controller, not the DPO, who is required to ‘implement appropriate technical
and organisational measures to ensure and to be able to demonstrate that
processing is performed in accordance with this Regulation’ (Article 24(1)).
Data protection compliance is a corporate responsibility of the data
controller, not of the DPO, according to the EDPB (WP29).[48]
Ad 3
To provide advice (where requested) concerning the data protection impact
assessment and monitor its performance pursuant to Article 35 of the GDPR.
According to Article 35(1), it is the task of the controller, not of the DPO, to
carry out, when necessary, a DPIA. However, the DPO can play a very
important and useful role in assisting the controller. Following the principle
of data protection by design, Article 35(2) specifically requires that the
controller ‘shall seek advice’ of the DPO when carrying out a DPIA. Article
39(1)(c) GDPR, in turn, tasks the DPO with the duty to ‘provide advice
where requested as regards the [DPIA] and monitor its performance’.
The EDPB (WP29)[49] recommends that the controller should seek the advice
of the DPO, on the following issues, amongst others:
Ad 4
To cooperate with the supervisory authority. The DPO cooperates with the
competent supervisory authorities with regard to any action taken to ensure
compliance with the GDPR.[51]
Ad 5
To act as the contact point for the supervisory authority on issues relating to
processing, including prior consultation referred to in Article 36, and to
consult, where appropriate, with regard to any other matter.
Pursuant to the EDPB (WP29)[52], the DPO acts as a contact point to facilitate
access by the supervisory authority to the documents and information for the
performance of the tasks mentioned in Article 57, as well as for the exercise
of its investigative, corrective, authorisation, and advisory powers mentioned
in Article 58. The DPO is bound by secrecy or confidentiality concerning the
performance of his or her tasks, in accordance with Union or Member State
law (Article 38(5)). However, the obligation of secrecy/confidentiality does
not prohibit the DPO from contacting and seeking advice from the
supervisory authority, according to the EDPB (WP29).[53]
In accordance with the second paragraph of Article 39 GDPR, the DPO shall
in the performance of his/her tasks have due regard to the risk associated with
processing operations, taking into account the nature, scope, context and
purposes of processing. According to the EDPB (WP29)[54], this article recalls
a general and common-sense principle, which may be relevant for many
aspects of a DPO’s day-to-day work. In essence, it requires DPOs to
prioritise their activities and focus their efforts on issues that present higher
data protection risks. This does not mean that they should neglect monitoring
compliance of data processing operations that have a comparatively lower level
of risk, but it does indicate that they should focus, primarily, on the higher-
risk areas.
This selective and pragmatic approach should help DPOs (in the view of the
EDPB (WP29)) advise the controller what methodology to use when carrying
out a DPIA, which areas should be subject to an internal or external data
protection audit, which internal training activities to provide to staff or
management responsible for data processing activities, and which processing
operations to devote more of his or her time and resources to.
The GDPR in principle allows the data protection officer to fulfil other tasks
and duties. The controller or processor shall ensure that any such tasks and
duties do not result in a conflict of interests, in accordance with Article 38(6)
GDPR. In general, there is a conflict of interests when the other task or duty
of the DPO has direct or indirect consequences for the adequate performance
of the legal tasks of the DPO.
The EDPB (WP29)[56] rightly points out that in practice DPOs often create
inventories and hold a register of processing operations based on information
provided to them by the various departments in their organisation responsible
for the processing of personal data. This practice has been established under
many current national laws and under the data protection rules applicable to
the EU institutions and bodies.[57]
Article 39(1) provides for a list of tasks that the DPO must perform as a legal
minimum. Therefore, nothing prevents the controller or the processor from
assigning the DPO with the task of maintaining the record of processing
operations, as stated in Article 30 GDPR, under the responsibility of the
controller or processor. Such a record should be considered as one of the
tools enabling the DPO to perform its tasks of monitoring compliance,
informing and advising the controller or the processor.
In any event, the record required to be kept under Article 30 GDPR should
also be seen as a tool allowing the controller and the supervisory authority,
upon request, to have an overview of all the personal data processing
activities that an organisation is carrying out. It is thus a prerequisite for
compliance, and as such, an effective accountability measure.
2.4 Positioning
Ad 2
Access to personal data and processing operations
The controller and processor shall support the DPO in performing the tasks
referred to in Article 39 by providing access to personal data and processing
operations (Art. 38(2)).
Ad 3
Resources to carry out tasks and maintain expert knowledge
The controller and processor shall support the DPO in performing the tasks
referred to in Article 39 by providing resources necessary to carry out those
tasks and to maintain his or her expert knowledge (Art. 38(2)).
According to the EDPB (WP29)[61], the following items, in particular, are to
be considered:
Ad 4
No instructions regarding the exercise of tasks
The controller and processor shall ensure that the data protection officer does
not receive any instructions regarding the exercise of those tasks (Art. 38(3)).
This paragraph establishes some basic guarantees to help ensure that DPOs
are able to perform their tasks with a sufficient degree of autonomy within
their organisation. Moreover, DPOs, whether or not they are an employee of
the controller, should be in a position to perform their duties and tasks in an
independent manner.[62] According to the EDPB (WP29)[63], the above
means that, in fulfilling their tasks under Article 39, DPOs must
not be instructed how to deal with a matter, for example, what result should
be achieved, how to investigate a complaint or whether to consult the
supervisory authority. Furthermore, they must not be instructed to take a
certain view of an issue related to data protection law, for example, a
particular interpretation of the law.
The autonomy of DPOs does not, however, mean that they have decision-
making powers extending beyond their tasks pursuant to Article 39 GDPR, as
stated by the EDPB (WP29). The controller or processor remains responsible
for compliance with data protection law and must be able to demonstrate
compliance in accordance with Article 5(2) GDPR. If the controller or processor makes
decisions that are incompatible with the GDPR and the DPO's advice, the
DPO should be given the opportunity to make his or her dissenting opinion
clear to the highest management level and to those making the decisions. Article
38(3) GDPR provides that the DPO shall directly report to the highest
management level of the controller or the processor.
Such direct reporting ensures that the senior management (e.g. board of
directors) is aware of the DPO’s advice and recommendations as part of the
DPO’s mission to inform and advise the controller or the processor. Another
example of direct reporting is the drafting of an annual report of the DPO’s
activities provided to the highest management level.
Ad 5
No dismissal or penalty for performing the tasks
The DPO shall not be dismissed or penalised by the controller or the
processor for performing his tasks (Art. 38(3) GDPR).
Protection against dismissal and penalisation also strengthens the autonomy
of DPOs and helps to ensure that they act independently and enjoy sufficient
protection in performing their data protection tasks, as stated by the EDPB
(WP29).[64]
Penalties are only prohibited under the GDPR if they are imposed as a result
of the DPO carrying out their duties as a DPO. For example, a DPO may
consider that a particular processing is likely to result in a high risk and
advise the controller or the processor to carry out a data protection impact
assessment but the controller or the processor does not agree with the DPO’s
assessment. In such a situation, the DPO cannot be dismissed for providing
this advice.
Penalties may take a variety of forms and may be direct or indirect. They
could consist of, for example:
1. absence or delay of promotion.
2. prevention from career advancement.
3. denial from benefits that other employees receive.
It is not necessary that these penalties be actually carried out; a mere threat is
sufficient as long as it is used to penalise the DPO on grounds related to
their DPO activities.
As a normal management rule and as it would be the case for any other
employee or contractor under, and subject to, applicable national contract or
labour and criminal law, a DPO could still be dismissed legitimately for
reasons other than for performing his or her tasks as a DPO (for instance, in
case of theft, physical, psychological or sexual harassment or similar gross
misconduct).
In this context it is noted by the EDPB (WP29) that the GDPR does not
specify how and when a DPO can be dismissed or replaced by another
person.
However, the more stable a DPO’s contract is, and the more guarantees can
be built in against unfair dismissal, the more likely they will be able to act in
an independent manner. Therefore, the EDPB (WP29) would welcome
efforts by organisations to this effect.
Ad 6
Directly report to the highest management level
The DPO shall directly report to the highest management level of the
controller or the processor (Art. 38(3)).
Ad 7
Contact point with regard to all issues related to processing of personal
data
Data subjects may contact the data protection officer with regard to all issues
related to processing of their personal data (Art. 38(4)).
Ad 8
Functional secrecy/confidentiality
The data protection officer shall be bound by secrecy or confidentiality
concerning the performance of his or her tasks, in accordance with Union or
Member State law (Art. 38(5)).
Ad 9
No conflict of interests in other tasks
The data protection officer may fulfil other tasks and duties. The controller or
processor shall ensure that any such tasks and duties do not result in a
conflict of interests (Art. 38(6)).
EDPB (WP29)[65] considers that the absence of conflict of interests is closely
linked to the requirement to act in an independent manner. Although DPOs
are allowed to have other functions, they can only be entrusted with other
tasks and duties provided that these do not give rise to conflicts of interests.
This entails in particular that the DPO cannot hold a position within the
organisation that leads him or her to determine the purposes and the means of
the processing of personal data. Due to the specific organisational structure in
each organisation, this has to be considered case by case.
As a rule of thumb, conflicting positions within an organisation may include:
a. Chief executive.
b. Chief operating officer.
c. Chief financial officer.
d. Chief medical officer.
e. Head of marketing department.
f. Head of Human Resources.
g. Head of IT departments.[66]
Ad 10
If easily accessible, a DPO for a group of undertakings is possible
A group of undertakings may appoint a single data protection officer
provided that a data protection officer is easily accessible from each
establishment (Art. 37(2) GDPR).
Ad 11
A DPO for various public institutions with respect to the structure and size
Where the controller or the processor is a public authority or body, a single
data protection officer may be designated for several such authorities or
bodies, taking account of their organisational structure and size (Art. 37(3)
GDPR).
1. The controller and the processor shall ensure that the data
protection officer is involved, properly and in a timely manner, in
all issues which relate to the protection of personal data (Art. 38(1)
GDPR).
2. The controller and processor shall support the data protection
officer in performing the tasks referred to in Article 39 by
providing resources necessary to carry out those tasks and access to
personal data and processing operations, and to maintain his or her
expert knowledge (Art. 38(2) GDPR).
3. The controller and processor shall ensure that the data protection
officer does not receive any instructions regarding the exercise of
those tasks. He or she shall not be dismissed or penalised by the
controller or the processor for performing his tasks. The data
protection officer shall directly report to the highest management
level of the controller or the processor (Art. 38(3) GDPR).
4. Data subjects may contact the data protection officer with regard to
all issues related to processing of their personal data and to the
exercise of their rights under this Regulation (Art. 38(4) GDPR).
5. The data protection officer shall be bound by secrecy or
confidentiality concerning the performance of his or her tasks, in
accordance with Union or Member State law (Art. 38(5) GDPR).[68]
6. The data protection officer may fulfil other tasks and duties. The
controller or processor shall ensure that any such tasks and duties
do not result in a conflict of interests (Art. 38(6) GDPR).
The first step in the development of a proper position (job) profile is making
a proper analysis of the position of the DPO (position analysis).[69] Position
analysis can be traced back to the earlier time and motion studies of the end
of the 19th and the beginning of the 20th century, the period of large-scale
industrialisation. According to Smit[70], a position analysis can be described
as systematically collecting function-related information, on the one hand
about the content of the position (tasks, roles, responsibilities and
competencies) and on the other hand about the requirements and
characteristics that are necessary to fulfil the position (knowledge, skills,
competences, abilities, personal and cognitive characteristics). While in
traditional methods of position analysis the position itself is the starting
point of research, modern approaches, according to Smit[71], work according
to the following principles: outside-in and top-down. Starting from
developments in the environment, objectives for the organisation can be set.
These goals are elaborated into objectives or contributions of organisational
units (departments and teams), to eventually arrive at the level of the
position (category) and a description of tasks and/or roles. The final step is
then the translation into the requirements placed on the position holder. The
required capacities or characteristics are usually expressed as criteria and
competencies (attitude). Traditionally, position analysis focuses on the
individual position and the position holder. But naturally it is also possible to
make an analysis of team assignments and team competences.
There are many ways to bring function-related characteristics and criteria
into view. In practice, a number of position analysis methods and
instruments are used. An interview, often on the basis of a structured
questionnaire (see example) in which the most important subjects are
indicated, is frequently used. Although somewhat dated in mainstream
practice, the following interview methods are explicitly mentioned by Smit
(especially having regard to the position of the DPO).
Ad 1
Interview method Position Analysis Questionnaire (PAQ) and 360° model
The ‘Position Analysis Questionnaire’ of McCormick (1976) is beyond any
doubt the most famous one. The questionnaire consists of almost 200
questions with regard to position elements defined in terms of the required
behaviour. Usually the information is collected through interviews with
position holders. Nowadays it is good practice to collect information
according to the 360° model. Besides the position holder himself, the
supervisor, a colleague position holder and a client (internal or external)
constitute various sources of information concerning the activities, results
and competences of the position. By taking into account various angles, a
more complete picture can be acquired.
Ad 2
Interview method Critical Incidents Technique (CIT)
Another frequently used method is the Critical Incidents Technique, which
Flanagan developed as early as 1954. The core of the method consists of
collecting examples of behaviour in which the officer performs well and
in which he does not perform well. By means of interviews, according to
behaviour-based techniques, one can get a sense of the qualities required
for important aspects of the job. Questions that can be raised are, for
example:
Ad 3
Interview method Repertory Grid
The interview method Repertory Grid of Kelly (1955) is similar but applies a
somewhat different approach. Supervisors are asked to indicate how a
successful employee distinguishes himself from a less successful employee.
In order to get more insight into the requirements of the function of the
data protection officer, the following questions can be raised.
1. How does the difference between an effective and a less effective officer
show?
2. Imagine the best DPO. Why does he stand out?
3. In what fields should this DPO excel?
4. What is the simplest way for the DPO to inflict damage on the
organisation?
After these preliminary questions, one endeavours to get a clearer picture of
the desired behaviour through more detailed questions. Subsequently, a
connection is made with the requirements which an officer (DPO) ideally
should meet. In order to obtain as complete a picture as possible, it is
recommended to interview various informants who deal with the officer
(DPO) from various positions. A considerable number of collected critical
incidents form the basis for a classification into categories, in which the
analyst repeatedly consults the stakeholders in various phases to determine
whether he is on the right track. The resulting categories serve as a reference
point for deriving and determining the function requirements. Usually, this
determination of categories of behaviour and the derivation of the function
requirements take place in group meetings.
The above-mentioned methods mostly provide a description of the function
content and of the requirements in terms of education, experience etc.
1. The controller and the processor shall ensure that the data
protection officer is involved, properly and in a timely manner, in
all issues which relate to the protection of personal data.
2. The controller and processor shall support the data protection
officer in performing the tasks referred to in Article 39 by
providing resources necessary to carry out those tasks and access to
personal data and processing operations, and to maintain his or her
expert knowledge.
3. The controller and processor shall ensure that the data protection
officer does not receive any instructions regarding the exercise of
those tasks. He or she shall not be dismissed or penalised by the
controller or the processor for performing his tasks. The data
protection officer shall directly report to the highest management
level of the controller or the processor.
4. Data subjects may contact the data protection officer with regard to
all issues related to processing of their personal data and to the
exercise of their rights under this Regulation.
5. The data protection officer shall be bound by secrecy or
confidentiality concerning the performance of his or her tasks, in
accordance with Union or Member State law.
6. The data protection officer may fulfil other tasks and duties. The
controller or processor shall ensure that any such tasks and duties
do not result in conflict of interests.
Diplomatic performance.
Deal with conflicts.
Independent positioning.
Empathic ability, having regard for the emotions of colleagues.
Affinity with a variety of aspects of activities of colleagues (good
capacity of experience).
Being accessible for everybody within the organisation.
Patience and the capacity of listening.
Balanced personality.
Capacity to be objective and remain distant to case specificity.
Readiness to introspection.
Readiness to accountability.
Being able to deal with vulnerabilities and the solitude of the
function of the DPO.
It is undisputed, especially given the exemplary role that the DPO fulfils,
that the function of the DPO requires a certain degree of leadership. The
line of thought concerning the leadership qualities and leadership styles that
belong to the DPO, however, has yet to be developed. Concerning leadership
in a general sense (with the goal of developing assessments), considerable
research has been carried out that could perhaps give some guidance in
acquiring the necessary insights, whether or not based on the competency
framework of Quinn.[74]
Quinn's model describes eight management roles that are effective in
relation to a certain context. These roles are distinguished along the
dimension ‘internal orientation’ versus ‘external orientation’ and the
dimension ‘control’ versus ‘flexibility’, giving four quadrants that can be
visualised as follows.
In fulfilling their activities, the DPO takes on diverse roles (see hereafter also
paragraph 3.5, figure 3.18 Roadmap framework and structure DPO work
plan). From this role perspective, the tasks, goals or results to be
accomplished as DPO are related to the role (or roles) that the DPO should
ideally fulfil in a company (or organisation) as a collaborative entity. The role
of the DPO fits into the development whereby, within the framework of
increasingly dynamic functions, it is no longer sufficient to lay down
activities, function requirements and competencies in a tight (static) function
description.[75] Describing roles at a higher level of abstraction meets the
desire to describe what is expected from the DPO. A role matrix perspective
of the DPO does not only encompass a set of activities and corresponding
competencies, but also captures the core of what should be expected of the
DPO.
The language used for role descriptions usually has a visual and sometimes
metaphorical character, which allows the desired behaviour of the DPO to
be described in an effective manner. Moreover, role descriptions have a
more open character than a (restricted) enumeration of activities; therefore,
a margin of appreciation is left to the DPO himself.
A position analysis in terms of roles that could be relevant for the function of
the DPO was already elaborated by McLagan in 1989. Although this
position analysis was developed for the field of human resource development,
the approach followed, in which a picture is painted of the field in terms of
task fields, activities, guidelines for behaviour (ethics), roles and competences,
is also applicable to the DPO. Schematically, the development of this role
matrix for the function of the DPO (based on the extract of the role
competencies matrix as enclosed in the ASTD report)[76] could look like this,
in the form of a table of reference, to provide an example.
CHAPTER 3
FRAMEWORK & STRUCTURE
3.1 Introduction
3.1.1 Work plan of the DPO
Although the DPO does not receive any instructions regarding the
performance of the tasks in the sense of Article 39, as per Article 38(3) of the
GDPR, the DPO directly reports, pursuant to the same Article 38(3) GDPR,
to the highest management level of the controller within the organisation
(usually the president of the board or a fellow board member with privacy and
data protection in his portfolio). The GDPR however does not elaborate any
further on what ‘directly report’ exactly entails. As far as this matter is
concerned, the EDPB (WP29)[82] notes that such direct reporting ensures that
senior management (e.g. board of directors) is aware of the DPO’s advice and
recommendations as part of the DPO’s mission to inform and advise the
controller or the processor. Another example of direct reporting is the
drafting of an annual report of the DPO’s activities provided to the highest
management level.
1. Professional qualities.
2. Expertise in the area of legislation.
3. Expertise in the area of data protection practice.
Ad 2
Improve the synergy with other business units
The continuity of primary business processes should ideally suffer no
disruption as a result of the performance of DPO tasks, unless, of course,
pressing issues exist, in which case the necessary internal procedures and
processes are attended to in a correct manner. From this perspective of mutual
dependency, continuous monitoring of good cooperation and the underlying
processes is key and should not suffer from financial constraints. Ergo, a
timely and qualitatively good collaboration between the DPO on the one
hand and the management of primary company processes on the other hand
could be the basis for making sure that the professional performance of DPO
tasks and duties does not interfere with the continuity of primary company
processes.
Ad 3
Secure the interests of stakeholders
A professional DPO work plan can benefit from the relationship with the
(internal and external) stakeholders when sufficient attention is being paid to
all interests concerned. The GDPR pays attention to the interests of a good
relationship with stakeholders in different contexts, such as the following.
Ad 4
Cooperating well with the Data Protection Authorities (DPA)
In the context of the performance of the tasks, the DPO is expected to
cooperate with the DPA as per Article 39(1)(d) of the GDPR, and the DPO
acts as the contact point for the DPA pursuant to Article 39(1)(e). What this
entails exactly is for the time being not completely clear, although this relation
will without any doubt lead to further actions by the DPO which, methodically
and systematically, deserve proper attention.
According to the EDPB (WP29),[86] these tasks refer to the role of ‘facilitator’
of the DPO. The DPO acts as a contact point to facilitate access by the
supervisory authority to the documents and information for the performance
of the tasks mentioned in Article 57 GDPR, as well as for the exercise of its
investigative, corrective, authorisation, and advisory powers mentioned in
Article 58 GDPR. As already mentioned, the DPO is bound by secrecy or
confidentiality concerning the performance of his or her tasks, in accordance
with Union or Member State law (Article 38(5) GDPR).
The quality of the relationship between the DPO and the DPA is not without
interest. After all, the DPA acts in a reserved way with respect to
organisations where a DPO is monitoring compliance with data protection.[87]
Ad 5
Prudent reporting of audit results
A professional DPO work plan accounts for the findings of internal and
external audits in the sense that sufficient attention is being paid to possible
risks of GDPR non-compliance, in the interest of the organisation itself.
In relation to that, the DPO could give independent internal advice or
provide requested advice concerning Data Protection Impact Assessments
(DPIAs), and the importance of timely GDPR (follow-up) audits could be
emphasised.
The importance of this is, for instance, obvious in the case of data breaches.
Compliance with the duty to report data breaches should enjoy special
attention from the DPO, not only because data breaches could (given specific
circumstances) harm the good reputation of an organisation, but also because
a violation of this duty could be followed by serious financial consequences
(after all, a fine could – apart from the other possibilities of fines under the
GDPR – extend to € 820.000 or even 10% of the annual turnover). This fine
(and sphere of accountability) requires the professional DPO work plan to
contribute effectively to this important perspective of GDPR compliance.
Ad 6
Risk and incidents management
The concept of ‘risk’ plays a central role in the GDPR. With respect to the
enhancement of reputation management, properly functioning incident
management is indispensable. Risks and incidents could produce important
signals for the DPO about possible forms of non-compliance with rights and
obligations in the area of privacy and data protection. Paying proper
attention to risk and incident management as part of a professional DPO
work plan could therefore make important contributions to managing risks
and incidents in the area of privacy and data protection at organisation level.
This would have a direct effect in the context of fines and penalty payments
imposed by the DPA and would limit claims for consequential damages as a
(direct or indirect) result of GDPR non-compliance.
Some advantages for the organisation of proper attention to risk and incidents
management in the DPO work plan could be for example (depending on the
circumstance) the following:
customer experience).
Ad 8
Restrict accountability for damage suffered
According to recital 74 of the GDPR, the responsibility and liability of the
controller for any processing of personal data carried out by the controller or
on the controller's behalf should be established. The controller should be
obliged to implement appropriate and effective measures and be able to
demonstrate the compliance of processing activities with this Regulation,
including the effectiveness of the measures. Those measures should take into
account the nature, scope, context and purposes of the processing and the risk
to the rights and freedoms of natural persons.
The risk to the rights and freedoms of natural persons, of varying likelihood
and severity, may result from personal data processing which could lead to
physical, material or non-material damage, according to recital 75 of the
GDPR. A professional DPO work plan could (among others) contribute to a
considerable reduction of GDPR violations and, as a logical result, also
reduce the risk that data subjects use the right to claim damages by invoking
Article 82 GDPR. This article states, ‘Any person who has suffered material
or non-material damage as a result of an infringement of this Regulation shall
have the right to receive compensation from the controller or processor for
the damage suffered.’
Ad 9
Reputation management
To some extent, the DPO could be qualified as one of the guards of the
reputation of the organisation, in particular where the processing of data is at
stake, taking into account the DPO tasks of Article 39 of the GDPR.
Reputation in that sense could also be qualified as the judgment of the public
of the accountability of a person or enterprise in the long term. In a certain
sense the reputation of a company can be viewed as the sum of judgments on
various aspects of the functioning of the organisation and on various
moments, by various stakeholders. One could agree that this means that the
reputation fluctuates over time. In light of this, the prevention of large
fluctuations in the privacy and data protection reputation of the organisation
deserves and justifies an important place in a well-thought (professional)
DPO work plan. Good reputation retrospectively creates a certain value for
all relevant stakeholders.[89]
Ad 10
Enrichment of a corporate privacy integrity culture
A corporate privacy (and data protection) integrity culture directly influences
the achievements and therefore the results of an enterprise. A corporate
privacy integrity culture is therefore something to be taken seriously. What
does this mean in practice? The approach of the Dutch Central Bank (DNB)
provides interesting insights in this regard. DNB envisions a corporate
integrity culture as, ‘a sphere and climate in which one, besides complying
with legislation and regulation, also behaves and operates in a way that is
explainable and justifiable. A culture in which one operates according to the
spirit of the law.’[90] DNB distinguishes between the following seven
elements of a corporate integrity culture.
The costs of the DPO work plan should be part of a separately and
independently managed operational budget of the DPO. Pursuant to Article
38(2) of the GDPR, the DPO is supported by the controller (and processor) in
performing the tasks referred to in Article 39 GDPR by providing resources
necessary to carry out those tasks and to maintain his or her expert
knowledge.
In general, the more complex and/or sensitive the processing operations, the
more resources must be allocated for the DPO. The data protection function
must be effective and sufficiently well-resourced in relation to the data
processing being carried out, according to the EDPB (WP29).[91] According
to the EDPB, the following items, in particular, are to be considered in the
debate concerning ‘necessary resources’ for the DPO:
1. Recruitment of employees.
2. Putting in order the administration of vital information systems.
3. Acquisition, implementation and administration of firewalls, anti-virus
software and ‘intrusion-detection and intrusion-prevention systems.’
4. Unification with a ‘security operations centre’ (SOC).
5. Restriction of risks by, for example, equipping facilities to escape.
6. Re-design costs of company processes.
7. Development, implementation and audits of policy and procedures
(for example policy with regard to passwords and mobile devices).
8. Re-design of software (‘secure software development’).
9. Launch of specific functions, such as ‘Chief information security
officer’ (CISO).
10. Recruitment/hiring of third parties for guidance, education and
training.
11. Following the Masterclass Information Security.
12. Attendance at congresses and symposiums concerning information
safety and security.
13. Unforeseen costs.
It seems justifiable to reserve a certain percentage of the budgeted expenses
for company processes for costs with regard to ‘monitoring the compliance
with obligations of the GDPR’ by the DPO, provided that the independence of
the DPO is safeguarded in performing the tasks mentioned in Article 39 of the
GDPR.
Pursuant to Article 38(3) of the GDPR the following can be added to this
list.
Next to these so-called Article 39 tasks, the DPO can also fulfil other tasks
and functions provided that they are compatible with a good performance of
the Article 39 tasks, which means that the independent functioning of the
DPO cannot be questioned. Also, the absence of a possible conflict of interests
should be beyond any doubt. Because these possible tasks of the DPO may
vary from organisation to organisation, they will only be touched upon
briefly.[92]
In the performance of his or her tasks under Article 39 of the GDPR, the
DPO shall, pursuant to Article 39(2) GDPR, have ‘due regard’ to the risk
associated with processing operations, taking into account the nature, scope,
context and purposes of the processing of personal data. Although ‘due
regard’ is not elaborated on in more detail in the GDPR, it indicates that
diverse perspectives are to be taken into account in the context of a
professional performance of the DPO tasks. More concretely, one could think
of the diverse disciplinary interests, boundaries and opportunities of (for
example) the following disciplines (also called the ‘Privacy table of 5’):
1. Legal.
2. Compliance.
3. Ethics.
4. Security.
5. Information Technology (IT).
Of course, depending on the relevance for the organisation, company or
institute, other disciplines could be added as well. This disciplinary diversity
deserves a strategically significant position in every professional DPO work
plan.
Figure 3.3 Multi-disciplinary in the DPO work plan
3.2.4 GDPR core themes of the DPO work plan
The above-identified core GDPR themes have to be developed in practice for
the specific teams of one's own organisation and in such a way that the DPO
can effectively and efficiently fulfil his or her legal (Article 39 GDPR) tasks.
A starting list of possible themes could (by way of example) consist of the
following items.[93]
3.2.7 Planning
Without a plan, the DPO is like a ship lost at sea without a map, compass or
radio. The DPO knows approximately where to end up, but the chances of
actually arriving there are small (also because of continually unexpected
storms which lead to a completely different navigational route). Planning
ought to be an integral component of the design process (set-up) of the
professional DPO work plan.
In order to realise the goals set in the DPO work plan, planning is
indispensable. More specifically, also for the following obvious reasons.
1. Planning gives the DPO the opportunity to set priorities and to focus.
2. Planning provides the DPO with insight into available timelines.
3. Planning increases the effective results.
4. Planning helps to achieve the set goals from the DPO work plan.
5. Planning increases the chance that the DPO carries out certain
activities, or at least that they will be continued and completed.
6. Planning helps the DPO to stay on track.
7. Planning prevents important tasks becoming urgent tasks (stress
prevention).
8. Planning increases insight into the necessary resources (inventory or
capital) and contributes to better estimates of the support needed by
the DPO.
9. Planning increases the acceptance level of DPO-activities, because
one will not ‘be surprised by action.’
10. Planning of the DPO promotes a better resource planning (in
particular for human resources) especially where resources are
shared with other departments (for example privacy implementation
teams).
Which activities of the DPO should have priority is not always easy to
determine. Therefore, setting priorities is an important time-management
skill. In essence, setting priorities is nothing other than keeping yourself busy
with important tasks. How can you use your time efficiently and complete
what you want to do?
The statement of former general and president of the United States, Dwight
D. Eisenhower, ‘What is important is seldom urgent and what is urgent is
seldom important,’ is the foundation of the so-called Priority matrix of
Eisenhower, which is mainly known through Stephen Covey (time-management
guru). The Priority matrix of Eisenhower consists of four quadrants that arise
by setting two opposing values against each other: important versus
unimportant and urgent versus non-urgent. Important means, in this context,
matters that catch the eye and/or concern many people. Unimportant in this
context means matters that should be completed before a specific time. In the
form of a diagram, it can be illustrated as follows.
Figure 3.5 DPO Work Plan Priority Matrix (Eisenhower’s priority)
What would a basic framework of a DPO work plan look like? In the absence
of any substantial guidance by Data Protection Authorities and the European
Data Protection Board (EDPB), it is advised to frame a DPO work plan as
closely to Articles 37-39 GDPR as possible, as these are the core provisions
for DPO tasks in the GDPR.
The formal GDPR tasks of the DPO should be connected with the internal,
organisation-based ‘six DPO task-pillars’ of the DPO and strategically
harmonised[96] at the highest management level. As can be inferred from
Articles 37-39 GDPR, the following strategic pillars of any DPO work plan
can be derived.
1. Informing and advising the controller or processor and the
employees of the organisation.
2. Monitoring compliance with the GDPR and internal policies.
3. Cooperating with the supervisory authority.
4. Acting as contact point for the supervisory authority.
5. Acting as contact point for data subjects.
6. Performing other tasks with due regard for GDPR risks.
Next to these six strategic pillars of a DPO work plan, which are discussed
in detail below in Section 3.4, a key consideration for any DPO work plan is
the positioning derived from Articles 37 to 39 of the GDPR and the internal
statute of the DPO, which are the foundations of the job profile of the DPO
as adjusted to the specific organisation.
In the context of alignment with the highest management level, hereinafter
the concrete steps that the DPO undertakes will be discussed in more detail.
After this alignment with the highest management level, all outcomes are to
be coordinated with all relevant stakeholders.
The execution of the DPO work plan will be directly reported to the highest
management level.
3.3.2.1 GDPR
The core of the DPO work plan is compliance with the obligations under the
GDPR[97] and other Union or Member State data protection provisions. For a
brief discussion of GDPR themes, see the discussion in the previous pages.
Where applicable, the DPO work plan thematically takes into account the
existence of all internal regulations in the area of privacy and data protection.
Ergo, in case of possible contradictions with the EU regulations of higher
order (GDPR or otherwise), the DPO ought to draw attention to this and, if
necessary, undertake all actions needed while taking into account the
professional performance of all formal tasks as depicted in Article 39 of the
GDPR.
The risk control thinking of COSO is based on the following eight so-called
elements of every ‘control and inspection’ system. These elements are
derived from the way in which the board and management lead (their
leadership style) and are therefore directly interconnected with the process of
leadership.
Referring to recital 77 of the GDPR, stating that the DPO can give
indications for appropriate measures to the controller or processor concerning
the risk of the processing, the so-called DPO Privacy Risk Model
(abbreviated: DPO PRISC Model) can be helpful.[102]
In the preceding years, while training many DPOs at the Dutch Privacy
Academy (NPA), a number of concrete subsequent steps were formulated in
order to achieve a sound way of risk-oriented performance of GDPR tasks for
the DPO. This was based on an elaborate background study of the COSO
model, the GDPR and DPO perspectives from diverse multidisciplinary
backgrounds. The diagram below illustrates an abstract example of the core
elements (basic categorisation) of the DPO PRISC Model®.
Figure 3.11 Pillar 1 of the DPO work plan: inform and advise
1. The GDPR.
2. Other Union data protection provisions.
3. Member State data protection provisions.
4. The policy of the controller or processor with regard to the
protection of data, including the assignment of responsibilities,
awareness-raising and training of the personnel involved in
processing, and the related audits.
The data protection officer shall in the performance of his or her tasks have
due regard to the risk associated with processing operations, taking into
account the nature, scope, context and purposes of processing, according to
Article 39(2) of the GDPR.
The GDPR assignment of the DPO under this pillar is to cooperate with the
Data Protection Authorities (DPA) by which due regard is given to the risk
associated with processing operations, taking into account the nature, scope,
context and purposes of processing, according to Article 39(2) of the GDPR.
According to the EDPB (WP29),[106] the tasks ‘cooperating’ and ‘acting as a
contact point’ refer to the role of ‘facilitator’ of the DPO mentioned in the
introduction to these Guidelines. The DPO acts as a contact point to facilitate
access by the supervisory authority to the documents and information for the
performance of the tasks mentioned in Article 57 GDPR, as well as for the
exercise of its investigative, corrective, authorisation, and advisory powers
mentioned in Article 58 GDPR. As already mentioned, the DPO shall be
bound by secrecy or confidentiality concerning the performance of his or her
tasks, in accordance with Union or Member State law (Article 38(5) of the
GDPR).
Figure 3.13 Pillar 3 of the DPO work plan: Cooperate with the Data
Protection Authorities
3.4.2.4 Pillar 4: contact point for the Data Protection Authorities
The assignment of the DPO under this pillar consists of acting as the contact
point for the supervisory authority on issues relating to processing, including
the prior consultation referred to in Article 36, and to consult, where
appropriate, with regard to any other matter (Article 39(1)(e) of the GDPR).
Figure 3.14 Pillar 4 of the DPO work plan: contact point for the Data
Protection Authorities
3.4.2.5 Pillar 5 | Contact point for data subjects
The assignment of the DPO under this pillar consists of acting as the contact
point for data subjects. They may contact the data protection officer with
regard to all issues related to processing of their personal data and to the
exercise of their rights under the GDPR (Article 38(4) of the GDPR).
Figure 3.15 Pillar 5 of the DPO work plan: contact point for data subjects
3.4.2.6 Pillar 6 | Other (optional) tasks
Based on Article 38(6) of the GDPR, the DPO may in principle fulfil other
tasks and duties next to the legal tasks. The controller or processor shall
ensure that any such tasks and duties do not result in a conflict of interests. In
general, there is conflict of interests when another task or duty of the DPO
has direct or indirect consequences for the good fulfilment of legal tasks of
the DPO ex Article 39 of the GDPR. This entails in particular that the DPO
cannot hold a position within the organisation that leads him or her to
determine the purposes and the means of the processing of personal data. Due
to the specific organisational structure in each organisation, this has to be
considered case by case. In addition, according to EDPB (WP29)[107], conflict
of interests may also arise for example if an external DPO is asked to
represent the controller or processor before the Courts in cases involving data
protection issues.
1. Promoting awareness.
2. Promoting permanent education.
3. Handling complaints.
4. Handling incidents.
5. Acting as confidential counsellor.
6. Making an inventory of data processes.
7. Development of norms.
8. Advising on technology and security of data.
9. Providing information.
10. Executing (non) monitoring-related privacy audits.[108]
Figure 3.16 Pillar 6 of the DPO work plan: other (optional) tasks
3.4.3 General Overview of a DPO Work Plan
Figure 3.17 General overview of a DPO Work Plan
CHAPTER 4
VISION, MISSION & STRATEGY (VMS)
4.1 Introduction
After discussing the general design and structure of the DPO work plan,
attention will be paid to the basic principles on which the subsequent steps of
the DPO work plan are structured, which is the main focus of this chapter.
Professional performance of tasks by the DPO, as described in the previous
chapters, requires from both the controller or processor that has ‘appointed’
the DPO and from the DPO himself a thorough insight into the fundamental
character of the tasks that have to be performed. A clear picture of the
historical background, text, rationale and spirit of the ‘envisioned purpose’
of the DPO and his/her work plan is therefore crucial.
More specifically, with regard to the strategy of the DPO work plan,
contextualised within the ambit of the DPO work plan vision and mission on the
one hand and public documents[114] on the other, several indications can again
be derived from the main actors (among which the European Parliament and the
European Council, the European Commission, the European Data Protection Board,
the European Data Protection Supervisor (EDPS), the domestic legislator, the
Data Protection Authorities, involved faculties and internal stakeholders).
With regard to the DPO work plan, the EDPB (WP29)[115] notes that ‘[…] it is
also good practice to determine the appropriate level of priority for DPO
duties, and for the DPO (or the organisation) to draw up a work plan.’
Notably, the EDPB (WP29) places the work plan discussion right at the centre
of the ‘necessary resources’ with which the organisation (controller) is to
support the DPO.
4.1.5 VMS calibration of the DPO work plan
To a certain extent the cases connected to VMS[116] ‘force’ the DPO to
substantiate his/her work plan as thoroughly as possible, taking into account
relevant perspectives from various main actors such as the following.
Figure 4.5 VMS of the DPO work plan from the European Parliament and the
European Council
1. The controller or the processor shall ensure that the data protection
officer is properly and in a timely manner involved in all issues
which relate to the protection of personal data.
2. The controller or processor shall ensure that the data protection
officer performs the duties and tasks independently and does not
receive any instructions as regards the exercise of the function. The
data protection officer shall directly report to the management of the
controller or the processor.
3. The controller or the processor shall support the data protection
officer in performing the tasks and shall provide staff, premises,
equipment and any other resources necessary to carry out the duties
and tasks referred to in Article 37.
Figure 4.6 VMS of the DPO work plan from the European
Commission
Figure 4.7 VMS of the DPO work plan from the EDPS
4.2.4 EDPB and VMS of a DPO work plan
The cooperating European privacy authorities (previously the Article 29
Working Party, now operating as the European Data Protection Board)[123]
published their Guidelines on Data Protection Officers (‘DPOs’) on
December 13, 2016 and revised them on April 5, 2017, also known as WP 243
rev.01.
In § 3.2 of WP 243 rev.01 (Necessary resources) the following is stated. Article
38 (2) of the GDPR requires the organisation to support its DPO by
‘providing resources necessary to carry out [their] tasks and access to
personal data and processing operations, and to maintain his or her expert
knowledge’. In particular the following remarks (items) are to be considered:
Figure 4.9 VMS of the DPO work plan from the European Data Protection
Board
4.2.6 Controller and VMS of the DPO work plan
While composing a DPO work plan, it is paramount for the DPO to gain a
clear understanding of the expectations of the controller (actually being the
highest management level, pursuant to Article 38(3) of the GDPR). In other
words, what does the highest management level of the organisation expect
from the DPO as far as his/her task performance is concerned, especially with
regard to realising the vision and mission of the DPO work plan. Pursuant to
Article 39(1)(b), this relates to the way in which the controller, the
processors and the employees carry out processing activities in accordance
with their obligations pursuant to the GDPR and other Union or Member State
data protection provisions.
Important sources in which the DPO can find indications to get a more
in-depth picture in this regard could (in general) be, for instance:
1. The applicable job profile of the DPO.
2. The applicable PTP (Personal Training Program) of the DPO.
3. Inferences that can be made from regular (confidential)
conversations with the highest management level of the
organisation.
In practice, however, it regularly happens that the highest management level
of the controller is not completely aware of what some elements of the GDPR
obligations entail and of what, in that respect, is expected from the
controller, also in relation to the DPO work plan. In general it is noted that
the GDPR has at times codified extremely vague norms on which relatively
little case law is available. Under those circumstances it is clear that the
controller, as the party to which the norm applies, in a non-negligible
number of cases has to make a considerable best-efforts assessment, with the
input of (often valuable) professional expertise, of whether and to what
extent the law is being violated and, with reference to that, whether and in
which way penalty payments can be avoided.
Although the GDPR displays relatively many open and abstract norms and calls
for more practical detailing, the GDPR is and will remain de facto the
primary source for what is expected of both the controller and the DPO
himself. Against this background (a sufficient level of knowledge and
expertise not always being present at the highest management level on the one
hand, and the open GDPR norms on the other), it should be advocated that, as
far as the expectations of the controller relating to the vision and mission
of the DPO work plan are concerned, the ‘appropriate measures’[130] taken by
the controller enjoy special attention. In other words, the key requirements
of appropriate measures for the controller are those entailed in Article 24
and following of the GDPR (responsibility of the controller), in chapter IV
of the GDPR (controller and processor), Section 1 (general obligations). In
light of this situation, the influence of the controller on the legally
framed vision and mission of the DPO work plan is presumed to be practically
none, especially since the tasks of the DPO, codified in Articles 38 and 39 of
the GDPR, are prescribed by law. The influence of the controller on a number
of legally mandatory tasks of the DPO is therefore not evident (since they
are legally restricted). The foregoing does not affect the fact that the DPO
work plan should be aligned with the controller as far as the level of DPO
activities is concerned which the DPO intends to undertake in a specific work
plan activity in the context of the legal tasks. For this purpose, various
(general) arguments can be brought forward, among which the following.
Figure 4.10 VMS of the DPO work plan from the controller
4.2.7 Professional DPO and VMS of the DPO work plan
The DPO, as lead author of the DPO work plan, establishes the framework,
structure, texts and priorities (substantive preferences) of the DPO work
plan, obviously within the space provided for by laws and regulations (mainly
the GDPR, other Union data protection provisions and Member State data
protection provisions). Moreover, the influence of the DPO can be exercised
at different (mostly strategic) levels. At least the following crucial
factors are noted.
1. Expertise (education and training) of the DPO.
2. Personal competencies of the DPO.
3. Personal convictions of compliance and ethics of the DPO.
4. Personal premises of the DPO.
5. Personal drivers of the DPO, such as:[131]
a) Aspired professionalism.
b) Take on a leadership role.
c) Accountability.
d) Increase the degree of acceptance.
e) Apply knowledge and skills.
f) Visualize a careful balance of interests.
With regard to influence on the mission of the DPO work plan, for the time
being there seems to be relatively little room for the DPO’s own
interpretations, since the mission of the DPO work plan is based on the
‘higher goals of the GDPR’ as they become apparent from the text, rationale
and spirit of Article 39 of the GDPR, namely the intended factual situation
in which the controller and/or processor and the employees who carry out
processing act in accordance with their obligations pursuant to the GDPR and
other Union or Member State data protection provisions.
The personal influence of the DPO in (strategically) establishing and
prioritising the task-oriented steps appears larger than in influencing the
mission of the DPO work plan. Especially in the context of risk management
activities in fulfilling the monitoring tasks there seems to be more room for
convictions connected to the person of the DPO. The influence of the
professional DPO can in particular also be exercised at a tactical-strategic
level, where, according to Article 39(2) of the GDPR, the DPO in the
performance of his or her tasks has due regard to the risk associated with
processing operations, taking into account the nature, scope, context and
purposes of processing.
Figure 4.11 VMS of the DPO work plan from the DPO as professional
Figure 4.13 VMS of the DPO work plan from the internal
stakeholders
CHAPTER 5
INVENTORY OF PROCESSING ACTIVITIES
AND DPO WORK PLAN
5.1 Introduction
A good inventory of personal data is of pivotal value for complying with the
general GDPR privacy duty of care of the controller, meaning that every
processing of personal data should be fair and lawful. In the wording of
recital 39 of the GDPR, ‘It should be transparent to natural persons that
personal data concerning them are collected, used, consulted or otherwise
processed and to what extent the personal data are or will be processed. The
principle of transparency requires that any information and communication
relating to the processing of those personal data be easily accessible and easy
to understand, and that clear and plain language be used. This principle
concerns, in particular, information to the data subjects on the identity of
the controller and the purposes of the processing and further information to
ensure fair and transparent processing in respect of the natural persons
concerned and their right to obtain confirmation and communication of
personal data concerning them which are being processed.’
5.1.7 Importance for the DPO of taking stock of personal data
Based on Article 39(2) in conjunction with Article 24 of the GDPR, the DPO,
taking into account the nature, scope, context and purposes of processing as
well as the risks of varying likelihood and severity for the rights and
freedoms of natural persons, monitors whether the controller implements
appropriate technical and organisational measures to ensure and to be able to
demonstrate that processing is performed in accordance with the GDPR, and
whether these measures are reviewed and updated where necessary.
As is the case with many ‘generic laws and regulations’, the EU GDPR contains
some ‘open’ and even ‘vague’ legal obligations for the controller and
processor. Under certain circumstances this can lead to a so-called
‘implementation trap’: certain measures end up being implemented on the basis
of, at best, an ‘informed best guess’. Possible results of this
implementation trap can be summarised as follows.
5.2.1.3 Comply with the GDPR privacy duty to care (Article 5(1) of the
GDPR)
1. Desktops.
2. Laptops.
3. Mobile phones.
4. Cloud.
5. Results of search engines.
6. Servers.
7. Desks and cabinets.
8. Registration of visitors.
9. Corporate applications (corporate calendars, intranet etc.).
10. Customer relation systems (CRM-systems).
5.3.8 Support by IT
Attention in this regard can also be given to using flow charts as the above-
mentioned Personal Data Process Flows (PDPF’s), realising cost reductions,
managing data quality and using IT in assessing material privacy norms (as
for example the general GDPR duty of care to process data lawfully and
fairly).
1. Forming.
2. Storming.
3. Norming.
4. Performing.
5. Adjourning.
1. Resource managers.
2. Senior management.
3. HRM-managers.
4. Security managers.
5. Suppliers and sales.
6. Customers.
7. Supervisors.
8. Marketing divisions.
9. Public relations.
10. Supporting personnel.
Some considerations for the project manager to invest in a good relationship
with stakeholders, could be the following:
Some take the view that keeping a register ex Article 30 is about the only
optional task that the DPO could perform next to the tasks mentioned in
Article 39. They believe that the only task of the controller/processor that
may be shifted to the DPO is keeping the record of processing activities
under Article 30 of the GDPR, since it directly contributes to the tasks of
the DPO under the GDPR. In the context of keeping such a record (pursuant to
Article 30 of the GDPR) an important role is reserved for the DPO in
inventorying personal data.
It is certainly paramount for the professional performance of any task of the
DPO that the DPO has a panoramic, holistic view of all personal data
processing activities (including the relevant data elements) within the
organisation. This is the case whether or not the DPO has the optional task
of keeping a register ex Article 30 and whether or not the DPO is himself (as
project manager or otherwise) involved in inventorying personal data within
the organisation.
If there is no complete and qualitatively good overview of all processing of
personal data, this can negatively influence a professional performance of
DPO tasks, especially considering the vision, mission and strategy (VMS) of
the DPO work plan as already discussed extensively.
If the DPO is involved in the inventory of personal data (for example as a
sparring partner or as a member of a steering committee, project manager or
as member of the inventory project team), the DPO should, also in light of
the practical development of the DPO work plan, pay special attention to the
vision, mission and strategy (VMS) of the own DPO work plan in the context
of the legal minimum tasks of the DPO (within the meaning of Article 39 of
the GDPR).
Hereinafter, in paragraph 5.6, a general table of reference for a DPO work
plan GDPR inventory is included which provides a general framework and can be
detailed by the DPO given the specifics of the own organisation and the DPO’s
independent views during the inventory project within the own enterprise,
institution or organisation.
With the aim of, among others, providing insights into the role of the
professional DPO as far as assembling a GDPR inventory is concerned (in
view of the vision, mission and strategy (VMS) of the DPO work plan), the
following ‘DPO work plan table of reference’ is composed which could serve
as a general framework for the DPO. Of course, this ‘Table of Reference’
should be tailored and specified to the own enterprise, institution or
organisation and by doing so the professional DPO (pursuant to Article 39(2)
GDPR) shall have due regard to the risk associated with processing
operations, taking into account the nature, scope, context and purposes of
relevant processing of personal data.
CHAPTER 6
DPO WORK PLAN GDPR COMPLIANCE
BASELINE AND GAP-ANALYSIS
6.1 Introduction
1. What is the ratio (reason) for a GDPR baseline and a GDPR gap-
analysis?
2. What is the utility (added value) of a GDPR baseline and a GDPR
gap-analysis?
3. Which dimensions (kinds) of a GDPR baseline respectively GDPR
gap-analysis exist?
4. What exactly should be measured with a GDPR baseline
respectively GDPR gap-analysis?
5. How detailed should a GDPR baseline respectively GDPR gap-
analysis be carried out?
6. What is the goal of a GDPR baseline respectively GDPR gap-
analysis?
7. What is the practical (management) value of a GDPR baseline
respectively GDPR gap-analysis?
8. What is meant by ‘methodologically’ justified?
9. Which GDPR compliance measuring instruments are there and how
should these GDPR compliance measuring instruments (GDPR
metrics) be used?
10. What to do when the relevant GDPR obligations are not complied
with?
11. What is the role of the DPO in the context of a GDPR baseline and
GDPR gap-analysis?
12. What is the characteristic difference between the GDPR baseline on
the one hand and the GDPR gap-analysis on the other hand?
1. Providing insight into the necessary measures and actions that are
needed to comply with the general and specific obligations pursuant
to the GDPR.
2. Defining levels of ambition of GDPR compliance on the basis of a
maturity model.
3. Defining more detailed goals in the context of privacy
(implementation) projects.
4. Advancing efficiency of data processing.
5. Attracting sufficiently competent and capable personnel (internal or
external).
6. Providing important input for privacy project managers.
7. Advancing a privacy compliance ‘sense of urgency’ within the
organisation or specific departments and activities within the
organisation or enterprise.
1. Discrimination.
2. Identity theft.
3. Identity fraud.
4. Financial loss.
5. Damage to the reputation.
6. Loss of confidentiality of personal data protected by professional
secrecy.
7. Unauthorised reversal of pseudonymisation.
8. Any other significant economic or social disadvantage.
a. where data subjects might be deprived of their rights and
freedoms or prevented from exercising control over their
personal data.
b. where personal data are processed which reveal racial or
ethnic origin, political opinions, religion or philosophical
beliefs, trade union membership, and the processing of
genetic data, data concerning health or data concerning
sex life or criminal convictions and offences or related
security measures.
c. where personal aspects are evaluated, in particular
analysing or predicting aspects concerning performance at
work, economic situation, health, personal preferences or
interests, reliability or behaviour, location or movements,
in order to create or use personal profiles.
d. where personal data of vulnerable natural persons, in
particular of children, are processed.
e. where processing involves a large amount of personal data
and affects a large number of data subjects.
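The chapter 5 ‘table of reference’ for the inventory and the recital 75 criteria (a) to (e) listed above are the two things a DPO most often ends up operationalising in a tool. As an added example that is not part of the handbook, the following Python script checks an inventory of processing activities for the items that Article 30(1) of the GDPR requires a controller’s record to contain and then screens each record against criteria (a) to (e); the field names, the two-criteria threshold (borrowed from the WP248 rule of thumb) and the two sample records of a fictitious ‘Example B.V.’ are constructed assumptions.

```python
"""Added example (not from the handbook): Article 30(1) completeness check of
a processing inventory plus a first-pass high-risk screen over the recital 75
criteria (a) to (e). Field names, threshold and sample data are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List

# Article 30(1) GDPR: items every controller record must contain.
REQUIRED_FIELDS = ("controller", "purposes", "data_subject_categories",
                   "personal_data_categories", "recipient_categories")
# Article 30(1)(f) and (g): to be recorded "where possible".
WHERE_POSSIBLE_FIELDS = ("retention_period", "security_measures")
# Article 9(1) GDPR special categories (recital 75, criterion (b)).
SPECIAL_CATEGORIES = {
    "racial_or_ethnic_origin", "political_opinions", "religious_beliefs",
    "philosophical_beliefs", "trade_union_membership", "genetic", "biometric",
    "health", "sex_life", "sexual_orientation",
}


@dataclass
class ProcessingActivity:
    """One inventory row; the boolean flags are assumed attributes that map
    onto recital 75 criteria (a), (c), (d) and (e)."""
    name: str
    controller: str = ""
    purposes: List[str] = field(default_factory=list)
    data_subject_categories: List[str] = field(default_factory=list)
    personal_data_categories: List[str] = field(default_factory=list)
    recipient_categories: List[str] = field(default_factory=list)
    retention_period: str = ""
    security_measures: str = ""
    restricts_rights: bool = False     # (a) subjects deprived of rights/control
    profiling: bool = False            # (c) evaluation of personal aspects
    vulnerable_subjects: bool = False  # (d) e.g. children
    large_scale: bool = False          # (e) large amount / many data subjects


def missing_fields(rec: ProcessingActivity) -> List[str]:
    """Article 30(1) items left empty; any hit means the record is not yet
    fit to be made available to the supervisory authority (Article 30(4))."""
    return [f for f in REQUIRED_FIELDS if not getattr(rec, f)]


def unfilled_where_possible(rec: ProcessingActivity) -> List[str]:
    """'Where possible' items left blank; these need a documented reason."""
    return [f for f in WHERE_POSSIBLE_FIELDS if not getattr(rec, f)]


def high_risk_criteria(rec: ProcessingActivity) -> List[str]:
    """Recital 75 criteria (a) to (e) that this record triggers."""
    checks = [
        (rec.restricts_rights, "a: data subjects deprived of rights or control"),
        (bool(SPECIAL_CATEGORIES & set(rec.personal_data_categories)),
         "b: special categories of personal data"),
        (rec.profiling, "c: evaluation of personal aspects / profiling"),
        (rec.vulnerable_subjects, "d: vulnerable data subjects"),
        (rec.large_scale, "e: large amount of data or many data subjects"),
    ]
    return [label for hit, label in checks if hit]


def screen_inventory(records: List[ProcessingActivity],
                     dpia_threshold: int = 2) -> Dict[str, dict]:
    """Per-record findings. Two or more criteria marks the record as a DPIA
    candidate (assumed threshold, borrowed from the WP248 rule of thumb)."""
    report = {}
    for rec in records:
        criteria = high_risk_criteria(rec)
        report[rec.name] = {
            "missing_required": missing_fields(rec),
            "unfilled_where_possible": unfilled_where_possible(rec),
            "risk_criteria": criteria,
            "dpia_recommended": len(criteria) >= dpia_threshold,
        }
    return report


# Constructed sample inventory for a fictitious controller "Example B.V.".
SAMPLE_INVENTORY = [
    ProcessingActivity(
        name="Payroll", controller="Example B.V., dpo@example.invalid",
        purposes=["salary payment", "sick leave administration"],
        data_subject_categories=["employees"],
        personal_data_categories=["identification", "bank_account", "health"],
        recipient_categories=["payroll provider", "tax authority"],
        retention_period="7 years after end of employment",
        security_measures="role-based access, encrypted backups",
    ),
    ProcessingActivity(  # recipients, retention and security still undocumented
        name="Customer analytics", controller="Example B.V., dpo@example.invalid",
        purposes=["purchase prediction"], data_subject_categories=["customers"],
        personal_data_categories=["order history", "location"],
        profiling=True, large_scale=True,
    ),
]
```

Run against the sample, the payroll record is complete but carries health data (one criterion, so a note rather than a DPIA candidate), while the analytics record is both incomplete under Article 30(1) and trips two criteria. A record that trips the threshold is a candidate for a DPIA, not a conclusion: the screen replaces neither the DPIA itself nor the lists of processing operations that the supervisory authorities publish under Article 35(4).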
1. Clandestine enquiry
2. Blacklists
3. Prevention of fraud
4. Credit scores
5. Financial situation
6. Genetic personal data
7. Health data
8. Collaborations
9. Camera surveillance
10. Flexible camera enforcement
11. Inspection of employees
12. Location data
13. Communication data
14. Internet of things
15. Profiling
16. Observation and influencing behaviour
17. Biometrical data processing
Based on Article 39(1)(b) of the GDPR, the DPO monitors, among others,
compliance with the GDPR, with other Union or Member State data
protection provisions and with the policies of the controller or processor in
relation to the protection of personal data, including the assignment of
responsibilities, awareness-raising and training of staff involved in processing
operations, and the related audits.
In monitoring compliance with the policies of the controller with regard to
‘awareness-raising’, the DPO pays sufficient attention to the main criteria
of a professional Privacy Awareness Program, which can be depicted as
follows.
Notwithstanding the design and structure of the GDPR baseline and gap-
analysis, an important side effect (if and provided that it was not previously
set as a main goal) is that a better (more complete and often more detailed)
fact-finding can be completed concerning the number and kinds of processing
of personal data, ‘processing’ being understood within the meaning of
Article 4(2) of the GDPR as ‘any operation or set of operations which is
performed on personal data or on sets of personal data, whether or not by
automated means, such as collection, recording, organisation, structuring,
storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction.’
For various evident (management) reasons, a good overview of the number and
kinds of processing is important. A few reasons inferred from the GDPR are
recalled:
1. Any processing of personal data should be lawful and fair. It should
be transparent to natural persons that personal data concerning them
are collected, used, consulted or otherwise processed and to what
extent the personal data are or will be processed. The principle of
transparency requires that any information and communication
relating to the processing of those personal data be easily accessible
and easy to understand, and that clear and plain language be used
(recital 39 of the GDPR).[169]
2. Every reasonable step should be taken to ensure that personal data
which are inaccurate are rectified or deleted. Personal data should
be processed in a manner that ensures appropriate security and
confidentiality of the personal data, including for preventing
unauthorised access to or use of personal data and the equipment
used for the processing (recital 39 of the GDPR).
3. In order to prevent creating a serious risk of circumvention, the
protection of natural persons should be technologically neutral and
should not depend on the techniques used. The protection of natural
persons should apply to the processing of personal data by
automated means, as well as to manual processing, if the personal
data are contained or are intended to be contained in a filing system
(recital 15 of the GDPR).[170]
4. The processing of personal data for purposes other than those for
which the personal data were initially collected should be allowed
only where the processing is compatible with the purposes for
which the personal data were initially collected (recital 50 of the
GDPR).
5. Personal data which are, by their nature, particularly sensitive in
relation to fundamental rights and freedoms merit specific
protection as the context of their processing could create significant
risks to the fundamental rights and freedoms (recital 51 of the
GDPR).
6. A data subject should have the right of access to personal data
which have been collected concerning him or her, and to exercise
that right easily and at reasonable intervals, in order to be aware of,
and verify, the lawfulness of the processing (recital 63 of the
GDPR).
7. The responsibility and liability of the controller for any processing
of personal data carried out by the controller or on the controller's
behalf should be established. In particular, the controller should be
obliged to implement appropriate and effective measures and be
able to demonstrate the compliance of processing activities with
this Regulation, including the effectiveness of the measures. Those
measures should take into account the nature, scope, context and
purposes of the processing and the risk to the rights and freedoms
of natural persons (recital 74 of the GDPR).
The results of the GDPR baseline and gap-analysis can lead to a better
insight into the importance of compliance with obligations pursuant to the
GDPR for the core processes of the enterprise, institution or organisation.
Core processes of course differ across enterprises, institutions and
organisations; nonetheless, it can generally be said that in every enterprise,
institution or organisation at least three kinds of core processes can be
distinguished.
The DPO could indeed also benefit from the results of a well and
professionally conducted GDPR baseline in the performance of concrete
activities that are foreseen in the DPO work plan within the framework of
Article 39 of the GDPR.
As discussed in chapter 4 within the scope of the vision of the DPO work
plan, it is intended that the DPO undertakes concrete activities in order to
realise that obligations of the controller or the processor and the employees
who carry out processing activities pursuant to the GDPR (and to other Union
or Member State data protection provisions) are ultimately complied with.
Thanks to the unambiguous results of a GDPR baseline and gap-analysis, a
DPO is able to define his/her activities within the framework of ‘monitoring
compliance’ more effectively (and more efficiently) and to prioritise them in
the context of the added value of the DPO work plan discussed in chapter 3.
Ad 1
Competent GDPR project manager
A competent project manager plays a crucial role in driving the performance
of a GDPR baseline or gap-analysis to a successful closure. While a
professional project manager largely determines the success of the project,
both the good internal functioning of the project team and the external
dissemination of the importance of the end results of a GDPR baseline and
GDPR gap-analysis are important factors.
Ad 2
Composition of the GDPR project team
It is important that the GDPR project manager achieves a balance in the team
between the various roles, tasks and responsibilities.[175] Under reference to
Belbin[176], the following is of interest for said balance:
1. Forming.
2. Storming.
3. Norming.
4. Performing.
5. Adjourning.
Ad 4
Soft aspects of the GDPR project team
As in many organisations, any team develops its own culture. This entails the
atmosphere in the team: enthusiasm, perseverance, exuberance, etc., or
precisely the lack of these. In virtually all project teams in which team
members collaborate intensively, a team spirit will come into existence,
especially over a longer period. This can provide positive stimuli for
realising the team results and the set goals.
Ad 5
Hard aspects of the GDPR project team
For any professional team accountable for the performance of a GDPR
baseline or gap-analysis, expert knowledge should be available (or at least
accessible), as well as the necessary abilities and skills that have to be
deployed. A professional project manager specifies (defines and discusses)
these aspects prior to the composition of the team and sticks with all member
profile requirements when appointing the team in practice.
a. Assignment of responsibilities.
b. Raising awareness amongst the staff involved in
processing.
c. Training of staff involved in processing operations.
d. Carrying out related audits concerning data protection.
Within the framework of monitoring compliance with the GDPR by the
controller or processor, it seems obvious that the results of a GDPR baseline
are not solely interesting but are also relevant in the following two aspects:
Before the GDPR baseline can be initiated, there is need for clarity as to
what the intention of this baseline is. In other words, what is the goal (or
what are the goals) of this GDPR baseline? With reference to Article
39(1)(b), hereinafter for the sake of convenience it will be assumed that the
goal of the baseline discussed in this paragraph is to attain insight into
the degree to which the enterprise, institution or organisation does or does
not comply with the obligations pursuant to the GDPR.
In general, the following categories of goals of a GDPR baseline could be
distinguished[184]:
Ad 1
Goals related to policies
From Article 24(2) can be derived that the enterprise, institution or
organisation has to possess an appropriate data protection policy (referring to
appropriate technical and organisational measures). In conformity to Article
24(1), the controller shall implement, taking into account the nature, scope,
context and purposes of processing as well as the risks of varying likelihood
and severity for the rights and freedoms of natural persons, appropriate
technical and organisational measures to ensure and to be able to demonstrate
that processing is performed in accordance with this Regulation. Those
measures shall be reviewed and updated where necessary (GDPR review and
update). In conformity with Article 24(2), the measures referred to in
paragraph 1 of the same article shall include, where proportionate in
relation to processing activities, the implementation of appropriate data
protection policies by the controller.
Ad 2
Operational goals
From Article 24(2) it can be derived that having appropriate data protection
policies at one’s disposal is not enough: they also need to be actually
(operationally) carried out. For defining operational actions and goals a
GDPR baseline can form a good basis, because more concrete information is
obtained for discussing the different processing operations and for
composing a (draft) action plan, including the estimated time required,
distribution of tasks and costs.
Ad 3
GDPR compliance goals
A GDPR baseline and gap-analysis can readily be focused on results that serve
more specific (GDPR) compliance goals. An appealing example is the compliance
goal of maintaining a record of processing activities in accordance with
Article 30 of the GDPR.
Ad 4
Demonstrate appropriate measures
A GDPR baseline can provide important information for answering the
question whether the controller has de facto taken sufficiently appropriate
measures within the meaning of the GDPR and the (self-regulatory) mechanisms
mentioned in the GDPR. For instance, it follows from recital 77 that guidance
on the implementation of appropriate measures could be provided in particular
by means of approved codes of conduct, approved certifications, guidelines
provided by the Board or indications provided by a data protection
officer.[185] It should also be noted that the Board may also issue
guidelines on processing operations that are considered to be unlikely to
result in a high risk to the rights and freedoms of natural persons and
indicate what measures may be sufficient in such cases to address such risks.
Ad 5
Relating to ‘guarantees’ on behalf of the controller
To ensure compliance with the requirements of the GDPR in respect of the
processing to be carried out by the processor on behalf of the controller,
when entrusting a processor with processing activities, the controller should
use only processors providing sufficient guarantees, in particular in terms of
expert knowledge, reliability and resources, to implement technical and
organisational measures which will meet the requirements of the GDPR,
including for the security of processing. The adherence of the processor to an
approved code of conduct or an approved certification mechanism[186] may be
used as an element to demonstrate compliance with the obligations of the
controller. This can be derived among others from recital 81.
Ad 6
DPIA related goals
On 4 April 2017, the EDPB (WP29) (predecessor of the European Board)
adopted the ‘Guidelines on Data Protection Impact Assessment (DPIA) and
determining whether processing is ‘likely to result in a high risk’ for the
purposes of Regulation 2016/679’ – Guidelines WP248 rev.01[187] – in which (in
so far as relevant) the following is noted: ‘A DPIA is a process designed to
describe the processing, assess the necessity and proportionality of a
processing and to help manage the risks to the rights and freedoms of natural
persons resulting from the processing of personal data (by assessing them and
determining the measures to address them). DPIAs are important tools for
accountability, as they help controllers not only to comply with requirements
of the GDPR, but also to demonstrate that appropriate measures have been
taken to ensure compliance with the Regulation.’ A GDPR baseline can
significantly contribute to describing the processing within the framework of a
DPIA.
Ad 7
Goals related to monitoring
Within the framework of monitoring or monitoring-related goals, the result of
a GDPR baseline can also be employed purposefully, for example in the
following situations.
Ad 8
Securing the rights of data subjects
If the controller does not take action on the request of the data subject under
Articles 15 – 22,[188] the controller shall inform the data subject without delay
and at the latest within one month of receipt of the request of the reasons for
not taking action and on the possibility of lodging a complaint with a
supervisory authority and seeking a judicial remedy, according to Article 12(4) of the
GDPR. In answering the question to which degree the enterprise, institution
or organisation sufficiently guarantees the rights of the data subjects, a good
and competently performed GDPR baseline can be worthwhile.
Ad 9
Goals related to the limitation of responsibility
Any person who has suffered material or non-material damage as a result of
an infringement of the GDPR shall have the right to receive compensation
from the controller or processor for the damage suffered, according to Article
82(1) of the GDPR. Naturally, the proverb ‘prevention is better than cure’
applies here as well. It goes without saying that taking measures in a timely
manner on the basis of the results of a GDPR baseline can successfully
reduce the enterprise’s, institution’s or organisation’s exposure to liability for
damage.
Ad 10
Defending the enterprise, institution or organisation in court
When the enterprise, institution or organisation in the capacity of controller
gets involved in legal proceedings, the results of a good and competently
performed GDPR baseline can provide important indications for the GDPR
compliance status of (certain) obligations pursuant to the GDPR (for instance
in case of the above-mentioned situation under Article 12(4) of the GDPR).
What is the scope of the current GDPR baseline of personal data? In other words,
how far does the scope (field of view) of this baseline of obligations pursuant
to the GDPR reach? Roughly the following scopes can be distinguished in
practice within the framework of the GDPR:
Ad 1
The GDPR and other Union provisions
The centre of attention here is the GDPR baseline relating to the compliance
with obligations pursuant to:
Ad 2
GDPR and national data protection laws and regulations
Determine whether, besides the GDPR, additional national data protection laws
and regulations relevant to the processing of personal data under the General
Data Protection Regulation also have to be applied. If this is the case, of course these
should be part (in scope) of the intended GDPR baseline.
Ad 3
Industry codes of conduct
For organisations that are operating in certain sectors, industry codes of
conduct within the meaning of Article 40 GDPR can be applicable. The
relevant norms, rights and obligations incorporated in such industry codes of
conduct can entail the processing of personal data which could be part of the
intended GDPR baselines. An overview of valid industry codes of conduct
can usually be found on the website of the national DPA.[189]
Ad 4
Industry security codes
Pursuant to Article 32(1) GDPR, taking into account the state of the art, the
costs of implementation and the nature, scope, context and purposes of
processing as well as the risk of varying likelihood and severity for the rights
and freedoms of natural persons, the controller and the processor shall
implement appropriate technical and organisational measures to ensure a
level of security appropriate to the risk.
As stated in Article 32(3) GDPR, adherence to an approved code of conduct
as referred to in Article 40 or an approved certification mechanism as referred
to in Article 42 may be used as an element by which to demonstrate
compliance with the requirements set out in paragraph 1 of this Article.
On a regular basis, new security standards and new versions of existing
security standards are published, reflecting the latest
developments within the field. Correct use of updated security standards
allows the controller to take appropriate measures and to arrive at a balanced
and effective set of technical and organisational measures.
If and in so far as specific personal data are being processed within the
framework of relevant security measures, it is recommended to
consider these integrally within the scope of the GDPR baseline, all the more in
light of the (general) security duty under Article 32 of the GDPR.
Ad 5
General (security) norms
From the point of view of efficiency and effectiveness, it is
recommended, if and in so far as it is relevant for the enterprise, institution
or organisation, to include the relevant general (security) norms (for
instance ISO, CEN/CENELEC and ENISA) within the scope of the GDPR
baseline. Within this framework, ISO/IEC 29100:2011 provides an
interesting framework, because of
Ad 6
Organisation specific (internal) regulations
For particular (more specific, detailed-level) GDPR baselines, it is of the utmost
importance to have a full overview of the applicable and relevant (internal)
policies, regulations, codes and norms.
If, for example, a GDPR baseline is executed relating to the settlement of
certain complaints of co-workers, it is recommended to include within
the scope the processing of the (required) personal data within the framework of
the internal ‘complaints regulation for co-workers’.
1. Instruction.
2. Conditions.
3. Recitals.
4. Accountability.
Ad 1
Instruction
From this part of the particular ‘obligation pursuant to the GDPR’, one can
infer which action should be executed, if at all. The instruction must be clear.
The GBC-model (GDPR obligation Board of Compliance), described below,
could for example be used for this.
Ad 2
Conditions
From this part of the particular GDPR obligation, (instruction) conditions for
acting and refraining from acting can be derived.
A clear example of a condition can be found within the framework of
carrying out a DPIA. Under Article 35(1) of the GDPR, carrying out a DPIA is
required if the condition is fulfilled that the processing is ‘likely to result in a high risk to the
rights and freedoms of natural persons’.
Ad 3
Recitals
In this part of the particular GDPR obligation, (specific) circumstances are
mentioned/described that have to be taken into account (considered) in
carrying out the instruction as meant before.
In this regard, Article 24(1) mentions that in implementing appropriate
technical and organisational measures, the nature, scope, context and
purposes of processing as well as the risks of varying likelihood and severity
for the rights and freedoms of natural persons have to be taken into account.
Ad 4
Accountability
This part of the GDPR obligation relates to the parameters that can
contribute to ‘demonstrating’ compliance with the ‘principles relating to
processing of personal data’ within the meaning of Article 5(1) of the GDPR,
to which Article 5(2) of the GDPR (accountability) refers.
The GDPR emphasizes in various ways the importance of data quality (with
good reason).[191] Generally, one could define data quality as the degree to
which elementary personal data (personal data elements) are appropriate for
the goal for which they are processed.
With regard to the GDPR baseline, it could be argued that the quality of the
GDPR baseline can be described as the degree to which the chosen
measuring method is appropriate for the goal of the GDPR baseline, in other
words, for determining whether and, if so, to what extent the particular obligation pursuant to
the GDPR is or is not complied with. While carrying out the GDPR
baseline, it is paramount to apply quality control permanently. In other
words, in carrying out every step of the action plan, the quality of
the above-mentioned GDPR activity has to be constantly examined. This
prevents ending up with no conclusion, or with insufficient or unwarranted conclusion(s), about the
compliance value(s) of the parameters.
1. Data governance.
2. Data architecture management (data protection by design).
3. Data development.
4. Database operations management.
5. Data security management.
6. Reference and master data management.
7. Data warehousing and business intelligence management.
8. Document and content management.
9. Meta data management.
10. Data quality management.
Taking as a starting point the non-compliant parameters of the specific GDPR
obligations as mentioned in the GBC-model, next steps have to be taken that
lead to answering the question: which measures have to be implemented and
which concrete actions have to be carried out to be able to comply with the
said component of the analysed GDPR obligation? The answer to this
question could be shaped by following these three logical steps in the GDPR
gap-analysis:
Before any GDPR gap-analysis can be performed, the goals of the gap-
analysis need to be clearly defined and approved by the competent party. In
other words, what is the goal (or what are the goals) of this specific GDPR
gap-analysis? Referring to Article 39(1)(b) GDPR, for the sake of
convenience, it is assumed that the primary goal of the discussed GDPR gap-
analysis is to implement appropriate technical and organisational measures
within the meaning of Article 24(1) of the GDPR. For a discussion of the
general goals (and side effects) of a GDPR gap-analysis, see inter alia § 6.1.3.
Ad 1
The GDPR and other EU provisions
It is advisable to decide as specifically as possible the extent to
which specific obligations mentioned in the GDPR and other GDPR-related
EU laws and regulations are to be part of the GDPR gap-analysis. For this,
relevant obligations should be pre-defined at least at the following two levels.
Ad 2
National laws and regulations to enforce and maintain GDPR and GDPR
related obligations
Determine whether next to the GDPR related processing of personal data,
relevant personal data are also processed in the sense of additional national
laws and regulations which are put in place in order to enforce and maintain
relevant processing obligations. It should be clear from the outset whether or
not these additional obligations are part of any GDPR gap-analysis.
Ad 3
Industry codes of conduct
For organisations that are operating in specific sectors, national or
international industry codes of conduct within the meaning of Article 40
GDPR could be applicable. The relevant norms, rights and obligations
incorporated in such industry codes of conduct could entail relevant
obligations for processing personal data which could be part of the envisaged
GDPR gap-analysis. In general, an overview of valid industry codes of
conduct can be found on the websites of data protection authorities.
Ad 4
Industry security codes
Organisations are expected to comply with the relevant
industry security standards while processing personal data.[199]
In general, security standards also include lessons learned from the security
system of a specific industry or technological environment. They represent
which measures are generally seen as ‘appropriate’ by security experts within
a particular context and, in the case of more technically focused standards,
which technological resources are applied in a specific security system.
Ad 5
General (security) norms
From an ‘efficiency and effectiveness’ point of view, it is recommended to
include the relevant general (security) norms (for instance ISO 27701),[200]
which were part of the scope of the GDPR baseline, if and in so far as they are
relevant for the enterprise, institution or organisation.
Ad 6
Organisation specific (internal) regulations
For particular (more scope specific) GDPR gap-analyses, it is of the utmost
importance to create an overview mapping out whether or not certain acts of
processing of personal data are of interest within the framework of relevant
(internal) regulations.
If, for example, a GDPR gap-analysis is performed concerning the processing
of personal data within the context of ‘sign-off procedures for employees’, it
is recommended to also analyse all relevant internal rules of
procedure next to the GDPR-specific obligations. Of course, this
recommendation is based on the assumption that this would fit the (primary)
goal(s) of the intended GDPR gap-analysis.
In the third step, a so-called Gap Analysis Template (GAT) is composed for
the purposes of traceability, reproducibility, clarity, manageability and
verifiability of the above-mentioned mapping. Essentially, this results in a step-
by-step overview of the GDPR gap-analysis at hand. By way of example,
such a template could look like the following.
6.3.6 Step 4: fill out the GDPR ambition level in the GAT
During the fourth step, the ambition level of a particular GDPR obligation
parameter (which is or is not (yet completely) complied with) is defined in the
GAT. While doing so, it is recommended to pay close attention to
the Risk Management Framework (RMF) or (if available) Information
Security Management System (ISMS) of the enterprise, institution or
organisation, or (if available) other supporting documentation or decision-
making concerning the risk appetite of the enterprise, institution or
organisation.
During the fifth step, the yet to be implemented measures in realising the
aimed GDPR ambition level of compliance are specified in the GAT for the
specific parameter (which is not complied with yet).
6.3.8 Step 6: fill out the actions (to be carried out) in the GAT
During the sixth and last step of the GDPR gap-analysis, the concrete actions
still to be implemented are defined in the GAT for the specific
parameter (which is not yet (completely) complied with). While defining the
actions still to be implemented, it is recommended to pay close attention to
current and future projects, in particular to projects with aspects of (data)
quality management.
The first step on the roadmap for a GDPR baseline respectively GDPR gap-
analysis is obtaining sufficient mandate (administrative clearance) for
performing the desired GDPR baseline respectively GDPR gap-analysis. A
well-defined mandate for these activities includes at least a clear definition
of:
The importance of a good GDPR team for performing (or guiding) the GDPR
baseline and GDPR gap-analysis is in practice often underestimated. The
importance of a good team is not only regularly underestimated by ‘less
professional’ external GDPR consultants; it is also known that some enterprises,
institutions or organisations themselves have no adequate understanding of
the importance of a good (professional) GDPR team, let alone of its correct
composition (tasks, roles, responsibilities and relevant competences).
As discussed in chapter 3 above, the term ‘risk’ plays a central role in the
GDPR.[203] In light of this it is strongly advised to preserve this central role in
any GDPR gap-analysis. The risks to the rights and freedoms of natural
persons, of varying likelihood and severity, may result from personal data
processing which could, according to recital 75, lead to:
1. Physical, material or non-material damage, in particular where the
processing
Discrimination.
Identity theft.
Identity fraud.
Financial loss.
Damage to compliance reputation.
Ad 1
Practical phases of risk identification
Although many models of risk management have been published (mostly from a
business perspective and an audit perspective),[204] the approach of treating GDPR
obligations as behavioural norms (decency norms or, if you prefer, integrity
norms) is an approach that is worthy of more detailed research. In this sense,
one could by analogy follow the Identification of Risk (IRA) method,
resulting in a systematic management of ‘risks of dishonest behaviours’,
in which four phases can be distinguished. Visualised in a diagram, this
looks as follows.
Ad 2
Risk prioritization based on GDPR risk mapping
Prior to finalising, within the framework of a GDPR gap-analysis, a step-by-
step plan of action for implementing GDPR measures and carrying out
relevant actions, all identified GDPR risks need to be plotted and
prioritised. An often-used method is composing a so-called ‘GDPR risk
map’.[205] The probability (likelihood) that an identified GDPR risk will
become reality is usually depicted on the x-axis of such a map and the impact
of such a GDPR risk is drawn on the y-axis. As per the risk methodology of
the French Data Protection Authority – Commission Nationale de
l’Informatique et des Libertés (CNIL) – such a GDPR risk map looks like the
following.[206]
In general, it is recommended to make a GDPR risk map, tailored to the
enterprise, institution or organisation, to enhance the added value of the
GDPR gap-analysis for among others risk management purposes or in the
context of a Data Protection Impact Assessment (DPIA) pursuant to Article
35 GDPR.
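As an added illustration of the risk-map method described above (this is example code written for this edition, not part of the handbook and not CNIL’s own tooling), the following script plots constructed sample risks on a likelihood/impact grid and orders them for the gap-analysis action plan. The four-level scales (negligible, limited, significant, maximum), the treatment-zone thresholds and the sample risks R1 to R4 are assumptions made for the example; an organisation should substitute the scales and risk appetite fixed in its own Risk Management Framework.

```python
"""GDPR risk map: plot identified risks by likelihood (x-axis) and impact
(y-axis), then rank them for the gap-analysis action plan.

Added illustration, not from the handbook or from CNIL. The four-level
scales and the zone thresholds below are assumptions made for this example.
"""

from dataclasses import dataclass

LEVELS = ("negligible", "limited", "significant", "maximum")  # assumed scale
LEVEL_SCORE = {name: i + 1 for i, name in enumerate(LEVELS)}   # 1..4


@dataclass(frozen=True)
class Risk:
    ref: str          # identifier as used in the gap-analysis template (constructed)
    description: str
    likelihood: str   # one of LEVELS, plotted on the x-axis
    impact: str       # one of LEVELS, plotted on the y-axis

    def __post_init__(self):
        for level in (self.likelihood, self.impact):
            if level not in LEVEL_SCORE:
                raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")


def score(risk: Risk) -> int:
    """Likelihood x impact on the 1..4 scales: 1 (lowest) to 16 (highest)."""
    return LEVEL_SCORE[risk.likelihood] * LEVEL_SCORE[risk.impact]


def zone(risk: Risk) -> str:
    """Coarse treatment zone. Thresholds are an assumption for this example:
    a 'maximum' impact is always treated first, whatever its likelihood."""
    if risk.impact == "maximum" or score(risk) >= 9:
        return "treat first"
    if score(risk) >= 4:
        return "treat"
    return "monitor"


def prioritise(risks):
    """Order risks for the action plan: highest score first, higher impact
    first on ties, then by reference so the list is stable and reproducible."""
    return sorted(risks, key=lambda r: (-score(r), -LEVEL_SCORE[r.impact], r.ref))


def render_map(risks) -> str:
    """ASCII risk map: rows are impact (top row = maximum), columns are likelihood."""
    cells = {(lk, imp): [] for lk in LEVELS for imp in LEVELS}
    for r in risks:
        cells[(r.likelihood, r.impact)].append(r.ref)
    width = 14
    lines = []
    for imp in reversed(LEVELS):
        row = [",".join(cells[(lk, imp)]).ljust(width) for lk in LEVELS]
        lines.append(f"{imp:>12} | " + " | ".join(row))
    lines.append(" " * 12 + " +-" + "-+-".join("-" * width for _ in LEVELS))
    lines.append(" " * 15 + " | ".join(lk.ljust(width) for lk in LEVELS))
    lines.append(" " * 15 + "likelihood -->")
    return "\n".join(lines)


# Constructed sample risks for the illustration (not taken from the handbook).
SAMPLE_RISKS = [
    Risk("R1", "HR file shared without access control", "significant", "significant"),
    Risk("R2", "Backup media not encrypted", "limited", "maximum"),
    Risk("R3", "Newsletter opt-out not honoured", "maximum", "limited"),
    Risk("R4", "Visitor log retained two weeks too long", "limited", "negligible"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        print(f"{r.ref} score={score(r):2d} zone={zone(r):11s} {r.description}")
    print(render_map(SAMPLE_RISKS))
```

The ordering key deliberately breaks ties on impact rather than likelihood, so that a low-probability event with maximum impact (R2) ranks above a near-certain event with limited impact (R3) even though both score 8; this mirrors the usual practice of treating severity for the data subject as the dominant factor when the map is used as input for a DPIA.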
Most professional project managers will support the basic assumption that –
in any GDPR project - all GDPR stakeholders have to be identified and
involved for successfully completing a GDPR gap-analysis. A stakeholder
can be seen as a person or organisation that is actively involved in the project,
or whose interests can be influenced positively or negatively by the findings
and results of the project. A stakeholder could also influence the project and
results. Generally, the following parties could be qualified as stakeholder (of
any GDPR project):
1. Resource managers.
2. Senior management
3. HRM-managers.
4. Security managers.
5. Providers and sales.
6. Customers.
7. Supervisors.
8. Marketing departments.
9. Public relations.
10. Co-workers in supporting functions.
Figure 6.23 CNIL Risk Map
In general, the following considerations for the project manager can be
distinguished to underline the importance of good relationships with all
GDPR stakeholders.
The GDPR gap-analysis is concluded (just like every other corporate project)
with a sound final report, with the primary goal of accounting for the way in
which the GDPR is complied with and the efforts that were taken in that
regard by the controller and processor.
In a sense, Article 5(2) gives an extra (accountability) dimension in the area
of processing personal data to reporting and to the importance of underlying
‘evidence’ for the analyses and conclusions that form the basis of reports.
According to the latter article, a controller is responsible for compliance with
Article 5(1) of the GDPR (principles relating to processing of personal data)
and must be able to demonstrate this (‘accountability’). Hence the usefulness and
necessity of giving sufficient attention to ‘accountability and reporting’.
If and in so far as the goal of the GDPR gap-analysis is measuring whether, and if
so, to which degree Article 5(1) is complied with, it is, in light of the
relatively open character of the terms used, even more important that good
parameters are found to demonstrate (account for) that the principles of
Article 5(1) are de facto (in fact) complied with.
As identified before, the DPO is expected to execute his/her tasks in the full
scope of the GDPR obligations. According to Article 39(1)(a) of the GDPR,
‘The data protection officer shall have at least the task to inform and advise
the controller or the processor and the employees who carry out processing of
their obligations pursuant to this Regulation and to other Union or Member
State data protection provisions.’
Against this background, the results (reports) of the GDPR baseline and
GDPR gap-analysis deserve the DPO’s special attention in light of the
performance of his/her legal tasks within the meaning of Article 39 of the
GDPR and the acting as a contact point for data subjects within the meaning
of Article 38(4) of the GDPR.
In answering the question which role the DPO can or may have in performing
an organisation-wide GDPR baseline and GDPR gap-analysis (besides within
the framework of the performance of the legal tasks of the DPO), the
following considerations should at least be taken into account:
3. Pursuant to Article 35(2) of the GDPR, the controller shall seek the
advice of the data protection officer when carrying out a data
protection impact assessment (DPIA). Advising in this case with
regard to the DPIA and monitoring its performance in accordance
with Article 35 of the GDPR belongs (per Article 39(1)(c)) to the
legal tasks of the DPO. Is it possible that a too intensive role of the
DPO in the execution (in this case of the GDPR baseline
or GDPR gap-analysis) could come into conflict with the independent
‘monitoring of compliance’ within the context of a DPIA? The EDPB
(WP29) notes the following on the role of the DPO within the
framework of a DPIA: ’The controller must also seek the advice of
the Data Protection Officer, where designated (Article 35(2)) and
this advice, and the decisions taken, should be documented within
the DPIA. The DPO should also monitor the performance of the
DPIA (Article 39 (1)(c) GDPR).’[209]
4. In order to professionally ‘inform’ and ‘advise’ as per Article 39(1)
of the GDPR, it is recommended that the DPO’s contributions take
full account of the opinions and approaches of the data protection
authorities, especially their views on ‘appropriate measures and
actions’, in particular the risk approach of these data protection
supervisory authorities and their recommended methodologies (see
among others the methodology of the CNIL).
CHAPTER 7
GDPR IMPLEMENTATION AND DPO WORK
PLAN
7.1 Introduction GDPR implementation plan
1. Providing insight into the costs that are attended with the
implementation of the intended GDPR measures.
2. Concretely filling out a GDPR maturity model (growth path).
3. Promoting efficiency of data processing.
4. Recruit sufficiently competent and capable personnel (internal or
external).
5. Providing important input for GDPR project managers.
6. Promoting (in as far necessary) a GDPR compliance ‘sense of
urgency’ within the enterprise, institution or organisation or one or
more specific departments or activities.
A. Assignment of responsibilities
B. Raising awareness amongst the staff involved in processing
operations.
C. Training of staff involved in processing operations.
D. The audits related to data protection.
Just as with the GDPR baseline and GDPR gap-analysis, the question to
which degree the ‘independent monitoring’ by the DPO can be based on the
conclusion of the GDPR implementation plan that the measures and concrete
actions that were taken are effective (and de facto work) deserves attention.
It is important here as well to emphasise that a professional DPO is capable
of doing research independently, on the basis of which the DPO as an expert
professional can come to conclusions of his or her own.
For the time being, the most practical line to be chosen seems to be the one
where the DPO is involved in a timely manner in the set-up, design and
performance of the GIP, in the way in which the DPO wishes to execute
his/her legal tasks (monitor, inform, advise, cooperate with the supervisory
authority and act as a contact point for the supervisory authority).[217]
The controller can only process personal data lawfully under Article 6(1) if
and to the extent that at least one of the following conditions (foundations)
applies.
a. The data subject has given consent to the processing of his or her
personal data for one or more specific purposes.
b. Processing is necessary for the performance of a contract to which
the data subject is party or in order to take steps at the request of the
data subject prior to entering into a contract.
c. Processing is necessary for compliance with a legal obligation to
which the controller is subject.
d. Processing is necessary in order to protect the vital interests of the
data subject or of another natural person.
e. Processing is necessary for the performance of a task carried out in
the public interest or in the exercise of official authority vested in
the controller.
f. Processing is necessary for the purposes of the legitimate interests
pursued by the controller or by a third party, except where such
interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal
data, in particular where the data subject is a child.[223]
a. The identity and the contact details of the controller and, where
applicable, of the controller's representative.
b. The contact details of the data protection officer, where
applicable.
c. The purposes of the processing for which the personal data are
intended as well as the legal basis for the processing.
d. Where the processing is based on point (f) of Article 6(1), the
legitimate interests pursued by the controller or by a third
party.
e. The recipients or categories of recipients of the personal data,
if any. Where applicable, the fact that the controller intends to
transfer personal data to a third country or international
organisation and the existence or absence of an adequacy
decision by the Commission, or in the case of transfers referred
to in Article 46 or 47, or the second subparagraph of Article
49(1), reference to the appropriate or suitable safeguards and
the means by which to obtain a copy of them or where they
have been made available.
The risk to the rights and freedoms of natural persons, of varying likelihood
and severity, may, according to recital 75, result from personal data
processing which could lead to severe or less severe consequences and
damage for data subjects. In short, reference is made to what was already observed in
chapter 6.
7.2.1.8 Realise GDPR issue management and control
The promotion of taking measures in case of incidents (issue management) is
often mentioned in practice as an explicit goal of a GDPR implementation plan
(GIP). In that case, the GIP will in any case give appropriate attention to at
least the following.
On the basis of Article 5(2), the controller shall be responsible for, and be
able to demonstrate compliance with, paragraph 1 (‘accountability’). A
GDPR implementation plan whose set-up and structure are designed well and
which is performed competently does not only provide important management
information for compliance with the GDPR, but can also produce (generate)
the necessary ‘evidence’. It is, therefore, strongly recommended to report (also
for the benefit of the privacy supervisory authority) on the complete GDPR
implementation track extensively (based on underlying records of evidence).
Depending on the design, structure and layout of the specific GIP, it does not
seem implausible that certain side effects could occur as a consequence of the
actual performance of the GIP. Generally, it could be argued that a good and
competently performed GIP could lead to the following side effects that (as
was the case for the GDPR baseline and GDPR gap-analysis) could be taken
into account within the framework of the DPO work plan:
Generally, it could be argued that as the defined goals in the GIP become
more concrete, the degree to which side effects could occur (and thus also their
impact) can be estimated better, which in itself could be interesting within the
framework of the business case[229] of the DPO work plan as discussed in
chapter 3.
Once the ideal GDPR implementation team has been composed,
due attention is to be paid to the following.
1. What does the concrete action intend to achieve (what is the goal of
the concrete action)?
2. What does the concrete action have to at least entail (substantially)?
3. Which possible conditions[233] for performing concrete actions have
to be taken into account?
4. Which specific circumstances[234] have to be taken into account in
designing and performing the concrete action?
On the basis of Article 5(2) of the GDPR, the controller shall be fully
responsible for, and be able to demonstrate compliance with, paragraph 1
(‘accountability’). Against this background, it is strongly recommended to
base the report on a solid foundation, ideally on reproducible evidence.
If and in so far as the GIP also has the goal of measuring whether, and if so, to
which degree Article 5(1) is complied with,[236] it is even more important that
the following aspects receive sufficient attention, in light of the relatively
open character of these ‘principles relating to processing of personal data’.
Designing, laying out and competently carrying out a GIP (with or without
external support) can be a challenge for the controller, both organisationally
and substantively.
A roadmap of a GIP delineated in clear steps could at least lead to some
organisational relief, because the main steps become sequential and clear
(visualised), keeping in mind the methodical realisation of the previously
defined (SMART-formulated) goals of the GIP.
Professional planning should therefore be an integral component of the
design, layout and execution of a good GIP. In general, the following
advantages of a prudently designed roadmap of a GIP can be distinguished.
It is not only important that the GDPR project manager (or comparable
function or role) can achieve an appropriate balance in the GDPR
implementation team between the various roles, tasks, required areas of expertise,
(joint) responsibilities and advice on behalf of the controller (principal
of the GDPR implementation plan). It is equally important that the GDPR
project manager (or comparable function or role) continues to safeguard the design
and operational aspects of a good GDPR implementation plan.
1. Resource managers.
2. Senior management.
3. HR(M) managers.
4. Security managers.
5. Suppliers and sales.
6. Customers.
7. Supervisors.
8. Marketing departments.
9. Public relations.
10. Co-workers in supporting functions.
Also in light of the fact that any person who has suffered material or
non-material damage as a result of an infringement of the GDPR shall have
the right to receive compensation from the controller or processor for the
damage suffered (according to the intention of Article 82), it is generally
recommended to also base the GIP on a GDPR risk map[243] tailored to the
enterprise, institution or organisation, whereby the added value of the
GIP can also be increased.
While answering the question which role the DPO is allowed to or may have
in performing a GIP, it is recommended to at least take the following
considerations into account:
CHAPTER 8
REVIEW AND UPDATE OF A DPO WORK PLAN
To maximise the utility value of a RUP and to realise the set GDPR goals, it is important to determine (or, if you wish, delineate) the scope of the RUP as clearly as possible. In other words, how far does the scope reach: of which concrete actions, performed to comply with the obligations pursuant to the GDPR, are the proper functioning and effectiveness to be tested and assessed? Just as for the GDPR baseline, GDPR gap-analysis and GDPR implementation, in practice (with reference to Article 39(1)) the following scopes can be distinguished within the framework of a RUP:
1. Compose a GDPR team for review and update (GDPR review and
update team).
2. Determine what has to be reviewed, mitigated and updated (which
actions).
3. Determine the review and update criteria.
4. Determine who is to perform what (governance, roles, tasks and responsibilities).
5. Carry out the actual review and update (within beforehand
determined deadlines).
6. Report on the additionally taken measures and/or performed
actions.
Below – in paragraph 8.3 – these steps will be clarified.
Apart from the fact that the results of a professionally carried out RUP could lead to compliance with an important part of the accountability duty under Article 5(2), the RUP (as was the case for the GDPR baseline and GIP) could generate interesting information (or, if you wish, business-strategic intelligence) for (line) management.
Within the framework of management issues, special attention should go to the question why a specific measure or concrete action does or does not work sufficiently and, within that framework, to an inquiry into the possible causal relationship (or direct/indirect causes).
a. Assignment of responsibilities.
b. Awareness-raising of staff involved in processing operations.
c. Training of staff involved in processing operations.
d. Audits related to data protection.
It could be argued with good reason that, for being able to monitor the controller’s compliance with the GDPR, the set-up, design and performance of a RUP is not only interesting but equally relevant. After all, the DPO can form a picture of the degree to which the controller and co-workers de facto comply with their obligations pursuant to the GDPR (under Article 39(1)(b) GDPR), also on the basis of the accurate additional concrete actions mentioned in the RUP, or at any rate (intentionally) wish to comply (GDPR compliance ambitions). Of particular interest in this regard is the answer to the question why a specific previously expressed GDPR ambition level is not achieved.
As was the case for the GDPR baseline, GDPR gap-analysis and GIP, it should in general be considered to what degree ‘independent monitoring’ by the DPO can be based on the conclusions of the GDPR review and update team as to whether the measures and concrete actions that were taken are effective (really work). Here too, it is important that the DPO remains able to examine this independently (professionally and competently). Here too, the most practical line that can be chosen seems to be that the DPO is involved in a timely manner already in the set-up, design and performance of the RUP, within the framework of the performance of his/her legal DPO tasks (monitoring compliance with the obligations pursuant to the GDPR, informing, advising, cooperating with the supervisory authorities and acting as a contact point for the supervisory authorities and data subjects).[256]
a. the data subject has given consent to the processing of his or her
personal data for one or more specific purposes.
b. processing is necessary for the performance of a contract to which
the data subject is party or in order to take steps at the request of the
data subject prior to entering into a contract.
c. processing is necessary for compliance with a legal obligation to
which the controller is subject.
d. processing is necessary in order to protect the vital interests of the
data subject or of another natural person.
e. processing is necessary for the performance of a task carried out in
the public interest or in the exercise of official authority vested in
the controller.
f. processing is necessary for the purposes of the legitimate interests
pursued by the controller or by a third party, except where such
interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal
data, in particular where the data subject is a child.[261]
If the RUP shows that risk management measures taken to comply with the obligations pursuant to the GDPR (on the basis of the GDPR implementation plan (GIP)) have no or too little effect, additional risk-mitigating measures have to be taken. This can take place by adjusting the measures that were taken or by taking completely new measures. The aim is thus to reduce the risks to a level that fits within acceptable parameters fixed by the enterprise, institution or organisation (which often relate to its specific ‘risk appetite’).
Once the new or adjusted risk management measures are applied, they have to be reviewed again and updated if necessary. If applicable, this also applies to current measures that were sufficient before but are no longer so because of changing circumstances (for example a change in the processing of personal data). Each time, it has to be established whether the measures that were taken actually reduce the risks to a lower level. In this way, risk management measures stay up to date.[265]
Promoting the taking of effective measures in the event of GDPR incidents (GDPR issue management) deserves special attention within the framework of review and update and is in practice often mentioned as an explicit goal of a RUP. In that case, extra attention is devoted to, among others, the following two aspects.
1. Promote insight into the necessary resources for both the controller
and the DPO (Article 38(2) GDPR).
2. Raise GDPR awareness (Article 39(1)(b)).
3. Promote better insight into processing activities (Article 30).
4. Promote insight into the importance of processing for company
critical processes (among others recital 74).
5. Promote a more effective performance of legal DPO tasks.
Since these side effects correspond mutatis mutandis (roughly) with the side effects of a GDPR baseline, GDPR gap-analysis and GDPR implementation, for the sake of brevity reference is made to the discussion on this in § 6.1.3.2.
Once the mandate is received to draft and perform a RUP (the mandate will usually not be provided to the DPO, but to someone else – for example a Privacy Officer, GDPR co-worker or GDPR project manager – who is explicitly charged with the review), first a GDPR review team has to be composed. Ideally, this team consists of people with diverse backgrounds (for example Legal, IT, Security, Compliance, Ethics, Quality and Control). When the GDPR review team is composed, this team establishes at least the following:
Before the GDPR review and update plan (RUP) can be initiated, it first needs to be clear which measures and corresponding concrete actions have to be reviewed. With reference to Article 39(1)(b), hereinafter for the sake of convenience it is assumed that the goal of the RUP discussed in this chapter[269] is testing the proper functioning and effectiveness of measures and concrete actions within that framework, within the meaning of Article 24(1).
Relating to the question of which GDPR sources could be used for appropriate technical and organisational GDPR measures, usually the following are mentioned.[270]
1. What does the concrete action intend to achieve (what is the goal of
the concrete action)?
2. What does the concrete action have to (substantially) entail at least?
3. Which possible conditions[271] for performing concrete actions have
to be taken into account?
4. Which specific circumstances[272] have to be taken into account in
designing and performing the concrete action?
After the actions to be reviewed have been defined in step 3, the review criteria are to be established in step 4. In general, the following review criteria can be mentioned.
a. Is the goal that was set with the GDPR measure/action achieved
de facto?
b. Are the problems that are based on the GDPR measures/actions
solved?
c. Is there a possible question of (undesired) side effects of the
GDPR measure/action?
In general, it could be argued that, in light of the text, ratio and spirit of
Article 39(2), in establishing the review criteria due regard shall be given to
the risk associated with processing operations, taking into account the nature,
scope, context and purposes of processing.
In general, it could be argued that – in light of the text, ratio and spirit of
Article 39(2) – in establishing the GDPR update criteria due regard shall be
given to the risk associated with processing operations, taking into account
the nature, scope, context and purposes of processing.
8.4.5 Step 5: perform the actual GDPR update
In the penultimate step of the GDPR update plan (GUP), the main focus is the actual performance of the update or, in light of the current knowledge about the proper functioning and effectiveness of the particular GDPR measures/actions, the accomplishment of (additional) acts by which the previously defined result can be realised. In the performance, the above-mentioned previously defined update conditions are the centre of attention.
8.4.6 Step 6: Report on the actually performed GDPR update
When steps 1 to 5 are completed and the appropriate technical and
organisational measures under Article 24(1) are updated (on proper
functioning and effectiveness) in order to ensure that processing is performed
in accordance with the GDPR, it is recommended to record the results in the
form of an (internal and/or external) report. On the basis of Article 5(2) of the
GDPR, the controller shall be responsible for, and be able to demonstrate
compliance with, the obligations pursuant to the GDPR (‘accountability’).
8.4.7 A clear GUP
To have at one’s disposal a clear, logical sequential plan for updating
appropriate technical and organisational measures – and thereto
corresponding concrete actions – provides various advantages, among others
the following:
Managers (both project managers, team managers and experts) could gain
efficiency and effectiveness by ‘organising the necessary knowledge’ in
performing the GUP. One could concretely think of involving at least those
disciplines that could for example be of added value in actually performing
concrete measures and actions to (subject to the most recent developments)
comply with the specific obligations pursuant to the GDPR. In practice, the
involvement of for example Communication, Marketing, HR, IT, Audit and
Security could sometimes lead to surprising input because of which the
proper functioning and effectiveness of GDPR measures and concrete actions
can be enhanced eventually.
It is not up for debate that a clear view of complete and correct (or rectified) compliance with the obligations pursuant to the GDPR is of the utmost importance for the good performance of the DPO’s legal tasks. Within the framework of the ‘independent’ functioning of the DPO (see among others Article 38(3)), the question can be asked whether it is wise to assign the DPO a large executing role within the context of the RUP. Would it not fit better with the professional profile of the DPO (see in particular chapter 2) to reserve a larger role for the DPO to inform and advise within the context of the RUP, within the framework of independently informing, advising and monitoring compliance with the GDPR? After all, this line also fits better within the framework of the vision, mission and strategy (VMS) of the DPO work plan that is tailored to the text, ratio and spirit of Articles 37 – 39 of the GDPR. Does an intensive role of the DPO fit within the framework of taking measures and performing concrete actions as part of the RUP? If the DPO is involved in the performance of the RUP (for example as a member of a feedback body, steering committee, technical project manager or as a member of the GDPR review and update team), it appears the DPO should give constructive attention to the vision, mission and strategy (VMS) of his/her own DPO work plan, keeping in mind the practical development of the DPO work plan in light of the legally enshrined tasks of the DPO (within the meaning of Article 39). The controversy over performance vs monitoring compliance deserves special attention.
In accordance with Article 35(2) of the GDPR, the controller shall seek the
advice of the DPO, when carrying out a data protection impact assessment
(DPIA). Providing advice as regards this DPIA and monitoring its
performance pursuant to Article 35 belongs to (pursuant to Article 39(1)(c))
the legal tasks of the DPO. Is it possible that a too intensive role of the DPO
within the context of performing a RUP could come in conflict with the
performance of the task to ‘independently monitor compliance’ in the context
of a DPIA, in light of the ratio and scope of Article 39(1)(c) of the GDPR?
The EDPB (WP29)[280] notes the following about the role of the DPO relating
to the DPIA (within the framework of which under circumstances
independent causes could be found to review and update). According to
Article 35(1), it is the task of the controller, not of the DPO, to carry out,
when necessary, a data protection impact assessment (‘DPIA’). However, the
DPO can play a very important and useful role in assisting the controller.
Following the principle of data protection by design, Article 35(2)
specifically requires that the controller ‘shall seek advice’ of the DPO when
carrying out a DPIA. Article 39(1)(c), in turn, tasks the DPO with the duty to
‘provide advice where requested as regards the [DPIA] and monitor its
performance pursuant to Article 35’.
WP29 (the predecessor of the European Data Protection Board, EDPB) recommends that the controller should seek the advice of the DPO on the following issues, amongst others:[281]
CHAPTER 9
GDPR ASSURANCE AND GDPR AUDIT IN THE DPO WORK PLAN
1. GDPR assurance.
2. GDPR audit.
Ad 1
GDPR assurance (providing sufficient guarantees for ensuring compliance
with GDPR obligations)
Providing sufficient guarantees and ‘ensuring compliance’ are terms that are
used in the GDPR as compliance mechanisms. According to Article 28(1) of
the GDPR, where processing is to be carried out on behalf of a controller, the
controller shall use only processors providing sufficient guarantees to
implement appropriate technical and organisational measures in such a
manner that processing will meet the requirements of this Regulation and
ensure the protection of the rights of the data subject. Hereinafter, ‘GDPR
assurance’ entails all activities within the framework of realising (enforcing)
‘sufficient guarantees to ensure the compliance with appropriate technical
and organisational obligations pursuant to the GDPR’.
Ad 2
GDPR audit (professionally monitoring the actual compliance with the
GDPR)[285]
Ad A
GDPR audits within the framework of the relationship between the
controller and processor
Under Article 28(3) of the GDPR, processing by a processor shall be
governed by a contract or other legal act under Union or Member State law,
that is binding on the processor with regard to the controller and that sets out
the subject-matter and duration of the processing, the nature and purpose of
the processing, the type of personal data and categories of data subjects and
the obligations and rights of the controller. That contract or other legal act
shall stipulate, in particular, that the processor (under Article 28(3)(h)) makes
available to the controller all information necessary to demonstrate
compliance with the obligations laid down in this Article and allow for and
contribute to audits, including inspections, conducted by the controller or
another auditor mandated by the controller.
Ad B
GDPR audits within the framework of monitoring compliance with the
GDPR by the DPO
Relating to the so-called GDPR audits, Article 39(1)(b) of the GDPR determines the following: ‘to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.’ For the sake of completeness, it is observed that although the GDPR audits mentioned here primarily relate to audits provided for in the policies of the controller, it is argued that the instrument of GDPR audits can also be used by the DPO within the framework of performing the tasks within the meaning of Articles 37 – 39 (the so-called GDPR audits).
Ad C
GDPR audits relating to the use of ‘binding corporate rules’ within the
framework of personal data transfer to third countries or international
organisations
Under Article 47(1), the competent supervisory authority shall approve[287] binding corporate rules in accordance with various further conditions, among which Article 47(2)(j) explicitly requires that the binding corporate rules at least specify the mechanisms within the group of undertakings – or group of enterprises engaged in a joint economic activity – for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in Article 47(2)(h) (or the DPO or an internal supervisory organ)[288] and to the board of the controlling undertaking of a group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory authority.
Considering the above-mentioned interpretation of GDPR assurance and GDPR audit, among others the following questions can be asked.
1. Providing insight in the costs that are involved with the measures
that were taken for optimizing the proper functioning and
effectiveness of concrete GDPR compliance actions.
2. Concretely filling out GDPR maturity models (growth path).
3. Promoting the efficiency of processing processes.
4. Attracting sufficiently competent and expert personnel (internal or
external).
5. Providing important input for the board, management, GDPR
project managers and GDPR teams.
6. Promote a ‘GDPR sense of urgency’ within the organisation or
specific departments or activities within the enterprise, institution
or organisation.
Equally for the GDPR baseline, the GIP and the GDPR review and update plan (RUP), it is generally recommended to note to what degree the ‘independent monitoring’ by the DPO can be based on GDPR assurance and GDPR audits performed by others, in particular if it is concluded that the measures and concrete actions that were taken are effective (have real effect). Here too, it remains important that the DPO keeps examining this autonomously as a professional expert, within the framework of independently monitoring compliance (professionally and competently).
For the time being, the most practical line that can be chosen seems to be that the DPO is involved in a timely manner already in the set-up, design and performance of GDPR assurance and GDPR audits, in the area of performing legal DPO tasks (monitoring compliance, informing, advising, cooperating with the supervisory authority and acting as a contact point for the supervisory authority and for data subjects).[295]
9.1.9 Action scheme
Whereas a number of introductory comments are made in § 9.1 relating to GDPR assurance and GDPR audits, in § 9.2 a number of general objectives and side effects of GDPR assurance and GDPR audits are discussed. Which subsequent steps can be taken to approach GDPR assurance in an orderly and structured way is central in § 9.3, followed by a GDPR assurance roadmap in § 9.4. Logical process steps for performing GDPR audits are central in § 9.5, followed by a GDPR audit roadmap in § 9.6. Whereas § 9.7 further discusses the role of the DPO within the framework of GDPR assurance and GDPR audits, the substantive part of this chapter is completed in § 9.8 with a general table of reference for GDPR assurance and GDPR audits that can be used (further developed) by the DPO – tailored to the enterprise, institution or organisation – within the framework of his/her own DPO work plan.
As a starting point for GDPR assurance and GDPR audits, it is important that
companies, organisations and institutions (controllers within the meaning of
Article 4) could at least answer the question which appropriate technical and
organisational measures are implemented. GDPR assurance and GDPR audit
reports could provoke re-evaluation of the proper functioning and
effectiveness of the specific implemented measures. In a sense, GDPR
assurance and GDPR audits can be seen as important compliance control
mechanisms where it is established whether all previous implemented
(reviewed and updated, determined to be appropriate and effective) measures
are de facto complied with.
a. the data subject has given consent to the processing of his or her
personal data for one or more specific purposes.
b. processing is necessary for the performance of a contract to which
the data subject is party or in order to take steps at the request of the
data subject prior to entering into a contract.
c. processing is necessary for compliance with a legal obligation to
which the controller is subject.
d. processing is necessary in order to protect the vital interests of the
data subject or of another natural person.
e. processing is necessary for the performance of a task carried out in
the public interest or in the exercise of official authority vested in
the controller.
f. processing is necessary for the purposes of the legitimate interests
pursued by the controller or by a third party, except where such
interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal
data, in particular where the data subject is a child.[296]
Once the GDPR audit team is composed, this team establishes at least the
following:
CHAPTER 10
ACCOUNTABILITY AND REPORTING IN A
DPO WORK PLAN
An ARP as discussed here in principle lends itself well to expansion of the scope to additional scopes, such as additional data privacy compliance dimensions (that are directly or indirectly related to the GDPR). A concrete example are the following dimensions in light of the DAMA data management model,[330] where the following expertise areas are mentioned: 1) data governance, 2) data architecture management (data protection by design), 3) data development, 4) database operations management, 5) data security management, 6) reference and master data management, 7) data warehousing and business intelligence management, 8) document and content management, 9) meta data management and 10) data quality management.
10.2.1.7 Insight into the expectations of the DPO: review and update
The DPO, as a professional, provides insight to the highest management level of the controller or processor and/or their stakeholder(s) into his/her expectations regarding the duty to review and update, where necessary, the appropriate technical and organisational measures mentioned in Article 24(1) (last sentence).
1. Promote insight into the necessary resources for both the controller
and the DPO (Article 38(2)).
2. GDPR awareness raising (Article 39(1)(b)).
3. Promote better insight into the processing activities (Article 30).
4. Promote insight into the importance of processing for corporate
critical processes (among others recital 74).
5. Promote an effective performance of legal DPO tasks.
Since these side effects correspond mutatis mutandis (roughly) with the side
effects of a GDPR baseline, GDPR gap-analysis and GDPR implementation,
for sake of brevity one is referred to what is already discussed on this in
§ 6.1.3.2.
1. In what way does the DPO expect that the controller and/or
processor shall have due regard to the risk associated with
processing operations, taking into account the nature, scope,
context and purposes of processing?
2. In what way does the DPO value the used compliance parameters
within the framework of the GDPR gap-analysis?
3. On which grounds does the DPO conclude that the beforehand
defined (and SMART formulated) goals of the GDPR
implementation plan (GIP) are or are not achieved?
Loyalty
a. The DPO shall take all steps necessary to ensure the application of
data protection requirements within his/her institution, as
elaborated in the Regulation, the institution/body’s implementing
rules, and these standards.
b. The DPO shall exercise independent professional judgment in
performing his/her duties and render candid advice to his/her
institution, its controllers, and data subjects on data protection
matters.
c. While handling a complaint of a data subject, the DPO shall act
with diligence and promptness to impartially analyse the issues
raised in order to determine whether there has been a violation of
the requirements of the Regulation. If so, he/she should attempt to
resolve the matter with his/her institution and thereafter report to
the complainant on the solution found. A DPO shall not counsel or
assist his/her institution to alter, destroy or conceal a document or
other material relevant to the complaint.’
Confidentiality
ANNEXURES
1. REGULATION (EU) 2016/679 [GDPR]
2. DIRECTIVE (EU) 2016/680 [CRIMINAL OFFENCES]
3. DIRECTIVE (EU) 2016/681 OF THE EUROPEAN PARLIAMENT
AND OF THE COUNCIL
4. REGULATION (EU) 2018/1725 OF THE EUROPEAN
PARLIAMENT AND OF THE COUNCIL
5. DECISION OF THE EUROPEAN DATA PROTECTION
SUPERVISOR
6. WP 243 rev.01 Guidelines on Data Protection Officers (‘DPOs’), 5
April 2017
7. WP243 ANNEX - FREQUENTLY ASKED QUESTIONS
8. AEPD Certification scheme
9. CNIL DPO Certification
10. EADPP CDPO Certification Code of Conduct
11. EADPP CDPO Certification Mechanism (PPT)
12. LIST OF DPA’s in the European Economic Area (EEA)
[1]
WP 173, Opinion 3/2010 on the principle of accountability (13 July 2010), § 13, p. 5.
[2]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.2, p. 14.
[3]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 1, p. 5.
[4]
See for example Article 18 of the Council Directive 95/46/EC of 24 October 1995 on the protection
of individuals with regard to the processing of personal data and on the free movement of such data
[1995] OJ L281/31 and consideration 54 of the GDPR.
[5]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 1, p. 4.
[6]
Historically, the term privacy officer is mostly used in the American context where a privacy
compliance officer was appointed (initially voluntarily and later mandatory) in certain companies in
certain sectors in particular for the protection (security) of personal data, among others customer data,
medical data and financial data of individual people. See for more detail, Roberta Fusaro, ‘Chief
Privacy Officer’ (Harvard Business Review 2000) https://hbr.org/2000/11/chief-privacy-officer
accessed 11 May 2019.
[7]
See First Amendment Note (II, nr. 11, p. 6), Dutch Parliamentary History.
[8]
Courts may be exempted from that obligation, when acting in their judicial capacity. See Article 32
of Council Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard
to the processing of personal data by competent authorities for the purposes of the prevention,
investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and
on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA [2016]
OJ L119/89.
[9]
Within this context, WP29 refers to ‘core activities’, further elaborated on in WP 243 rev.01,
Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.2, p. 7.
[10]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.1, p. 6.
[11]
According to the definition of ‘public sector body’ and ‘body governed by public law’ in Article
2(1) and (2) of Council Directive 2003/98/EC of 17 November 2003 on the re-use of public sector
information [2003] OJ L345/90.
[12]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.1, p. 6.
[13]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.2, p. 7.
[14]
WP29 has formulated criteria for the interpretation of ‘large scale’, 1) the number of data subjects
concerned, 2) the volume of data being processed and 3) the duration of the data processing activity and
4) the geographical extent of the processing activity. See WP 243 rev.01, Guidelines on Data
Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.3, p. 7 – 8. Next to that, the Dutch DPA has given
more detailed explanatory notes for specific providers of care. It has mentioned the number of 10,000
(patients) to identify when there is a case of processing personal data on a large scale. See
www.autoriteitpersoonsgegevens.nl (available in Dutch).
[15]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.3,
footnote 14, p. 7.
[16]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.3, p. 7.
[17]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.3, p. 8.
[18]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.4,
footnote 16, p. 8.
[19]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.4, p. 8.
[20]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.4, p. 8 –
9.
[21]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.4, p. 9.
[22]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.5, p. 9.
[23]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.2, p. 9 – 10.
[24]
According to Article 12(1) of the GDPR: ‘The controller shall take appropriate measures to provide
any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and
34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible
form, using clear and plain language, in particular for any information addressed specifically to a
child.’ According to WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05,
2017), § 2.3, footnote 22, p. 10.
[25]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.3, p. 10.
[26]
For a more detailed discussion, See also Kadir, Romeo F., Business Companion Data Protection –
Practical GDPR Guidance, EIPACC (2021), www.dataprotectionbooks.com.
[27]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.2, p. 14.
[28]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 5, p. 22.
[29]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.4, p. 11.
[30]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.4, p. 11.
[31]
In accordance with Article 3(3) of the GDPR, the GDPR applies to the processing of personal data
by a controller not established in the Union, but in a place where Member State law applies by virtue of
public international law.
[32]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.6, p. 12.
[33]
Confidentiality is equally important: for example, employees may be reluctant to complain to the
DPO if the confidentiality of their communications is not guaranteed. See WP 243 rev.01, Guidelines on
Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.6, p. 12.
[34]
Communicating the name of the DPO to the supervisory authority is, however, essential if the DPO is
to act as the contact point between the organisation and the supervisory authority (Article 39(1)(e) of
the GDPR).
[35]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.6, p. 12 –
13.
[36]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.5, p. 11.
[37]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.5, p. 11.
[38]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.5, p. 11.
[39]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.5, p. 11.
[40]
Zwenne, ‘Wat doen we met de functionaris voor de gegevensbescherming (m/v)?’ (2016) 3
Tijdschrift voor Internetrecht 89 (only available in Dutch).
[41]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.5, p. 12.
[42]
See with respect to the safeguarding principles of data protection among others, Kadir, Romeo F.,
Business Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com.
[43]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.5, p. 12.
[44]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.5, p. 12.
[45]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2, p. 5 – 6.
[46]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2, footnote
11, p. 6.
[47]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.1, p. 14.
[48]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.1, p. 17.
[49]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.1, p. 17.
[50]
It is established in Article 24(1) of the GDPR that ‘taking into account the nature, scope, context
and purposes of processing as well as the risks of varying likelihood and severity for the rights and
freedoms of natural persons, the controller shall implement appropriate technical and organisational
measures to ensure and to be able to demonstrate that processing is performed in accordance with this
Regulation. Those measures shall be reviewed and updated where necessary’.
[51]
According to recital 80 of the GDPR.
[52]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.3, p. 18.
[53]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.3, p. 18.
[54]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.4, p. 18.
[55]
According to Article 39(1)(b) of the GDPR.
[56]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.5, p. 19.
[57]
Article 24(1)(d) of Council Regulation (EC) 45/2001 of 18 December 2000 on the protection of
individuals with regard to the processing of personal data by the Community institutions and bodies
and on the free movement of such data [2000] OJ L8/1.
[58]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.2, p. 14.
[59]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.1, p. 13.
[60]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.1, p. 13 –
14.
[61]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.2, p. 14.
[62]
According to recital 97 of the GDPR.
[63]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.3, p. 15.
[64]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.4, p. 15.
[65]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.5, p. 16.
[66]
See also Bayerisches Landesamt für Datenschutzaufsicht Ansbach (20.10.2016) where the German
privacy supervisory authority has issued a fine for combining the function of Head IT with the position
of DPO. See www.lda.bayern.de.
[67]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.5, p. 16.
[68]
See also Article 63(4) of the Wbp (the former Dutch Data Protection Act), which laid down the
confidentiality obligation of the officer with regard to what has become known to him on the basis of
a complaint or a request of a data subject, unless the data subject agrees to publication.
[69]
For a more detailed discussion, see also Kadir, Romeo F., Business Companion Data
Protection – Practical GDPR Guidance, EIPACC (2021), www.dataprotectionbooks.com.
[70]
Arend-Jan Eshuis, Joost van Tilborg, Barend Koch et al, ‘De succesvolle medewerker’ in Smit,
Verhoeven and Driessen (eds), Personeelsselectie en assessment: wetenschap in de praktijk
(Koninklijke Van Gorcum 2006), p. 42 (available in Dutch).
[71]
Arend-Jan Eshuis, Joost van Tilborg, Barend Koch et al, ‘De succesvolle medewerker’ in Smit,
Verhoeven and Driessen (eds), Personeelsselectie en assessment: wetenschap in de praktijk
(Koninklijke Van Gorcum 2006), p. 42 (available in Dutch).
[72]
Paul van der Maesen de Sombreff, ‘Vat krijgen op strategische competenties: haal competenties uit
eigen experts’ [2002] Gids voor Personeelsmanagement 44 (available in Dutch).
[73]
Daniel Goleman, Working with emotional intelligence (Bantam Books 1998).
[74]
Robert Quinn, Sue Faerman, Michael Thompson et al, Becoming a master manager: a competency
framework (2nd edition, John Wiley and Sons 1996).
[75]
Arend-Jan Eshuis, Joost van Tilborg, Barend Koch et al, ‘De succesvolle medewerker’ in Smit,
Verhoeven and Driessen (eds), Personeelsselectie en assessment: wetenschap in de praktijk
(Koninklijke Van Gorcum 2006), p. 53 – 54 (available in Dutch).
[76]
Arend-Jan Eshuis, Joost van Tilborg, Barend Koch et al, ‘De succesvolle medewerker’ in Smit,
Verhoeven and Driessen (eds), Personeelsselectie en assessment: wetenschap in de praktijk
(Koninklijke Van Gorcum 2006), p. 55 (available in Dutch). Reproduction and adaptation of Patricia
McLagan, The Models for HRD Practice (American Society for Training and Development 1989).
[77]
Henk Verhoeven and Barend Koch, ‘Andere manieren van kijken’ in Smit, Verhoeven and
Driessen (eds), Personeelsselectie en assessment: wetenschap in de praktijk (Koninklijke Van Gorcum
2006), p. 135 (available in Dutch).
[78]
According to Henk Verhoeven and Barend Koch, ‘Andere manieren van kijken’ in Smit,
Verhoeven and Driessen (eds), Personeelsselectie en assessment: wetenschap in de praktijk
(Koninklijke Van Gorcum 2006), p. 136 (available in Dutch). Under reference to Barbara Brown and
Michael Campion, ‘Biodata Phenomenology: Recruiters’ Perceptions and Use of Biographical
Information in Resume Screening’ (1994) 79 Journal of Applied Psychology 6 897.
[79]
Jane Harvey-Cook and Richard Taffler, ‘Biodata in professional entry-level selection: statistical
scoring of common format applications’ (2000) 73 Journal of Occupational and Organizational
Psychology 103.
[80]
Alec Serlie and Arnold Driessen, ‘Wegen en Beslissen’ in Smit, Verhoeven and Driessen (eds),
Personeelsselectie en assessment: wetenschap in de praktijk (Koninklijke Van Gorcum 2006), p. 170
(available in Dutch).
[81]
STAR is an acronym for Situation, Task, Activity and Result. The core of this method is that
behaviour from the recent past is the best predictor of future behaviour. It comes down to giving
examples of actual (work) behaviour that relates to the position profile. In this way, candidates can
show that they are suitable for the function they applied for.
[82]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.3, p. 15.
[83]
Lisa DiBenedetto Velardi, ‘8 Tips for Building a Successful Compliance Communication Plan’
(Compliance Wave 23 September 2015)
https://www.compliancewave.com/blog/8-tips-for-building-a-successful-compliance-communication-plan
accessed 11 May 2019.
[84]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 8, p. 23.
[85]
John Mackenzie Owen, ‘Kennismanagement’ in Handboek informatiewetenschap, I 560 (Samson
2011), p. 1 – 27 (available in Dutch).
[86]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.3, p. 18.
[87]
In a similar sense, ‘Privacywet en privacyfunctionaris: val ik in de prijzen?’ (NGFG April 2009), p.
9 (available in Dutch).
[88]
Ponemon Institute LLC, The True Cost of Compliance: A Benchmark Study of Multinational
Organizations (January 2011), p. 3.
[89]
54% of Dutch employees would immediately decline a job offer from an employer with a bad
reputation, regardless of the salary increase they would receive. Even a salary increase of more than
10% would not convince a quarter of Dutch professionals to accept the offer. Such companies have to
dig deep into their pockets to bring in talent and keep it. See Max van Liemt, ‘De 7 eigenschappen van
effectieve Employer Branding’ (Recruiting Roundtable 12 September 2011)
https://www.recruitingroundtable.nl/2011/09/12/7-eigenschappen-van-effectieve-employer-branding/
accessed 11 May 2019.
[90]
DNB, ‘De 7 Elementen van een Integere Cultuur: Beleidsvisie en aanpak gedrag en cultuur bij
financiële ondernemingen 2010 – 2014’ (November 2009) § 3, p. 6 (available in Dutch).
[91]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.2, p. 14.
[92]
See among others chapter 1.
[93]
For a thematic article by article discussion on the GDPR obligations, see also Kadir, Romeo F.,
Business Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com.
[94]
Ontology is used here in the sense of the study of the categories within a domain, which forms a
logical basis for a (scientific approach to the) representation of knowledge.
[95]
Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on the
protection of individuals with regard to the processing of personal data and on the free movement of
such data (General Data Protection Regulation)’ COM (2012) 11 final.
[96]
This harmonisation means an alignment without prejudice to the fact that, pursuant to
Article 38(3) GDPR, the DPO is not allowed to receive instructions while performing his or her tasks.
[97]
For an Article-by-Article discussion of ‘GDPR obligations’, see also Kadir, Romeo F., Business
Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com.
[98]
See also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive collection of the
most important official sources for a better understanding of the GDPR, EIPACC (2021),
www.dataprotectionbooks.com.
[99]
For further research, see among others ENISA, ‘Recommendations on European Data Protection
Certification’ (27 November 2017)
https://www.enisa.europa.eu/publications/recommendations-on-european-data-protection-certification
accessed 11 May 2019.
[100]
See https://www.coso.org.
[101]
For a practical approach of privacy risk management, see also CNIL, ‘Methodology for Privacy
Risk Management: How to implement the Data Protection Act’ (June 2012)
https://www.cnil.fr/sites/default/files/typo/document/CNIL-ManagingPrivacyRisks-Methodology.pdf
accessed 11 May 2019.
[102]
See also Kadir, R.F., Handbook Certified Data Protection Officer (DPO) – Body of Knowledge &
Skills (BOKS), EIPACC Publications (2021), www.dataprotectionbooks.com.
[103]
Anita van Bergenhenegouwen, ‘Business Intelligence ontwikkelproces: de kritische succesfactoren
voor een succesvol project’ (Thesis, Open Universiteit 2008) (available in Dutch).
[104]
The Standish Group Report: Chaos 2011
https://www.projectsmart.co.uk/white-papers/chaos-report.pdf (p. 15).
[105]
For more details, see also Kadir, Romeo F., Business Companion Data Protection – Practical
GDPR Guidance, EIPACC (2021), www.dataprotectionbooks.com.
[106]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.3, p. 18.
[107]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 10, p. 24.
[108]
According to Article 39(1)(b) of the GDPR.
[109]
The following possible personal drivers of the DPO were distinguished there: Data Protection
Expert(s), take on a leadership role, accountability, increase the degree of acceptance, apply knowledge
and skills and visualize a careful balance of interests.
[110]
The following advantages can generally be connected to process improvement for the DPO: 1) the
DPO is capable of performing tasks to a higher quality, 2) the DPO is better equipped to
substantiate the necessity of a specific financial budget, 3) the DPO can organise himself in such a way
that excessive stress is avoided, 4) the DPO can deploy IT more efficiently to support (simplify) his own
AO/IC, 5) the DPO can accomplish more with less support (from, for example, HR), 6) the DPO reduces
the chances of making mistakes, 7) the DPO can save time because of good process management, 8)
the DPO responds more quickly and more efficiently to changes in processes, 9) the DPO can be of better
service to internal stakeholders (colleagues, Works Council etc.), 10) the DPO can be of better service
to external stakeholders (DPA, data subjects).
[111]
A professional DPO work plan takes into account the findings of internal and external audits, in the
sense that sufficient attention is devoted to possible risks of non-compliance in the interest of the
organisation itself.
[112]
Some advantages for the organisation of proper attention to risk and incident management in the
DPO work plan could be, for example (depending on the circumstances), the following: 1) handling risks
cleverly, 2) connecting to management actions, 3) opening debates on risk acceptance, 4) better provision
of professional service by the organisation (better customer experience), 5) reducing the amount of
management time spent dealing with minor problems, 6) more internal focus on doing the right things well,
7) a better basis for determining strategies, 8) obtaining competitive advantage, 9) a more efficient use
of resources, 10) lower remediation costs due to non-compliance.
[113]
According to recital 74 of the GDPR, ‘The responsibility and liability of the controller for any
processing of personal data carried out by the controller or on the controller's behalf should be
established. In particular, the controller should be obliged to implement appropriate and effective
measures and be able to demonstrate the compliance of processing activities with this Regulation,
including the effectiveness of the measures. Those measures should take into account the nature, scope,
context and purposes of the processing and the risk to the rights and freedoms of natural persons.’ The
risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from
personal data processing which could lead to physical, material or non-material damage, according to
recital 75 of the GDPR.
[114]
For a comprehensive collection of official GDPR resource documents, see also Kadir, Romeo F.
(Ed.), GDPR Official Resources – A comprehensive collection of the most important official sources
for a better understanding of the GDPR, EIPACC (2021), www.dataprotectionbooks.com.
[115]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.2, p. 14.
[116]
For more detailed explanation of related terms and definitions, see also
[117]
Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on the
protection of individuals with regard to the processing of personal data and on the free movement of
such data (General Data Protection Regulation)’ COM (2012) 11 final. See also Kadir, Romeo F.
(Ed.), GDPR Official Resources – A comprehensive collection of the most important official sources
for a better understanding of the GDPR, EIPACC (2021), www.dataprotectionbooks.com.
[118]
Supplement to the Commission, ‘Proposal for a Regulation of the European Parliament and of the
Council on the protection of individuals with regard to the processing of personal data and on the free
movement of such data (General Data Protection Regulation)’ COM (2012) 11 final. p. 1.
[119]
Commission, ‘Europe 2020: A strategy for smart, sustainable and inclusive growth’ COM (2010)
2020 final.
[120]
According to recital 75 of the Commission, ‘Proposal for a Regulation of the European Parliament
and of the Council on the protection of individuals with regard to the processing of personal data and
on the free movement of such data (General Data Protection Regulation)’ COM (2012) 11 final.
[121]
Council Regulation (EC) 45/2001 of 18 December 2000 on the protection of individuals with
regard to the processing of personal data by the Community institutions and bodies and on the free
movement of such data [2000] OJ L8/1. This Regulation is repealed by Regulation (EU) 2018/1725 of
the European Parliament and of the Council of 23 October 2018 on the protection of natural persons
with regard to the processing of personal data by the Union institutions, bodies, offices and agencies
and on the free movement of such data, OJ L 295, 21.11.201.
[122]
EDPS, ‘Position paper on the role of Data Protection Officers in ensuring effective compliance
with Regulation (EC) 45/2001’ (28 November 2005)
https://edps.europa.eu/sites/edp/files/publication/05-11-28_dpo_paper_en.pdf accessed 11 May 2019.
See also EDPS, Position paper on the role of Data Protection Officers of the EU institutions and bodies
(18-09-30).
[123]
This Working Party was set up under Article 29 of Council Directive 95/46/EC of 24 October
1995 on the protection of individuals with regard to the processing of personal data and on the free
movement of such data [1995] OJ L281/31. It is an independent European advisory body on data
protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of
Directive 2002/58/EC. The secretariat is provided by Directorate C (Fundamental rights and rule of
law) of the European Commission, Directorate General Justice and Consumers, B-1049 Brussels,
Belgium, Office No MO59 02/27. Website: http://ec.europa.eu/justice/data-protection/index_en.htm.
[124]
Council Regulation (EC) 45/2001 of 18 December 2000 on the protection of individuals with
regard to the processing of personal data by the Community institutions and bodies and on the free
movement of such data [2000] OJ L8/1.
[125]
Network of Data Protection Officers of the EU institutions and bodies, ‘Professional Standards for
Data Protection Officers of the EU institutions and bodies working under Regulation (EC) 45/2001’
https://ec.europa.eu/anti-fraud/sites/antifraud/files/docs/body/dpo_standards.pdf accessed 11 May 2019.
[126]
See www.eadpp.eu and https://www.eadpp.eu/eadpp-certification.
[127]
The EADPP CDPO Certification Body of Knowledge & Skills (BOKS) is discussed in detail in
Kadir, R.F., Handbook Certified Data Protection Officer (CDPO) – Body of Knowledge & Skills
(BOKS), EIPACC Publications (2021) | www.dataprotectionbooks.com.
[128]
See https://privapedia.com/exams.php.
[129]
The EADPP CDPO Certification Code of Ethics is discussed in detail in Kadir, R.F., Handbook
Certified Data Protection Officer (CDPO) – Body of Knowledge & Skills (BOKS), EIPACC
Publications (2021) | www.dataprotectionbooks.com. See also https://privapedia.com/exams.php and
below Annexure 10 for the full text of the EADPP Certification Code of Ethics.
[130]
For a detailed discussion on ‘appropriate measures’ see also Kadir, Romeo F., Business
Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com. For a comprehensive collection of official GDPR resource documents,
see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive collection of the most
important official sources for a better understanding of the GDPR, EIPACC (2021),
www.dataprotectionbooks.com.
[131]
For a more detailed discussion, see above Chapter 2.
[132]
See www.gdprcertifications.eu. Prudential control of internal audit findings can be of interest for
the DPO work plan. The EADPP CDPO Certification Body of Knowledge & Skills (BOKS) is
discussed in detail in Kadir, R.F., Handbook Certified Data Protection Officer (CDPO) – Body of
Knowledge & Skills (BOKS), EIPACC Publications (2021) | www.dataprotectionbooks.com.
[133]
Compare the definition of an inventory within the meaning of the ‘Archiefwet’ (the Dutch
Archives Act): a systematic, or otherwise automated, description of archive components,
with a table of contents, an explanatory introduction and the like. File inventories are also part of it.
[134]
According to recital 9 of the GDPR, the objective of the GDPR is to manage the legal
fragmentation within the EU in the area of privacy and data protection. Differences in the level of
protection of the rights and freedoms of natural persons, in particular the right to the protection of
personal data, with regard to the processing of personal data in the Member States may prevent the free
flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to
the pursuit of economic activities at the level of the Union, distort competition and impede authorities
in the discharge of their responsibilities under Union law. Such a difference in levels of protection is
due to the existence of differences in the implementation and application of Directive 95/46/EC. In
order to ensure a consistent and high level of protection of natural persons and to remove the obstacles
to flows of personal data within the Union, the level of protection of the rights and freedoms of natural
persons with regard to the processing of such data should be equivalent in all Member States, according
to recital 10 of the GDPR.
[135]
Compare also the general goals of internal control within the meaning of COSO. COSO starts from
the philosophy that internal control is a process, aimed at obtaining reasonable assurance
regarding the achievement of objectives in the following four domains: 1) Strategic: achieving strategic
aims, 2) Operational: effectiveness and efficiency of business processes, 3) Reporting: reliability of
information transfer and 4) Compliance: compliance with relevant legislation and regulations.
[136]
See http://ec.europa.eu/newsroom.
[137]
See http://ec.europa.eu/justice/data-protection/reform.
[138]
Transfers are necessary for the implementation of a contract between the data subject and the
controller or for the implementation of precontractual measures, taken at the request of the data subject.
[139]
See www.autoriteitpersoonsgegevens.nl for the situations in which the Dutch DPA prescribes the
performance of a DPIA.
[140]
For a more detailed discussion on the general GDPR privacy duty of care, see Kadir, Romeo F.,
Business Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com. For a more basic explanation of the applicable principles of processing,
see Romeo Kadir, ‘Privacy and Data Protection, Certified GDPR Compliance’, which can be accessed
by visiting:
https://www.udemy.com/course/european-institute-certified-gdpr-data-protection-compliance/.
[141]
For a collection of relevant EU case law regarding these rights, see among others Kadir, Romeo
F., Business Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com.
[142]
For the importance of a professional complaints handling procedures see also Kadir, R.F.,
Handbook Certified Data Protection Officer (CDPO) – Body of Knowledge & Skills (BOKS), EIPACC
Publications (2021) | www.dataprotectionbooks.com.
[143]
Examples of goals related to Business Intelligence are the inventory of personal data regarding
customer acquisition, customer insight, customer acceptance, data management, credit control and
collection management.
[144]
See also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive collection of the
most important official sources for a better understanding of the GDPR, EIPACC (2021),
www.dataprotectionbooks.com.
[145]
With these guidelines, the Dutch DPA aims to clarify its expectations regarding the security of
personal data. Within that framework, an organisation has room to design the security of personal data
in the way (method and resources) that best suits its specific situation. An organisation
should always safeguard the rights of stakeholders, and security should be adequate and competently
applied, with the organisation making optimal use of the knowledge available in the field of
information security. See www.autoriteitpersoonsgegevens.nl (available in Dutch).
[146]
In similar sense also Article 32(3) of the GDPR (security of processing).
[147]
See also Romeo Kadir, GDPR Dictionary, Contextualization of GDPR related terms and
definitions, PPG (2020), www.gdprliterature.eu.
[148]
ISO 5807:1985, see https://www.iso.org/standard/11955.html.
[149]
For a more elaborate discussion, see Kadir, Romeo F., Business Companion Data Protection –
Practical GDPR Guidance, EIPACC (2021), www.dataprotectionbooks.com.
[150]
For an alternative roadmap with an elaborate clarification, see among others
http://labs.centerforgov.org/data-governance/data-inventory/.
[151]
The team roles of Belbin and the Belbin test are in the limelight in the world of HR professionals.
The British scientist Meredith Belbin (1926) introduced his team roles in 1981. In principle, the roles
supplement and reinforce each other, although of course no team member has only strong points.
The weaknesses of a team member, defined by Belbin as ‘allowable weaknesses’, are compensated for by
other team members. See also www.belbin.com.
[152]
Bruce Tuckman, ‘Developmental sequence in small groups’ (1965) 63 Psychological Bulletin 6,
384.
[153]
The Standish Group Chaos Report 2014, The Smart Project, www.standishgroup.com.
[154]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.4, p. 18.
See also https://edpb.europa.eu.
[155]
See Article 24(1)(d) of Council Regulation (EC) 45/2001 of 18 December 2000 on the protection
of individuals with regard to the processing of personal data by the Community institutions and bodies
and on the free movement of such data [2000] OJ L8/1.
[156]
See also e-Dictionary Privacy & Data Protection | https://privapedia.com/dictionary.php.
[157]
For a discussion on the goals and side effects, see hereinafter.
[158]
See www.europrivacy.org and www.eipacc.eu.
[159]
For a more detailed discussion on recital 39 of the GDPR, see chapter 4.
[160]
With regard to the documentation and recording duty (Article 30(1)), the DPIA duty (Article 35), the
privacy duty of care (Article 5(1)) and the obligations relating to the handling of the rights of stakeholders,
see for a more detailed discussion Kadir, Romeo F., Business Companion Data Protection – Practical
GDPR Guidance, EIPACC (2021), www.dataprotectionbooks.com.
[161]
Further processing for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be
incompatible with the initial purposes (‘purpose limitation’), according to Article 5(1)(b) of the GDPR.
[162]
The controller shall be able to demonstrate compliance with these principles ex Article 5(2) of the
GDPR. See Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com.
[163]
Pursuant to Article 30(5) of the GDPR, the obligation to maintain such a record shall not apply to an
enterprise or an organisation employing fewer than 250 persons, unless the processing it carries out is
likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or
the processing includes special categories of data as referred to in Article 9(1) or personal data relating
to criminal convictions and offences referred to in Article 10.
[164]
Under reference to Article 4(17), representative means a natural or legal person established in the
Union who, designated by the controller or processor in writing pursuant to Article 27, represents the
controller or processor with regard to their respective obligations under this Regulation.
[165]
For a more elaborate discussion concerning GDPR requirements and GDPR controls, see Kadir,
Romeo F., Business Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com.
[166]
For more detail, see chapter 3, paragraph 3.3 (Risk orientation in the DPO work plan).
[167]
With regard to issue management in the case of integrity risks, see among others De
Nederlandsche Bank, ‘Integrity Risk Analysis: More where necessary, less where possible’ (August 17,
2015) http://www.toezicht.dnb.nl/en/binaries/51-234068.PDF accessed May 12, 2019.
[168]
See EDPB Recommendation 01/2019 on the draft list of the European Data Protection
Supervisor regarding the processing operations subject to the requirement of a data protection
impact assessment (Article 39.4 of Regulation (EU) 2018/1725)
https://edpb.europa.eu/our-work-tools/our-documents/doporuceni/recommendation-012019-draft-list-european-data-protection_en.
See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR
Guidance, EIPACC (2021), www.dataprotectionbooks.com.
[169]
The principle of transparency requires that any information and communication relating to the
processing of those personal data be easily accessible and easy to understand, and that clear and plain
language be used. That principle concerns, in particular, information to the data subjects on the identity
of the controller and the purposes of the processing and further information to ensure fair and
transparent processing in respect of the natural persons concerned and their right to obtain confirmation
and communication of personal data concerning them which are being processed, according to recital
39 of the GDPR.
[170]
Files or sets of files, as well as their cover pages, which are not structured according to specific
criteria should not fall within the scope of this Regulation, according to recital 15 of the GDPR.
[171]
The following advantages can generally be connected to process improvement for the DPO: 1) the
DPO is capable of performing tasks to a higher quality, 2) the DPO is better equipped to
substantiate the necessity of a specific financial budget, 3) the DPO can organise himself in such a way
that excessive stress is avoided, 4) the DPO can deploy IT more efficiently to support (simplify) his own
AO/IC, 5) the DPO can accomplish more with less support (from, for example, HR), 6) the DPO reduces
the chances of making mistakes, 7) the DPO can save time because of good process management, 8)
the DPO responds more quickly and more efficiently to changes in processes, 9) the DPO can be of better
service to internal stakeholders (colleagues, Works Council etc.), 10) the DPO can be of better service
to external stakeholders (DPA, data subjects).
[172]
A professional work plan takes account of the findings of internal and external audits, in the sense
that sufficient attention is devoted to possible risks of non-compliance in the interest of the
organisation itself.
[173]
Some advantages for the organisation of proper attention to risk and incident management in the
DPO work plan could be, for example (depending on the circumstances), the following: 1) handling
risks cleverly, 2) connecting to management actions, 3) opening debates on risk acceptance, 4) better
professional service by the organisation (better customer experience), 5) reducing the amount of
management time spent dealing with minor problems, 6) more internal focus on doing the right things
well, 7) a better basis for determining strategies, 8) obtaining competitive advantage, 9) a more
efficient use of resources, 10) lower restoration costs due to non-compliance.
[174]
According to recital 74 of the GDPR, the responsibility and liability of the controller for any
processing of personal data carried out by the controller or on the controller's behalf should be
established. In particular, the controller should be obliged to implement appropriate and effective
measures and be able to demonstrate the compliance of processing activities with this Regulation,
including the effectiveness of the measures. Those measures should take into account the nature, scope,
context and purposes of the processing and the risk to the rights and freedoms of natural persons. The
risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from
personal data processing which could lead to physical, material or non-material damage, according to
recital 75 of the GDPR.
[175]
Within this framework, compare this with the specific task of the DPO in Article 39(1)(b) of the
GDPR.
[176]
The team roles of Belbin and the Belbin test are in the limelight in the world of HR professionals.
The British scientist Meredith Belbin (born 1926) introduced his team roles in 1981. In principle, the
roles supplement and reinforce each other, although of course no team member has only strong points.
The weaknesses of a team member, defined by Belbin as ‘allowable weaknesses’, are compensated for
by other team members. See also www.belbin.com.
[177]
Bruce Tuckman, ‘Developmental sequence in small groups’ (1965) 63 Psychological Bulletin 6,
384.
[178]
See in particular the Charter of Fundamental Rights of the European Union (2000/C 364/01),
Chapter II (Freedoms), retrieved from Kadir, Romeo F. (Ed.), GDPR Official Resources – A
comprehensive collection of the most important official sources for a better understanding of the
GDPR, EIPACC (2021), www.dataprotectionbooks.com.
[179]
For more detail, see chapter 7.
[180]
See also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive collection of the
most important official sources for a better understanding of the GDPR, EIPACC (2021),
www.dataprotectionbooks.com.
[181]
See Article 8(1) of the Charter of Fundamental Rights of the European Union (The ‘Charter’) and
Article 16(1) of the Treaty on the Functioning of the European Union (TFEU). See also Kadir, Romeo
F. (Ed.), GDPR Official Resources – A comprehensive collection of the most important official
sources for a better understanding of the GDPR, EIPACC (2021), www.dataprotectionbooks.com.
[182]
See among others recital 4 of the GDPR.
[183]
Article 2(a) of Council Directive 95/46/EC of 24 October 1995 on the protection of individuals
with regard to the processing of personal data and on the free movement of such data [1995] OJ
L281/31 defines ‘personal data’ as ‘any information relating to an identified or identifiable natural
person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in
particular by reference to an identification number or to one or more factors specific to his physical,
physiological, mental, economic, cultural or social identity’.
[184]
Examples of goals related to Business Intelligence are a baseline of personal data regarding customer
acquisition, customer insight, customer acceptance, data management, credit control, and collection
management.
[185]
These mechanisms could also help to demonstrate that the controller or processor complies with
the rules, especially relating to the establishment of the risk relating to the processing, the assessment of
the origin, nature, probability and severity, and the determination of best practices to reduce the risk.
[186]
See for example www.eipacc.eu.
[187]
See www.autoriteitpersoonsgegevens.nl.
[188]
Right of access (Article 15), Right to rectification (Article 16), Right to erasure (‘right to be
forgotten’) ex Article 17, Right to restriction of processing (Article 18), Notification obligation
regarding rectification or erasure of personal data or restriction of processing (Article 19), Right to data
portability (Article 20), Right to object (Article 21) and the right not to be subject to automated
individual decision-making, including profiling (Article 22). See also Kadir, Romeo F., Business
Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com. For a comprehensive collection of official GDPR resource documents,
see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive collection of the most
important official sources for a better understanding of the GDPR, EIPACC (2021),
www.dataprotectionbooks.com.
[189]
See below, Annexure 12, for a list of DPAs in the European Economic Area (EEA).
[190]
For the record, it should be noted that not every GDPR obligation necessarily has to entail all
components that are mentioned here. The number of relevant components can differ as per GDPR
obligation.
[191]
For example, within the framework of binding corporate rules (see Article 47(2)(d) of the GDPR).
[192]
See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com.
[193]
See https://eipacc.eu/regulatory-gdpr-compliance/.
[194]
See among others the data management model of DAMA www.dama.org.
[195]
The above-mentioned additional data compliance dimensions are not part of the following analysis
unless specifically mentioned otherwise.
[196]
See among others the ‘AICPA/CICA Privacy Maturity Model’ (March 2011) that is based on the
Generally Accepted Privacy Principles (GAPP), published by the American Institute of Certified Public
Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA) in 2009
https://iapp.org/media/presentations/11Summit/DeathofSASHO2.pdf accessed 14 May 2019. Compare
with the previous edition (April 2010) also Information and Privacy Commissioner Ontario, ‘Privacy
Risk Management: Building privacy protection into a Risk Management Framework to ensure that
privacy risks are managed, by default’ (April 2010), p. 20, Annex 2 https://www.ipc.on.ca/wp-
content/uploads/2010/04/Privacy-Risk-Management-Building-privacy-protection-into-a-Risk-
Management-Framework-to-ensure-that-privacy-risks-are-managed.pdf accessed 14 May 2019.
[197]
See Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance, EIPACC
(2021), www.dataprotectionbooks.com.
[198]
See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com.
[199]
See for example ISO/IEC 27018 (Cloud Computing) and ISO/IEC 29100:2011, briefly discussed
in chapter 5.
[200]
Compare the ISO/IEC 27001 Standards family for information security management as part of
EIPACC certification audits, https://eipacc.eu/regulatory-gdpr-compliance/.
[201]
For a more elaborate discussion, see also Romeo Kadir, GDPR Business Companion, GDPR
Ultimate Business Guide Series, Part 1, PPG (2020). www.gdprliterature.eu.
[202]
For an alternative roadmap with an elaborate explanation, see among others:
http://labs.centerforgov.org/data-governance/data-inventory/.
[203]
Guidance on the implementation of appropriate measures and on the demonstration of compliance
by the controller or the processor, especially as regards the identification of the risk related to the
processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of
best practices to mitigate the risk, could be provided in particular by means of approved codes of
conduct, approved certifications, guidelines provided by the Board or indications provided by a data
protection officer, according to recital 77 of the GDPR.
[204]
Compare within this framework also the PIA model (2015) of NOREA, which is a risk analysis
instrument that can identify and trace privacy risks, see https://www.norea.nl/english.
[205]
For a more detailed discussion on the GDPR privacy risk map, see also Kadir, Romeo F., Business
Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com.
[206]
CNIL, ‘Methodology for Privacy Risk Management: How to implement the Data Protection Act’
(June 2012), p. 18 https://www.cnil.fr/sites/default/files/typo/document/CNIL-ManagingPrivacyRisks-
Methodology.pdf accessed May 11, 2019.
[207]
The Standish Group Chaos Report 2011, https://www.projectsmart.co.uk/white-papers/chaos-
report.pdf (p. 15).
[208]
See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com.
[209]
WP 248, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether
processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679 (4 April 2017).
[210]
Implementation (from the Latin verb implére, ‘fill out’ or ‘fulfil’) is the introduction of a new system,
plan, idea, model, design, standard or policy in an organisation. The term is used, among others, in the
IT world, in public administration (implementation of policies) and in the legal context
(implementation of legislation).
[211]
For a discussion on possible GDPR ambition levels, see among others chapter 6.
[212]
For a discussion on the goals and side effects, see hereinafter § 7.2.
[213]
See for example (standard) GDPR certification trajectories at www.eipacc.eu.
[214]
See among others the data management model of DAMA www.dama.org.
[215]
These steps will be discussed in more detail, below in paragraph 7.3.
[216]
For a more detailed discussion, see chapter 6.
[217]
For more detail, see chapter 1.
[218]
As regards the documentation and recording duty (Article 30(1)), DPIA duty (Article 35), privacy
duty of care (Article 5(1)) and obligations relating to realising the rights of data subjects, see § 2.4.
[219]
Autoriteit Persoonsgegevens (AP), ‘In 10 stappen voorbereid op de AVG’ (13 April 2017), p. 1
https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/in_10_stappen_voorbereid_op_de_avg.pdf
accessed, 12 May 2019 (available in Dutch).
[220]
See Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com. See also e-Dictionary Privacy & Data Protection,
https://privapedia.com/dictionary.php.
[221]
In accordance with recital 51 of the GDPR, personal data which are, by their nature, particularly
sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their
processing could create significant risks to the fundamental rights and freedoms.
[222]
See also chapter 6.
[223]
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in
the performance of their tasks, according to Article 6(1) of the GDPR.
[224]
Keeping such records shall ex Article 30(5) of the GDPR not apply to an enterprise or an
organisation employing fewer than 250 persons unless the processing it carries out is likely to result in
a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing
includes special categories of data as referred to in Article 9(1) or personal data relating to criminal
convictions and offences referred to in Article 10.
[225]
For more detail, see chapter 3, paragraph 3.3 (risk orientation in the DPO work plan).
[226]
With regard to issue management in the case of integrity risks, see among others De
Nederlandsche Bank, ‘Integrity Risk Analysis: More where necessary, less where possible’ (17 August
2015) http://www.toezicht.dnb.nl/en/binaries/51-234068.PDF accessed 12 May 2019.
[227]
The WP29 interprets “systematic” as meaning one or more of the following (see the WP29
Guidelines on Data Protection Officer 16/EN WP 243): 1) occurring according to a system, 2) pre-
arranged, organised or methodical, 3) taking place as part of a general plan for data collection, 4)
carried out as part of a strategy. According to WP 248 rev.01, Guidelines on Data Protection Impact
Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the
purposes of Regulation 2016/679 (as last Revised and Adopted on 4 October 2017), footnote 15, p. 9.
See also e-Dictionary Privacy & Data Protection | https://privapedia.com/dictionary.php.
[228]
See also Recommendation 01/2019 on the draft list of the European Data Protection Supervisor
regarding the processing operations subject to the requirement of a data protection impact assessment
(Article 39.4 of Regulation (EU) 2018/1725).
[229]
See § 3.1.3 (Business case for a professional DPO work plan).
[230]
In light of the duty of the controller and the processor to ensure that the DPO does not receive any
instructions regarding the exercise of his tasks, an extra argument can be found for the statement that
the DPO, especially considering the character of the steering information, cannot be an active member
of the GDPR implementation team, let alone the leader of this team. See Article 38(3) of the GDPR.
[231]
See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com. For a comprehensive collection of official GDPR
resource documents, see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive
collection of the most important official sources for a better understanding of the GDPR, EIPACC
(2021), www.dataprotectionbooks.com.
[232]
According to Article 14(1) (information to be provided where personal data have not been
obtained from the data subject), where personal data have not been obtained from the data subject, the
controller shall provide the data subject with the following information: (a) the identity and the contact
details of the controller and, where applicable, of the controller's representative; (b) the contact details
of the data protection officer, where applicable; (c) the purposes of the processing for which the
personal data are intended as well as the legal basis for the processing; (d) the categories of personal
data concerned; (e) the recipients or categories of recipients of the personal data, if any; (f) where
applicable, that the controller intends to transfer personal data to a recipient in a third country or
international organisation and the existence or absence of an adequacy decision by the Commission, or
in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1),
reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where
they have been made available.
[233]
For a more detailed discussion on the component ‘conditions’ in the GBC model, see § 6.2.7.
[234]
For a more detailed discussion on the component ‘recitals’ in the GBC-model, see § 6.2.7.
[235]
See with regard to GDPR controls in general also § 7.2.1.6.
[236]
See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com. For a comprehensive collection of official GDPR
resource documents, see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive
collection of the most important official sources for a better understanding of the GDPR, EIPACC
(2021), www.dataprotectionbooks.com.
[237]
See also § 6.2.4 (matrix of GDPR obligations).
[238]
See for example § 7.4.
[239]
See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com.
[240]
A stakeholder can be described as a person or organisation that is actively involved in the project,
or whose interests can be influenced positively or negatively by the implementation or completion
of the project.
[241]
Guidance on the implementation of appropriate measures and on the demonstration of compliance
by the controller or the processor, especially as regards the identification of the risk related to the
processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of
best practices to mitigate the risk, could be provided in particular by means of approved codes of
conduct, approved certifications, guidelines provided by the Board or indications provided by a data
protection officer, according to recital 77 of the GDPR.
[242]
For more detail, see § 6.4.2.3. See also Kadir, Romeo F., Business Companion Data Protection –
Practical GDPR Guidance, EIPACC (2021), www.dataprotectionbooks.com and e-Dictionary Privacy
& Data Protection | https://privapedia.com/dictionary.php.
[243]
With regard to the development of a GDPR risk map, see among others § 6.4.2.3.
[244]
The Standish Group Chaos Report (2011) mentions the following general success factors: 1) strong
involvement of team members, 2) strong involvement of higher management, 3) proper planning, 4)
realistic expectations, 5) smaller project milestones, 6) project co-workers with sufficient (relevant)
expertise, 7) competent (possessing the necessary skills) project co-workers, 8) ownership of the
principal with the project management, 9) a clearly formulated vision & corporate objectives (SMART
deliverables) and, last but not least, 10) a devoted, hard-working, result-oriented project team.
[245]
See among others § 6.1.3.2.1 (Privacy Awareness Programme).
[246]
WP 248 rev.01, Guidelines on Data Protection Impact Assessment (DPIA) and determining
whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (as last
Revised and Adopted on 4 October 2017).
[247]
See § 6.4.2.3.
[248]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.5, p. 12.
[249]
See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com.
[250]
More focused on Article 24(1) of the GDPR, the appropriate technical and organisational
measures implemented by the controller should be reviewed and, where necessary, updated.
[251]
In other words, new facts and circumstances once the review and update of the implemented
appropriate technical and organisational measures is completed.
[252]
For a discussion on the goals and side effects, see below § 2.
[253]
For more EU context, see among others Kadir, Romeo F., Business Companion Data Protection –
Practical GDPR Guidance, EIPACC (2021), www.dataprotectionbooks.com.
[254]
See for example the (standard) GDPR certification trajectory at www.eipacc.eu.
[255]
See among others the data management model of DAMA (www.dama.org) as discussed in § 7.1.4.
[256]
For more detail, see chapter 2.
[257]
Relating to the documentation and recording duty (Article 30(1)), DPIA duty (Article 35), privacy
duty of care (Article 5(1)) and obligations in light of the realisation of the rights of data subjects, see
§ 5.2.
[258]
Autoriteit Persoonsgegevens (AP), ‘In 10 stappen voorbereid op de AVG’ (13 April 2017), p. 1
https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/in_10_stappen_voorbereid_op_de_avg.pdf
accessed 12 May 2019 (available in Dutch).
[259]
See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com. For a comprehensive collection of official GDPR
resource documents, see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive
collection of the most important official sources for a better understanding of the GDPR, EIPACC
(2021), www.dataprotectionbooks.com.
[260]
In accordance with recital 51, personal data which are, by their nature, particularly sensitive in
relation to fundamental rights and freedoms merit specific protection as the context of their processing
could create significant risks to the fundamental rights and freedoms.
[261]
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in
the performance of their tasks, according to Article 6(1) of the GDPR.
[262]
Keeping such records shall ex Article 30(5) of the GDPR not apply to an enterprise or an
organisation employing fewer than 250 persons unless the processing it carries out is likely to result in
a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing
includes special categories of data as referred to in Article 9(1) or personal data relating to criminal
convictions and offences referred to in Article 10.
[263]
For an overview of 104 privacy controls, see among others NOREA, ‘NOREA Guide Privacy
Control Framework: Control objectives and controls for privacy audits and privacy assurance
engagements’ (May 2018), p. 8 and further https://www.norea.nl/download/?id=4160 accessed 15 May
2019.
[264]
For more detail, see chapter 3, paragraph 3.3 (risk orientation in the DPO work plan).
[265]
In the second sentence of Article 24(1), the wording ‘where necessary’ is used. This seems to
imply that the probability of the risks has to be taken into account at all times. See § 7.2.1.8.
[266]
With regard to issue management in the case of integrity risks, see among others De
Nederlandsche Bank, ‘Integrity Risk Analysis: More where necessary, less where possible’ (17 August
2015) http://www.toezicht.dnb.nl/en/binaries/51-234068.PDF accessed 12 May 2019.
[267]
The WP29 interprets “systematic” as meaning one or more of the following (see the WP29
Guidelines on Data Protection Officer 16/EN WP 243): 1) occurring according to a system, 2) pre-
arranged, organised or methodical, 3) taking place as part of a general plan for data collection, 4)
carried out as part of a strategy. According to WP 248 rev.01, Guidelines on Data Protection Impact
Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the
purposes of Regulation 2016/679 (as last Revised and Adopted on 4 October 2017), footnote 15, p. 9.
See also e-Dictionary Privacy & Data Protection | https://privapedia.com/dictionary.php.
[268]
Recommendation 01/2019 on the draft list of the European Data Protection Supervisor
regarding the processing operations subject to the requirement of a data protection impact
assessment (Article 39.4 of Regulation (EU) 2018/1725).
[269]
For a discussion on the general goals (and side effects) of a GDPR implementation plan, see § 8.2.
[270]
See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com. For a comprehensive collection of official GDPR
resource documents, see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive
collection of the most important official sources for a better understanding of the GDPR, EIPACC
(2021), www.dataprotectionbooks.com.
[271]
For a more detailed discussion on the component ‘conditions’ in the GBC-model, see § 6.2.7.
[272]
For a more detailed discussion on the component ‘recitals’ in the GBC-model, see § 6.2.7.
[273]
See § 7.4.2.1. See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR
Guidance, EIPACC (2021), www.dataprotectionbooks.com.
[274]
See also § 7.4.2.2.
[275]
See also § 7.4.2.3.
[276]
See also § 3.3.3.
[277]
See also § 7.4.2.5.
[278]
See also § 7.4.2.6.
[279]
The Standish Group Chaos Report 2011, p. 15 (https://www.projectsmart.co.uk).
[280]
See WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.2, p.
17.
[281]
The tasks of the Data Protection Officer are listed in Article 39(1) of the GDPR, which specifies
that the DPO fulfils ‘at least’ the following tasks. Consequently, nothing prevents the controller from
assigning the DPO other tasks that are not explicitly mentioned in Article 39(1), or from specifying
those tasks in more detail.
[282]
For a list provided by the EDPB, see Recommendation 01/2019 on the draft list of the
European Data Protection Supervisor regarding the processing operations subject to the
requirement of a data protection impact assessment (Article 39.4 of Regulation (EU)
2018/1725).
[283]
See § 6.4.2.3.
[284]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.5, p. 12.
[285]
A distinction is usually made between an internal audit (the controller's own examination of actual
GDPR compliance, by qualified auditors or auditors declared competent by the board of the
controller) and an external audit (an examination by qualified auditors, or auditors declared competent
by the controller, performed at processors). A ‘cross audit’ normally refers to the situation where one
entity (within a holding company) examines another entity (either a subsidiary or a sister company).
[286]
See Article 24(1) for this primary obligation of the controller and processor.
[287]
Approval occurs subject to the coherence mechanism mentioned in Article 63.
[288]
Article 47(2)(h) mentions, ‘…any data protection officer designated in accordance with Article 37
or any other person or entity in charge of the monitoring compliance with the binding corporate rules
within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well
as monitoring training and complaint-handling.’
[289]
For a discussion on the goals and side effects, see below § 2.
[290]
Residual risks are risks that continue to exist despite the concrete actions taken to mitigate them.
[291]
See for example the (standard) GDPR certification trajectory at www.eipacc.eu.
[292]
Interesting for example within this framework are the controls as discussed in NOREA, ‘NOREA
Guide Privacy Control Framework: Control objectives and controls for privacy audits and privacy
assurance engagements’ (May 2018), p. 8 https://www.norea.nl/download/?id=4160 accessed 15 May
2019.
[293]
See among others the data management model of DAMA (www.dama.org) as discussed in § 7.1.4.
[294]
With regard to GDPR management value in general, see also § 6.1.5. For a more detailed
discussion on GDPR management measures, see among others Kadir, Romeo F., Business
Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com. For a comprehensive collection of official GDPR resource documents,
see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive collection of the most
important official sources for a better understanding of the GDPR, EIPACC (2021),
www.dataprotectionbooks.com. See also e-Dictionary Privacy & Data Protection,
https://privapedia.com/dictionary.php.
[295]
For more detail, see chapter 2.
[296]
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in
the performance of their tasks, according to Article 6(1) of the GDPR.
[297]
Keeping such records shall ex Article 30(5) of the GDPR not apply to an enterprise or an
organisation employing fewer than 250 persons unless the processing it carries out is likely to result in
a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing
includes special categories of data as referred to in Article 9(1) or personal data relating to criminal
convictions and offences referred to in Article 10.
[298]
For an overview of 104 privacy controls, see among others NOREA, ‘NOREA Guide Privacy
Control Framework: Control objectives and controls for privacy audits and privacy assurance
engagements’ (May 2018), p. 8 https://www.norea.nl/download/?id=4160 accessed 15 May 2019. See
also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance, EIPACC
(2021), www.dataprotectionbooks.com. For a comprehensive collection of official GDPR resource
documents, see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive collection
of the most important official sources for a better understanding of the GDPR, EIPACC (2021),
www.dataprotectionbooks.com. See also e-Dictionary Privacy & Data Protection |
https://privapedia.com/dictionary.php.
[299]
For more detail, see chapter 3, paragraph 3.3 (risk orientation in the DPO work plan).
[300]
With regard to issue management in the case of integrity risks, see among others De
Nederlandsche Bank, ‘Integrity Risk Analysis: More where necessary, less where possible’ (17 August
2015) http://www.toezicht.dnb.nl/en/binaries/51-234068.PDF accessed 12 May 2019.
[301]
See www.eipacc.eu.
[302]
See also § 7.4.2.1.
[303]
See also § 7.4.2.2.
[304]
See also § 7.4.2.3.
[305]
See also § 3.3.3.
[306]
Compare § 7.4.2.5.
[307]
See also § 7.4.2.6.
[308]
The Standish Group Chaos Report 2011, p. 15 (https://www.projectsmart.co.uk).
[309]
See www.eipacc.eu.
[310]
Which can be derived from Article 39(1)(b) of the GDPR. See among others also Article 28(3)(h)
(processor contract) and Article 47(2)(j) (binding corporate rules).
[311]
See also § 7.4.2.1.
[312]
See also § 7.4.2.2.
[313]
See also § 7.4.2.3.
[314]
See also § 3.3.3.
[315]
For a more detailed discussion on the GDPR privacy risk map, see also Kadir, Romeo F., Business
Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com. For a comprehensive collection of official GDPR resource documents,
see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive collection of the most
important official sources for a better understanding of the GDPR, EIPACC (2021),
www.dataprotectionbooks.com. See also e-Dictionary Privacy & Data Protection,
https://privapedia.com/dictionary.php.
[316]
Compare § 7.4.2.5.
[317]
The Standish Group Chaos Report 2011, p. 15 (www.projectsmart.co.uk).
[318]
See also § 9.8, Table of reference DPO work plan GDPR assurance & GDPR audit.
[319]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.1, p. 17.
[320]
The same plan can be used ex ante for accountability purposes and for designing the reports that are
drawn up ex post.
[321]
For a more detailed discussion of the interpretation of these obligations, see among others Kadir,
Romeo F., Business Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com.
[322]
For the annual report of the DPA, see among others Article 59. Each supervisory authority shall
draw up an annual report on its activities, which may include a list of types of infringement notified and
types of measures taken in accordance with Article 58(2). Those reports shall be transmitted to the
national parliament, the government and other authorities as designated by Member State law. They
shall be made available to the public, to the Commission and to the Board. With regard to the reporting
duty of the Board, see Article 71. According to the first paragraph of this Article, the Board shall draw
up an annual report regarding the protection of natural persons with regard to processing in the Union
and, where relevant, in third countries and international organisations. The report shall be made public
and be transmitted to the European Parliament, to the Council and to the Commission. In accordance
with paragraph 2 of Article 71, the annual report shall include a review of the practical application of
the guidelines, recommendations and best practices referred to in point (l) of Article 70(1) as well as of
the binding decisions referred to in Article 65. With regard to the reporting duty (activities report) of
the European Data Protection Supervisor (EDPS), see Article 48 of Regulation (EC) 45/2001 of the
European Parliament and of the Council on the protection of individuals with regard to the processing of
personal data by the Community institutions and bodies and on the free movement of such data (18
December 2000). Article 48 codified that, ‘The European Data Protection Supervisor shall submit
an annual report on his or her activities to the European Parliament, the Council and the Commission
and at the same time make it public. The European Data Protection Supervisor shall forward the
activities report to the other Community institutions and bodies, which may submit comments with a
view to possible examination of the report in the European Parliament, in particular in relation to the
description of the measures taken in response to the remarks made by the European Data Protection
Supervisor under Article 31.’ Note that Regulation (EC) 45/2001 has since been repealed and replaced
by Regulation (EU) 2018/1725, cited elsewhere in this handbook.
[323]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.3, p. 15.
[324]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.3, p. 15.
[325]
Network of Data Protection Officers of the EU institutions and bodies, ‘Professional Standards for
Data Protection Officers of the EU institutions and bodies working under Regulation (EC) 45/2001’ (14
October 2010), p. 8 https://ec.europa.eu/anti-fraud/sites/antifraud/files/docs/body/dpo_standards.pdf
accessed 11 May 2019. Regulation (EC) 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of
individuals with regard to the processing of personal data by the Community institutions and bodies
and on the free movement of such data [2001] OJ L8/1.
[326]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.3, p. 15.
[327]
Compare the Network of Data Protection Officers of the EU institutions and bodies, ‘Professional
Standards for Data Protection Officers of the EU institutions and bodies working under Regulation
(EC) 45/2001’ (14 October 2010), § 4.1, p. 13
https://ec.europa.eu/anti-fraud/sites/antifraud/files/docs/body/dpo_standards.pdf accessed 11 May 2019.
[328]
Article 38(4) of the GDPR reads as follows, ‘Data subjects may contact the data protection officer
with regard to all issues related to processing of their personal data and to the exercise of their rights
under this Regulation.’
[329]
See for example the (standard) GDPR certification trajectory at www.eipacc.eu. See also Kadir,
Romeo F., Business Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com. For a comprehensive collection of official GDPR resource documents,
see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive collection of the most
important official sources for a better understanding of the GDPR, EIPACC (2021),
www.dataprotectionbooks.com. See also e-Dictionary Privacy & Data Protection,
https://privapedia.com/dictionary.php.
[330]
See among others the data management model of DAMA (www.dama.org) as discussed in § 7.1.4.
[331]
With regard to GDPR management value in general, see also § 6.1.5.
[332]
For more detail, see hereinafter the Table of reference ARP (in § 10.5) where the focus point of
the DPO work plan is categorized in vision, mission and strategy (VMS) of the DPO work plan.
[333]
WP 173, Opinion 3/2010 on the principle of accountability (13 July 2010), § 25, p. 8.
[334]
In accordance with recital 51, personal data which are, by their nature, particularly sensitive in
relation to fundamental rights and freedoms merit specific protection, as the context of their processing
could create significant risks to the fundamental rights and freedoms. For a more detailed
analysis, see also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com. For a comprehensive collection of official GDPR
resource documents, see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive
collection of the most important official sources for a better understanding of the GDPR, EIPACC
(2021), www.dataprotectionbooks.com. See also e-Dictionary Privacy & Data Protection,
https://privapedia.com/dictionary.php.
[335]
Under Article 30(5) of the GDPR, the obligation to keep such records does not apply to an enterprise or an
organisation employing fewer than 250 persons unless the processing it carries out is likely to result in
a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing
includes special categories of data as referred to in Article 9(1) or personal data relating to criminal
convictions and offences referred to in Article 10. Note that these three exceptions are alternatives: any one of them brings the organisation back within the record-keeping obligation.
[336]
For more detail, see chapter 3, paragraph 3.3 (risk orientation in the DPO work plan).
[337]
With regard to issue management in the case of integrity risks, see among others De
Nederlandsche Bank, ‘Integrity Risk Analysis: More where necessary, less where possible’ (17 August
2015) http://www.toezicht.dnb.nl/en/binaries/51-234068.PDF accessed 12 May 2019.
[338]
In this regard, the DPO can work together closely with the Chief Information Security Officer
(CISO).
[339]
Compare also the EDPS, which mentions within this context an ‘annual work programme and an
annual report’ that ‘may be submitted by the DPO on his/her activities. A work programme of the DPO
should define its priorities and show which results the DPO wants to achieve in terms of raising
awareness, inventory, notifications, prior checking and register, etc.’ See EDPS,
‘Implementing rules concerning the tasks, duties and powers of the Data Protection Officer (Article
24.8)’ (29 July 2010), § 3, p. 5
https://edps.europa.eu/sites/edp/files/publication/10-07-29_guidelines_dpo_tasks_en.pdf accessed 15 May 2019.
[340]
See also the Ethics Advisory Group of the EDPS. According to the EDPS, ‘This Ethics Advisory
Group … will enable the realisation of the benefits of technology for society and the economy in ways
that reinforce the rights and freedoms of individuals.’ Press Release EDPS/2016/05 (Brussels, 28
January 2016)
https://edps.europa.eu/sites/edp/files/edpsweb_press_releases/edps-2016-05-edps_ethics_advisory_group_en.pdf accessed 15 May 2019.
[341]
Compare Network of Data Protection Officers of the EU institutions and bodies, ‘Professional
Standards for Data Protection Officers of the EU institutions and bodies working under Regulation
(EC) 45/2001’ (14 October 2010), § 4.1, p. 13
https://ec.europa.eu/anti-fraud/sites/antifraud/files/docs/body/dpo_standards.pdf accessed 11 May 2019.
[342]
See Article 39(1) of the GDPR.
[343]
Network of Data Protection Officers of the EU institutions and bodies, ‘Professional Standards for
Data Protection Officers of the EU institutions and bodies working under Regulation (EC) 45/2001’ (14
October 2010), § 5.1, p. 14
https://ec.europa.eu/anti-fraud/sites/antifraud/files/docs/body/dpo_standards.pdf accessed 11 May 2019.
[344]
Network of Data Protection Officers of the EU institutions and bodies, ‘Professional Standards for
Data Protection Officers of the EU institutions and bodies working under Regulation (EC) 45/2001’ (14
October 2010), § 5.3, p. 15
https://ec.europa.eu/anti-fraud/sites/antifraud/files/docs/body/dpo_standards.pdf accessed 11 May 2019.