
© 2021 European Institute for Privacy, Audit, Compliance & Certification (EIPACC)
Further inquiries can be addressed to: publications@eipacc.eu

Recommended Citation:
Kadir, Romeo F., Handbook Certified Data Protection Officer (DPO) –
Practical Work Plan Guidance, EIPACC (2021),
www.dataprotectionbooks.com

ISBN/EAN 9789083115450
NUR 820
BISAC LAW059000

© 2021
European Institute for Privacy, Audit, Compliance & Certification
(EIPACC)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise,
without the publisher’s prior consent. Except for the quotation of short passages for the purposes of
criticism and review, no part of this publication may be reproduced, stored in a retrieval system, or
transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or
otherwise, without the prior written permission of the publisher or a license.
Without limiting the rights under copyright reserved above, no part of this book may be reproduced,
stored in or introduced into a retrieval system, or transmitted, in any form or by any means (electronic,
mechanical, photocopying, recording or otherwise) without the written permission of both the copyright
owner and the author of the book.
Every effort has been made to obtain permission to use all copyrighted illustrations reproduced in this
book. Nonetheless, whosoever believes to have rights to this material is advised to contact the
publisher.
Fictitious names of companies, products, people, characters and/or data that may be used herein (in
case studies or in examples) are not intended to represent any real individual, company, product or
event.
This publication is translated from Dutch into English. The European Institute for Privacy,
Audit, Compliance & Certification (EIPACC) takes no responsibility for the quality of
the translations into other languages. The views expressed in this handbook do not bind EIPACC. The
handbook refers to a selection of commentaries, manuals and other primary sources. EIPACC takes no
responsibility for their content, nor does their inclusion amount to any form of endorsement of these
publications.
EIPACC has no responsibility for the persistence or accuracy of URLs for external or third-party
internet websites referred to in this publication and does not guarantee that any content on such
websites is, or will remain, accurate or appropriate.
FOREWORD
Providing a practical guide for the Data Protection Officer (DPO) lies at the heart of
this publication. According to the European Data Protection Board (EDPB), it is good
practice for the DPO (or the organisation) to draw up a work plan, but the EDPB does
not discuss the form or content of such a plan. What does such a work plan look like?
Answering that question is the core of this publication. To do so, the following two
(more concrete) ‘lines of orientation for a DPO work plan’ are applied.
Firstly, the text of the General Data Protection Regulation (GDPR) itself provides an
important line of orientation in Articles 37 to 39 GDPR, which govern the designation,
position and tasks of the DPO.
Secondly, a line of orientation is found in the typical role the DPO plays in the
“daily data protection practice”, which can be inferred, among other things, from the
action plan (or work plan) of an enterprise, institution or organisation. In pursuit of
compliance with the obligations under the GDPR, at least the following steps (in this
or comparable wording) can usually be distinguished.
1. Establish GDPR policies.
2. Make an inventory of personal data.
3. Perform a GDPR baseline.
4. Perform a GDPR gap-analysis.
5. Perform a GDPR implementation.
6. Perform GDPR review and update.
7. Perform GDPR assurance and audit.
8. Compose and communicate the GDPR accountability and reports.
The “two lines of orientation” approach chosen for this practical guidance deliberately
seeks to do justice to the dual reality in which many DPOs operate. On the one hand,
there is the continuous expectation that the DPO ‘will just take care of all we need to
do’; on the other hand, Articles 37 to 39 GDPR actively construct a certain distance
between the DPO and the more operational GDPR activities. One particular reason for
this distance is to preserve the independence of the DPO, which is emphasised among
others in recital 97 GDPR.
Taking into account earlier feedback on legibility (and feedback on earlier manuscripts
of this book), a deliberate choice has been made to repeat (copy) the content of certain
earlier paragraphs and/or parts of the book where appropriate, in order to promote
legibility and learning.
The mission, vision and strategy of the DPO work plan are taken as the starting point
for general ‘tables of reference for the DPO’, which provide ‘connecting factors for
more depth’ for each of the subjects mentioned in the specific chapters. The layout of
these tables is the same in every chapter; they are primarily intended as orientation
for more concrete elaboration by the DPO in his or her own work plan, in accordance
with their own enterprise, institution or organisation.
The GDPR assigns a number of important tasks to the DPO, which are positioned on a
‘thin line of fragile checks and balances’ between various GDPR stakeholders. The
specific positioning of the DPO is also relevant to one of the most important goals of
the GDPR: protecting the fundamental rights and freedoms of natural persons (‘data
subjects’ in the GDPR) and in particular their right to the protection of their personal
data, pursuant to Article 1(2) GDPR.
According to the European Data Protection Board (and before it the Article 29 Working
Party, WP29), the DPO (or the organisation) should have a work plan, which the
organisation will use as a basis for providing, among other things, the ‘necessary
resources’ for the DPO. With the entry into application of the GDPR on 25 May 2018,
the need to work on the professional maturity of the Data Protection Officer (DPO)
became ever more urgent. The Spanish supervisory authority (AEPD) was the first
European data protection supervisory authority to publish a “Certification Scheme of
Data Protection Officers” (although not based on Article 42 GDPR), naming a number of
concrete knowledge and competence areas. It was followed in September 2018 by the
‘CNIL Certification Scheme of DPO Skills and Knowledge’. This scheme of the French
Data Protection Authority introduced certification criteria setting out, in particular,
the conditions for admissibility of applications and the list of 17 DPO skills and
knowledge areas required for certification, and also contained accreditation criteria
setting out the requirements for certification bodies wishing to be accredited by the
CNIL to certify DPO skills and knowledge.
This publication is part of a larger series of publications for the professional DPO.
Especially for junior and medior/advanced (and even some senior/expert) level DPOs,
the following additional sources are considered indispensable works of reference:
1. Handbook Certified Data Protection Officer, Body of Knowledge & Skills (BOKS),
EIPACC (2021)
2. Business Companion Data Protection, Practical GDPR Guidance, EIPACC (2021)
3. GDPR Official Resources, A comprehensive collection of the most important official
resources for a better understanding of GDPR, EIPACC (2021)
This complete body of reference (which can be retrieved from
www.dataprotectionbooks.com) is also well suited (and thus recommended) for a larger
group of data protection practitioners, such as:
1. Certified data protection officers (CDPOs)
2. Privacy Officers
3. GDPR managers
4. GDPR lawyers
5. GDPR IT specialists
6. GDPR IT lawyers
7. GDPR compliance specialists
8. GDPR security specialists
9. CISOs
10. Chief Technology Officers
11. Chief Data Officers
12. Head of Privacy Policy
13. Head of Legal Affairs
14. VP Digital Ethics
15. Thought leaders in Artificial Intelligence (AI)
16. Head of AO / IC
17. Data privacy activists
18. GDPR business model managers
19. General Counsels
20. All other employees / officers / experts involved with data protection
Those looking for an introductory-level course to prepare for a better understanding of
key concepts of the GDPR are referred to ‘Privacy and Data Protection, Certified GDPR
Compliance’, which can be accessed at:
https://www.udemy.com/course/european-institute-certified-gdpr-data-protection-compliance/
While researching and compiling publications relevant for this handbook, we have been
guided by the so-called FAIR principles: Findable, Accessible, Interoperable and
Reusable resources were collected and organised in chronological order to produce a
book that meets the primary needs of Europeans and non-Europeans who are professionally
(as data protection practitioner, controller, employee, consultant, scholar or
otherwise) or personally (as citizen, data subject et cetera) interested in the role,
positioning and tasks of the Data Protection Officer as envisaged in the GDPR.
Meanwhile, it has been more than 20 years (starting back in 2001) since I, in the
capacity of ‘first DPO in the Netherlands for a non-departmental agency’ and former
board member/vice-president of the Dutch Association of Data Protection Officers,
emphasised the importance of developing a solid ‘knowledge curriculum’ for the DPO in
practice. Since 2007, when I conducted the first ‘Professional Training for the DPO’
for the Dutch Privacy Academy (NPA), the number of practical knowledge and competence
requirements has risen and the DPO has, more than ever, become a ‘jack of all trades’
who needs to constantly keep in mind the practice of the organisation and all the
interests involved. Against this background, the following considerations have, among
others, contributed to the creation of this practical guidance.
1. The applicability of the GDPR as of 25 May 2018 has triggered the need to take the
position of DPO more seriously, as it introduces a new generation of DPOs. In the
spirit of ‘noblesse oblige’, it is my conviction that more experienced (senior) DPOs
(perhaps more than ever before) should share their knowledge and experience with each
other and especially with the new flock of DPOs. Moreover, regular professional
feedback (sparring) sessions amongst DPOs can, in my view, provide a certain enrichment
of insights and experiences between professionals, which we need to reach new maturity
levels. In that respect, providing the new DPO with some practical orientation points
is one of the ambitions of this practical guidance.
2. As mentioned above, this practical guidance is part of a larger training programme
for future Data Protection Officers, especially those who aspire to be certified under
the CDPO Certification Scheme of the European Association of Data Protection
Professionals (EADPP). As founding Chairman of the EADPP Certification Committee, I
designed a comprehensive DPO Body of Knowledge & Skills to help future DPOs acquire the
required expertise and competencies. See also www.certifieddataprotectionofficers.com.
On the other hand, this practical guidance is part of a strongly practice-based
implementation training (GDPR implementation management with sufficient attention to
the position of the DPO) which is suitable for everybody who deals with the GDPR
professionally or is interested in the GDPR for other reasons.
3. To some extent, the content of this book promotes a more substantive debate on the
professionalisation of the DPO in general and in the area of ‘fundamental rights and
freedoms’ in particular. The significance of this is also highlighted by the European
Data Protection Board, which states that ‘DPOs should be given the opportunity to stay
up to date with regard to developments within data protection. The aim should be to
constantly increase the level of expertise of DPOs and they should be encouraged to
participate in training courses on data protection…’. In the context of the continuous
learning needs of the DPO, this handbook hopes to contribute to the development of the
next levels of professional DPO maturity.
4. The practical approaches in this book are written as a ‘first impression’ of what
the role of the DPO could entail within the meaning of the GDPR, taking into account a
longitudinal study (almost three decades) of the phenomenon “private life” and many
years of experience as a DPO practitioner. Although the DPO as such is not a new
position in European data protection law, the present codification of the DPO in the
GDPR makes this “officer with a special mission” relatively new (explicitly
multidisciplinary), and the role still needs to gain the necessary experience. In my
view it could help to share existing knowledge, experience and practical insights with
the “DPO 3.0”.
5. Having a background as a seasoned DPO practitioner (see www.romeokadir.eu), it may
not come as a total surprise that in my opinion the context in which a DPO ought to
function deserves more attention: in the first place for the practising DPO, in the
second place for all stakeholders of a professionally performing DPO, and finally for
securing the fundamental rights to privacy (private life) and data protection as
important societal achievements of data subjects acting in multiple societal roles
(citizen, customer, consumer, client, patient, employee, parent etc.) in our civilised
societies and in the daily practice of every enterprise, institution or organisation.
Last but not least, a word of sincere thanks to all students, the many participants of
various DPO trainings, candidate DPOs, fellow DPOs, GDPR specialists, fellow professors
and others who contributed in their own way to intellectually sharpening the thoughts
on (voluntary) designation, positioning, tasks and the practical functioning of the
DPO. This book is also the result of this highly appreciated dynamic.
On behalf of the entire editorial team, we wish you an interesting DPO
learning experience.
Romeo F. Kadir
President of the EADPP CDPO Certification Academic Board
European Association Data Protection Professionals (EADPP)
Amsterdam (the Netherlands) | European Union | 2021


ABBREVIATIONS AND ACRONYMS
ARP Accountability and Reporting Plan
BCR Binding Corporate Rules
CB Certification body
CCTV Closed-circuit television
CETS Council of Europe Treaty Series
Charter Charter of Fundamental Rights of the European Union
CIS Customs Information System
CJEU Court of Justice of the European Union (prior to December 2009, European Court of Justice, ECJ)
CNIL Commission Nationale de l’Informatique et des Libertés (France)
CoE Council of Europe
Convention 108 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Council of Europe)
COSO Committee of Sponsoring Organizations of the Treadway Commission
CRM Customer relationship management
C-SIS Central Schengen Information System
DIT Data Inventory Template
DPA Data Protection Authority
DPIA Data Protection Impact Assessment
DPO Data Protection Officer
EADPP European Association of Data Protection Professionals
EAW European Arrest Warrant
EC European Community
ECHR European Convention on Human Rights
ECtHR European Court of Human Rights
EDPB European Data Protection Board
EDPS European Data Protection Supervisor
EEA European Economic Area
EFSA European Food Safety Authority
EFTA European Free Trade Association
EIPACC European Institute for Privacy, Audit, Compliance & Certification
ENISA European Union Agency for Network and Information Security (since 2019 the European Union Agency for Cybersecurity)
ENU Europol National Unit
EP EuroPrivacy (Seal)
EPPO European Public Prosecutor’s Office
ESMA European Securities and Markets Authority
eTEN Trans-European Telecommunication Networks
EU European Union
EU-LISA EU Agency for the Operational Management of Large-Scale IT Systems
EuroPriSe European Privacy Seal
EuroPrivacy European Privacy Seal for Comprehensive GDPR Compliance
FRA European Union Agency for Fundamental Rights
GAT Gap Analysis Template
GDPR General Data Protection Regulation
GDPR-e General Data Protection Regulation e-learning
GIP GDPR Implementation Plan
GPS Global Positioning System
GRP GDPR Review Plan
GUP GDPR Update Plan
IAPP International Association of Privacy Professionals
ICCPR International Covenant on Civil and Political Rights
ICT Information and communications technology
IoT Internet of Things
ISMS Information Security Management System
ISO International Organization for Standardization
ISP Internet service provider
JSB Joint Supervisory Body
NGO Non-governmental organisation
N-SIS National Schengen Information System
OECD Organisation for Economic Co-operation and Development
OJ Official Journal (of the European Union)
PbD Privacy by Design
PDPF Personal Data Process Flow
PET Privacy Enhancing Technologies
PIA Privacy Impact Assessment
PII Personally Identifiable Information
PIN Personal identification number
PNR Passenger name record
PPEP Privacy Permanent Education Programme
PRIVACAD Privacy Academy (privacad.com)
PRIVAPEDIA Privacy and data protection Terms & Definitions (privapedia.com)
RIP Roadmap Inventory Plan
RUP Review and Update Plan
SCG Supervision Coordination Group
SEPA Single Euro Payments Area
SIS Schengen Information System
STIP Strategically Targeted Implementation (action) for Privacy compliance
SWIFT Society for Worldwide Interbank Financial Telecommunication
TEU Treaty on European Union
TFEU Treaty on the Functioning of the European Union
UDHR Universal Declaration of Human Rights
UN United Nations
VIS Visa Information System
VMS Vision, Mission and Strategy
WP29 Article 29 Working Party (predecessor of the European Data Protection Board)
Table of Contents
FOREWORD
ABBREVIATIONS AND ACRONYMS
CHAPTER 1
GENERAL INTRODUCTION
1.1 Introduction
1.2 Recognition of the DPO in the GDPR
1.3 Designating a DPO
1.3.1 Historical experiences with the functioning of the DPO
1.3.2 Mandatory designation in accordance with the GDPR
1.3.3 DPO of the processor
1.3.4 A DPO for multiple organisations
1.3.5 Operational aspects of the DPO appointment
1.3.6 Requirements of the DPO pursuant to the GDPR
1.3.7 The designation on a voluntary basis in accordance with the GDPR
CHAPTER 2
TASKS, POSITIONING AND PROFILE OF THE DPO
2.1 Legal tasks (GDPR)
2.2 Optional tasks
2.3 Task specific competencies
2.4 Positioning
2.4.1 Legal requirements of the DPO positioning under the GDPR
2.4.3 Positioning of the DPO as line of defence
2.4.4 Task-oriented (operational) positioning
2.5 Position profile of the DPO
2.5.1 Position analysis of the DPO
2.5.2 Position profile: positioning of the DPO
2.5.3 Position profile: profile of competencies
2.5.4 Recruitment and selection of the suitable DPO
CHAPTER 3
FRAMEWORK & STRUCTURE
3.1 Introduction
3.1.1 Work plan of the DPO
3.1.2 Drivers for a DPO work plan
3.1.3 Business case for a professional DPO work plan
3.1.4 DPO Work Plan Quadrant
3.2 Starting points for the framework and structure of the DPO work plan
3.2.1 GDPR Tasks of the DPO
3.2.2 Positioning in accordance with the GDPR
3.2.3 Multi-disciplinary perspectives
3.2.4 GDPR core themes of the DPO work plan
3.2.5 Ontology of the DPO work plan
3.2.6 Supported by necessary resources
3.2.7 Planning
3.3 Framework of the DPO work plan
3.3.1 Basic framework of a DPO work plan
3.3.2 Substantive requirements of the DPO work plan
3.3.3 Risk orientation in the DPO work plan
3.3.4 Scope of the DPO work plan
3.3.5 Success factors for a professional DPO work plan
3.4 Structure of a professional DPO work plan
3.4.1 Basic design the DPO work plan
3.4.2 Six strategic pillars of the professional DPO work plan
3.4.3 General Overview of a DPO Work Plan
3.5 DPO work plan infographic of DPO competencies & skills
CHAPTER 4
VISION, MISSION & STRATEGY (VMS)
4.1 Introduction
4.1.1 Vision, mission and strategy of a professional DPO work plan
4.1.2 Determining the vision of a professional DPO work plan
4.1.3 The mission of a professional DPO work plan
4.2 Stakeholders VMS of the DPO work plan
4.2.1 The European legislator and VMS of a DPO work plan
4.2.2 European Commission and VMS of a DPO work plan
4.2.3 The European Data Protection Supervisor (EDPS)
4.2.4 EDPB and VMS of a DPO work plan
4.2.5 Association of EU DPOs and VMS of the DPO work plan
4.2.6 Controller and VMS of the DPO work plan
4.2.7 Professional DPO and VMS of the DPO work plan
4.2.8 Internal stakeholders and VMS of the DPO work plan
CHAPTER 5
INVENTORY OF PROCESSING ACTIVITIES AND DPO WORK PLAN
5.1 Introduction
5.1.1 Definition of making an inventory
5.1.2. Ratio and goal of inventory
5.1.3 Personal data belong to the DNA of the organisation
5.1.4 Personal data and business intelligence
5.1.5 Making an Inventory of personal data in the GDPR
5.1.6 General GDPR privacy duty of care of the controller
5.1.7 Importance for the DPO of taking stock of personal data
5.1.8 Substantiation of data subject rights
5.1.9 Implementation trap of abstract privacy concepts
5.2 Inventory of personal data: goals and side effects
5.2.1 General goals of a GPDR Inventory
5.2.2 Side Effects of a GDPR Inventory
5.3 Inventory of personal data process steps
5.3.1 Step 1 | Determine the goal of the inventory
5.3.4 Step 4 | Identify sources of personal data
5.3.5 Step 5 | Complete the DIT
5.3.6 Personal Data Process Flow (PDPF)
5.3.7 Data quality management
5.3.8 Support by IT
5.4 Inventory of personal data
5.4.1 The reasoning behind an inventory plan
5.4.2 Roadmap of an inventory plan
5.4.3 Success factors for a good inventory plan
5.5. Role of the DPO and inventory of personal data
5.6 DPO Work Plan Table of Reference: GDPR inventory
CHAPTER 6
DPO WORK PLAN GDPR COMPLIANCE BASELINE AND GAP-ANALYSIS
6.1 Introduction
6.1.1 Definitions of a GDPR baseline and GDPR gap-analysis
6.1.2 Rationale of a GDPR baseline and GDPR gap-analysis
6.1.3 Goals and side effects of baseline and gap-analysis
6.1.4 Dream team for a GDPR baseline and gap-analysis
6.1.5 Management value of a GDPR baseline and gap-analysis
6.1.6 Parameters of the GDPR baseline and GDPR gap-analysis
6.1.7 Differences: GDPR baseline and a GDPR gap-analysis
6.1.8 Taxonomy of obligations pursuant to the GDPR
6.1.9 The interest of the DPO in a GDPR baseline and GDPR gap- analysis
6.1.10 Action scheme
6.2 GDPR baseline: process steps
6.2.1 Step 1: determine the goals of a GDPR baseline
6.2.2 Step 2: Determine the scope of the GDPR baseline
6.2.3 Step 3: Identify the components of the particular GDPR obligation(s)
6.2.4 Step 4: determine the relevant parameters per component
6.2.5 Step 5: determine whether the action is or is not carried out per parameter
6.2.6 Step 6: Total compliance values and compliance status
6.2.7 Record all steps in a well-structured accountability model
6.2.8 Use the knowledge and (IT) expertise present at the organisation
6.2.9 Issues of quality
6.2.10 GDPR baseline in perspective
6.3 GDPR gap-analysis: process steps
6.3.1 Logical process steps of a GDPR gap-analysis
6.3.3 Step 1: determine the goal(s) of the gap-analysis
6.3.4 Step 2: determine the scope of the GDPR gap-analysis
6.3.5 Step 3: compose the Gap Analysis Template (GAT)
6.3.6 Step 4: fill out the GDPR ambition level in the GAT
6.3.7 Step 5: specify the measures in the GAT
6.3.8 Step 6: fill out the actions (to be carried out) in the GAT
6.3.9 A clear GDPR implementation plan
6.3.10 GDPR gap-analysis and data governance
6.3.11 Organise knowledge and (IT) expertise
6.3.12 Ratio and intended effect of GDPR measures and actions
6.4 GDPR baseline and GDPR gap-analysis: roadmap
6.4.1 Why a roadmap for the GDPR baseline and GDPR gap-analysis?
6.4.2 Roadmap of a GDPR baseline and GDPR gap-analysis
6.5 Success factors for a GDPR baseline and GDPR gap-analysis
6.6 Role of the DPO in a GDPR baseline and gap-analysis
CHAPTER 7
GDPR IMPLEMENTATION AND DPO WORK PLAN
7.1 Introduction GDPR implementation plan
7.1.1 What is a GDPR implementation plan (GIP)?
7.1.2 Rationale of a GIP
7.1.3 Goals of a GIP
7.1.4 Scope of a GIP
7.1.5 Logical process steps of the GIP
7.1.6 Ideal team for a GIP
7.1.7 Management value of a GIP
7.1.8 The importance of a good GIP for the DPO
7.1.9 Action scheme
7.2 GIP: goals and side effects
7.2.1 General goals of a GIP
7.2.2 Side effects of a GIP
7.3 GIP: process steps
7.3.1 Step 1: compose a GDPR implementation team
7.3.2 Step 2: determine what has to be implemented
7.3.3. Step 3: define what has to be implemented
7.3.4 Step 4: design what has to be implemented
7.3.5 Step 5: check the proper functioning and effectiveness of the measures
7.3.6 Step 6: proof reports of the implemented GDPR measures
7.3.7 A clear GIP
7.3.8 Organise knowledge and (IT) expertise
7.4 GIP: Roadmap
7.4.1 Why a roadmap for the GIP?
7.4.2 Roadmap of a GIP
7.4.3 Success factors for a GIP
7.5 GIP: Role of the DPO
CHAPTER 8
REVIEW AND UPDATE OF A DPO WORK PLAN
8.1 Introduction GDPR review and update plan
8.1.1 What is a GDPR review and update plan (RUP)?
8.1.2 Ratio of a RUP
8.1.3 Goals of a RUP
8.1.4 Scope of a RUP
8.1.5 Logical process phases RUP
8.1.6 The ideal team for GDPR review and update
8.1.7 Management value of a RUP
8.1.8 Importance of the DPO for a good RUP
8.1.9 Action scheme
8.2 RUP: Goals and side effects
8.2.1 General goals of a RUP
8.2.2 Side effects of a RUP
8.3 GDPR review plan (GRP): Process steps
8.3.1 Step 1: compose a GDPR review team
8.3.2 Step 2: establish which GDPR components have to be reviewed
8.3.3 Step 3: define what has to be reviewed
8.3.4 Step 4: Establish the GDPR review criteria
8.3.5 Step 5: Perform the actual GDPR review
8.3.6 Step 6: Report on the actually performed GDPR review
8.3.7. A clear GDPR review plan (GRP)
8.3.8 Organise knowledge and expertise around review
8.4 GDPR Update plan (GUP): Process steps
8.4.1 Step 1: Compose a GDPR update team
8.4.2 Step 2: determine which GDPR measures/actions have to be updated
8.4.3 Step 3: Define what has to be updated
8.4.4 Step 4: Determine the GDPR update requirements
8.4.5 Step 5: perform the actual GDPR update
8.4.6 Step 6: Report on the actually performed GDPR update
8.4.7 A clear GUP
8.4.8 Organise knowledge and expertise around the GDPR update
8.5 GDPR review and update plan (RUP): roadmap
8.5.1 Why a roadmap for the RUP?
8.5.3 Success factors for the good performance of a RUP
8.6 GDPR review and update plan (RUP): role of the DPO
CHAPTER 9
GDPR ASSURANCE AND GDPR AUDIT IN THE DPO WORK PLAN
9.1 Introduction GDPR assurance and GDPR audit
9.1.1 What is GDPR assurance and GDPR audit
9.1.2 Ratio of GDPR assurance and GDPR audit
9.1.3 Objectives of GDPR assurance and GDPR audit
9.1.4 Scope of GDPR assurance and GDPR audit
9.1.5 Logical process phases of GDPR assurance and GDPR audit
9.1.6 Ideal teams for GDPR assurance and GDPR audits
9.1.7 Management value of GDPR assurance and GDPR audits
9.1.8 Importance of the DPO in GDPR assurance and GDPR audits
9.1.9 Action scheme
9.2 GDPR assurance and GDPR audits: objectives and side effects
9.2.1 General objectives of GDPR assurance and GDPR audits
9.3 GDPR Assurance: Process steps
9.3.1 Step 1: Compose a GDPR Assurance team
9.3.2 Step 2: Determine the subject of GDPR assurance
9.3.3 Step 3: Establish the scope of GDPR assurance
9.3.4 Step 4: Determine the applicable GDPR review criteria
9.3.5 Step 5: Perform the actual GDPR Assurance activities
9.3.6 Step 6: Report on the performed GDPR assurance activities
9.3.7 A clear GDPR Assurance plan
9.3.8 Organise knowledge and expertise around GDPR assurance
9.4 GDPR Assurance: Roadmap
9.4.1 Why a roadmap for GDPR assurance?
9.4.2 Roadmap GDPR assurance
9.4.3 Success factors for the proper performance of GDPR assurance
9.5 GDPR audit: Process steps
9.5.1 Step 1: Compose a GDPR audit team
9.5.2 Step 2: Determine the subject of the GDPR audit
9.5.4 Step 4: Determine the applicable GDPR audit criteria
9.5.5 Step 5: Perform the actual GDPR audit activities
9.5.6 Step 6: Report on the performed GDPR audit activities
9.5.7 A clear GDPR audit (action) plan
9.5.8 Organise knowledge and expertise around the GDPR audit
9.6 GDPR audit: Roadmap
9.6.1 Why a roadmap for GDPR audits?
9.6.2 Roadmap of the GDPR audit
9.6.3 Success factors for proper performance of GDPR audits
9.7 GDPR Assurance and GDPR Audits: the role of the DPO
CHAPTER 10
ACCOUNTABILITY AND REPORTING IN A DPO WORK PLAN
10.1 Introduction accountability and reporting in the GDPR
10.1.1 An Accountability and Reporting Plan (ARP)
10.1.2 Rationale of an ARP
10.1.3 Goals of an ARP
10.1.4 Scope of an ARP
10.1.5 Logical process phases of an Accountability and Reporting plan
10.1.6 Management value of an ARP
10.1.7 Importance of the DPO in an ARP
10.1.8 Action scheme
10.2 ARP: Goals and side effects
10.2.1 Main goals of an ARP
10.2.2 Side effects of an ARP
10.3 GDPR accountability and reporting: process steps
10.3.1 Step 1: Determine the subject of accountability reports
10.3.2 Step 2: Identify and approach the stakeholders of the DPO accountability report
10.3.3 Step 3: Determine the scope of the DPO accountability report
10.3.4 Step 4: Compose a first draft of the DPO accountability report
10.3.5 Step 5: Involve all GDPR stakeholders
10.3.6 Step 6: Compose the final version of the DPO accountability report
10.4 Accountability and reports: points of interest for the DPO
10.5 Table of reference DPO work plan: ARP
ANNEXURES
1. REGULATION (EU) 2016/679 [GDPR]
2. DIRECTIVE (EU) 2016/680 [CRIMINAL OFFENCES]
3. DIRECTIVE (EU) 2016/681 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
4. REGULATION (EU) 2018/1725 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
5. DECISION OF THE EUROPEAN DATA PROTECTION SUPERVISOR
6. WP 243 rev.01 Guidelines on Data Protection Officers (‘DPOs’), 5 April 2017
7. WP243 ANNEX - FREQUENTLY ASKED QUESTIONS
8. AEPD Certification scheme
9. CNIL DPO Certification
10. EADPP CDPO Certification Code of Conduct
11. EADPP CDPO Certification Mechanism (PPT)
12. LIST OF DPAs in the European Economic Area (EEA)

CHAPTER 1
GENERAL INTRODUCTION
1.1 Introduction
The GDPR, which became applicable on 25 May 2018, provides a modernised,
accountability-based compliance framework for data protection in Europe, which has a
direct bearing on the tasks and positioning of the Data Protection Officer (DPO). The
designation of a DPO, who for many organisations operates at the heart of this legal
framework and facilitates (amongst other things) compliance with the provisions of the
GDPR, is mandatory for certain controllers and processors (Article 37(1) GDPR). This is
the case for all public authorities and bodies (irrespective of what data they process,
with the exception of courts acting in their judicial capacity), and for other
organisations whose core activities consist of regular and systematic monitoring of
individuals on a large scale, or of processing special categories of personal data or
data relating to criminal convictions and offences on a large scale.
Even when the GDPR does not specifically require the appointment of a DPO,
organisations may find it useful to designate a DPO on a voluntary basis. The EDPB
encourages these voluntary (internal or external) efforts. Even back in 2010, the
Article 29 Working Party (WP29)[1], the predecessor of the European Data Protection
Board, had already pointed out, in the light of ‘Accountability as a driver for
effective implementation of data protection principles’, that any organisation could,
in addition to measures such as performing a DPIA, also consider the ‘appointment of
data protection officers’ in given cases.
The GDPR increasingly puts the (voluntary) appointment of the DPO on the
agenda of various enterprises and organisations. After the Dutch privacy
legislation came into force in September 2001, I was part of the initial board
that constituted the Dutch association of DPOs (NGFG), which acted as a
‘representative body’ of Dutch DPOs. As a newly designated Secretary of the
Board (acting Vice-President) of this brand-new association of data
protection officers, I was at an early stage confronted with the challenge of
‘DPO professionalism by design’, which became more of a challenge with the
entry into force of the GDPR as this added to the expectations of DPO
professionalism.
The legally enshrined function of the DPO is paramount in promoting the
factual guarantee of privacy and data protection in the daily policies and
daily operations of the organisation. The DPO fulfils an essential role as the
internal expert in the area of privacy and data protection for daily practice.
This constructive contribution to promoting factual protection is reinforced
by the vision of the European Data Protection Board that the DPO (or the
organisation) has to draw up a work plan, among other things to substantiate
the ‘necessary resources’ that the organisation has to provide.
Given the size and structure of the organisation, it may be necessary to set up
a DPO team (a DPO and his/her staff), according to the EDPB.[2] In such
cases, the internal structure of the team and the tasks and responsibilities of
each of its members should be clearly drawn up. Similarly, when the function
of the DPO is exercised by an external service provider, a team of individuals
working for that entity may effectively carry out the tasks of a DPO as a
team, under the responsibility of a designated lead contact for the client.
In light of the further professionalisation and increasing expertise of the
DPO, and the continuous training that is part of it, this practical guidance
for the DPO work plan focuses on a few core processes that are key in this
book (chapters 3 to 10). These are preceded by some general remarks in
chapter 1 and a short discussion of the tasks, positioning and professional
profile of the DPO in chapter 2. Of course, wherever the text mentions the
word ‘he’, it naturally also includes ‘she’ within its ambit.
For the sake of transparency, the DPO work plan framework discussed in this
handbook is structured along the lines of the following ten chapters.
Whereas the foundation of the DPO in the GDPR is laid out in chapter 1
and the tasks, positioning and profile of the DPO are elaborated in chapter 2,
the framework and structure of the DPO work plan is introduced in chapter 3
and detailed in the subsequent chapters (4-10).

1.2 Recognition of the DPO in the GDPR


The GDPR recognises the DPO as a key player in the new data governance
system and lays down certain conditions for his or her appointment,
positioning and tasks, according to the EDPB (WP29) in its guidelines on
DPOs.[3] The aim of these guidelines is to clarify the relevant provisions in
the GDPR in order to help controllers and processors to comply with the law,
and also to assist DPOs in their role. The guidelines also provide best practice
recommendations, building on the experience gained in some EU Member
States, such as in the area of a work plan for the DPO. Although the DPO
was mentioned in Directive 95/46[4], it was not made obligatory.
Nevertheless, several EU Member States have promoted the appointment of
the DPO in one way or another.
Before the adoption of the GDPR, the EDPB (WP29) repeatedly argued[5] that
the DPO is a ‘cornerstone of accountability’ and that appointing a DPO can
facilitate compliance and furthermore, become a competitive advantage for
businesses. In addition to facilitating compliance through the implementation
of accountability tools (such as facilitating or carrying out data protection
impact assessments and data protection audits), DPOs act as intermediaries
between relevant stakeholders (e.g. supervisory authorities, data subjects, and
business units within an organisation).

1.3 Designating a DPO


According to Article 37(1) GDPR, the controller and the processor shall
designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for
courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of
processing operations which, by virtue of their nature, their scope
and/or their purposes, require regular and systematic monitoring of
data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of
processing on a large scale of special categories of data pursuant to
Article 9 and personal data relating to criminal convictions and
offences referred to in Article 10 GDPR.

As to the designation of DPOs, Article 37(2) to (7) provides as follows.

2. A group of undertakings may appoint a single data protection
officer provided that a data protection officer is easily accessible
from each establishment.
3. Where the controller or the processor is a public authority or body,
a single data protection officer may be designated for several such
authorities or bodies, taking account of their organisational
structure and size.
4. In cases other than those referred to in paragraph 1, the controller
or processor or associations and other bodies representing
categories of controllers or processors may or, where required by
Union or Member State law shall, designate a data protection
officer. The data protection officer may act for such associations
and other bodies representing controllers or processors.
5. The data protection officer shall be designated on the basis of
professional qualities and, in particular, expert knowledge of data
protection law and practices and the ability to fulfil the tasks
referred to in Article 39.
6. The data protection officer may be a staff member of the
controller or processor or fulfil the tasks on the basis of a service
contract.
7. The controller or the processor shall publish the contact details
of the data protection officer and communicate them to the
supervisory authority.

1.3.1 Historical experiences with the functioning of the DPO


The construction of the DPO as an officer on a special mission who ‘monitors
compliance internally’ originates in German law. German law has
traditionally known a supervisory function within the corporation itself. In
Article 18(2) of Directive 95/46, this was translated into the possibility
for Member States, as an alternative to notification to a governmental
supervisory authority, to provide for notification to a supervisor appointed
by a controller or an organisation of controllers. Nevertheless, the
regulation of this institution in certain sectors was to a significant extent
connected to an already existing practice. These privacy officers[6] and
‘privacy commissions of supervision’ were operating in a number of
organisations. In practice, there have been positive experiences with such
officers and commissions. Within an enterprise, organisation, industry or
public sector, the DPO soon turned into an oracle for the employees.

The choice in European data protection law to provide for the designation of
a data protection officer (DPO) was inspired by German law. The first
difference between, for example, Dutch law and the German regulation was
that pursuant to Dutch law the designation of a DPO was mandatory. A
controller that did not designate an officer fell automatically under
public-law supervision. It also had to notify the non-exempted data
processing operations there. If the controller decided to designate an
officer, the Dutch supervisory authority had to be notified of this
designation. In that case public-law supervision of the controller could be
reduced to supervision of the DPO’s task performance. The second
difference from German law was that an officer could also be appointed for a
group of enterprises or organisations. This could lead to the introduction of
an institution for a whole industry which, if there was a code of conduct,
could supervise compliance with that code. This officer was not meant as an
extension of the governmental supervisory authority, nor was he seen as a
whistle-blower.[7]

1.3.2 Mandatory designation in accordance with the GDPR


The obligation to designate a DPO is connected to two categories of
situations mentioned in the GDPR.
1. Conditions as mentioned in Article 37(1) of the GDPR. The following
three conditions are listed (and elaborated upon below):
a. the processing is carried out by a public authority or body, except for
courts acting in their judicial capacity;[8]
b. the core activities[9] of the controller or the processor consist of
processing operations which, by virtue of their nature, their scope and/or
their purposes, require regular and systematic monitoring of data subjects
on a large scale;
c. the core activities of the controller or the processor consist of processing
on a large scale of special categories of data pursuant to Article 9 and
personal data relating to criminal convictions and offences referred to in
Article 10.
2. Situations as mentioned in Article 37(4) of the GDPR. The controller or
processor or associations and other bodies representing categories of
controllers or processors may or, where required by Union or Member State
law shall, designate a data protection officer. The data protection officer may
act for such associations and other bodies representing controllers or
processors.

1.3.2.1 Public authority or body


The GDPR itself does not indicate what the defining elements of a ‘public
authority or body’ are. The EDPB (WP29)[10] considers that such a notion is
to be determined under national law. Accordingly, public authorities and
bodies include national, regional and local authorities, but the concept, under
the applicable national laws, typically also includes a range of other bodies
governed by national public law.[11] In such cases, the designation of a DPO is
mandatory.
A public task may be carried out, and public authority may be exercised not
only by public authorities or bodies but also by other natural or legal persons
governed by public or private law (in regulated sectors from each Member
State) such as public transport services, water and energy supply, road
infrastructure, public service broadcasting, public housing or disciplinary
bodies for regulated professions.
In these cases, data subjects may be in a very similar situation to when their
data are processed by a public authority or body. In particular, data can be
processed for similar purposes and individuals often have similarly little or
no choice over whether and how their data will be processed and may thus
require the additional protection that the designation of a DPO can bring.
Even though there is no obligation in such cases, the EDPB (WP29)[12]
recommends, as a good practice, that private organisations carrying out
public tasks or exercising public authority designate a DPO. Such a DPO’s
activity should also cover all processing operations carried out, including
those that are not related to the performance of a public task or exercise of
official duty (e.g. the management of an employee database).

1.3.2.2 Core activities

Recital 97 of the GDPR specifies that the core activities of a controller relate
to its ‘primary activities and do not relate to the processing of personal data
as ancillary activities’. ‘Core activities’ can be considered as the key
operations necessary to achieve the controller’s or processor’s goals.
According to EDPB (WP29)[13], however, ‘core activities’ should not be
interpreted as excluding activities where the processing of data forms an
inextricable part of the controller’s or processor’s activity. For example, the
core activity of a hospital is to provide health care. However, a hospital could
not provide healthcare safely and effectively without processing health data,
such as patients’ health records. Therefore, processing these data should,
according to EDPB (WP29), be considered to be one of any hospital’s core
activities and hospitals must therefore designate at least one DPO.
As another example, mentioned by EDPB (WP29), a private security
company carries out the surveillance of a number of private shopping centres
and public spaces. Surveillance is the core activity of the company, which in
turn is inextricably linked to the processing of personal data. Therefore, this
company must also designate a DPO.
On the other hand, all organisations carry out certain activities, for example,
paying their employees or having standard IT support activities. These are
necessary support functions for the organisation’s core activity or main
business. Even though these activities are necessary or essential, they are
usually considered ancillary functions rather than the core activity.

1.3.2.3 Large scale

Article 37(1)(b) and (c) require that the processing of personal data be carried
out on a large scale in order for the designation of a DPO to be triggered. The
GDPR however does not define what constitutes large scale.[14]
According to recital 91, ‘large-scale processing operations which aim to
process a considerable amount of personal data at regional, national or
supranational level and which could affect a large number of data subjects
and which are likely to result in a high risk’ would be included, in particular.
On the other hand, the recital specifically provides that ‘the processing of
personal data should not be considered to be on a large scale if the
processing concerns personal data from patients or clients by an individual
physician, other health care professional or lawyer’.
EDPB (WP29)[15] considers it important to note that, while the recital
provides examples at the extremes of the scale (processing by an individual
physician versus processing of the data of a whole country or across Europe),
there is a large grey zone in between these extremes. In addition, it should be
borne in mind that this recital refers to data protection impact assessments.
This implies that some elements might be specific to that context and do not
necessarily apply to the designation of DPOs in exactly the same way.
According to EDPB (WP29)[16], it is indeed not possible to give a precise
number either with regard to the amount of data processed or the number of
individuals concerned, which would be applicable in all situations. This does
not exclude the possibility, however, that over time, a standard practice may
develop, for specifying in objective, quantitative terms what constitutes
‘large scale’ in respect of certain types of common processing activities. The
EDPB (WP29) also plans to contribute to this development, by way of
sharing and publicising examples of the relevant thresholds for the
designation of a DPO.
In any event, the EDPB (WP29) recommends that in particular the following
factors be considered when determining whether the processing is carried out
on a large scale:

1. The number of data subjects concerned - either as a specific number
or as a proportion of the relevant population.
2. The volume of data and/or the range of different data items being
processed.
3. The duration, or permanence, of the data processing activity.
4. The geographical extent of the processing activity.
Examples of ‘large-scale processing’ provided by the EDPB (WP29)[17]
include:

1. Processing of patient data in the regular course of business by a
hospital.
2. Processing of travel data of individuals using a city’s public
transport system (e.g., tracking via travel cards).
3. Processing of real-time geo-location data of customers of an
international fast-food chain for statistical purposes by a processor
specialised in providing these services.
4. Processing of customer data in the regular course of business by an
insurance company or a bank.
5. Processing of personal data for behavioural advertising by a search
engine.
6. Processing of data (content, traffic, location) by telephone or
internet service providers.
The Dutch DPA has clarified the rule on large-scale processing for the
health care sector. For general practice centres and institutions for
specialist medical care other than hospitals, data processing occurs on a
large scale if the practice or institution has more than 10,000 registered
patients, or treats on average more than 10,000 patients per year, and the
patients’ data are kept in one information system.

The EDPB (WP29) also gives examples that do not constitute large-scale
processing:

1. Processing of patient data by an individual physician.
2. Processing of personal data relating to criminal convictions and
offences by an individual lawyer.

1.3.2.4 Regular and systematic monitoring


The notion of ‘regular and systematic monitoring’ of data subjects is not
defined in the GDPR, but the concept of ‘monitoring the behaviour of data
subjects’ is mentioned in recital 24 and clearly includes all forms of tracking
and profiling on the internet, including for the purposes of behavioural
advertising. In order to determine whether a processing activity can be
considered to monitor the behaviour of data subjects, it should be ascertained
whether natural persons are tracked on the internet including potential
subsequent use of personal data processing techniques which consist of
profiling a natural person, particularly in order to take decisions concerning
her or him or for analysing or predicting her or his personal preferences,
behaviours and attitudes, as recital 24 states. Note that Recital 24 focuses on
the extra-territorial application of the GDPR. In addition, there is also a
difference between the wording ‘monitoring their behaviour’ (Article 3(2)(b))
and ‘regular and systematic monitoring of data subjects’ (Article 37(1)(b))
which could therefore be seen as constituting a different notion.[18]
According to EDPB (WP29)[19], the notion of monitoring is not restricted to
the online environment, and online tracking should only be considered as one
example of monitoring the behaviour of data subjects.
EDPB (WP29)[20] interprets ‘regular’ as meaning one or more of the
following:
1. Ongoing or occurring at particular intervals for a particular period.
2. Recurring or repeated at fixed times.
3. Constantly or periodically taking place.
EDPB (WP29) interprets ‘systematic’ as meaning one or more of the
following.
1. Occurring according to a system.
2. Pre-arranged, organised or methodical.
3. Taking place as part of a general plan for data collection.
4. Carried out as part of a strategy.
EDPB (WP29)[21] sums up the following examples of activities that are
considered as regularly and systematically observing data subjects:
1. operating a telecommunications network.
2. providing telecommunications services.
3. email retargeting.
4. profiling and scoring for purposes of risk assessment (e.g. for purposes
of credit scoring, establishment of insurance premiums, fraud prevention,
detection of money-laundering).
5. location tracking, for example, by mobile apps.
6. loyalty programs.
7. behavioural advertising.
8. monitoring of wellness, fitness and health data via wearable devices.
9. closed circuit television.
10. connected devices e.g. smart meters, smart cars, home automation.

1.3.2.5 Special categories of data: criminal data


In accordance with Article 37(1)(c) of the GDPR, controllers and processors
shall designate a DPO when their core activities consist of processing on a
large scale of special categories of data pursuant to Article 9 and personal
data relating to criminal convictions and offences referred to in Article 10.
Article 37(1)(c) addresses the processing of special categories of data
pursuant to Article 9, and personal data relating to criminal convictions and
offences set out in Article 10. Although the provision uses the word ‘and’,
there is no policy reason for the two criteria having to be applied
simultaneously. The text should therefore be read to say ‘or’, according to the
EDPB (WP29).[22]
1.3.3 DPO of the processor
The criteria of Article 37 of the GDPR also apply to the designation of a DPO
by the processor. The processor is defined in Article 4(8) of the GDPR as a
natural or legal person, public authority, agency or other body which
processes personal data on behalf of the controller. Pursuant to Article 4(7),
the controller is defined as a natural or legal person, public authority,
agency or other body which, alone or jointly with others, determines the
purposes and means of the processing of personal data; where the purposes
and means of such processing are determined by Union or Member State law,
the controller or the specific criteria for its nomination may be provided for
by Union or Member State law.
Depending on who fulfils the criteria on mandatory designation, in some
cases only the controller or only the processor, in other cases both the
controller and its processor are required to appoint a DPO (who should then
cooperate with each other).
According to the EDPB (WP29)[23], it is important to highlight that even if the
controller fulfils the criteria for mandatory designation its processor is not
necessarily required to appoint a DPO. This may, however, be a good
practice. The EDPB (WP29) gives the following examples.

1. A small family business active in the distribution of household
appliances in a single town uses the services of a processor whose
core activity is to provide website analytics services and assistance
with targeted advertising and marketing. The activities of the
family business and its customers do not generate processing of
data on a ‘large-scale’, considering the small number of customers
and the relatively limited activities.
2. However, the activities of the processor, having many customers
like this small enterprise, taken together, are carrying out large-
scale processing. The processor must therefore designate a DPO
under Article 37(1)(b). At the same time, the family business itself
is not under an obligation to designate a DPO.
3. A medium-size tile manufacturing company subcontracts its
occupational health services to an external processor, which has a
large number of similar clients. The processor shall designate a
DPO under Article 37(1)(c) provided that the processing is on a
large scale. However, the manufacturer is not necessarily under an
obligation to designate a DPO.
4. The DPO designated by a processor should also oversee activities
carried out by the processor organisation when acting as a data
controller in its own right (e.g. HR, IT, logistics).

1.3.4 A DPO for multiple organisations


Article 37 (2) allows a group of undertakings to designate a single DPO
provided that he or she is easily accessible from each establishment. In order
to ensure that the DPO, whether internal or external, is accessible it is
important to ensure that their contact details are available in accordance with
the requirements of the GDPR.[24] The notion of accessibility refers,
according to the EDPB (WP29)[25], to the tasks of the DPO as a contact point
with respect to:

1. The data subjects: see Article 38(4). Data subjects may contact
the data protection officer with regard to all issues related to
processing of their personal data and to the exercise of their
rights under this Regulation.
2. The supervisory authority: see Article 39(1)(e). The DPO
acts as a contact point for the supervisory authority on issues
relating to processing, including the prior consultation referred
to in Article 36 and to consult, where appropriate, with regard
to any other matter.
3. Internally within the organisation: considering that one of the
tasks of the DPO is ‘to inform[26] and advise the controller and
the processor and the employees who carry out processing of
their obligations pursuant to this Regulation’ (Art. 39(1)(a)).

1.3.4.1 Support by a DPO team

It may be necessary to set up a DPO team, according to the EDPB (WP29)[27];
all members of the team must be in a position to efficiently communicate
with data subjects and cooperate with the supervisory authorities concerned
(Art. 39(1)(d) GDPR). This also means that this communication must take
place in the language or languages used by the supervisory authorities and the
data subjects concerned. The personal availability of a DPO (whether
physically on the same premises as employees, via a hotline or other secure
means of communication) is essential to ensure that data subjects will be able
to actually contact the DPO.

1.3.4.2 A DPO for several public authorities or bodies

Based on Article 37(3) of the GDPR, a single DPO may be designated for
several public authorities or bodies, taking account of their organisational
structure and size. The same considerations with regard to resources and
communication apply.
Since the DPO is in charge of a variety of tasks, the controller or the
processor must ensure that a single DPO, with the help of a team if
necessary, can perform these tasks efficiently despite being designated for
several public authorities and bodies, according to the EDPB (WP29).[28]

1.3.5 Operational aspects of the DPO appointment


Prior to the actual designation and formal notification of the DPA, it is
recommended, for reasons of transparency, that the processor or controller at
least pays attention to the following two operational aspects concerning the
proper functioning of the DPO.

1. Accessibility and localisation of the DPO[29]

To ensure that – in compliance with Section 4 of the GDPR – the DPO
is accessible, the EDPB (WP29)[30] recommends that the DPO should
be located within the European Union, whether or not the controller or
the processor is established in the European Union. However, it cannot
be excluded that, in some situations where the controller or the
processor has no establishment within the European Union[31], a DPO
may be able to carry out his or her activities more effectively if located
outside the EU.

2. Publication and communication of the DPO’s contact details

Article 37(7) of the GDPR requires the controller or the processor to:
1. Publish the contact details of the DPO.
2. Communicate the contact details to the relevant supervisory
authorities.
The objective of these requirements is, according to the EDPB (WP29)[32], to
ensure that data subjects (both inside and outside of the organisation) as well
as the supervisory authorities can easily, directly and confidentially[33] contact
the DPO without having to contact another part of the organisation. It should
be noted that the DPO shall be bound by secrecy or confidentiality
concerning the performance of his or her tasks, in accordance with Union or
Member State law (Art. 38(5) GDPR).
The contact details of the DPO should include information allowing data
subjects and the supervisory authorities to reach the DPO in an easy way (a
postal address, a dedicated telephone number, and a dedicated e-mail
address).[34] When appropriate, for purposes of communications with the
public, other means of communications could also be provided, for example,
a dedicated hotline, or a dedicated contact form addressed to the DPO on the
organisation’s website.
Article 37(7) of the GDPR does not require that the published contact details
should include the name of the DPO. Whilst it may be a good practice to do
this, according to the EDPB (WP29)[35], it is for the controller and the DPO to
decide whether this is necessary or helpful in the particular circumstances.
As a matter of good practice, the EDPB (WP29) recommends that an
organisation informs the supervisory authority and its employees of the name
and contact details of the DPO. For example, the name and contact details of
the DPO could be published internally on the organisation’s intranet, in the
internal telephone directory, and on organisational charts. It should be noted
that Article 33(3)(b) GDPR, which describes the information that must be
provided to the supervisory authority and to the data subjects in case of a
personal data breach, unlike Article 37(7) GDPR, specifically also requires
the name (and not only the contact details) of the DPO to be communicated.

1.3.6 Requirements of the DPO pursuant to the GDPR


Article 37(5) GDPR states that the data protection officer shall be designated
on the basis of professional qualities and, in particular, expert knowledge of
data protection law and practices and the ability to fulfil the tasks referred to
in Article 39.

1.3.6.1 Professional qualities


Although Article 37(5) does not specify the professional qualities that should
be considered when designating the DPO, it is a relevant element that DPOs
should have expertise in national and European data protection laws and
practices and an in-depth understanding of the GDPR, according to the EDPB
(WP29).[36] It is also helpful if the supervisory authorities promote adequate
and regular training for DPOs.
The EDPB (WP29)[37] also notes that knowledge of the business sector and of
the organisation of the controller is useful. The DPO should also have
sufficient understanding of the processing operations carried out, as well as
the information systems, and data security and data protection needs of the
controller. In the case of a public authority or body, the DPO should also
have a sound knowledge of the administrative rules and procedures of the
organisation.

1.3.6.2 Expertise in the field of legislation


The required level of expertise is not strictly defined – according to the
EDPB (WP29)[38] – but it must be commensurate with the sensitivity,
complexity and amount of data and organisational processes. For example,
where a data processing activity is particularly complex, or where a large
amount of sensitive data is involved, the DPO may need a higher level of
expertise and support.
According to the EDPB (WP29)[39], there is also a difference depending on
whether the organisation systematically transfers personal data outside the
European Union or whether such transfers are occasional. The DPO should
thus be chosen carefully, with due regard to the data protection issues that
arise within the organisation.
Recital 97 explicitly states that the necessary level of expert knowledge
should be determined according to the data processing operations carried out
and the protection required for the personal data being processed. Concerning
the requirement of having sufficient knowledge, Zwenne[40] observes that the
Dutch DPA also has a role in this respect. In the light of monitoring
compliance with the obligation to designate a DPO, the supervisory
authority can demand proof that the DPO has obtained, or will shortly
obtain, the required expertise (and professional qualities), according to
Zwenne. Zwenne also thinks it is conceivable that the supervisory authority
would attach significance to verification by a professional (representative)
body or association.

1.3.6.3 Expertise concerning the data protection practice


Guidance on the implementation of appropriate measures and on the
demonstration of compliance by the controller or the processor, especially
with regard to the identification of the risks related to the processing, their
assessment in terms of origin, nature, likelihood and severity, and the
identification of best practices to mitigate the risk, could be provided in
particular by means of approved codes of conduct, approved certifications,
guidelines provided by the Board or indications provided by a data protection
officer. The EDPB may also issue guidelines on processing operations that
are considered to be unlikely to result in a high risk to the rights and
freedoms of natural persons and indicate what measures may be sufficient in
such cases to address such risk, according to recital 77 of the GDPR.
Recall Article 39(2) GDPR, which provides that the DPO shall, in the
performance of his or her tasks, have due regard to the risks associated with
processing operations, taking into account the nature, scope, context and
purposes of processing.

1.3.6.4 Ability to fulfil the following tasks (as mentioned in Article 39 of
the GDPR)

Ability to fulfil the tasks incumbent on the DPO should be interpreted as both
referring to their personal qualities and knowledge, but also to their position
within the organisation, as stated by the EDPB (WP29).[41]
Personal qualities should include for instance integrity and high professional
ethics. The DPO’s primary concern should be enabling compliance with the
GDPR. The DPO plays a key role in fostering a data protection culture within
the organisation and helps to implement essential elements of the GDPR,
such as the principles of data processing,[42] data subjects’ rights, data
protection by design and by default, records of processing activities, security
of processing, and notification and communication of data breaches.
These personal qualities are brought to bear in performing the following tasks
of the DPO pursuant to Article 39.

1. To inform and advise the controller or the processor and the
employees who carry out processing of their obligations pursuant to
this Regulation and to other Union or Member State data protection
provisions.
2. To monitor compliance with this Regulation, with other Union or
Member State data protection provisions and with the policies of
the controller or processor in relation to the protection of personal
data, including the assignment of responsibilities, awareness-raising
and training of staff involved in processing operations, and the
related audits.
3. To provide advice (where requested) as regards the data protection
impact assessment and monitor its performance pursuant to Article
35 GDPR.
4. To cooperate with the supervisory authority.
5. To act as the contact point for the supervisory authority on issues
relating to processing, including the prior consultation referred to in
Article 36, and to consult, where appropriate, with regard to any
other matter.
6. To have due regard to the risk associated with processing
operations, taking into account the nature, scope, context and
purposes of processing.
Article 38(3) of the GDPR can be added to this list:
7. Report directly to the highest management level of the controller or
the processor.

1.3.6.5 DPO on the basis of a service contract (external DPO)

The position of the DPO can also be exercised on the basis of a service
contract concluded with an individual or an organisation outside the
controller’s/processor’s organisation.
In the case of an external DPO, it is essential that each member of the
organisation exercising the functions of a DPO fulfils all relevant
requirements of Section 4 of the GDPR (e.g., it is essential that no one has a
conflict of interests), according to the EDPB (WP29).[43]
It is equally important that each such member be protected by the provisions
of the GDPR (e.g. no unfair termination of contractual services for activities
as a DPO but also no unfair dismissal of any individual member of the
organisation carrying out the DPO tasks). At the same time, individual skills
and strengths can be combined so that several individuals, working in a team,
may more efficiently serve their clients, according to EDPB (WP29).[44]
For the sake of legal clarity and good organisation, the EDPB (WP29)
recommends a clear allocation of tasks within the DPO team and advises
assigning a single individual as lead contact person ‘in charge’ of each
client. In general, it is also useful to specify these points in the relevant
service agreement.
1.3.7 The designation on a voluntary basis in accordance with the GDPR
Articles 37(1) and 37(4) GDPR specifically describe the conditions leading to
a mandatory designation of the DPO. It follows that there are also situations
in which a DPO is designated on a non-mandatory (voluntary) basis. Taking
its own considerations into account, an organisation can decide to designate
a DPO even if this is not mandatory.
In case of an optional designation, according to the EDPB (WP29),[45] the
following considerations should be taken into account.

1. The EDPB (WP29) recommends that controllers and processors
document the internal analysis carried out to determine whether or
not a DPO is to be appointed, in order to be able to demonstrate that
the relevant factors have been taken into account properly. This
analysis is part of the documentation under the accountability
principle. It may be required by the supervisory authority and
should be updated when necessary, for example if the controllers or
the processors undertake new activities or provide new services that
might fall within the cases listed in Article 37(1).
2. When an organisation designates a DPO on a voluntary basis, the
same requirements under Articles 37 to 39 will apply to his or her
designation, position and tasks as if the designation had been
mandatory.
3. This does not prevent an organisation, which does not wish to
designate a DPO on a voluntary basis and is not legally required to
designate a DPO, to nevertheless employ staff or outside
consultants with tasks relating to the protection of personal data. In
this case it is important to ensure that there is no confusion
regarding their title, status, position and tasks. Therefore, it should
be made clear, in any communications within the company, as well
as with data protection authorities, data subjects, and the public at
large, that the title of this individual or consultant is not a ‘DPO’.
This is also relevant for chief privacy officers (CPOs) or other
privacy professionals already in place today in some companies,
who may not always meet the GDPR criteria, for instance, in terms
of available resources or guarantees for independence, and
therefore, cannot be considered and referred to as DPOs.[46]
4. The DPO, whether mandatory or voluntary, is designated for all the
processing operations carried out by the controller or the processor.

CHAPTER 2
TASKS, POSITIONING AND PROFILE OF THE DPO
2.1 Legal tasks (GDPR)
A number of mandatory legal tasks have been explicitly stated in the GDPR,
from which the key position of the DPO can be inferred. Next to these legal
tasks, a DPO may fulfil other tasks and duties, whereby the controller or
processor shall ensure that any such tasks and duties do not result in a
conflict of interests (Article 38(6)). Recital 97 specifies that the DPO ‘should
assist the controller or processor to monitor internal compliance with this
Regulation’. Prior to the GDPR, it was much debated which tasks should be
considered part of the function of the DPO. A division can be made between a
number of legal tasks on the one hand and conditionally accepted optional
tasks on the other. Conditional, because as per Article 38(6) the DPO may
only fulfil other tasks and duties under the condition that the controller or
processor ensures that any such tasks and duties do not result in any conflict
of interests.
According to Article 39(1) of the GDPR, the DPO shall have at least the
following tasks:

1. To inform and advise.
2. To monitor compliance.
3. To provide advice.
4. To cooperate.
5. To act as contact point.

Ad 1
To inform and advise the controller or the processor and the employees who
carry out processing of their obligations pursuant to this Regulation and to
other Union or Member State data protection provisions. Where appropriate,
the controller or processor could develop data protection guidelines or
programmes that set out when the DPO must be consulted.[47]

Ad 2
To monitor compliance with this Regulation, with other Union or Member
State data protection provisions and with policies of the controller or
processor in relation to the protection of personal data, including the
assignment of responsibilities, awareness-raising and training of staff
involved in processing operations and related audits.
As part of these duties to monitor compliance, DPOs may, in particular,
collect information to identify processing activities, analyse and check the
compliance of processing activities, and inform, advise and issue
recommendations to the controller or the processor.
Monitoring of compliance does not mean that it is the DPO who is personally
responsible for non-compliance. The GDPR makes it clear that it is the
controller, not the DPO, who is required to ‘implement appropriate technical
and organisational measures to ensure and to be able to demonstrate that
processing is performed in accordance with this Regulation’ (Article 24(1)).
Data protection compliance is a corporate responsibility of the data
controller, not of the DPO, according to the EDPB (WP29).[48]

Ad 3
To provide advice (where requested) concerning the data protection impact
assessment and monitor its performance pursuant to Article 35 of the GDPR.
According to Article 35(1), it is the task of the controller, not of the DPO, to
carry out, when necessary, a DPIA. However, the DPO can play a very
important and useful role in assisting the controller. Following the principle
of data protection by design, Article 35(2) specifically requires that the
controller ‘shall seek advice’ of the DPO when carrying out a DPIA. Article
39(1)(c) GDPR, in turn, tasks the DPO with the duty to ‘provide advice
where requested as regards the [DPIA] and monitor its performance’.
The EDPB (WP29)[49] recommends that the controller should seek the advice
of the DPO, on the following issues, amongst others:

1. Whether or not to carry out a DPIA.
2. What methodology to follow when carrying out a DPIA.
3. Whether to carry out the DPIA in-house or whether to outsource it.
4. What safeguards (including technical and organisational measures)
to apply to mitigate any risks to the rights and interests of the data
subjects.
5. Whether or not the data protection impact assessment has been
correctly carried out.
6. Whether its conclusions (to go ahead or not with the processing and
what safeguards to apply) are in compliance with the GDPR.
If the controller disagrees with the advice provided by the DPO, the DPIA
documentation should specifically justify in writing why the advice has not
been taken into account.[50]
The EDPB (WP29) further recommends that the controller clearly outlines,
for example in the DPO’s contract, but also in information provided to
employees, management (and other stakeholders, where relevant), the precise
tasks of the DPO and their scope, in particular with respect to carrying out the
DPIA.

Ad 4
To cooperate with the supervisory authority. The DPO cooperates with the
competent supervisory authorities with regard to any action taken to ensure
compliance with the GDPR.[51]

Ad 5
To act as the contact point for the supervisory authority on issues relating to
processing, including prior consultation referred to in Article 36, and to
consult, where appropriate, with regard to any other matter.
Pursuant to the EDPB (WP29)[52], the DPO acts as a contact point to facilitate
access by the supervisory authority to the documents and information for the
performance of the tasks mentioned in Article 57, as well as for the exercise
of its investigative, corrective, authorisation, and advisory powers mentioned
in Article 58. The DPO is bound by secrecy or confidentiality concerning the
performance of his or her tasks, in accordance with Union or Member State
law (Article 38(5)). However, the obligation of secrecy/confidentiality does
not prohibit the DPO from contacting and seeking advice from the
supervisory authority, according to the EDPB (WP29).[53]
In accordance with the second paragraph of Article 39 GDPR, the DPO shall
in the performance of his/her tasks have due regard to the risk associated with
processing operations, taking into account the nature, scope, context and
purposes of processing. According to the EDPB (WP29)[54], this article recalls
a general and common-sense principle, which may be relevant for many
aspects of a DPO’s day-to-day work. In essence, it requires DPOs to
prioritise their activities and focus their efforts on issues that present higher
data protection risks. This does not mean that they should neglect monitoring
compliance of data processing operations that have a comparatively lower
level of risk, but it does indicate that they should focus, primarily, on the higher-
risk areas.
This selective and pragmatic approach should help DPOs (in the view of the
EDPB (WP29)) advise the controller what methodology to use when carrying
out a DPIA, which areas should be subject to an internal or external data
protection audit, which internal training activities to provide to staff or
management responsible for data processing activities, and which processing
operations to devote more of his or her time and resources to.

Pursuant to Article 38 of the GDPR, the following tasks can be added to the
above-mentioned tasks:

1. Directly report to the highest management level of the controller or
the processor (Art. 38(3) GDPR).
2. Act as a contact point for data subjects. Data subjects may contact
the data protection officer with regard to all issues related to
processing of their personal data and to the exercise of their rights
under this Regulation (Art. 38(4) GDPR).

2.2 Optional tasks

Pursuant to Article 38(6) GDPR a number of optional tasks are imaginable
(depending on the specific organisation), among which the following:
1. To promote awareness.
2. To promote permanent education.
3. To handle complaints.
4. To handle incidents.
5. To act as confidential adviser.
6. To make an inventory of data processes.
7. To develop norms.
8. To advise on technology and security of personal data.
9. To provide information.
10. To perform supervisory related privacy-audits.[55]

The GDPR in principle allows the data protection officer to fulfil other tasks
and duties. The controller or processor shall ensure that any such tasks and
duties do not result in a conflict of interests, in accordance with Article 38(6)
GDPR. In general, there is a conflict of interests when the other task or duty
of the DPO has direct or indirect consequences for the adequate performance
of the legal tasks of the DPO.
The EDPB (WP29)[56] rightly points out that in practice DPOs often create
inventories and hold a register of processing operations based on information
provided to them by the various departments in their organisation responsible
for the processing of personal data. This practice has been established under
many current national laws and under the data protection rules applicable to
the EU institutions and bodies.[57]
Article 39(1) provides for a list of tasks that the DPO must perform as a legal
minimum. Therefore, nothing prevents the controller or the processor from
assigning the DPO with the task of maintaining the record of processing
operations, as stated in Article 30 GDPR, under the responsibility of the
controller or processor. Such a record should be considered as one of the
tools enabling the DPO to perform its tasks of monitoring compliance,
informing and advising the controller or the processor.
In any event, the record required to be kept under Article 30 GDPR should
also be seen as a tool allowing the controller and the supervisory authority,
upon request, to have an overview of all the personal data processing
activities that an organisation is carrying out. It is thus a prerequisite for
compliance, and as such, an effective accountability measure.

2.3 Task specific competencies

In order to exercise his or her monitoring task, the DPO should have access to
all systems where data might be processed. The DPO needs to have all
necessary resources for proper access to other internal services (departments),
such as Human Resources, legal, IT, security, (or services of similar nature)
in such a way that the DPO effectively gains access to and receives essential
support, input and information from those other services (departments), as
stated by the EDPB (WP29).[58]
If the DPO encounters irregularities, it follows from his or her task and
appointment that he or she reports such irregularities directly to the controller
or the organisation for which he or she is appointed. The DPO has an advisory
role towards the controller. The controller decides whether to follow the
advice of the DPO. The DPO is not obliged to report irregularities to the
DPA. However, the DPA can exercise its powers at all times, even when a
DPO is appointed within the organisation or industry.

2.4 Positioning

2.4.1 Legal requirements of the DPO positioning under the GDPR
With regard to the positioning of the DPO, Article 38 of the GDPR states the
following:

1. Involvement in a proper and timely manner.
2. Access to personal data and processing operations.
3. Resources to carry out tasks and maintain expert knowledge.
4. No instructions regarding the exercise of tasks.
5. No dismissal or penalty for performing the tasks.
6. Report directly to the highest management level.
7. Contact point with regard to all issues related to processing of
personal data.
8. Functional secrecy/confidentiality.
9. No conflict of interests in other tasks.
10. Designation of one single DPO for a group of undertakings is
possible, provided that the requirement of ‘ease of accessibility’ has
been fulfilled.
11. A single DPO for various public institutions can be appointed
according to their organisational structure and size.
Ad 1
Proper and timely involvement
The controller and the processor shall ensure that the data protection officer is
involved, properly and in a timely manner, in all issues which relate to the
protection of personal data (Art. 38(1) GDPR).
According to the EDPB (WP29)[59], it is crucial that the DPO, or their team, is
involved from the earliest stage possible in all issues relating to data
protection. In relation to data protection impact assessments, the GDPR
explicitly provides for the early involvement of the DPO and specifies that
the controller shall seek the advice of the DPO when carrying out such
impact assessments. Ensuring that the DPO is informed and consulted at the
outset will facilitate compliance with the GDPR, ensure a privacy by design
approach and should therefore be standard procedure within the
organisation’s governance.
In addition, it is important that the DPO can be considered a discussion
partner within the organisation and that he or she is part of the relevant
working groups dealing with data processing activities within the
organisation. Consequently, the organisation – in the view of the EDPB
(WP29)[60] – should ensure:

1. The DPO is invited to participate regularly in meetings of senior
and middle management.
2. The presence of the DPO is recommended where decisions with
data protection implications are taken. All relevant information
must be passed on to the DPO in a timely manner in order to allow
him or her to provide adequate advice.
3. The opinion of the DPO must always be given due weight. In case
of disagreement, the EDPB (WP29) recommends, as good practice,
to document the reasons for not following the DPO’s advice.
4. The DPO must be promptly consulted once a data breach or another
incident has occurred.

Ad 2
Access to personal data and processing operations
The controller and processor shall support the DPO in performing the tasks
referred to in Article 39 by providing access to personal data and processing
operations (Art. 38(2)).

Ad 3
Resources to carry out tasks and maintain expert knowledge
The controller and processor shall support the DPO in performing the tasks
referred to in Article 39 by providing resources necessary to carry out those
tasks and to maintain his or her expert knowledge (Art. 38(2)).
According to the EDPB (WP29)[61], the following items, in particular, are to
be considered:

1. Active support of the DPO’s function by senior management (such
as at board level).
2. Sufficient time for DPOs to fulfil their duties. This is particularly
important where the DPO is appointed on a part-time basis or
where the external DPO carries out data protection in addition to
other duties. Otherwise, conflicting priorities could result in the
DPO’s duties being neglected. Having sufficient time to devote to
the proper performance of DPO tasks is paramount. It is a good
practice to establish a percentage of time for the DPO function
where it is not performed on a full-time basis. It is also good
practice to determine the time needed to carry out the function, the
appropriate level of priority for DPO duties, and for the DPO (or
the organisation) to draw up a work plan.
3. Adequate support in terms of financial resources, infrastructure
(premises, facilities, equipment) and staff where appropriate.
4. Official communication of the designation of the DPO to all staff to
ensure that their existence and function is known within the
organisation.
5. Necessary access to other services/departments, such as Human
Resources, legal, IT, security, etc., so that DPOs can receive
essential support, input and information from those other
services/departments.
6. Continuous training. DPOs should be given the opportunity to stay
up to date with regard to relevant developments in the field of data
protection. The aim should be to constantly increase the level of
expertise of DPOs and they should be encouraged to participate in
training courses on data protection and other forms of professional
development, such as participation in privacy fora, workshops, etc.
7. Given the size and structure of the organisation, it may be
necessary to set up a DPO team (comprising a DPO and his/her
staff). In such cases, the internal structure of the team and the tasks
and responsibilities of each of its members should be clearly drawn
up. Similarly, when the function of the DPO is exercised by an
external service provider, a team of individuals working for that
entity may effectively carry out the tasks of a DPO as a team, under
the responsibility of a designated lead contact for the client.
In general, the more complex and/or sensitive the processing operations, the
more resources must be given to the DPO. The data protection function must
be effective and sufficiently well-resourced in relation to the data processing
being carried out.

Ad 4
No instructions regarding the exercise of tasks
The controller and processor shall ensure that the data protection officer does
not receive any instructions regarding the exercise of those tasks (Art. 38(3)).
This paragraph establishes some basic guarantees to help ensure that DPOs
are able to perform their tasks with a sufficient degree of autonomy within
their organisation. Moreover, DPOs, whether or not they are an employee of
the controller, should be in a position to perform their duties and tasks in an
independent manner.[62] According to the EDPB (WP29)[63], this means
that, in fulfilling their tasks under Article 39, DPOs must
not be instructed how to deal with a matter, for example, what result should
be achieved, how to investigate a complaint or whether to consult the
supervisory authority. Furthermore, they must not be instructed to take a
certain view of an issue related to data protection law, for example, a
particular interpretation of the law.
The autonomy of DPOs does not, however, mean that they have decision-
making powers extending beyond their tasks pursuant to Article 39 GDPR, as
stated by the EDPB (WP29). The controller or processor remains responsible
for compliance with data protection law and must be able to demonstrate
compliance (Article 5(2) GDPR). If the controller or processor makes
decisions that are incompatible with the GDPR and the DPO's advice, the
DPO should be given the opportunity to make his or her dissenting opinion
clear to the highest management level and those making the decisions. Article
38(3) GDPR provides that the DPO shall directly report to the highest
management level of the controller or the processor.
Such direct reporting ensures that the senior management (e.g. board of
directors) is aware of the DPO’s advice and recommendations as part of the
DPO’s mission to inform and advise the controller or the processor. Another
example of direct reporting is the drafting of an annual report of the DPO’s
activities provided to the highest management level.

Ad 5
No dismissal or penalty for performing the tasks
The DPO shall not be dismissed or penalised by the controller or the
processor for performing his tasks (Art. 38(3) GDPR).
Protection against dismissal and penalisation also strengthens the autonomy
of DPOs and helps to ensure that they act independently and enjoy sufficient
protection in performing their data protection tasks, as stated by the EDPB
(WP29).[64]
Penalties are only prohibited under the GDPR if they are imposed as a result
of the DPO carrying out their duties as a DPO. For example, a DPO may
consider that a particular processing is likely to result in a high risk and
advise the controller or the processor to carry out a data protection impact
assessment but the controller or the processor does not agree with the DPO’s
assessment. In such a situation, the DPO cannot be dismissed for providing
this advice.
Penalties may take a variety of forms and may be direct or indirect. They
could consist of, for example:
1. absence or delay of promotion.
2. prevention from career advancement.
3. denial from benefits that other employees receive.
It is not necessary that these penalties be actually carried out; a mere threat
is sufficient, as long as it is used to penalise the DPO on grounds related to
their DPO activities.
As a normal management rule and as it would be the case for any other
employee or contractor under, and subject to, applicable national contract or
labour and criminal law, a DPO could still be dismissed legitimately for
reasons other than for performing his or her tasks as a DPO (for instance, in
case of theft, physical, psychological or sexual harassment or similar gross
misconduct).
In this context it is noted by the EDPB (WP29) that the GDPR does not
specify how and when a DPO can be dismissed or replaced by another
person.
However, the more stable a DPO’s contract is, and the more guarantees are
built in against unfair dismissal, the more likely it is that they will be able to
act in an independent manner. Therefore, the EDPB (WP29) would welcome
efforts by organisations to this effect.

Ad 6
Directly report to the highest management level
The DPO shall directly report to the highest management level of the
controller or the processor (Art. 38(3)).

Ad 7
Contact point with regard to all issues related to processing of personal
data
Data subjects may contact the data protection officer with regard to all issues
related to processing of their personal data (Art. 38(4)).

Ad 8
Functional secrecy/confidentiality
The data protection officer shall be bound by secrecy or confidentiality
concerning the performance of his or her tasks, in accordance with Union or
Member State law (Art. 38(5)).

Ad 9
No conflict of interests in other tasks
The data protection officer may fulfil other tasks and duties. The controller or
processor shall ensure that any such tasks and duties do not result in a
conflict of interests (Art. 38(6)).
The EDPB (WP29)[65] considers that the absence of conflict of interests is closely
linked to the requirement to act in an independent manner. Although DPOs
are allowed to have other functions, they can only be entrusted with other
tasks and duties provided that these do not give rise to conflicts of interests.
This entails in particular that the DPO cannot hold a position within the
organisation that leads him or her to determine the purposes and the means of
the processing of personal data. Due to the specific organisational structure in
each organisation, this has to be considered case by case.
As a rule of thumb, conflicting positions within an organisation may include:

1. Senior management positions such as:

a. Chief executive.
b. Chief operating officer.
c. Chief financial officer.
d. Chief medical officer.
e. Head of marketing department.
f. Head of Human Resources.
g. Head of IT departments.[66]

2. Roles lower down in the organisational structure if such positions
or roles lead to the determination of purposes and means of
processing.
3. In addition, conflict of interests may also arise for example if an
external DPO is asked to represent the controller or processor
before the Courts in cases involving data protection issues.
Depending on the activities, size and structure of the organisation, the EDPB
(WP29)[67] thinks it can be good practice for controllers or processors to:

1. Identify the positions which would be incompatible with the
function of DPO.
2. Draw up internal rules to this effect in order to avoid conflicts of
interests.
3. Include a more general explanation about conflicts of interests.
4. Declare that their DPO has no conflict of interests with regard to its
function as a DPO, as a way of raising awareness of this
requirement.
5. Include safeguards in the internal rules of the organisation and to
ensure that the vacancy notice for the position of DPO or the
service contract is sufficiently precise and detailed in order to avoid
conflict of interests. In this context, it should also be borne in mind
that conflicts of interests may take various forms depending on
whether the DPO is recruited internally or externally.

Ad 10
If easily accessible, a DPO for a group of undertakings is possible
A group of undertakings may appoint a single data protection officer
provided that a data protection officer is easily accessible from each
establishment (Art. 37(2) GDPR).

Ad 11
A DPO for various public institutions with respect to the structure and size
Where the controller or the processor is a public authority or body, a single
data protection officer may be designated for several such authorities or
bodies, taking account of their organisational structure and size (Art. 37(3)
GDPR).

2.4.3 Positioning of the DPO as line of defence

To the extent that the DPO acts as a compliance officer vested with powers of
supervision over compliance with legal obligations, the question can be raised
as to the positioning of the DPO in terms of ‘Lines of Defence’. In the
compliance literature, the positioning of the independent (internal or external)
supervisor is described by the ‘Three Lines of Defence’ model, which is
more than just the structure of the organisation and the naming of roles. The
starting point of this model is that the responsible manager is responsible for
his or her own processes; this is the first line. Next to that, there has to be a
function that supports, advises, coordinates and monitors whether the first
line actually takes up its responsibilities. This is the second line. Certain
policy-preparatory tasks and the organisation of integral risk assessments are
also tasks of the second line. Finally, it is desirable that there is a function
within the organisation that monitors whether the interaction between the first
and second line operates smoothly and that is capable of forming an objective
and independent judgement. This function is the third line, which operates
completely separately from all other parts of the organisation. In general, the
following benefits of the ‘Lines of Defence’ model are mentioned:
1. An actual effective management of the risks of (privacy) non-compliance.
2. Lower compliance costs.
3. Efficient performance of audits, reviews, scans and such.
4. An unambiguous definition of privacy risks.
5. Better construction of (privacy) governance.
6. More transparency.
7. Strengthening of accountability for risk-management and internal control.
8. Strengthening of risk awareness.
It could be argued that there is only one line of defence, namely the
enterprise as a whole, represented by the business. This discussion should
not only be about the ‘order’ of the lines, but also about the desirable role
that every function within the company should fulfil. In this approach the
desirable role for compliance would be the protection of the ‘license to
operate’ of the enterprise (the controller in the sense of Article 4 GDPR).

2.4.4 Task-oriented (operational) positioning


With regard to the more operational aspects of the positioning of the DPO
within the organisation, the following can be derived from Article 38 of the
GDPR:

1. The controller and the processor shall ensure that the data
protection officer is involved, properly and in a timely manner, in
all issues which relate to the protection of personal data (Art. 38(1)
GDPR).
2. The controller and processor shall support the data protection
officer in performing the tasks referred to in Article 39 by
providing resources necessary to carry out those tasks and access to
personal data and processing operations, and to maintain his or her
expert knowledge (Art. 38(2) GDPR).
3. The controller and processor shall ensure that the data protection
officer does not receive any instructions regarding the exercise of
those tasks. He or she shall not be dismissed or penalised by the
controller or the processor for performing his tasks. The data
protection officer shall directly report to the highest management
level of the controller or the processor (Art. 38(3) GDPR).
4. Data subjects may contact the data protection officer with regard to
all issues related to processing of their personal data and to the
exercise of their rights under this Regulation (Art. 38(4) GDPR).
5. The data protection officer shall be bound by secrecy or
confidentiality concerning the performance of his or her tasks, in
accordance with Union or Member State law (Art. 38(5) GDPR).[68]
6. The data protection officer may fulfil other tasks and duties. The
controller or processor shall ensure that any such tasks and duties
do not result in a conflict of interests (Art. 38(6) GDPR).

2.5 Position profile of the DPO

2.5.1 Position analysis of the DPO

The first step in the development of a proper position (job) profile is making
a proper analysis of the position of the DPO (position analysis).[69] Position
analysis can be traced back to the earlier time and motion studies of the end
of the 19th and the beginning of the 20th century, that is, the period of
large-scale industrialisation. According to Smit[70], a position analysis can
be described as the systematic collection of function-related information, on
the one hand about the content of the position (tasks, roles, responsibilities
and competencies) and on the other hand about the requirements and
characteristics that are necessary to fulfil the position (knowledge, skills,
competences, abilities, personal and cognitive characteristics). While in
traditional methods of position analysis the position itself is the starting
point of the research, modern approaches, according to Smit[71], work according
to the following principles: outside-in and top-down. Starting from the
development of the environment, objectives for the organisation can be set.
These goals are elaborated into objectives or contributions of organisational
units (departments and teams), to eventually arrive at the level of the
position (category) and a description of tasks and/or roles. The final step is
then the translation into the requirements that are posed on the position
manager. The required capacities or characteristics are usually expressed as
criteria and as competencies of attitude. Traditionally, the position analysis
focuses on the individual position and position management. But, naturally, it
is also possible to analyse team assignments and team competences.
There are many options for taking function-related characteristics and
criteria into account. In practice, a number of position analysis methods and
instruments are used. An interview, often on the basis of a structured
questionnaire (see example) in which the most important subjects are
indicated, is frequently used. Although somewhat dated in the mainstream, the
following interview methods are explicitly mentioned by Smit (especially
having regard to the position of the DPO).

1. Position Analysis Questionnaire (PAQ) and the 360° model.
2. Critical Incidents Technique (CIT).
3. Repertory Grid.

Ad 1
Interview method Position Analysis Questionnaire (PAQ) and 360° model
The ‘Position Analysis Questionnaire’ of McCormick (1976) is beyond any
doubt the most famous one. The questionnaire consists of almost 200
questions with regard to position elements defined in terms of the required
behaviour. Information is usually collected through interviews with position
managers. Nowadays it is good practice to collect information according to
the 360° model. Next to the position manager himself, the supervisor, a
colleague position manager and a client (internal or external) constitute
various sources of information concerning the activities, results and
competences of the position. By taking various angles into account, a more
complete picture can be acquired.

Ad 2
Interview method Critical Incidents Technique (CIT)
Another frequently used method is the Critical Incidents Technique. Flanagan
already developed this method in 1954. The core of the method consists of
the collection of examples of behaviour in which the officer performs well
and in which he does not perform well. By means of interviews, using
behaviour-based techniques, one can get a sense of the qualities required in
important areas of the job. Questions that can be raised are, for example:

1. Describe a situation or occasion of under-performance and
out-performance.
2. What can be inferred from these situations?
3. Describe the context in which the occasion occurred.
4. What happened?
5. Who were involved?
6. What was expected of the DPO?
7. How did the DPO respond? According to which motive and
intention?
8. What was the result of this action?
9. How does one appreciate the result?
10. How does one appreciate the chosen action: effective/ineffective?

Ad 3
Interview method Repertory Grid
The interview method Repertory Grid of Kelly (1955) is similar but applies a
somewhat different approach. Supervisors are asked to indicate how a
successful employee distinguishes themselves from a less successful
employee. In order to get more insight in the requirements of the function of
the data protection officer, the following questions can be raised.
1. How does the difference between an effective and a less effective officer
show itself?
2. Imagine the best DPO. Why does he stand out?
3. In what fields should this DPO accomplish things to excel?
4. What is the simplest way for the DPO to inflict damage on the
organisation?
After these preliminary questions, one endeavours to get a clearer picture of
the desired behaviour through more detailed questions. Subsequently, a
connection is made with the requirements that an officer (DPO) ideally
should meet. In order to obtain a picture that is as complete as possible, it is
recommended to interview various informants who deal with the officer
(DPO) from various positions. A considerable number of collected critical
incidents form the basis for a classification into categories, in which the
analyst repeatedly consults the stakeholders in various phases to determine
whether he is on the right track. The resulting categories serve as a reference
point for deriving and determining the function requirements. Usually, this
determination of categories of behaviour and the derivation of the function
requirements take place in group meetings.
The above-mentioned methods mostly provide a description of the function
content and of the requirements in terms of education, experience etc.

2.5.2 Position profile: positioning of the DPO


With regard to the position of the DPO, the following is mentioned in Article
38 of the GDPR:

1. The controller and the processor shall ensure that the data
protection officer is involved, properly and in a timely manner, in
all issues which relate to the protection of personal data.
2. The controller and processor shall support the data protection
officer in performing the tasks referred to in Article 39 by
providing resources necessary to carry out those tasks and access to
personal data and processing operations, and to maintain his or her
expert knowledge.
3. The controller and processor shall ensure that the data protection
officer does not receive any instructions regarding the exercise of
those tasks. He or she shall not be dismissed or penalised by the
controller or the processor for performing his tasks. The data
protection officer shall directly report to the highest management
level of the controller or the processor.
4. Data subjects may contact the data protection officer with regard to
all issues related to processing of their personal data and to the
exercise of their rights under this Regulation.
5. The data protection officer shall be bound by secrecy or
confidentiality concerning the performance of his or her tasks, in
accordance with Union or Member State law.
6. The data protection officer may fulfil other tasks and duties. The
controller or processor shall ensure that any such tasks and duties
do not result in conflict of interests.

2.5.3 Position profile: profile of competencies


The recruitment and selection of capable DPOs is not easy. Especially since
the employer generally has no clear idea of which criteria the desirable
candidate should meet. In practice, it often happens that employers think of
the content of the function that does not necessarily correspond with the
content that the law and regulation envision, let alone the required
competencies for the functioning of the DPO.
It is human nature to intuitively pose all sorts of (realistic and unrealistic)
requirements on the functioning of another. In that sense we are all ‘intuitive
psychologists’, as Smit puts it, because the theoretical basis does not always
satisfy the requirements of scientific methodology.
Moreover, because the relevant laws and regulations in this regard do not
stand out for their clarity and sharpness, extra room is left for the intuitive
approach. Compare in this respect, for example, paragraph 2 of Article 39 of
the GDPR, which states that the DPO shall, in the performance of his/her
tasks, have due regard to the risk associated with processing operations,
taking into account the nature, scope, context and purposes of processing.
The competencies that are needed to accomplish this are not specified.

2.5.3.1 Integrity and credibility of the DPO


Integrity within the meaning of candour, honesty and trustworthiness (as a
historically and culturally determined ethical notion that is incorporated in
diverse professional standards) is an essential element of the credibility of
the functioning of key figures in any organisation. Whether it concerns DPOs,
confidential counsellors, consultants, accountants, solicitors or colleagues
with an exemplary position, it should be kept in mind, however, that the
concrete fulfilment of the term integrity can vary between different segments
of the company or organisation. In a way the integrity of the DPO can be
interpreted as the desirable social behaviour for the organisation concerned,
in which two complex factors are specifically relevant:

1. Integrity in the broad sense: Integrity is not always easily captured
ex ante (beforehand) in a general, unambiguous definition. In this
regard, however, the work of Van der Maesen de Sombreff[72] is
worth mentioning; he developed a method in which, with the help of
the beliefs and experience of diverse data subjects, it is illustrated
what integrity entails within a specific company or organisation and
which diverse aspects are relevant in that case.
2. Measurability of the lack of integrity: How does one measure
whether a (candidate) DPO maintains integrity or not? Even
apparently ‘evident cases of conflicting behaviour’, such as
having a criminal history (for example relating to a previous
conviction for reckless behaviour in traffic), do not necessarily
lead to the conclusion that the candidate DPO is not suitable for
the function of DPO. Whether or not a Legal Certificate of Conduct
can be obtained could be meaningful in this respect.

2.5.3.2 Emotional competence of the DPO


A valuable element in the functioning of the DPO is the degree to which
there is emotional competence. Emotional intelligence, emotional
competence and EIQ (Emotional Intelligence Quotient) are constructs used
within the selection process in the search for a suitable DPO. The intellectual
legacy of Goleman[73] is interesting in this sense. In his approach it is
considered key that, for good functioning, emotional intelligence is more
important than intellectual intelligence, which can be measured with
traditional IQ tests. In support of these claims, he refers to innumerable
testimonials from leading executives in the American business world.
Goleman acknowledges that emotional intelligence is relevant for the good
functioning of the DPO, but the question whether it has the significance
that Goleman intends is up for debate. If the DPO wants to function well, it
is evident that he/she has to deal with (sometimes challenging) social
situations. Every function entails interaction with other people. In the role
of inquirer, advisor and professional who monitors compliance with
GDPR obligations, various DPO-specific social competencies can be desired;
one could think of (not exclusively), for example:

Diplomatic performance.
Ability to deal with conflicts.
Independent positioning.
Empathic ability, having regard for the emotions of colleagues.
Affinity with a variety of aspects of the activities of colleagues (good
capacity for experience).
Being accessible for everybody within the organisation.
Patience and the capacity to listen.
Balanced personality.
Capacity to be objective and to remain at a distance from case specifics.
Readiness for introspection.
Readiness for accountability.
Being able to deal with the vulnerabilities and the solitude of the
function of the DPO.

2.5.3.3 Leadership of the DPO

It is undisputed, especially as far as the exemplary nature of the DPO's
position is concerned, that the function of the DPO requires a certain degree
of leadership. The line of thought concerning the leadership qualities and
leadership styles that belong to the DPO, however, has yet to evolve.
Concerning leadership in a general sense (with the goal of developing
assessments), considerable research has been carried out that could perhaps
give some guidance in acquiring the necessary insights, whether or not based
on the competency framework of Quinn.[74]
The model of Quinn describes eight management roles that are effective in
relation to a certain context. These roles are distinguished along the
dimension ‘internal orientation’ versus ‘external orientation’ and the
dimension ‘control’ versus ‘flexibility’, thus four quadrants that can be
visualised as follows.

2.5.3.4 Role matrix competencies of the DPO

In fulfilling their activities, the DPO takes on diverse roles (see hereafter also
paragraph 3.5, figure 3.18 Roadmap framework and structure DPO work
plan). From this role perspective, the tasks, goals or results to be
accomplished as DPO are related to the role (or roles) that the DPO should
ideally fulfil in a company (or organisation) as collaboration. The role of the
DPO fits in the development in which, within the framework of increasingly
dynamic functions, it is no longer sufficient to allocate activities, function
requirements and competencies in a tight (static) function description.[75] The
description of roles on a higher abstraction level comes towards the desire to
describe what is expected from the DPO. A role matrix perspective of the
DPO does not only encompass a set of activities and corresponding
competencies, but also envisions the core of what should be expected of the
DPO.
The language used for role descriptions usually has a visual and sometimes
metaphorical character, as a result of which the desired behaviour of the DPO
can be described in an effective manner. Moreover, role descriptions have a
more open character instead of a (restricted) enumeration of activities;
therefore, a margin of appreciation is left to the DPO himself.
A position analysis in terms of roles that could be relevant for the function of
the DPO was already elaborated by McLagan in 1989. Although this
position analysis was developed for the field of human resource development,
the approach followed, in which a picture is painted of the field in terms of
task fields, activities, guidelines for behaviour (ethics), roles and competences,
is also applicable to the DPO. Schematically, the development of this role
matrix of the function of the DPO (based on the extract of the role
competences matrix as enclosed in the ASTD report)[76] could look like this,
in the form of a table of reference, to provide an example.

2.5.3.5 Other means of profiling the function of the DPO


People develop theories about people. According to Verhoeven & Koch[77],
we are, as a matter of fact, all psychologists, intuitive psychologists admittedly,
because our ‘theory formation’ does not always develop according to the
strict rules prescribed by scientific methodology. Recruiters also have
various ideals, images and hypotheses in mind when thinking about the
characteristics of candidates that are related to their suitability for a function.

2.5.3.6 Biographical questionnaires


In the fifties of the 20th century, a lot of research was conducted on the
accuracy of clinical versus actuarial prediction. Clinical prediction means that
experts, on the basis of their own decision models, personal expertise, intuition
and experience, arrive at predictions of human behaviour. This could be, for
example, the chance that a candidate DPO would be successful in the
function for which he applied. In actuarial prediction the same questions are
answered, but by a computer that is programmed with rules composed on
the basis of statistically proven correlations between variables. The input
that the computer receives is partly biographical data (age, gender,
education level etc.), but also information derived from the results of
intelligence and personality tests. The earlier mentioned studies consistently
show that actuarial prediction is more accurate than the clinical judgement of
the expert, according to Smit.[78]
Where possible, such knowledge should be captured in expert systems. The
idea of the biographical questionnaire is precisely based on this principle. The
construction of such a list commences with eliciting the implicit models and
rules used by experts. These experts can be recruiters, managers, or the
people who fulfil the function themselves. Moreover, customers or colleagues
from other departments could provide valuable insights in some instances.
They all have ideas on how to differentiate between successful and less
successful officers, and on which variables this relates to. A first orientation
provides the constructor of the biographical questionnaire with a broad range
of insights. Certain subjects recur[79]:

1. Education level, area, institute.
2. Curriculum, school grades, school-awards and number of re-sits.
3. Work experience, domestic as well as abroad.
4. Work experience during studies.
5. Additional activities, such as volunteer work, board experience,
spare time activities.
6. Memberships (professional) associations.
7. Previous (sales)results.
8. Non-Professional results (fields such as sports and such).
9. Provider of income, civil status, family situation in which one is
brought up.
10. Areas of interest.

2.5.4 Recruitment and selection of the suitable DPO

On the basis of acquired information before-hand and datasets with regard to
a certain candidate, the recruiter could form an image of the future suitable
candidate for the function of DPO.
The recruiter who relies solely on his clinical judgement short-changes the
organisation, the applicant and, last but not least, himself. The use of some
simple tools can drastically improve the application procedure, according to
Smit.[80] In order to reduce the subjective influence of the recruiter/selector, it
can be concluded, by analogy with Smit, that adding structure and objective
instruments (like function-related profiles of competencies) increases the
chance of successfully selecting a suitable DPO.
During the selection interview, the STAR method[81] can promote an
objective, criterion-based discussion of previous behaviour. Both the
structure and the reliability of the assessment are thus enhanced. After all,
by consistently assessing (qualifying) the mentioned DPO competences
right after the job interview, objectivity is enhanced. Prediction templates
can also help the recruiter in assessing the candidate DPO.
On the basis of the results of personality tests and intelligence scores, a
relationship is established with the required competence. By using plusses
and minuses, the relationship between the predictor and the specific
competence required of the DPO can be visualised. An empty cell could
mean that there is no relationship.
Depending on the required competences of the DPO and the predictors
defined beforehand, a prediction template for a successful DPO could look
like the following.

CHAPTER 3
FRAMEWORK & STRUCTURE

3.1 Introduction
3.1.1 Work plan of the DPO
Although the DPO does not receive any instructions regarding the exercise of
his/her tasks, as per Article 38(3) of the GDPR, as far as task performance in
the sense of Article 39 is concerned, the DPO reports directly, pursuant to the
same Article 38(3) GDPR, to the highest management level of the controller
within the organisation (usually the president of the board or a fellow board
member with privacy and data protection in his portfolio). The GDPR,
however, does not elaborate any further on what ‘directly report’ exactly
entails. As far as this matter is concerned, the EDPB (WP29)[82] notes that
such direct reporting ensures that senior management (e.g. the board of
directors) is aware of the DPO’s advice and recommendations as part of the
DPO’s mission to inform and advise the controller or the processor. Another
example of direct reporting is the drafting of an annual report of the DPO’s
activities, provided to the highest management level.

Pending further guidelines concerning the requirements of the DPO’s work
plan, in light of the ratio and spirit of the GDPR it seems reasonable that the
DPO is supposed ‘to account for’ his/her tasks. But, to account for what? It
seems plausible that the DPO at least reports directly in the same way as the
DPO is used to doing in a professional capacity, interpreting the fulfilment of
tasks and roles within the meaning of Articles 37 to 39 GDPR.
Professional and qualitative fulfilment of the tasks and roles of the DPO
requires an underlying (and well thought out) work plan of the DPO.
A work plan of the DPO can be described (for example) as an internal
document (programme) that discusses in which way, and on the basis of
which considerations, the DPO fulfils his/her tasks and responsibilities within
his/her own organisation, as well as the underlying vision, mission and
strategy of the DPO’s work plan. In this work plan (tailored to the DPO's own
organisation), the DPO amongst others has the opportunity to show that the
following requirements of Article 37(5) GDPR (for the appointment of the
DPO) are de facto fulfilled.

1. Professional qualities.
2. Expertise in the area of legislation.
3. Expertise in the area of data protection practice.

3.1.2 Drivers for a DPO work plan


Just like any other professional, the DPO as envisaged by the GDPR is
assumed to aim for a ‘professional performance’ of important legal tasks,
duties and responsibilities. Without any doubt, the personal drivers of
individual DPOs will vary; however, in general it could be argued that the
following drivers can be distinguished.

1. Key positions and roles in data protection – especially those in
which a serious level of (regulated) independence is involved – are
accompanied by corresponding responsibilities which are implicitly
or explicitly accepted by professionals.
2. In taking up a leadership role, the DPO should be able to
elaborate, fulfil, frame and work on the basis of his own vision,
mission and strategy on privacy and data protection in a way that
inspires the daily practice of the organisation.
3. In pursuance of professional accountability for both the
substantive prioritisation and the financial expenditure of scarce
means (people and money), a DPO should maintain undisputed
(corporate) transparency standards. After all, pursuant to Article
38(2) of the GDPR the DPO could be regarded as entitled to
manage ‘an independent DPO budget’. In accordance with the
above-mentioned article, the controller and processor support the
DPO in performing his tasks referred to in Article 39 by providing
access to personal data and processing operations and the resources
necessary to carry out those tasks and to maintain his/her expert
knowledge.
4. Increasing the degree of acceptance: the DPO, who next to being a
colleague (often) also fulfils a special, legally based independent
task, is confronted with this dichotomy, amongst others in the area
of supervising compliance with privacy legislation and regulation
by colleagues. A well-established (and clearly communicated) DPO
work plan could reduce unnecessary misunderstandings and
contribute to increasing the acceptance of the DPO as a ‘colleague
on a special mission’.[83]
5. Applying knowledge and skills: the suitable DPO requires
sufficient knowledge and skills to fulfil the tasks referred to in
Article 39. According to the EDPB (WP29)[84] this means that the
DPO shall be designated on the basis of professional qualities and,
in particular, expert knowledge of data protection law, regulations
and (best) practices and the ability to professionally perform his/her
tasks.

The necessary level of expert knowledge should be determined in particular
in accordance with the data processing operations carried out and the
protection required for the personal data processed. For example, where a
data processing activity is particularly complex, or where a large amount of
sensitive data is involved, the DPO may need a higher level of expertise and
support. Possible relevant skills and expertise entail:

1. Expertise in national and European data protection laws and
practices and an in-depth understanding of the GDPR.
2. Insight into the processes carried out.
3. Understanding of information systems and data security.
4. Knowledge of the industry and the organisation.
5. Ability to promote a culture of data protection within the
organisation.
6. Making a careful balance of interests visible: a professional DPO is
expected to exercise the necessary diligence in the performance of
his/her tasks and responsibilities. Consequently, the DPO should,
in accordance with Art. 39(2) GDPR, have due regard in the
performance of his/her tasks to the risk associated with processing
operations, taking into account the nature, scope, context and
purposes of processing.

3.1.3 Business case for a professional DPO work plan


Next to the above-mentioned drivers for a good work plan (from the
perspective of the DPO as a professional), it is advisable to approach the
DPO work plan from a more business case perspective in which the costs and
benefits are centralised. Business case in this context means more objective
reasons to support a professional DPO work plan in which the benefits (or
justification) exceed the costs, while at the same time taking into account the
increase of the degree of acceptance within the organisation.

3.1.3.1 Benefits (justification)


Apart from the fact that appointing a DPO is mandatory under certain
circumstances, the fundamental question could be raised as to the added
value of the DPO and in particular the added value of a professional DPO
work plan.
What are the benefits (advantages, added value, favourable consequences) of
a professional work plan for the DPO himself as a professional on the one
hand and on the other hand for the organisation as a whole? Hereinafter ten
benefits are suggested and clarified for further consideration.

1. DPO tasks and process management.
2. Improve the synergy with other business units.
3. Secure the interests of stakeholders.
4. Good cooperation with the DPA.
5. Prudent reporting of audit results.
6. Risk and incidents administration.
7. Prevent restoration costs of privacy non-compliance.
8. Restrict accountability of suffered damage.
9. Reputational management.
10. Enrich an integral privacy corporate culture.
Ad 1
DPO tasks and process management
That knowledge plays an important role in modern organisations, and
sometimes even a crucial role in our society can be considered an important
finding of (amongst others) Mackenzie Owen.[85] Complex, fast changing
company processes impose high requirements on the knowledge level of the
organisation. Organisations are becoming more dependent on educated
employees, each with unique knowledge that cannot be replaced without
notice.
Given this context, it can be argued that the DPO, who in practice is often
appreciated as being a top expert within the organisation with unique
knowledge in the field of privacy and data protection, fulfils a number of
important tasks.
Drawing up of a professional work plan contributes to a professional
performance of legal tasks of the DPO. In general, the following benefits for
the DPO can be related to (work)process management improvement:

1. The DPO is capable of qualitatively better performance of
tasks.
2. The DPO is better equipped to substantiate the necessity of a specific
financial budget.
3. The DPO can organise himself in such a way that excessive
stress is avoided.
4. The DPO can deploy IT more efficiently to support (simplify)
its own AO/IC.
5. The DPO can accomplish more, with less support of (for
example HR).
6. The DPO reduces the chances of making errors.
7. The DPO can save time because of good process management.
8. The DPO responds quicker and more efficiently to changes in
processes.
9. The DPO can better serve internal stakeholders (colleagues, Works
Council etc.).
10. The DPO can better serve external stakeholders (DPA, data
subjects).

Ad 2
Improve the synergy with other business units
The continuity of primary business processes should ideally not be disturbed
as a result of the performance of DPO tasks, unless, of course, pressing issues
exist, in which case the necessary internal procedures and processes are
attended to in a correct manner. From this perspective of mutual dependency,
continuous monitoring of good cooperation and of the underlying processes
is key and should not suffer from financial constraints. Ergo, a good, timely
and qualitatively sound collaboration between the DPO on the one hand and
the management of primary company processes on the other hand could form
the basis for making sure that the professional performance of DPO tasks and
duties does not interfere with the continuity of primary company processes.

Ad 3
Secure the interests of stakeholders
A professional DPO work plan can benefit from the relationship with the
(internal and external) stakeholders when sufficient attention is being paid to
all interests concerned. The GDPR pays attention to the interests of a good
relationship with stakeholders in different contexts, such as the following.

1. Controller and processor. The controller and the processor shall
ensure that the data protection officer is involved, properly and in a
timely manner, in all issues which relate to the protection of
personal data.
2. Supervisory authority (DPA). Under Article 39(1)(d) GDPR, the DPO
cooperates with the supervisory authority as one of the minimum
mandatory tasks.
3. Data subjects. Data subjects may contact the DPO with regard to
all issues related to processing of their personal data and to the
exercise of their rights under the GDPR, according to Article 38(4).

Ad 4
Cooperating well with the Data Protection Authorities (DPA)
In the context of the performance of its tasks, the DPO is expected to
cooperate with the DPA as per Article 39(1)(d) of the GDPR, and the DPO
acts as the contact point for the DPA pursuant to Article 39(1)(e). What
this entails exactly is, for the time being, not completely clear,
although this relationship will without any doubt lead to further actions
of the DPO that deserve proper methodical and systematic attention.
According to the EDPB (WP29),[86] these tasks refer to the role of ‘facilitator’
of the DPO. The DPO acts as a contact point to facilitate access by the
supervisory authority to the documents and information for the performance
of the tasks mentioned in Article 57 GDPR, as well as for the exercise of its
investigative, corrective, authorisation, and advisory powers mentioned in
Article 58 GDPR. As already mentioned, the DPO is bound by secrecy or
confidentiality concerning the performance of his or her tasks, in accordance
with Union or Member State law (Article 38(5) GDPR).
The quality of the relationship between the DPO and the DPA is not without
interest. After all, the DPA acts in a reserved way with respect to
organisations where a DPO is monitoring compliance with data protection.[87]

Ad 5
Prudent reporting of audit results
A professional DPO work plan accounts for the findings of internal and
external audits, in the sense that sufficient attention is paid to possible
risks of GDPR non-compliance in the interest of the organisation itself.
Relating to that, the DPO could give independent internal advice, or
provide advice where requested, concerning Data Protection Impact
Assessments (DPIAs), and the importance of timely GDPR (follow-up) audits
could be emphasised.

The importance of this is, for instance, obvious in the case of data
breaches. Compliance with the duty to report data breaches should enjoy
special attention from the DPO, not only because data breaches could
(given specific circumstances) harm the good reputation of an
organisation, but also because a violation of this duty could be followed
by serious financial consequences (after all, a fine could – apart from
other GDPR possibilities of fines – extend to € 820.000 or even 10% of the
annual turnover). This fine (and sphere of accountability) requires the
professional DPO work plan to contribute effectively to this important
aspect of GDPR compliance.

Ad 6
Risk and incidents management
The concept of ‘risk’ plays a central role in the GDPR. With respect to the
enhancement of reputation management, a properly functioning incident
management process is indispensable. Risks and incidents could produce
important signals for the DPO about possible forms of non-compliance with
rights and obligations in the area of privacy and data protection. Paying
proper attention to risk and incident management as part of a professional
DPO work plan could therefore make important contributions to managing
risks and incidents in the area of privacy and data protection at
organisation level. This would have a direct effect in the context of fines
and penalty payments imposed by the DPA and would restrict claims for
consequential damages as a (direct or indirect) result of GDPR
non-compliance.
Some advantages for the organisation of proper attention to risk and incidents
management in the DPO work plan could be for example (depending on the
circumstance) the following:

1. Handle risks effectively and in a timely manner.
2. Connect to management actions.
3. Opening debates on risk acceptance.
4. Better provision of professional service by the organisation (better
customer experience).
5. Reducing the amount of management time needed to deal with minor
problems.
6. More internal focus on doing the right things well.
7. A better basis for determining strategies.
8. Obtaining competitive advantage.
9. A more efficient use of resources.
10. Lower recovery costs as a direct effect of non-compliance.

Ad 7
Prevent compliance recovery costs of privacy non-compliance
Research on the costs of non-compliance by the renowned Ponemon Institute
(also involving Chief Privacy Officers) shows that the (project) costs of
restoration, to get from non-compliance to compliance, can be considerable.
Ergo, this research concludes that ‘the cost of non-compliance can be more
expensive than investing initially in compliance activities’.[88] The
conclusion that follows is, ‘On average, non-compliance cost is 2.65 times
the cost of compliance…’
A good work plan could effectively contribute to preventing (or at least
reducing) reparation costs in case of non-compliance. However, these
benefits are difficult to quantify beforehand. The performance of a
thorough risk impact analysis on the specific company processes (where a
lot of personal data are processed) could paint a clear picture of the
benefits.

Figure 3.1 Ponemon Total compliance cost framework
Source: Ponemon Institute, The True Cost of Compliance (January 2011),
p. 23

Ad 8
Restrict accountability for damage suffered
According to recital 74 of the GDPR, the responsibility and liability of the
controller for any processing of personal data carried out by the controller or
on the controller's behalf should be established. The controller should be
obliged to implement appropriate and effective measures and be able to
demonstrate the compliance of processing activities with this Regulation,
including the effectiveness of the measures. Those measures should take into
account the nature, scope, context and purposes of the processing and the risk
to the rights and freedoms of natural persons.
The risk to the rights and freedoms of natural persons, of varying likelihood
and severity, may result from personal data processing which could lead to
physical, material or non-material damage, according to recital 75 of the
GDPR. A professional DPO work plan could (among other things) contribute
to a meaningful reduction of GDPR violations and, as a logical result of
that, also reduce the risk that data subjects exercise the right to claim
damages by invoking Article 82 GDPR. This article states, ‘Any person who
has suffered material or non-material damage as a result of an infringement
of this Regulation shall have the right to receive compensation from the
controller or processor for the damage suffered.’

Ad 9
Reputation management
To some extent, the DPO could be qualified as one of the guards of the
reputation of the organisation, in particular where the processing of data is at
stake, taking into account the DPO tasks of Article 39 of the GDPR.
Reputation in that sense could also be qualified as the judgment of the public
of the accountability of a person or enterprise in the long term. In a certain
sense the reputation of a company can be viewed as the sum of judgments on
various aspects of the functioning of the organisation and on various
moments, by various stakeholders. One could agree that this means that the
reputation fluctuates over time. In light of this, the prevention of large
fluctuations in the privacy and data protection reputation of the
organisation deserves and justifies an important place in a
well-thought-out (professional) DPO work plan. Good reputation
retrospectively creates a certain value for all relevant stakeholders.[89]

Ad 10
Enrichment of a corporate privacy integrity culture
A corporate privacy (and data protection) integrity culture directly influences
the achievements and therefore the results of an enterprise. A corporate
privacy integrity culture is therefore something to be taken seriously. What
does this mean in practice? The approach of the Dutch Central Bank (DNB)
provides interesting insights in this regard. DNB envisions a corporate
integrity culture as, ‘a sphere and climate in which one, besides complying
with legislation and regulation, also behaves and operates in a way that is
explainable and justifiable. A culture in which one operates according to the
spirit of the law.’[90] DNB distinguishes between the following seven
elements of a corporate integrity culture.

1. Balancing of interests equally: acknowledge and explicitly weigh all
relevant interests.
2. Operate consistently in line with the goals.
3. Negotiability: stimulating a positive critical attitude of employees
and giving space to discussions about decisions, other views,
mistakes and taboos.
4. Exemplary behaviour (tone at the top): good behaviour at the top
(personal integrity, among others preventing (a façade of) a conflict
of interests).
5. Feasibility: set realistic targets and remove perverse stimuli and
diversions.
6. Transparency: record and communicate goals and fundamental
choices to all stakeholders.
7. Non-compliance leads to consequences.

According to DNB, the most important pillars to achieve behavioural
integrity (within the meaning of taking accountability, justified behaviours
and operating according to the spirit of the law) are operating
(communicating) in a balanced way (the first element) and consistently (the
second element), while the other five elements form the core to achieve this.
A good DPO work plan also takes into account the above-mentioned seven
elements (especially considering their reasoning and spirit) as a basis for
a corporate privacy integrity culture of GDPR compliance within the
organisation. Accountability and justification of GDPR compliant behaviours
are important perspectives in this respect.
3.1.3.2 Costs

The costs of the DPO work plan should be part of a separately and
independently managed operational budget of the DPO. Pursuant to Article
38(2) of the GDPR, the DPO is supported by the controller (and processor) in
performing the tasks referred to in Article 39 GDPR by providing the
resources necessary to carry out those tasks and to maintain his or her
expert knowledge.
In general, the more complex and/or sensitive the processing operations, the
more resources must be allocated for the DPO. The data protection function
must be effective and sufficiently well-resourced in relation to the data
processing being carried out, according to the EDPB (WP29).[91] According
to the EDPB, the following items, in particular, are to be considered in the
debate concerning ‘necessary resources’ for the DPO:

1. Active support of the DPO’s function by senior management (such
as at board level).
2. Sufficient time for DPOs to fulfil their duties. This is particularly
important where the DPO is appointed on a part-time basis or where
the employee carries out data protection in addition to other duties.
Otherwise, conflicting priorities could result in the DPO’s duties
being neglected. Having sufficient time to devote to DPO tasks is
paramount. It is a good practice to establish a percentage of time for
the DPO function where it is not performed on a full-time basis. It is
also good practice to determine the time needed to carry out the
function, the appropriate level of priority for DPO duties, and for the
DPO (or the organisation) to draw up a work plan.
3. Adequate support in terms of financial resources, infrastructure
(premises, facilities, equipment) and staff where appropriate.
4. Official communication of the designation of the DPO to all staff to
ensure that their existence and function is known within the
organisation.
5. Necessary access to other services, such as Human Resources, legal,
IT, security, etc., so that DPOs can receive essential support, input
and information from those other services.
6. Continuous training. DPOs should be given the opportunity to stay
up to date with regard to developments within data protection. The
aim should be to constantly increase the level of expertise of DPOs
and they should be encouraged to participate in training courses on
data protection and other forms of professional development, such as
participation in privacy fora, workshops, etc.
7. Given the size and structure of the organisation, it may be necessary
to set up a DPO team (a DPO and his/her staff). In such cases, the
internal structure of the team and the tasks and responsibilities of
each of its members should be clearly drawn up. Similarly, when the
function of the DPO is exercised by an external service provider, a
team of individuals working for that entity may effectively carry out
the tasks of a DPO as a team, under the responsibility of a designated
lead contact for the client.
In practice, the controller often forgets the costs (that are generally not
attributed to the DPO-budget) with regard to:

1. The external project manager: this project manager coordinates and
facilitates the DPO work plan.
2. Hiring other third parties.
3. Communication etc.

In principle, the costs for information security should be attributed to
company processes and corresponding budgets. In any case they belong to
current tracks/projects. The following information security costs are usually
not part of the independently managed DPO work plan budget:

1. Recruitment of employees.
2. Putting in order the administration of vital information systems.
3. Acquisition, implementation and administration of firewalls,
anti-virus software and ‘intrusion-detection and intrusion-prevention
systems’.
4. Integration with a ‘security operations centre’ (SOC).
5. Restriction of risks by, for example, equipping facilities to escape.
6. Re-design costs of company processes.
7. Development, implementation and audits of policy and procedures
(for example policy with regard to passwords and mobile devices).
8. Re-design of software (‘secure software development’).
9. Launch of specific functions, such as ‘Chief information security
officer’ (CISO).
10. Recruitment/hiring of third parties for guidance, education and
training.
11. Following the Masterclass Information Security.
12. Attendance to congresses and symposiums concerning information
safety and security.
13. Unforeseen costs.
It seems justifiable to reserve a certain percentage of the budgeted expenses
for company processes for costs with regard to ‘monitoring the compliance
with obligations of the GDPR’ by the DPO provided that the independence of
the DPO is safe in performing the tasks mentioned in Article 39 of the
GDPR.

3.1.4 DPO Work Plan Quadrant


A professional DPO work plan is characterized by a number of professional
vantage points (chapter 2), meets the requirements of a GDPR compliant
risk-oriented structure (see section 3.3.3) and prescribes a logically
coherent structure along the lines of a clear step-by-step approach. These
angles play a
central role in the approach of a professional DPO work plan as discussed in
this book. By doing so, two orientation lines that are mentioned in the preface
serve as a guideline for the DPO (Articles 37 to 39 GDPR on the one hand
and ‘data protection practice’ of the enterprise, institution or organisation on
the other hand). In the following chapters the design, approach and structure
of a professional DPO work plan is discussed in the primary context of
Article 39 GDPR with special attention to Article 39(1)(b) of the GDPR, ‘to
monitor compliance with this Regulation, with other Union or Member State
data protection provisions and with the policies of the controller or processor
in relation to the protection of personal data, including the assignment of
responsibilities, awareness-raising and training of staff involved in processing
operations, and the related audits.’
Figure 3.2 DPO work plan quadrant

3.2 Starting points for the framework and structure of the DPO work plan

3.2.1 GDPR Tasks of the DPO


The primary starting point of task descriptions for the DPO can be found in
the formal legal description of tasks as can be derived from Articles 37 to 39
GDPR. In the performance of these DPO tasks, the nature of the organisation
and the complexity of the processing of personal data need to be taken into
account on the basis of Article 39(2) of the GDPR. In essence, the
assignment of the DPO can be subdivided into the following tasks, which the
DPO needs to fulfil in a professional way.

1. to inform and advise the controller or the processor and the
employees who carry out processing of their obligations pursuant to
this Regulation and to other Union or Member State data protection
provisions.
2. to monitor compliance with this Regulation, with other Union or
Member State data protection provisions and with the policies of the
controller or processor in relation to the protection of personal data,
including the assignment of responsibilities, awareness-raising and
training of staff involved in processing operations, and the related
audits.
3. to provide advice (where requested) as regards the data protection
impact assessment and monitor its performance pursuant to Article
35.
4. to cooperate with the supervisory authority.
5. to act as the contact point for the supervisory authority on issues
relating to processing, including the prior consultation referred to in
Article 36, and to consult, where appropriate, with regard to any
other matter.
6. to have due regard to the risk associated with processing operations,
taking into account the nature, scope, context and purposes of
processing.

Pursuant to Article 38(3) of the GDPR the following can be added to this
list:

7. report directly to the highest management level of the controller or
the processor.

Next to these so-called Article 39 tasks, the DPO can also fulfil other tasks
and functions, provided that they are compatible with a good performance of
the Article 39 tasks, which means that the independent functioning of the
DPO cannot be questioned. Also, the absence of a conflict of interests
should be beyond any doubt. Because these possible tasks of the DPO may
vary from organisation to organisation, they will only be touched upon
briefly.[92]

3.2.2 Positioning in accordance with the GDPR


The second starting point of a professional DPO work plan can be derived
from Article 38 of the GDPR in which the following is mentioned with
regard to the positioning of the DPO:

1. Proper and timely involvement in all issues which relate to the
protection of personal data (Art. 38(1) GDPR).
2. The controller and processor shall support the data protection
officer in performing the tasks referred to in Article 39 by
providing access to personal data and processing operations (Art.
38(2) GDPR).
3. The controller and processor shall support the data protection
officer in performing the tasks referred to in Article 39 GDPR by
providing resources necessary to carry out those tasks and to
maintain his or her expert knowledge (Art. 38(2) GDPR).
4. The controller and processor shall ensure that the data protection
officer does not receive any instructions regarding the exercise of
those tasks (Art. 38(3) GDPR).
5. The DPO shall directly report to the highest management level of
the controller or the processor (Art. 38(3) GDPR).
6. Data subjects may contact the data protection officer with regard to
all issues related to processing of their personal data (Art. 38(4)
GDPR).
7. The data protection officer shall be bound by secrecy or
confidentiality concerning the performance of his or her tasks, in
accordance with Union or Member State law (Art. 38(5) GDPR).
8. The data protection officer may fulfil other tasks and duties. The
controller or processor shall ensure that any such tasks and duties
do not result in a conflict of interests (Art. 38(6) GDPR).
9. With regard to the positioning of the DPO, the following is also
relevant: a group of undertakings may appoint a single data protection
officer provided that a data protection officer is easily accessible
from each establishment (Art. 37(2) GDPR).
10. Where the controller or the processor is a public authority or body,
a single data protection officer may be designated for several such
authorities or bodies, taking account of their organisational
structure and size (Art. 37(3) GDPR).

3.2.3 Multi-disciplinary perspectives

Professional performance of DPO tasks requires taking diverse perspectives
(aspects) into account in a responsible way when dealing with and answering
questions concerning privacy and data protection. Pursuant to recital 4 of
the GDPR, the processing of personal data should be designed to serve
mankind. The right to the protection of personal data is not an absolute
right; it must be considered in relation to its function in society and be
balanced against other fundamental rights, in accordance with the principle
of proportionality.

In performing the tasks mentioned in Article 39 of the GDPR, the DPO shall,
pursuant to Article 39(2) GDPR, have ‘due regard’ to the risk associated
with processing operations, taking into account the nature, scope, context
and purposes of processing personal data. Although ‘due regard’ is not
elaborated on in more detail in the GDPR, it is indicative of the fact that
diverse perspectives are to be taken into account in the context of a
professional performance of the DPO tasks. More concretely, one could think
of the diverse disciplinary interests, boundaries and opportunities of (for
example) the following disciplines (also called the ‘Privacy table of 5’):

1. Legal.
2. Compliance.
3. Ethics.
4. Security.
5. Information Technology (IT).
Of course, depending on the relevance for the organisation, company or
institute, other disciplines could be added as well. This disciplinary diversity
deserves a strategically significant position in every professional DPO work
plan.
Figure 3.3 Multi-disciplinary in the DPO work plan
3.2.4 GDPR core themes of the DPO work plan
The above-identified core GDPR themes have to be developed in practice for
the specific teams of the own organisation and in such a way that the DPO
can effectively and efficiently fulfil his or her legal (Article 39 GDPR) tasks.
A starting list of possible themes could (by way of example) consist of the
following items.[93]

1. Principles relating to processing of personal data and the meaning of
this for the own organisation.
2. Obligations of the own organisation concerning outsourcing.
3. Obligations of the own organisation concerning the duty to report
data breaches.
4. Obligations of the own organisation concerning international data
traffic.
5. Obligations of the own organisation concerning (complaint) rights of
data subjects.
6. Obligations of the own organisation concerning performance of Data
Protection Impact Assessments (DPIA’s).
7. Obligations of the own organisation concerning GDPR audits.
8. Obligations of the own organisation concerning data protection by
design.
9. Obligations of the own organisation concerning privacy by default.
10. Obligations of the own organisation concerning documentation
duties.

3.2.5 Ontology of the DPO work plan


On the basis of the above visualised findings (diverse perspectives, multiple
disciplines and core themes of the GDPR), a categorised image (ontology)[94]
can be illustrated of the task-oriented substantive domain of the DPO work
plan which could be visualised as follows.

Figure 3.4 Ontology of the DPO work plan


3.2.6 Supported by necessary resources
As discussed above, the controller and processor support the DPO – pursuant
to Article 38(2) GDPR – in performing the tasks referred to in Article 39 by
providing access to personal data and processing operations and by providing
the resources necessary to carry out those tasks and to maintain his or her
expert knowledge.

In a professional DPO work plan, explicit attention is paid to the
expectations of the specific DPO as to the way in which ‘necessary
resources’ should, in his or her opinion, be made available (expectation
management). In this context it is interesting to note the wording of the
initial GDPR proposal of the European Commission of January 25, 2012, in
which Article 36(3) mentions that, ‘The controller or the processor shall
support the data protection officer in performing the tasks and shall
provide staff, premises, equipment and any other resources necessary to
carry out the duties and tasks referred to in Article 37.’[95]

3.2.7 Planning
Without a plan, the DPO is like a ship lost at sea in the absence of a map,
compass or radio. The DPO knows approximately where to end up, but the
chances of actually arriving there are small (also because of continually
unexpected storms which lead to a completely different navigational route).
Planning ought to be an integral component of the design process (set-up) of
the professional DPO work plan.

In order to realise the goals set in the DPO work plan, planning is
indispensable, more specifically also because of the following obvious
reasons.

1. Planning gives the DPO the opportunity to set priorities and to focus.
2. Planning provides the DPO with insights of available timelines.
3. Planning increases the effective results.
4. Planning helps to achieve the set goals from the DPO work plan.
5. Planning increases the chance that the DPO enforces certain
activities or that they at least will be maintained and completed.
6. Planning helps the DPO to stay on track.
7. Planning prevents important tasks becoming urgent tasks (stress
prevention).
8. Planning increases insights in the necessary resources (inventory or
capital) and contributes to better estimates of support as needed by
the DPO.
9. Planning increases the acceptance level of DPO-activities, because
one will not ‘be surprised by action.’
10. Planning of the DPO promotes a better resource planning (in
particular for human resources) especially where resources are
shared with other departments (for example privacy implementation
teams).

3.2.7.1 Short-term (Priority matrix of Eisenhower)

Which activities of the DPO should have priority is not always easy to
determine. Therefore, setting priorities is an important time-management
skill. In essence, setting priorities is nothing other than keeping yourself
busy with important tasks. How can you use your time efficiently and
complete what you want to do?
The statement of former general and president of the United States, Dwight
D. Eisenhower, ‘What is important is seldom urgent and what is urgent is
seldom important,’ is the foundation of the so-called Priority matrix of
Eisenhower, which is mainly known because of Stephen Covey (time-management
guru). The Priority matrix of Eisenhower consists of four quadrants that
arise by putting two opposing values across from each other: important
versus unimportant and urgent versus non-urgent. Important means, in this
context, matters that catch the eye and/or concern many people. Unimportant
in this context means matters that should be completed before a specific
time. In the form of a diagram, it can be illustrated as follows.
Figure 3.5 DPO Work Plan Priority Matrix (Eisenhower’s priority)

3.2.7.2 Long-term (maturity model)

Applying a maturity model allows the organisation to better understand the
‘own degree of adulthood (maturity)’ of the methods and processes used,
which helps to set a solid base to define (and utilise) a structured
long-term perspective.

It could be useful to explore an action plan for realising specific goals
(targets) where the DPO wants to perform his or her (ambition driven) task.
In particular, it could be useful when a DPO wants to synchronise his or her
own work plan with a (possibly available) maturity model for a GDPR
business implementation plan (or implementation program) of the controller
(often carried out or monitored by the internal ‘data protection office’ or a
similar department).
It is beyond the scope of this current publication to thoroughly explore the
science behind composing and designing frameworks of maturity models.
However, for illustrative purposes, an example is given of a (potential)
framework for a maturity model that could be included in the DPO work plan.

Figure 3.6 GDPR Maturity index

3.3 Framework of the DPO work plan


3.3.1 Basic framework of a DPO work plan

What would a basic framework of a DPO work plan look like? In the absence of
any substantial guidance by Data Protection Authorities and the European
Data Protection Board (EDPB), it is advised to frame a DPO work plan as
close to Articles 37-39 GDPR as possible, as these are the core provisions
for DPO tasks in the GDPR.
The formal GDPR tasks of the DPO should be connected with the
organisation's internal ‘six DPO task-pillars’ and strategically
harmonised[96] at the highest management level. From Articles 37-39 GDPR
the following strategic pillars of any DPO work plan can be derived.
1. Informing and advising the controller or processor and the
employees of the organization.
2. Monitor compliance with the GDPR and internal policies.
3. Cooperate with the supervisory authority.
4. Act as contact point for the supervisory authority.
5. Act as contact point for data subjects.
6. Performance of other tasks with due regard for GDPR risks.
Next to these six strategic pillars of a DPO work plan – which are discussed
in detail below in Section 3.4 – a key consideration for any DPO work plan is
the positioning derived from Articles 37 to 39 of the GDPR and the internal
statute of the DPO, which are the foundations of the job profile of the DPO
as adjusted to the specific organisation.
In the context of alignment with the highest management level, the concrete
steps that the DPO undertakes will be discussed in more detail hereinafter.
After this alignment with the highest management level, all outcomes are to
be coordinated with all relevant stakeholders.
The execution of the DPO work plan will be reported directly to the highest
management level.

Figure 3.7 Basic Framework of a DPO Work plan Infographic


3.3.2 Substantive requirements of the DPO work plan
With regard to the substantive privacy and data protection themes, the DPO
work plan should at least take into account all relevant norms, rights and
obligations pursuant to:
1. The GDPR.
2. Other Union data protection provisions.
3. Domestic data protection provisions, such as:
   national implementation laws and regulations
   other legislation and regulation
   industry codes of conduct
   industry security codes
4. Specific (internal) regulations of the organisation.

3.3.2.1 GDPR
The core of the DPO work plan is compliance with obligations under the
GDPR[97] and other Union or Member State data protection provisions. For a
brief discussion of GDPR themes, see the discussion in previous pages.

3.3.2.2 Other data protection provisions from the European Union


The DPO plan also pays attention, if relevant for the enterprise, organisation
or institution, to other data protection provisions of the EU such as the
Telecommunications Directive.[98]

3.3.2.4 Specific (internal) regulations of the organisation

Provided that it is applicable, the DPO work plan thematically takes into
account the existence of all internal regulations in the area of privacy and
data protection. Ergo, in case of possible contradictions with EU
regulations of a higher order (GDPR or otherwise), the DPO ought to ask for
attention to this and, if necessary, undertake all actions needed, while
taking into account the professional performance of all formal tasks as
depicted in Article 39 of the GDPR.

3.3.3 Risk orientation in the DPO work plan


The term ‘risk’ plays an important role in the GDPR. The risks (with varying
likelihood and severity) that are associated with the rights and freedoms of
natural persons could, according to recital 75 of the GDPR, lead to:

1. Physical, material or non-material damage, in particular where the
processing may give rise to one or more of the following cases.
2. Discriminatory actions.
3. Identity theft.
4. Identity fraud.
5. Financial loss.
6. Damage to reputation.
7. Loss of confidentiality of personal data protected by professional
secrecy.
8. Unauthorised reversal (decoding) of pseudonymisation.
9. Any other significant economic or social disadvantage.
10. Where data subjects might be deprived of their rights and
freedoms or prevented from exercising control over their personal
data.
11. Where personal data are processed which reveal racial or ethnic
origin, political opinions, religion or philosophical beliefs, trade
union membership, and the processing of genetic data, data
concerning health or data concerning sex life or criminal
convictions and offences or related security measures.
12. Where personal aspects are evaluated, in particular analysing or
predicting aspects concerning performance at work, economic
situation, health, personal preferences or interests, reliability or
behaviour, location or movements, in order to create or use
personal profiles.
13. Where personal data of vulnerable natural persons, in particular of
children, are processed.
14. Where processing involves a large amount of personal data and
affects a large number of data subjects.
Guidance on the implementation of appropriate measures and on the
demonstration of compliance by the controller or the processor, especially
concerning the identification of the risks related to the processing, their
assessment in terms of origin, nature, likelihood and severity, and the
identification of best practices to mitigate the risk, could be provided in
particular by means of approved codes of conduct, approved certifications,[99]
guidelines provided by the EDPB or indications provided by a data protection
officer, according to recital 77 of the GDPR.
In light of the above, a risk-oriented approach should explicitly be
considered in any DPO work plan. This could be realised by diverse risk
management approaches. Hereafter the strands of the general risk management
framework of COSO-ERM will be discussed.

3.3.3.1 COSO-ERM risk management model


The goal of risk management is to identify risks in a timely manner and to
estimate their impact as accurately as possible, so that the co-workers
concerned can respond in time and, insofar as possible, take appropriate
measures. In this way risk management effectively contributes to the
predictability of risks for the organisation when future management measures
are considered.
The COSO ERM model is by far the most frequently used framework for
assessing and designing risk management. A few decades ago, the Committee of
Sponsoring Organizations of the Treadway Commission (COSO)[100] drew up the
Internal Control Integrated Framework to help enterprises and other
organisations assess and improve their internal control systems. COSO
identifies the connections and shows the relations between the risks of an
enterprise on the one hand and its internal control system on the other. In
light of the enterprise's formulated mission and vision, management
identifies, defines and derives strategic goals. COSO is based on the
philosophy that internal control is a process aimed at obtaining reasonable
assurance that goals are reached in the following four domains:

1. Strategic: reaching strategic goals.
2. Operational: effective and efficient business processes.
3. Reporting: reliability of (financial) information transfer.
4. Compliance: compliance with relevant legislation and regulation.

3.3.3.2 Elements of risk control

The risk control thinking of COSO is based on the following eight so-called
elements of every ‘control and inspection’ system. These elements are
derived from the way in which the board directs the organisation and from its
management style, and are therefore directly interconnected with the process
of leadership.

1. Internal Environment: this means the attitude and behaviour of the
internal organisation. The risk management philosophy, the risk
appetite, integrity and the ethical values of the organisation are part
of the internal environment.
2. Objective Setting: this means that the goals should be present
before potential situations can be identified that could influence the
reaching of those goals.
3. Event Identification: this means that internal and external situations
that have an influence on reaching set goals need to be identified.
The distinction between risks and opportunities plays a central role
here.
4. Risk Assessment: this means that risks should be analysed in terms
of likelihood and impact. On that basis, a suitable measure can
be formulated. Risks can be assessed before and after the effects of
additional measures that were taken.[101]
5. Risk Response: this means the most suitable response should be
selected – prevent, accept, control or transfer – and elaborated on in
more concrete actions per risk to bring the scope of the risks in line
with the risk appetite of the entire organisation.
6. Control Activities: this means that policy and procedures are
drafted and implemented in order to actually enshrine the chosen
risk response in the organisation.
7. Information and Communication: this means that relevant
information is identified, saved and communicated in a way that
enables the people concerned to carry out their activities.
8. Monitoring: this means that the effectiveness of the enterprise risk
management is monitored and updated for improvement.

3.3.3.3 DPO PRISC MODEL ®

Referring to recital 77 of the GDPR, which states that the DPO can give
indications for appropriate measures to the controller or processor concerning
the risk of the processing, the so-called DPO Privacy Risk Model
(abbreviated: DPO PRISC Model) can be helpful.[102]
In the preceding years, while training many DPOs at the Dutch Privacy
Academy (NPA), a number of concrete subsequent steps were formulated in
order to achieve a sound, risk-oriented performance of GDPR tasks by the
DPO. This was based on an elaborate background study of the COSO
model, the GDPR and DPO perspectives from diverse multidisciplinary
backgrounds. The diagram below illustrates an abstract example of the core
elements (basic categorization) of the DPO PRISC Model®.

Figure 3.8 PRISC MODEL 2018

3.3.4 Scope of the DPO work plan


The DPO is expected to execute his or her tasks across the full range of
obligations pursuant to the GDPR. In the formulation of Article 39(1) GDPR,
‘The data protection officer shall have at least the task to inform and advise
the controller or the processor and the employees who carry out processing of
their obligations pursuant to this Regulation and to other Union or Member
State data protection provisions.’ It is not surprising that this general work
assignment can entail quite a challenge for a number of DPOs. In order to
achieve measurable results and to plan concrete activities on the basis of a
planning that meets all SMART criteria (Specific, Measurable, Agreed,
Realistic, Time-restricted), it is recommended to clearly delineate the scope
of the DPO work plan (for example for the relevant year) with regard to
priorities, further task-oriented activities and possible ‘other tasks and
duties’ within the meaning of Article 38(6) GDPR. For a possible outline of
this delineation, see the diagram below.

Figure 3.9 Scope DPO work plan

3.3.5 Success factors for a professional DPO work plan


From diverse studies, it has become apparent that multiple critical success
factors can be identified. Some studies name only critical success factors,
others subdivide the factors into diverse categories, and others distinguish
between success factors at the management level on the one hand and
success factors at the implementation level on the other.
In her study, Van Bergenhenegouwen[103] identified ninety-seven critical
success factors, inferred from a thorough literature review, that are
important for the success of a project or implementation track. Naturally,
each identified critical success factor has a greater or lesser influence on
the success of a specific project or specific implementation. Based on the
Standish Group Chaos Report 2011,[104] one could distinguish the following
factors that contribute to reaching the goals set upfront in any DPO work
plan:

1. Strong involvement of team members.
2. Strong involvement of higher management.
3. Proper planning.
4. Realistic expectations.
5. Smaller project milestones.
6. Project co-workers with sufficient expertise.
7. Competent project co-workers.
8. Ownership of the principal with the project management.
9. Clearly formulated vision & corporate objectives.
10. Hard-working, result-oriented staff.

3.4 Structure of a professional DPO work plan

In the preceding paragraphs, diverse aspects of a professional DPO work plan
have been presented, taking as a starting point the tasks of the DPO as laid
down in Article 39 GDPR.
In the following paragraphs the focus of discussion is the coherence between
these many diverse aspects, and more attention is paid to the further
elaboration of the structure of the above-mentioned six pillars of the basic
framework of a professional DPO work plan. For each pillar, an example of a
structure is drawn up, to be made fit for the practice of the DPO.

3.4.1 Basic design of the DPO work plan


The basic design of any professional DPO work plan should at least consist
of the following five components.

1. Scope of the work plan.
2. GDPR risk-orientation of the work plan.
3. GDPR core themes for the work plan.
4. GDPR starting point for the work plan.
5. Business case (added value) of the work plan.

Figure 3.10 Basic structure DPO work plan

3.4.2 Six strategic pillars of the professional DPO work plan


The legal tasks of the DPO as depicted in Article 39 GDPR lend themselves to
elaboration (in the absence of specified qualification criteria from DPAs)
and further detailing by the DPO, taking into account all specificities of
his or her own organisation. Although the GDPR does not provide for further
research into the tasks of the DPO as mentioned in Article 39 GDPR, some
indications can be inferred from the recitals of the GDPR and from various
other places in the legal text, in light of the ‘rationale and spirit’ of the
GDPR.[105]
In the very setup (structure) of Article 39 GDPR itself, which defines six
tasks of the DPO, a level of basic design can be found that yields a diagram
for a ‘DPO work plan by design’, which could serve as an open template for
any DPO work plan.

3.4.2.1 Pillar 1 | Inform and advise


The GDPR assignment of the DPO under this pillar consists of the following
elements.

1. To inform the controller or the processor and the employees who
carry out processing of their obligations pursuant to the GDPR and
to other Union or Member State data protection provisions in which
they shall have due regard to the risk associated with processing
operations, taking into account the nature, scope, context and
purposes of processing.
2. To advise the controller or processor and the employees who carry
out processing of their obligations pursuant to the GDPR and to
other Union or Member State data protection provisions in which
they shall have due regard to the risk associated with processing
operations, taking into account the nature, scope, context and
purposes of processing.
3. To provide advice where requested as regards the data protection
impact assessment and monitor its performance pursuant to Article
35 of the GDPR in which they shall have due regard to the risk
associated with processing operations, taking into account the
nature, scope, context and purposes of processing.

Figure 3.11 Pillar 1 of the DPO work plan: inform and advise

3.4.2.2 Pillar 2 | Monitor compliance


The GDPR assignment of the DPO under this pillar is to monitor the
compliance with:

1. The GDPR.
2. Other Union data protection provisions.
3. Member State data protection provisions.
4. The policy of the controller or processor with regard to the
protection of data, including the assignment of responsibilities,
awareness-raising and training of the personnel involved in processing,
and the related audits.
The data protection officer shall in the performance of his or her tasks have
due regard to the risk associated with processing operations, taking into
account the nature, scope, context and purposes of processing, according to
Article 39(2) of the GDPR.

Figure 3.12 Pillar 2 of the DPO work plan: monitor compliance


3.4.2.3 Pillar 3 | Cooperate with the Data Protection Authorities

The GDPR assignment of the DPO under this pillar is to cooperate with the
Data Protection Authorities (DPA) by which due regard is given to the risk
associated with processing operations, taking into account the nature, scope,
context and purposes of processing, according to Article 39(2) of the GDPR.
According to the EDPB (WP29),[106] the tasks ‘cooperating’ and ‘acting as a
contact point’ refer to the role of ‘facilitator’ of the DPO mentioned in the
introduction to these Guidelines. The DPO acts as a contact point to facilitate
access by the supervisory authority to the documents and information for the
performance of the tasks mentioned in Article 57 GDPR, as well as for the
exercise of its investigative, corrective, authorisation, and advisory powers
mentioned in Article 58 GDPR. As already mentioned, the DPO shall be
bound by secrecy or confidentiality concerning the performance of his or her
tasks, in accordance with Union or Member State law (Article 38(5) of the
GDPR).

Figure 3.13 Pillar 3 of the DPO work plan: Cooperate with the Data
Protection Authorities

3.4.2.4 Pillar 4 | Contact point for the Data Protection Authorities

The assignment of the DPO under this pillar consists of acting as the contact
point for the supervisory authority on issues relating to processing, including
the prior consultation referred to in Article 36, and to consult, where
appropriate, with regard to any other matter (Article 39(1)(e) of the GDPR).

Figure 3.14 Pillar 4 of the DPO work plan: contact point for the Data
Protection Authorities

3.4.2.5 Pillar 5 | Contact point for data subjects

The assignment of the DPO under this pillar consists of acting as the contact
point for data subjects. They may contact the data protection officer with
regard to all issues related to processing of their personal data and to the
exercise of their rights under the GDPR (Article 38(4) of the GDPR).

Figure 3.15 Pillar 5 of the DPO work plan: contact point for the supervisory
authority

3.4.2.6 Pillar 6 | Other (optional) tasks

Based on Article 38(6) of the GDPR, the DPO may in principle fulfil other
tasks and duties next to the legal tasks. The controller or processor shall
ensure that any such tasks and duties do not result in a conflict of interests. In
general, there is a conflict of interests when another task or duty of the DPO
has direct or indirect consequences for the good fulfilment of the legal tasks
of the DPO under Article 39 of the GDPR. This entails in particular that the DPO
cannot hold a position within the organisation that leads him or her to
determine the purposes and the means of the processing of personal data. Due
to the specific organisational structure in each organisation, this has to be
considered case by case. In addition, according to EDPB (WP29)[107], conflict
of interests may also arise for example if an external DPO is asked to
represent the controller or processor before the Courts in cases involving data
protection issues.

Examples of optional tasks of the DPO (provided that in the specific
circumstances there is no possible conflict of interests with one or
more of the mandatory GDPR tasks of the DPO) are:

1. Promoting awareness.
2. Promoting permanent education.
3. Handling complaints.
4. Handling incidents.
5. Acting as confidential counsellor.
6. Making an inventory of data processes.
7. Development of norms.
8. Advising on technology and security of data.
9. Providing information.
10. Executing (non) monitoring-related privacy audits.[108]

Figure 3.16 Pillar 6 of the DPO work plan: contact point for data subjects

3.4.3 General Overview of a DPO Work Plan

Figure 3.17 General overview of a DPO Work Plan

3.5 DPO work plan infographic of DPO competencies & skills


The following infographic depicts an overview of expected competencies (in
keywords) from the DPO within the meaning of Article 39 of the GDPR. In
practice, this infographic is used by several HR-departments for compiling a
DPO job profile specific to the organisation. Next to this, this infographic has
the potential to serve as a basis for setting up and structuring required (HRM)
aspects for a professional DPO work plan.

CHAPTER 4
VISION, MISSION & STRATEGY (VMS)
4.1 Introduction

4.1.1 Vision, mission and strategy of a professional DPO work plan

In this chapter the vision, mission and strategy (VMS) of a professional DPO
work plan are the focus of attention. A DPO work plan could be described in
various ways, in absence of an unambiguous definition of the EDPB. A
practical indication of the DPO work plan could be an internal document
consisting of an overview of activities/projects which elaborates on the
relevant GDPR themes and methodology providing for the basis to account
for which DPO tasks are performed in which way and how DPO
responsibilities relate to that (as can be inferred from Articles 38 and 39 of
the GDPR). Obviously, this is where DPO accountability meets the need for
alignment with the vision, mission and strategy of the DPO work plan itself.

After discussing the general design and structure of the DPO work plan,
attention will be paid to the basic principles on which the subsequent steps of
the DPO work plan are structured, which is the main focus of this chapter.
Professional performance of tasks by the DPO – as described in the previous
chapters – requires both from the processor that has ‘appointed’ the DPO and
from the DPO himself or herself a thorough insight into the fundamental
character of the tasks that have to be performed. Therefore, a clear picture
of the historical background, text, rationale and spirit of the ‘envisioned
purpose’ of the DPO and his or her work plan is crucial.

Figure 4.1 VMS of the DPO work plan

4.1.2 Determining the vision of a professional DPO work plan


Why is the DPO work plan called into existence, and what is the ‘higher’
purpose (i.e. ambition, objective) of the DPO work plan? In discussing the
reason for a DPO work plan, diverse drivers (intrinsic motivators) were
discussed in chapter 3. Like every other professional, a DPO is assumed to
take pride in performing tasks and responsibilities in a way that exceeds
expectations, and to want to deliver as professionally as possible. Although
in chapter 3 several personal drivers[109] for a DPO work plan were
distinguished and discussed from the viewpoint of the individual DPO, what
are the reasons for existence and the ultimate vision intended with the
positioning, tasks and roles of the DPO?
Based on sound legal and operational considerations, it could be argued that
the primary ‘reason for existence’ of the DPO can ultimately be derived from
various recitals of the GDPR and in particular from Article 39 of the GDPR,
pursuant to which the essence of the DPO's tasks is to accomplish compliance
with the obligations of the controller or processor and the employees who
carry out processing pursuant to the GDPR (and other Union or Member State
data protection provisions). All mandatory tasks of the DPO are further
discussed within this context.
More specifically with regard to the vision (ambition, objective) of a DPO
work plan a number of indications could be inferred from a further, thorough
analysis of publicly available documents of diverse main actors among which
the European Parliament and the European Council, European Commission,
European Data Protection Board, European Data Protection Supervisor
(EDPS), domestic legislator, Data Protection Authorities, involved faculties
and internal stakeholders. None of these main actors explicitly mentions a
DPO work plan as discussed in this chapter (with the exception of the EDPB
(WP29)), let alone a vision, mission and strategy of the DPO work plan. It
should therefore be noted that the following discussions are mainly based on
contextualized inferences.

4.1.3 The mission of a professional DPO work plan


What has to be done to realize the vision of the DPO’s work plan? Which
concrete task-oriented steps could be distinguished, forming the essence of
the ‘mission of the DPO’s work plan’? In this case, a connection can be
found with the added value of a DPO work plan (as discussed in chapter 3)
which essentially can be summarized as steps (actions) to be taken within the
context of the following focus areas.

1. DPO tasks and process management.[110]
2. Improve the synergy between business units.
3. Secure the interests of stakeholders.
4. Cooperation with the Data Protection Authority (DPA).
5. Prudent administration of audit results.[111]
6. Risk and incidents administration.[112]
7. Prevent restoration costs of privacy non-compliance.
8. Restrict accountability for suffered damage.[113]
9. Reputation management.
10. Enrich the corporate culture with privacy integrity.

4.1.4 Strategy of the DPO work plan

Which projects have to be defined, prioritized and performed to attain the
steps formulated in the mission (in other words, which strategy has to be
followed)? For each step it should be defined which concrete projects (in the
sense of a series of coherent actions) have to be undertaken. Eventually these
projects have to be defined and assessed in terms of concrete actions
performed by the DPO in the context of the previously discussed vision and
mission of implementing the legal tasks under Article 39 of the GDPR.

More specifically, with regard to the strategy of the DPO work plan as
contextualized within the ambit of the DPO work plan vision and mission on
the one hand and public documents[114] on the other, once again several
indications can be derived from diverse main actors (among which the
European Parliament and the European Council, European Commission,
European Data Protection Board, European Data Protection Supervisor
(EDPS), domestic legislator, Data Protection Authorities, involved faculties
and internal stakeholders).
With regard to the DPO work plan, the EDPB (WP29)[115] notes that ‘[…] it is
also good practice to determine the appropriate level of priority for DPO
duties, and for the DPO (or the organisation) to draw up a work plan.’ Note
that, remarkably, the EDPB (WP29) places the work plan discussion right at
the centre of ‘necessary resources’, in the context of which the DPO is to be
supported by the organisation (controller).

4.1.5 VMS calibration of the DPO work plan

To a certain extent the cases connected to VMS[116] ‘force’ the DPO in some
ways to substantiate his/her work plan as thoroughly as possible, taking into
account relevant perspectives from various main actors such as the following.

1. European legislator (EP).
2. European Executive (European Commission).
3. European Data Protection Supervisor (EDPS).
4. Domestic legislator.
5. European Committee.
6. Data Protection Authorities.
7. Faculty of DPOs.
8. Professional perspective of the DPO concerned.
9. Perspective of the controller.
10. Perspective of the internal stakeholders of a professional DPO
work plan.
In other words, before the DPO work plan is elaborated upon in detail,
relevant insights need to be obtained from the views of at least the above-
mentioned main actors with regard to the good performance of tasks by the
DPO. The VMS of the DPO work plan has to be calibrated (adjusted) to the
diverse perspectives of the identifiable main actors, abbreviated, ‘VMS
calibration’, which can be visualized as follows.

Figure 4.2 Calibration VMS


4.1.6 Action scheme of this chapter

Now that, following the introduction, the terms vision, mission and strategy
have been clarified in the context of the DPO work plan, these terms are
studied in more detail in the following paragraphs according to the following
schedule.
1. Perspectives of the identifiable main actors.
2. Table of reference implications for the core tasks of the DPO.
3. VMS diagram of the DPO work plan.
What is striking about this approach is that the results could lead to
important insights into what the DPO in practice ought to be doing for a
professional performance of tasks within the meaning of Article 39 of the
GDPR.

Figure 4.4 VMS action plan


4.2 Stakeholders VMS of the DPO work plan

Figure 4.4 VMS General supervision


4.2.1 The European legislator and VMS of a DPO work plan

In order to portray an analytical landscape of direct and indirect indications
of the European Parliament and the European Council as to the mission of a
DPO work plan, it is necessary to perform a thorough analysis of relevant
official reports and meeting minutes based on robust desk research. Given
that the official text of the GDPR was formally adopted as of April 27, 2016,
this final text is – for the sake of convenience and for the sole purpose of
the present analysis – taken as the primary source from which the findings of
the European Parliament and the European Council can be inferred.

According to recital 77 of the GDPR, the appointed DPO can encourage
(enforce) accountability for:

1. The implementation of appropriate measures.
2. The identification of risks related to the processing of personal data,
their assessment in terms of origin, nature, likelihood and severity,
and the identification of best practices to mitigate the risk.

In light of the above, the following points from the European Parliament and
the European Council deserve closer attention.

1. Article 35(2) of the GDPR, which states that in case a DPO is
designated, the controller shall seek his advice when carrying out a
data protection impact assessment.
2. Article 38(1) of the GDPR: the controller and the processor shall
ensure that the data protection officer is involved, properly and in a
timely manner, in all issues which relate to the protection of personal
data.
3. Article 38(2) of the GDPR: the controller and processor shall support
the data protection officer in performing the tasks referred to in
Article 39 GDPR by providing resources necessary to carry out those
tasks and access to personal data and processing operations and to
maintain his or her expert knowledge.
4. Article 38(3) of the GDPR: the controller and processor shall ensure
that the data protection officer does not receive any instructions
regarding the exercise of those tasks. He or she shall not be
dismissed or penalised by the controller or the processor for
performing his tasks. The data protection officer shall directly report
to the highest management level of the controller or the processor.
5. Article 38(4) of the GDPR: data subjects may contact the data
protection officer with regard to all issues related to processing of
their personal data and to the exercise of their rights under this
Regulation.
6. Article 38(5) of the GDPR: the data protection officer shall be bound
by secrecy or confidentiality concerning the performance of his or
her tasks, in accordance with Union or Member State law.
7. Article 38(6) of the GDPR: the DPO may fulfil other tasks and
duties. The controller or processor shall ensure that any such tasks
and duties do not result in a conflict of interests.
8. Article 39 of the GDPR (tasks of the DPO): the DPO shall have at
least the following tasks:

a. To inform and advise the controller or the processor and the
employees who carry out the processing of their obligations
pursuant to this Regulation and to other Union or Member State
data protection provisions.
b. To monitor compliance with this Regulation, with other Union
or Member State data protection provisions and with the
policies of the controller or processor in relation to the
protection of personal data, including the assignment of
responsibilities, awareness-raising and training of staff involved
in processing operations, and the related audits.
c. To provide advice where requested as regards the data
protection impact assessment and monitor its performance
pursuant to Article 35.
d. To cooperate with the supervisory authority.
e. To act as the contact point for the supervisory authority on
issues relating to processing, including the prior consultation
referred to in Article 36, and to consult, where appropriate, with
regard to any other matter.
The data protection officer shall, while performing his or her tasks, have due
regard to the risks associated with processing operations, taking into
account the nature, scope, context and purposes of processing.

Figure 4.5 VMS of the DPO work plan from the European Parliament and the
European Council

4.2.2 European Commission and VMS of a DPO work plan


As to whether the European Commission has explicitly communicated on the
vision, mission and strategy of a DPO work plan, its proposal to the European
Parliament and the European Council on the protection of individuals with
regard to the processing of personal data and on the free movement of such
data (General Data Protection Regulation),[117] dated January 25, 2016, can
serve as the primary source of information.
As far as the European Commission is concerned, the following findings are
considered indicative of its approach to the mission of a DPO work plan.
Some indications can be inferred from the following considerations.

1. Building trust in the online environment is the key to economic
development.[118] Lack of trust makes consumers hesitate to buy
online and adopt new services, including public e-government
services. If not addressed, this lack of confidence will continue to
slow down the development of innovative uses of new technologies.
This is why data protection plays a central role in the Digital Agenda
for Europe, and more generally in the Europe 2020 Strategy.[119]
2. Where the processing is carried out in the public sector or where, in
the private sector, processing is carried out by a large enterprise, or
where its core activities, regardless of the size of the enterprise,
involve processing operations which require regular and systematic
monitoring, a person should assist the controller or processor to
monitor internal compliance with this Regulation. Such data
protection officers, whether or not an employee of the controller,
should be in a position to perform their duties and tasks
independently.[120]
3. The following can be inferred from Article 22(1) and (2) of the
Proposal of the Commission of 2012.

A. The controller shall adopt policies and implement appropriate
measures to ensure and be able to demonstrate that the processing
of personal data is performed in compliance with this Regulation.
B. The measures provided for in paragraph 1 shall in particular
include:
   a. Keeping records/documentation.
   b. Implementing the data security requirements.
   c. Performing a Data Protection Impact Assessment (DPIA).
   d. Complying with the requirements for prior authorisation or
   prior consultation of the supervisory authority.
   e. Designating a data protection officer pursuant to Article 35(1)
   GDPR.
The initial (2012) proposal of the European Commission for a General Data
Protection Regulation provides the following insights in the approach of the
European Commission.
Article 14(1)(a) GDPR (2012) Proposal (Information to the data subject)
Where personal data relating to a data subject are collected, the controller
shall provide the data subject with at least the following information: the
identity and the contact details of the controller and, if any, of the controller's
representative and of the data protection officer.
Article 31 GDPR (2012) Proposal (Notification of a personal data breach to
the supervisory authority)

1. In the case of a personal data breach, the controller shall without
undue delay and, where feasible, not later than 24 hours after having
become aware of it, notify the personal data breach to the
supervisory authority. The notification to the supervisory authority
shall be accompanied by a reasoned justification in cases where it is
not made within 24 hours.
2. Pursuant to point (f) of Article 26(2), the processor shall alert and
inform the controller immediately after the establishment of a
personal data breach.
3. The notification referred to in paragraph 1 must at least:

a. describe the nature of the personal data breach including the


categories and number of data subjects concerned and the
categories and number of data records concerned.
b. communicate the identity and contact details of the data
protection officer or other contact point where more
information can be obtained.
Article 35 GDPR (2012) Proposal (Designation of the data protection
officer)

1. The controller and the processor shall designate a data protection
officer in any case where:
a. the processing is carried out by a public authority or body; or
b. the processing is carried out by an enterprise employing 250
persons or more; or
c. the core activities of the controller or the processor consist of
processing operations which, by virtue of their nature, their
scope and/or their purposes, require regular and systematic
monitoring of data subjects.
2. In the case referred to in point (b) of paragraph 1, a group of
undertakings may appoint a single data protection officer.
3. Where the controller or the processor is a public authority or body,
the data protection officer may be designated for several of its
entities, taking account of the organisational structure of the public
authority or body.
4. In cases other than those referred to in paragraph 1, the controller
or processor or associations and other bodies representing
categories of controllers or processors may designate a data
protection officer.
5. The controller or processor shall designate the data protection
officer on the basis of professional qualities and, in particular,
expert knowledge of data protection law and practices and ability
to fulfil the tasks referred to in Article 37. The necessary level of
expert knowledge shall be determined in particular according to
the data processing carried out and the protection required for the
personal data processed by the controller or the processor.
6. The controller or the processor shall ensure that any other
professional duties of the data protection officer are compatible
with the person's tasks and duties as data protection officer and
do not result in a conflict of interests.
7. The controller or the processor shall designate a data protection
officer for a period of at least two (2) years. The data protection
officer may be re-appointed for further terms. During their term
of office, the data protection officer may only be dismissed, if the
data protection officer no longer fulfils the conditions required
for the performance of its duties.
8. The data protection officer may be employed by the controller or
processor or fulfil his or her tasks on the basis of a service
contract.
9. The controller or the processor shall communicate the name and
contact details of the data protection officer to the supervisory
authority and to the public.
10. Data subjects shall have the right to contact the data protection
officer on all issues related to the processing of the data subject’s
data and to request exercising the rights under this Regulation.
11. The Commission shall be empowered to adopt delegated acts in
accordance with Article 86 for the purpose of further specifying
the criteria and requirements for the core activities of the
controller or the processor referred to in point (c) of paragraph 1
and the criteria for the professional qualities of the data protection
officer referred to in paragraph 5.
Article 36 GDPR (2012) Proposal (Position of the data protection officer)

1. The controller or the processor shall ensure that the data protection
officer is properly and in a timely manner involved in all issues
which relate to the protection of personal data.
2. The controller or processor shall ensure that the data protection
officer performs the duties and tasks independently and does not
receive any instructions as regards the exercise of the function. The
data protection officer shall directly report to the management of the
controller or the processor.
3. The controller or the processor shall support the data protection
officer in performing the tasks and shall provide staff, premises,
equipment and any other resources necessary to carry out the duties
and tasks referred to in Article 37.

Article 37 GDPR (2012) Proposal (Tasks of the data protection officer)

1. The controller or the processor shall entrust the data protection
officer at least with the following tasks:
a. to inform and advise the controller or the processor of their
obligations pursuant to this Regulation and to document this
activity and the responses received.
b. to monitor the implementation and application of the policies
of the controller or processor in relation to the protection of
personal data, including the assignment of responsibilities, the
training of staff involved in the processing operations, and the
related audits.
c. to monitor the implementation and application of this
Regulation, in particular as to the requirements related to data
protection by design, data protection by default and data
security and to the information of data subjects and their
requests in exercising their rights under this Regulation.
d. to ensure that the documentation referred to in Article 28 is
maintained.
e. to monitor the documentation, notification and
communication of personal data breaches pursuant to Articles
31 and 32.
f. to monitor the performance of the data protection impact
assessment by the controller or processor and the application
for prior authorisation or prior consultation, if required
pursuant to Articles 33 and 34.
g. to monitor the response to requests from the supervisory
authority, and, within the sphere of the data protection
officer's competence, co-operating with the supervisory
authority at the latter's request or on the data protection
officer’s own initiative.
h. to act as the contact point for the supervisory authority on
issues related to the processing and consult with the
supervisory authority, if appropriate, on his/her own
initiative.

2. The Commission shall be empowered to adopt delegated acts in
accordance with Article 86 for the purpose of further specifying
the criteria and requirements for tasks, certification, status, powers
and resources of the data protection officer referred to in
paragraph 1.

Article 43 GDPR (2012) Proposal (Transfers by way of binding corporate
rules)

1. A supervisory authority shall in accordance with the consistency
mechanism set out in Article 58 approve binding corporate rules,
provided that they:
a. are legally binding and apply to and are enforced by
every member within the controller’s or processor's
group of undertakings, and include their employees;
b. expressly confer enforceable rights on data subjects;
c. fulfil the requirements laid down in paragraph 2.
2. The binding corporate rules shall at least specify:
a. the structure and contact details of the group of undertakings
and its members.
b. the data transfers or set of transfers, including the categories
of personal data, the type of processing and its purposes, the
type of data subjects affected and the identification of the
third country or countries in question.
c. their legally binding nature, both internally and externally.
d. the general data protection principles, in particular purpose
limitation, data quality, legal basis for the processing,
processing of sensitive personal data; measures to ensure data
security; and the requirements for onward transfers to
organisations which are not bound by the policies.
e. the rights of data subjects and the means to exercise these
rights, including the right not to be subject to a measure based
on profiling in accordance with Article 20, the right to lodge a
complaint before the competent supervisory authority and
before the competent courts of the Member States in
accordance with Article 75, and to obtain redress and, where
appropriate, compensation for a breach of the binding
corporate rules.
f. the acceptance by the controller or processor established on
the territory of a Member State of liability for any breaches of
the binding corporate rules by any member of the group of
undertakings not established in the Union; the controller or
the processor may only be exempted from this liability, in
whole or in part, if he proves that that member is not
responsible for the event giving rise to the damage.
g. how the information on the binding corporate rules, in
particular on the provisions referred to in points (d), (e) and
(f) of this paragraph is provided to the data subjects in
accordance with Article 11.
h. the tasks of the data protection officer designated in
accordance with Article 35, including monitoring within the
group of undertakings the compliance with the binding
corporate rules, as well as monitoring the training and
complaint handling.

Figure 4.6 VMS of the DPO work plan from the European Commission

4.2.3 The European Data Protection Supervisor (EDPS)


With regard to the DPOs of EU institutions, a special role is reserved for the
EDPS as becomes apparent from Regulation EC 45/2001.[121] Article 24 of
this Regulation has established the following as far as the appointment of a
DPO is concerned.

1. Each Community institution and Community body shall appoint at
least one person as data protection officer. That person shall have
the task of:
a. Ensuring that controllers and data subjects are informed of
their rights and obligations pursuant to this Regulation.
b. Responding to requests from the European Data Protection
Supervisor and, within the sphere of his or her competence,
cooperating with the European Data Protection Supervisor at
the latter's request or on his or her own initiative.
c. Ensuring in an independent manner the internal application of
the provisions of this Regulation.
d. Keeping a register of the processing operations carried out by
the controller, containing the items of information referred to
in Article 25(2).
e. Notifying the European Data Protection Supervisor of the
processing operations likely to present specific risks within the
meaning of Article 27.
2. The Data Protection Officer shall be selected on the
basis of his or her personal and professional qualities
and, in particular, his or her expert knowledge of data
protection.
3. The selection of the Data Protection Officer shall not be
liable to result in a conflict of interests between his or
her duty as Data Protection Officer and any other
official duties, in particular in relation to the application
of the provisions of this Regulation.
4. The Data Protection Officer shall be appointed for a
term of between two and five years. He or she shall be
eligible for reappointment up to a maximum total term
of ten years. He or she may be dismissed from the post
of Data Protection Officer by the Community institution
or body which appointed him or her only with the
consent of the European Data Protection Supervisor, if
he or she no longer fulfils the conditions required for
the performance of his or her duties.
5. After his or her appointment the Data Protection Officer
shall be registered with the European Data Protection
Supervisor by the institution or body which appointed
him or her.
6. The Community institution or body which appointed the
Data Protection Officer shall provide him or her with
the staff and resources necessary to carry out his or her
duties.
7. With respect to the performance of his or her duties, the
Data Protection Officer may not receive any
instructions.
Of particular interest for the DPO work plan are the following explicit
considerations made by the EDPS:

1. In § 3 (Tasks, duties and powers of the DPO) of the EDPS
Recommendation Implementing rules concerning the tasks, duties
and powers of the Data Protection Officer, EDPS Office, the
following passage is entailed: ‘An annual work programme and an
annual report may be submitted by the DPO on his/her activities. A
work programme of the DPO should define its priorities and show
which results the DPO wants to achieve in terms of raising
awareness, inventory, notifications, prior checking and register,
etc.’
2. In § III.2 under 3 EDPS, Position paper on the role of Data
Protection Officers[122] in ensuring effective compliance with
Regulation (EC) 45/2001, the following is stated: ‘The EDPS
encourages DPOs to develop their own common principles of good
supervision (requirements, annual work programme, annual
report…) which will serve to measure the performance of their
work.’

Figure 4.7 VMS of the DPO work plan from the EDPS
4.2.4 EDPB and VMS of a DPO work plan
The cooperating European privacy authorities (previously called Working
Party 29, currently operating under European Data Protection Board)[123] have
published their Guidelines on Data Protection Officers (‘DPOs’) on
December 13, 2016 and revised it on April 05, 2017, also known as WP
243.01.
In § 3.2 of WP 243.01 (Necessary resources) the following is stated. Article
38(2) of the GDPR requires the organisation to support its DPO by
‘providing resources necessary to carry out [their] tasks and access to
personal data and processing operations, and to maintain his or her expert
knowledge’. In particular the following remarks (items) are to be considered:

1. Active support of the DPO’s function by senior management (such
as at board level).
2. Sufficient time for DPOs to fulfil their duties. This is particularly
important where the DPO is appointed on a part-time basis or where
the employee carries out data protection in addition to other duties.
Otherwise, conflicting priorities could result in the DPO’s duties
being neglected. Having sufficient time to devote to DPO tasks is
paramount. It is a good practice to establish a percentage of time for
the DPO function where it is not performed on a full-time basis. It is
also good practice to determine the time needed to carry out the
function, the appropriate level of priority for DPO duties, and for the
DPO (or the organisation) to draw up a work plan.
3. Adequate support in terms of financial resources, infrastructure
(premises, facilities, equipment) and staff where appropriate.
4. Official communication of the designation of the DPO to all staff to
ensure that their existence and function is known within the
organisation.
5. Necessary access to other services, such as Human Resources, legal,
IT, security, etc., so that DPOs can receive essential support, input
and information from those other services.
6. Continuous training. DPOs should be given the opportunity to stay
up to date with regard to developments within data protection and
they should be encouraged to participate in training courses on data
protection and other forms of professional development, such as
participation in privacy fora, workshops, etc.
7. Given the size and structure of the organisation, it may be necessary
to set up a DPO team (a DPO and his/her staff). In such cases, the
internal structure of the team and the tasks and responsibilities of
each of its members should be clearly drawn up. Similarly, when the
function of the DPO is exercised by an external service provider, a
team of individuals working for that entity may effectively carry out
the tasks of a DPO as a team, under the responsibility of a designated
lead contact for the client.
In general, the more complex and/or sensitive the processing operations are,
the more resources must be allocated to the DPO. The data protection
function must be effective and sufficiently well-resourced in relation to the
data processing activities being carried out.

4.2.5 Association of EU DPOs and VMS of the DPO work plan
In order to gain a broader, more representative understanding of the way
European Associations of professional DPOs approach the concept of a DPO
work plan - more importantly, as far as the vision, mission and strategy of a
professional DPO work plan is concerned - a number of relevant indicators
which originate from the following two professional associations of DPO’s
operating at EU/EEA level are considered:

1. Network EU DPOs (European network of EU Institutional DPOs)
and
2. European Association of Data Protection Professionals (EADPP)

4.2.5.1 Network of EU DPOs and VMS of the DPO work plan

The network of DPOs at community institutions within the meaning of (EC)
45/2001[124] has secured a number of important ‘Professional Standards’. In §
4.2 (Work Programme as Best Practice) the following is noted.[125]
‘In order to help focus his/her efforts, the DPO should prepare a work
programme at the beginning of each year for the upcoming year for the
attention of the senior management of the institution/body. The Work
Programme should specify what the DPO hopes to achieve over the course of
the year. This could include work to be done on:

1. Actions being taken regarding awareness such as info sessions etc.
2. Notifications, prior checks and the register.
3. Implementation of data protection requirements and EDPS
recommendations.
4. Systemic projects to be undertaken (e.g., creation of an electronic
register).
5. Efforts to be undertaken with respect to requests and complaints
from data subjects.
6. Areas which require special attention within the organization.’

4.2.5.2 EADPP and VMS of the DPO work plan

The primary aim of the European Association of Data Protection
Professionals (EADPP)[126] is to facilitate, organise, structure, and represent
European data protection professionals based on European perspectives and
the principles of the GDPR.
Pursuant to the EADPP CDPO Certification Body of Knowledge & Skills
(BOKS)[127] the DPO Work Plan is valued (Part D) as one of the four pillars
of DPO certification.
In order to prepare for the official EADPP CDPO Exam[128] all candidates
should be in command of the following.
1 Design of a DPO Work Plan
2 Management of a DPO Work Plan and Project Management
3 Allocation of sufficient resources for independent operations. Due
regard is paid to the following.

A. Article 38(2) of the GDPR requires the organisation to
support its DPO by ‘providing resources necessary to carry
out [their] tasks and access to personal data and processing
operations, and to maintain his or her expert knowledge’. The
following items, in particular, are to be considered:
1 Active support of the DPO’s function by senior management
(such as at board level).
2 Sufficient time for DPOs to fulfil their duties. This is particularly
important where an internal DPO is appointed on a part-time basis
or where the external DPO carries out data protection in addition
to other duties. Otherwise, conflicting priorities could result in the
DPO’s duties being neglected. Having sufficient time to devote to
DPO tasks is paramount. It is a good practice to establish a
percentage of time for the DPO function where it is not performed
on a full-time basis. It is also good practice to determine the time
needed to carry out the function, the appropriate level of priority
for DPO duties, and for the DPO (or the organisation) to draw up a
work plan.
B. Adequate support in terms of financial resources,
infrastructure (premises, facilities, equipment) and staff
where appropriate.
C. Official communication of the designation of the DPO to all
staff to ensure that their existence and function are known
within the organisation.
D. Necessary access to other services, such as Human
Resources, legal, IT, security, etc., so that DPOs can receive
essential support, input and information from those other
services.
E. Continuous training. DPOs must be given the opportunity to
stay up to date with regard to developments within the field
of data protection. The aim should be to constantly increase
the level of expertise of DPOs and they should be encouraged
to participate in training courses on data protection and other
forms of professional development, such as participation in
privacy fora, workshops, etc.
F. Given the size and structure of the organisation, it may be
necessary to set up a DPO team (a DPO and his/her staff). In
such cases, the internal structure of the team and the tasks and
responsibilities of each of its members should be clearly
drawn up. Similarly, when the function of the DPO is
exercised by an external service provider, a team of
individuals working for that entity may effectively carry out
the tasks of a DPO as a team, under the responsibility of a
designated lead contact for the client.

The EADPP CDPO certification scheme was developed in response to an
increasing call for a golden European standard to award best-in-class data
protection officers within the European (GDPR) context. The EADPP CDPO
exam is based on a comprehensive EADPP certification scheme paving the
way for data protection professionals to acquire a robust and a cross-
European Economic Area (EEA) validated certification as a Data Protection
Officer (CDPO).
Maintaining a golden CDPO standard (which is continuously being
evaluated) as per the GDPR holds many benefits, among which the following:
quality improvement of GDPR accountability in general; a continuing guard
for the professional development of data protection officers for generations to
come; a solid podium for the development of best practices which DPOs need
for performing their tasks as codified in the GDPR; and paving the way for
representing the interests of professional and certified data protection
officers at all relevant levels of the European Union and beyond.
Prior to taking the official EADPP CDPO exam it is mandatory to explicitly
accept the EADPP CDPO Certification Code of Ethics.[129]
DPOs certified in their professional activity according to the EADPP
Certification Scheme must carry out their activity in compliance with the
following principles:

A. Legality and integrity, strictly complying with current
legislation, in particular regarding the service they provide, so as
to avoid performing any illicit activity.
B. Professionalism, performing their functions with due diligence
and professional rigour, and maintaining their professional
capacity and personal training constantly up to date; they must
behave before individuals, companies, entities and clients in a
scrupulously loyal manner and regardless of any type of
limitations that may influence their own work and that of the
personnel they may be responsible for.
C. Responsibility in carrying out their professional and personal
activity, undertaking only those activities that they can
reasonably expect to complete with the necessary skills,
knowledge and competence.
D. Impartiality, acting objectively without accepting the influence
of conflicts of interest or other circumstances that could question
their professional integrity and that of the organization to which
they belong.
E. Transparency, informing all interested parties in a clear,
precise, and sufficient manner of all aspects related to their
professional activity, provided said aspects are not subject to
confidentiality, in which case they will be reserved and may not
be divulged.
F. Confidentiality, respecting and maintaining the necessary
protection and discretion regarding the information to which
they may have access because of their professional activity,
safeguarding the right to privacy and data protection of all
interested parties. Such information may not be used for
personal benefit nor revealed to inappropriate parties.

Figure 4.9 VMS of the DPO work plan from the European Data Protection
Board
4.2.6 Controller and VMS of the DPO work plan
While composing a DPO work plan, it is paramount for the DPO to gain a
clear understanding of the expectations of the controller (actually being the
highest management level, pursuant to Article 38(3) of the GDPR). In other
words, what does the highest management level of the organisation expect
from the DPO as far as his/her task performance is concerned, especially with
regard to realising the vision and mission of the DPO work plan. As per
Article 39 (1) this is supposed to be related to the way the controller,
processors and employees carry out processing activities in accordance with
their obligations pursuant to the GDPR and other Union or Member State
data protection provisions.
Important sources for the DPO in which indications can be found to get a
more in-depth picture in this regard could (in general) be for instance:
1. The applicable job profile of the DPO.
2. The applicable PTP (Personal Training Program) of the DPO.
3. Inferences that can be made from regular (confidential)
conversations with the highest management level of the
organisation.
In practice, however, it regularly happens that the highest management level
of the controller is not completely aware of what some of the elements of the
GDPR obligations entail and what in that respect is expected from the
controller, also in relation to the DPO work plan. In general, it is noted that the
GDPR on occasion has codified extremely vague norms on which relatively
little case law is available. Under those circumstances it is clear that the
controller, as the party to which the standard applies, in a non-negligible
number of cases has to deliver a considerable best-efforts obligation: with
the input of (often valuable) professional expertise, to assess (or to have
others assess) to what extent there is a violation of the law and, with reference
to that, whether and in which way he can avoid penalty payments.

Although the GDPR displays relatively many open and abstract norms and
calls for more practical detailing, the GDPR is and will remain de facto the
primary source for what is expected of both the controller and the DPO
himself. Against this background (where a sufficient level of knowledge and
expertise is not always present at the highest management level on the one
hand, and the open GDPR norms apply on the other hand), it should be advocated
that, as far as the expectations of the controller relating to the vision and
mission of the DPO work plan are concerned, the ‘appropriate measures’[130] taken
by the controller receive special attention: in other words, the key requirements
of appropriate measures for the controller which are laid down in Articles 24
and further of the GDPR (responsibility of the controller), in Chapter IV of the
GDPR (controller and processor), Section 1 (general obligations). In light of
this situation, it is presumed that the influence of the controller on the legally
framed vision and mission of the DPO work plan is practically none,
especially in light of the fact that the tasks of the DPO, codified in Articles
38 and 39 of the GDPR, are designed by law (with the consequences that entails). The
influence of the controller on a number of legally mandatory tasks of the
DPO is not evident (since they are legally restricted). The foregoing debate
does not affect the fact that the DPO work plan should be aligned with the
controller as far as the level of DPO activities in the context of the legal tasks
is concerned which the DPO intends to undertake in a specific work plan
activity. For this purpose, various (general) arguments can be brought
forward, among which the following.

1. Enhancing the visibility of the DPO.
2. Enhancing the degree of acceptance of the DPO activities.
3. Enhancing the influence of the controller on the DPO activities.
4. Providing a frame of reference in the context of assessment
interviews with the DPO.
5. Substantiating the necessary resources for performing the DPO
tasks and the DPO work plan in particular.

Figure 4.10 VMS of the DPO work plan from the controller
4.2.7 Professional DPO and VMS of the DPO work plan
The DPO as lead author of the DPO work plan establishes the framework,
structure, texts and priorities (substantive preferences) of the DPO work plan.
Obviously, within the space provided for by laws and regulations (mainly the
GDPR, other EU data protection provisions and Member State data
protection provisions). Moreover, the influence of the DPO can be shaped at
different (although also and mostly strategical) levels. At least the following
crucial factors are noted.
1. Expertise (education and training) of the DPO.
2. Personal competencies of the DPO.
3. Personal convictions of compliance and ethics of the DPO.
4. Personal premises of the DPO.
5. Personal drivers of the DPO, such as:[131]
a) Aspired professionalism.
b) Take on a leadership role.
c) Accountability.
d) Increase the degree of acceptance.
e) Apply knowledge and skills.
f) Visualize a careful balance of interests.

With regard to the influence on the mission of the DPO work plan, for the
time being there seems to be relatively little space for own interpretations of
the DPO. Since the mission of the DPO work plan is based on the ‘higher
goals of the GDPR’ as becomes apparent from the text, ratio and spirit of
Article 39 of the GDPR, namely the intended factual situation in which the
controller and/or processor and the employees that carry out processing act in
accordance with their obligations pursuant to the GDPR and other Union or
Member State data protection provisions.
The personal influence of the DPO in (strategically) establishing and
prioritising the task-oriented steps appears larger than is the case in
influencing the mission of the DPO work plan. Especially in the context of
risk management activities in fulfilling the monitoring tasks, there seems to
be more room for convictions that are connected to the person of the DPO.
The influence of the professional DPO can especially also be applied on a
tactical-strategic level where according to Article 39(2) of the GDPR the
DPO in the performance of his or her tasks has due regard to the risk
associated with processing operations, taking into account the nature, scope,
context and purposes of processing.
Figure 4.11 VMS of the DPO work plan from the DPO as professional

4.2.8 Internal stakeholders and VMS of the DPO work plan


While establishing the Vision, Mission, Strategy (VMS) of the DPO work
plan, the DPO should take into account the expectations of the most
important stakeholders concerning the performance of his/her tasks
(expectation management). One could for example think of the following
internal stakeholders.

1. Privacy office (privacy team, at least the department (or working
group) accountable for the actual implementation of GDPR
measures in compliance with Art 24 GDPR).
2. Management.
3. Compliance officers.
4. Managers.
5. Works council.
6. Council of clients (or other similar participation council).
7. Human Resource Management professionals.
8. Confidential and complaints officers.
9. Quality officers.
10. Internal auditors in the context of GDPR certified mechanisms,
GDPR seals and marks.[132]
If such stakeholders are insufficiently aware of the tasks of
the DPO (let alone knowledgeable of the vision, mission and strategy of the
DPO work plan), a rewarding task awaits the DPO: to sit around
the table with all these stakeholders and get them all on the same page.
Expectations from stakeholders with regard to the DPO and his/her activities
will vary over time (especially if the organisation itself is changing), which
underlines the significance of good stakeholder management as a continuous
process of regular coordination. In practice, the following questions can be
identified as ‘regular agenda items’ to be maintained by the DPO during any
meeting with identified stakeholders.

1. Which subjects/activities does the said stakeholder wish to discuss
with the DPO concerning obligations of the controller in light of the
text, ratio and intended effects of the GDPR?
2. Which subjects/activities does the DPO wish to discuss with the
said stakeholder concerning obligations of the controller in light of
the text, ratio and intended effects of the GDPR?
3. Which subjects relevant to the DPO have to be prioritised in the
opinion of the said stakeholder, and according to which criteria?
4. With respect to which subjects could the DPO and the said
stakeholder take a ‘mutual standpoint’?
5. How can the continuity of compliance of the controller with the
obligations pursuant to the GDPR and other Union or Member State
data protection provisions, in the opinion of the said stakeholder,
best be served?
6. What are the expectations of the said stakeholder regarding the
content and frequency of the DPO reports to the identified
stakeholders?

Figure 4.13 VMS of the DPO work plan from the internal
stakeholders

CHAPTER 5
INVENTORY OF PROCESSING ACTIVITIES
AND DPO WORK PLAN

5.1 Introduction

5.1.1 Definition of making an inventory


In practice, DPOs are often made accountable for assembling an inventory of
processing activities.
In the absence of a legal definition in the GDPR, an inventory can in essence
be described as mapping out, categorising and describing the personal data
(personal data elements) that are processed within the business, organisation
or institution.[133] In itself this is an exercise that should be
‘straightforward’, although in practice assembling an inventory of
processing activities can raise the following questions for the DPO.

1. Why is an inventory of personal data necessary?
2. What is the practical value of an inventory of personal data?
3. Which personal data have to be inventoried?
4. Which personal data are relevant?
5. How detailed does the inventory have to be?
6. How can the inventory of personal data best be approached?
7. Who needs to be involved in the inventory process?
8. What does an inventory plan look like?
9. What is the ultimate goal of the inventory of personal data?
10. What is the role of the DPO in the context of drawing up an
inventory of personal data?

5.1.2 Ratio and goal of inventory


Although business data (including personal data) is more than ever
fragmented – with a persistent annual data growth of 40-50% and the rapid
distribution of cloud storage, mobile devices, software service appliances,
and open-source innovations – any processing of personal data should at all
times be lawful and fair, according to recital 39 of the GDPR. For this, a
minimum condition is that the enterprise, organisation or institution can
exactly state which personal data is being processed, and at any rate which
personal data (elements) can be accessed by whom. In this context, the
following can also be derived from recital 39 of the GDPR:
1. It should be transparent to natural persons that personal data
concerning them are collected, used, consulted or otherwise processed
and to what extent the personal data are or will be processed.
2. The principle of transparency requires that any information and
communication relating to the processing of those personal data be
easily accessible and easy to understand, and that clear and plain
language be used. This principle concerns, in particular, information to
the data subjects on the identity of the controller and the purposes of the
processing and further information to ensure fair and transparent
processing in respect of the natural persons concerned and their right to
obtain confirmation and communication of personal data concerning
them which are being processed.
3. Natural persons should be made aware of risks, rules, safeguards and
rights in relation to the processing of personal data and how to exercise
their rights in relation to such processing.
4. In particular, the specific purposes for which personal data are
processed should be explicit and legitimate and determined at the time of
the collection of the personal data.
5. The personal data should be adequate, relevant and limited to what is
necessary for the purposes for which they are processed. This requires,
in particular, ensuring that the period for which the personal data are
stored is limited to a strict minimum.
6. Personal data should be processed only if the purpose of the processing
could not reasonably be fulfilled by other means. In order to ensure that
the personal data are not kept longer than necessary, time limits should
be established by the controller for erasure or for a periodic review.
7. Every reasonable step should be taken to ensure that personal data
which are inaccurate are rectified or deleted.
8. Personal data should be processed in a manner that ensures appropriate
security and confidentiality of the personal data, including for
preventing unauthorised access to or use of personal data and the
equipment used for the processing.
5.1.3 Personal data belong to the DNA of the organisation
The development and functioning of all known living organisms is controlled
by the genetic information of which DNA is the carrier. The existence is
governed by the cell nucleus. In some way or another, personal data plays a
similar role within organisations. From an organisational science perspective,
it is known that an organisation can be qualified as a ‘joint effort of people
and resources to achieve a certain goal.’ The mutual core values of people
contain the DNA of the organisation. In this respect, a lawful and fair
interaction with personal data deserves a solid position between the core
values and (applied) ethics of every organisation. After all, personal data are
the new gold. It is the fourth production factor after human resources, capital
and natural resources. Personal data carry meaning because they can be
related to terms and objects in the real world. Within a business context
these are at least business processes, customers, products and suppliers.

5.1.4 Personal data and business intelligence


A solid inventory of personal data can lead to extra (qualitative) information
for many enterprises, organizations and institutions based on which reliable
and well-founded company decisions can be made. In practice, metadata can
also be engineered to paint a good picture of the nature and scope of the
available personal data. To optimise the use of personal data (usually
invisibly present) in automated systems, Business Intelligence software
(BI applications) could provide an IT solution.
The main goal of business intelligence is to translate present (personal) data
on an aggregated level to information on which basis the organisation can
take policy or operational decisions. Such a translation eventually results in
analyses and reports. Characteristic for a BI-system is that it retrieves data
from various sources of information within the organisation. Business
intelligence enables taking strategic decisions. For example, for collecting
data about customer groups bringing in the most money and for performing a
SWOT analysis.
A qualitatively good inventory of personal data, meaning an inventory in
which data quality is strongly valued and in which diverse data elements are
aggregated (anonymised or pseudonymised by design), could, if used
intelligently and responsibly, provide a ‘competitive edge’ (competitive
advantage) for the enterprise, organisation or institution, because
qualitatively better policy decisions can be taken without violating the
lawful and fair use of personal data. Consequently, without violating the
general privacy duty of care of the controller, a good inventory of personal
data could become an important ‘organisational asset’.
Figure 5.1 Business intelligence in policy perspective
5.1.5 Making an Inventory of personal data in the GDPR
Making an inventory of personal data is not an obligation as such as per the
legal text of the GDPR. Nevertheless, various articles mention GDPR
activities in the context of which having a decent inventory of personal data
could be considered as a necessary precondition. In this regard, attention is
paid to the following GDPR readings.

Article 4(2) of the GDPR (definition of processing)

Processing means ‘any operation or set of operations which is performed
on personal data or on sets of personal data, whether or not by
automated means, such as collection, recording, organisation,
structuring, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available,
alignment or combination, restriction, erasure or destruction.’

Article 30 of the GDPR (records of processing activities)

Article 30 of the GDPR reads the following.

1. Each controller and, where applicable, the controller's
representative, shall maintain a record of processing activities
under its responsibility. That record shall contain all of the
following information:

a) the name and contact details of the controller and, where
applicable, the joint controller, the controller's representative
and the data protection officer.
b) the purposes of the processing.
c) a description of the categories of data subjects and of the
categories of personal data.
d) the categories of recipients to whom the personal data have
been or will be disclosed including recipients in third countries
or international organisations.
e) where applicable, transfers of personal data to a third country
or an international organisation, including the identification of
that third country or international organisation and, in the case
of transfers referred to in the second subparagraph of Article
49(1), the documentation of suitable safeguards.
f) where possible, the envisaged time limits for erasure of the
different categories of data.
g) where possible, a general description of the technical and
organisational security measures referred to in Article 32(1).

2. Each processor and, where applicable, the processor's
representative shall maintain a record of all categories of
processing activities carried out on behalf of a controller,
containing:

a) the name and contact details of the processor or processors and
of each controller on behalf of which the processor is acting,
and, where applicable, of the controller's or the processor's
representative, and the data protection officer.
b) the categories of processing carried out on behalf of each
controller.
c) where applicable, transfers of personal data to a third country
or an international organisation, including the identification of
that third country or international organisation and, in the case
of transfers referred to in the second subparagraph of Article
49(1), the documentation of suitable safeguards.
d) where possible, a general description of the technical and
organisational security measures referred to in Article 32(1).

3. The records referred to in paragraphs 1 and 2 shall be in
writing, including in electronic form.
4. The controller or the processor and, where applicable, the
controller's or the processor's representative, shall make the
record available to the supervisory authority on request.
5. The obligations referred to in paragraphs 1 and 2 shall not
apply to an enterprise or an organisation employing fewer
than 250 persons unless the processing it carries out is likely
to result in a risk to the rights and freedoms of data subjects,
the processing is not occasional, or the processing includes
special categories of data as referred to in Article 9(1) or
personal data relating to criminal convictions and offences
referred to in Article 10.

5.1.6 General GDPR privacy duty of care of the controller

A good inventory of personal data is of pivotal value for complying with the
general GDPR privacy duty of care of the controller, meaning that every
processing of personal data should be fair and lawful. In the wording of
recital 39 of the GDPR, ‘It should be transparent to natural persons that
personal data concerning them are collected, used, consulted or otherwise
processed and to what extent the personal data are or will be processed. The
principle of transparency requires that any information and communication
relating to the processing of those personal data be easily accessible and easy
to understand, and that clear and plain language be used. That principle
concerns, in particular, information to the data subjects on the identity of
the controller and the purposes of the processing and further
information to ensure fair and transparent processing in respect of the natural
persons concerned and their right to obtain confirmation and communication
of personal data concerning them which are being processed.’
5.1.7 Importance for the DPO of taking stock of personal data
Based on Article 39(2) jo 24 of the GDPR, the DPO – taking into account the
nature, scope, context and purposes of processing as well as the risks of
varying likelihood and severity for the rights and freedoms of natural persons
– monitors that the controller implements appropriate technical and
organisational measures to ensure and to be able to demonstrate that
processing is performed in accordance with the GDPR. Moreover, these
measures shall be reviewed and updated where necessary.

A professional performance of the legal DPO tasks (in compliance with
Article 39 GDPR) requires at least a solid awareness of the facts. Which
facts? The verifiable facts concerning at least the history and the actual use
made of personal data, in favour of or on behalf of the controller (as per
internal or external mandates).
Based on Article 30(1) of the GDPR (records of processing activities), the
controller and, where applicable, the controller's representative, shall
maintain a record of processing activities under its responsibility. That record
shall contain all of the following information:

a. The name and contact details of the controller and, where
applicable, the joint controller, the controller's representative and
the data protection officer.
b. The purposes of the processing.
c. A description of the categories of data subjects and of the
categories of personal data.
d. The categories of recipients to whom the personal data have been or
will be disclosed including recipients in third countries or
international organisations.
e. Where applicable, transfers of personal data to a third country or an
international organisation, including the identification of that third
country or international organisation and, in the case of transfers
referred to in the second subparagraph of Article 49(1), the
documentation of suitable safeguards.
f. Where possible, the envisaged time limits for erasure of the
different categories of data.
g. Where possible, a general description of the technical and
organisational security measures referred to in Article 32(1).
The following paragraphs of Article 30 of the GDPR also have practical
implications.

1. The records referred to in paragraphs 1 and 2 shall be in writing,
including in electronic form (Article 30(3) of the GDPR).
2. The controller or the processor and, where applicable, the
controller's or the processor's representative, shall make the record
available to the supervisory authority on request (Article 30(4) of
the GDPR).
3. The obligations referred to in paragraphs 1 and 2 shall not apply to
an enterprise or an organisation employing fewer than 250 persons
unless the processing it carries out is likely to result in a risk to the
rights and freedoms of data subjects, the processing is not
occasional, or the processing includes special categories of data as
referred to in Article 9(1) or personal data relating to criminal
convictions and offences referred to in Article 10 (Article 30(5) of
the GDPR).
It is beyond any doubt that it is paramount for the professional performance
of DPO tasks and duties that the DPO is actually able to have a cross-
company panoramic view of the processing of all personal data (and relevant
meta data elements) within the organisation.
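The Article 30(1) content of a controller record and the Article 30(5) exemption discussed above, expressed as an added example (not code from the handbook or from EIPACC) of a completeness check a DPO could run over an exported register; all field names, the per-record application of the exemption and the sample records are assumptions of this example.

```python
"""Completeness check of an Article 30 record of processing activities.

Added example: models the Art. 30(1)(a)-(g) content of a controller record
and the Art. 30(5) exemption. Field names and sample data are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ProcessingRecord:
    """One row of the register; the field names are this example's own."""
    name: str
    # Art. 30(1)(a)-(d): always required for a controller record.
    controller_contact: str = ""
    purposes: List[str] = field(default_factory=list)
    data_subject_categories: List[str] = field(default_factory=list)
    data_categories: List[str] = field(default_factory=list)
    recipient_categories: List[str] = field(default_factory=list)
    # Art. 30(1)(e): only "where applicable" (transfer to a third country).
    third_country_transfer: bool = False
    transfer_destination: str = ""
    art49_second_subparagraph: bool = False  # safeguards must then be documented
    transfer_safeguards: str = ""
    # Art. 30(1)(f)-(g): "where possible"; absence is a finding, not an error.
    erasure_time_limits: str = ""
    security_measures: str = ""
    # Inputs for the Art. 30(5) exemption test.
    special_categories: bool = False   # Art. 9(1) or Art. 10 data
    occasional: bool = False
    likely_risk: bool = False          # risk to rights and freedoms


MANDATORY = ("controller_contact", "purposes", "data_subject_categories",
             "data_categories", "recipient_categories")


def record_keeping_required(headcount: int, rec: ProcessingRecord) -> bool:
    """Art. 30(5): below 250 persons the duty lapses unless one condition holds.

    Assumption of this example: the test is applied per processing record.
    """
    if headcount >= 250:
        return True
    return rec.likely_risk or not rec.occasional or rec.special_categories


def check_record(rec: ProcessingRecord) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for one record against Art. 30(1)."""
    errors: List[str] = []
    warnings: List[str] = []
    for attr in MANDATORY:
        if not getattr(rec, attr):
            errors.append(f"{rec.name}: missing {attr} (Art. 30(1)(a)-(d))")
    if rec.third_country_transfer:
        if not rec.transfer_destination:
            errors.append(f"{rec.name}: third country not identified (Art. 30(1)(e))")
        if rec.art49_second_subparagraph and not rec.transfer_safeguards:
            errors.append(f"{rec.name}: Art. 49(1) safeguards undocumented (Art. 30(1)(e))")
    if not rec.erasure_time_limits:
        warnings.append(f"{rec.name}: no erasure time limits (Art. 30(1)(f))")
    if not rec.security_measures:
        warnings.append(f"{rec.name}: no description of security measures (Art. 30(1)(g))")
    return errors, warnings


def audit_register(records: List[ProcessingRecord], headcount: int) -> Dict[str, dict]:
    """Audit every record; exempt records are reported but not checked."""
    report: Dict[str, dict] = {}
    for rec in records:
        if not record_keeping_required(headcount, rec):
            report[rec.name] = {"exempt": True, "errors": [], "warnings": []}
            continue
        errors, warnings = check_record(rec)
        report[rec.name] = {"exempt": False, "errors": errors, "warnings": warnings}
    return report


# Constructed sample register of a fictitious controller with 120 staff.
SAMPLE_REGISTER = [
    ProcessingRecord(
        name="payroll",
        controller_contact="Example BV, privacy@example.invalid",
        purposes=["salary payment"],
        data_subject_categories=["employees"],
        data_categories=["name", "bank account", "salary"],
        recipient_categories=["payroll processor", "tax authority"],
        erasure_time_limits="7 years after end of employment",
        security_measures="role-based access control, encryption at rest",
    ),
    ProcessingRecord(
        name="crm_export",
        controller_contact="Example BV, privacy@example.invalid",
        purposes=["customer support"],
        data_subject_categories=["customers"],
        data_categories=["name", "email"],
        recipient_categories=[],            # (d) left empty -> error
        third_country_transfer=True,
        transfer_destination="",            # (e) destination missing -> error
    ),
    ProcessingRecord(
        name="one_off_survey",
        controller_contact="Example BV, privacy@example.invalid",
        purposes=["anonymous feedback"],
        occasional=True,                    # exempt under Art. 30(5) at 120 staff
    ),
]

if __name__ == "__main__":
    for name, result in audit_register(SAMPLE_REGISTER, headcount=120).items():
        print(name, result)
```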

5.1.8 Substantiation of data subject rights


With the aim of practically effectuating all rights of data subjects (as
mentioned in chapter III of the GDPR, which have equal effect throughout the
EU),[134] the controller has to obtain and maintain a complete and, where
needed, itemised overview of all processed personal data. This can be
inferred from various articles that explicitly mention data sources and data
elements when discussing the various rights of data subjects.
Substantiation (effectuation) of data subject rights deals, among other
things, with the following aspects.

1. Transparent information, communication and modalities for the
exercise of the rights of the data subject (Article 12 of the GDPR).
2. Information to be provided where personal data are collected from
the data subject (Article 13 of the GDPR).
3. Information to be provided where personal data have not been
obtained from the data subject (Article 14 of the GDPR).
4. Right of access by the data subject (Article 15 of the GDPR).
The importance of obtaining an up-to-date and qualitatively good inventory of
personal data appears specifically in the case of Article 57(1)(f) of the GDPR.
The data subject shall have the right to obtain from the controller
confirmation as to whether or not personal data concerning him or her are
being processed, and, where that is the case, access to the personal data and
information and the right to lodge a complaint with a supervisory authority.
Based on Article 57(1)(f), the Data Protection Authority handles complaints,
lodged by a data subject, or by a body, organisation or association in
accordance with Article 80, and investigates, to the extent appropriate, the
subject matter of the complaint and informs the complainant of the progress
and the outcome of the investigation within a reasonable period, in particular
if further investigation or coordination with another supervisory authority is
necessary.

5.1.9 Implementation trap of abstract privacy concepts

As is the case with many ‘generic laws and regulations’, in the EU GDPR
some ‘open’ and even ‘vague’ legal obligations for the controller and
processor can be found. Under certain circumstances, this could lead to a
so-called ‘implementation trap’: the actual effect of implementing certain
measures based on, at best, an ‘informed best guess’. Possible results of this
implementation trap can be summarised as follows.

1. The controller or processor has to invest extra resources in, among
others:
a. research, analysis and (external) advice.
b. support of the process (inventories, scenarios, concepts,
decisions etc.).
c. public support (vision statements, meetings, kick-offs etc.).
2. The controller or processor comes across extra high costs because
much expertise has to be employed for the performance of
(possibly unnecessary) implementation measures.
3. The controller or processor may be confronted with extra (high)
GDPR implementation costs while being exposed to high
administrative fines and penalty payments. This is even the case
despite the principle of the ‘rule of law’ which can be found in
Constitutions and in human rights treaties (such as Article 15 of
the ICCPR and Article 7 of the ECHR).
4. Uncertainty about the legal status of implemented GDPR
measures. In many debates on the EU GDPR, it has been pointed
out that the regulation still contains many open terms and
general abstract norms, most of which need unambiguous and
reliable explanations, (in many cases) ideally rendered by court
rulings.

Figure 5.2 Implementation trap of abstract privacy concepts


5.1.10 Action scheme

Figure 5.3 Inventory action scheme

5.2 Inventory of personal data: goals and side effects

5.2.1 General goals of a GDPR Inventory


For eventually achieving the general goals of the GDPR,[135] it is important
that enterprises, organisations and institutions (controllers in the sense of
Article 4 GDPR) are at least able to answer the question which personal data
are being processed by or on behalf of them, and for which specific purposes
these personal data are being processed. Against the background, ratio and
intended effect of the GDPR, the following general goals[136] can be
identified which are at least intended by the GDPR:

1. to make Europe fit for the Digital Age.[137]
2. to strengthen citizens’ fundamental rights in the Digital Age.
3. facilitate business by simplifying rules for companies in the
Digital Single Market.
4. do away with the current fragmentation and costly administrative
burdens.
5. establishing a modern and harmonised data protection framework
across the EU.
6. help fight international crime.
7. strengthen citizens’ rights.
8. adapt data protection rules to new technological developments.
9. affect social networks.
10. strengthen the internal market.
11. make international cooperation easier.
12. simplify the existing rules.
13. to take up challenges of Big Data.

Figure 5.4 General goals


5.2.1.1 Compliance (Article 30(1) of the GDPR)
The importance of a good (and value adding) inventory of personal data
emerges once more from the documentation and registration duty of the
controller based on Article 30(1) of the GDPR, which reads as follows.
Each controller and, where applicable, the controller's representative, shall
maintain a record of processing activities under its responsibility. That
record shall contain all of the following information:

a. the name and contact details of the controller and, where
applicable, the joint controller, the controller's representative and
the data protection officer.
b. the purposes of the processing.
c. a description of the categories of data subjects and of the categories
of personal data.
d. the categories of recipients to whom the personal data have been
or will be disclosed including recipients in third countries or
international organisations.
e. where applicable, transfers of personal data to a third country or an
international organisation, including the identification of that third
country or international organisation and, in the case of transfers
referred to in the second subparagraph[138] of Article 49(1), the
documentation of suitable safeguards.
f. where possible, the envisaged time limits for erasure of the
different categories of data.
g. where possible, a general description of the technical and
organisational security measures referred to in Article 32(1).

5.2.1.2 Compliance (Article 35 of the GDPR)

Another GDPR compliance obligation which clarifies the importance of a
good inventory of personal data is the Data Protection Impact Assessment
(DPIA), which can be mandatory under circumstances and is legally
embedded in Article 35 GDPR.

1. Where a type of processing in particular using new technologies,
and taking into account the nature, scope, context and purposes of
the processing, is likely to result in a high risk to the rights and
freedoms of natural persons, the controller shall, prior to the
processing, carry out an assessment of the impact of the envisaged
processing operations on the protection of personal data. A single
assessment may address a set of similar processing operations that
present similar high risks.
2. The controller shall seek the advice of the data protection officer,
where designated, when carrying out a data protection impact
assessment.
3. A data protection impact assessment referred to in paragraph 1 shall
in particular be required in the case of:
a. Systematic and extensive evaluation of personal aspects
relating to natural persons which is based on automated
processing, including profiling, and on which decisions are
based that produce legal effects concerning the natural person
or similarly significantly affect the natural person.
b. Processing on a large scale of special categories of data
referred to in Article 9(1), or of personal data relating to
criminal convictions and offences referred to in Article 10, or
c. A systematic monitoring of a publicly accessible area on a
large scale.

4. The supervisory authority shall establish and make public[139] a list
of the kind of processing operations which are subject to the
requirement for a data protection impact assessment pursuant to
paragraph 1. The supervisory authority shall communicate those
lists to the Board referred to in Article 68.
5. The supervisory authority may also establish and make public a list
of the kind of processing operations for which no data protection
impact assessment is required. The supervisory authority shall
communicate those lists to the Board.
6. Prior to the adoption of the lists referred to in paragraphs 4 and 5,
the competent supervisory authority shall apply the consistency
mechanism referred to in Article 63 where such lists involve
processing activities which are related to the offering of goods or
services to data subjects or to the monitoring of their behaviour in
several Member-States or may substantially affect the free
movement of personal data within the Union.
7. The assessment shall contain at least:

a. a systematic description of the envisaged processing operations
and the purposes of the processing, including, where
applicable, the legitimate interest pursued by the controller.
b. an assessment of the necessity and proportionality of the
processing operations in relation to the purposes.
c. an assessment of the risks to the rights and freedoms of data
subjects referred to in paragraph 1; and
d. the measures envisaged to address the risks, including
safeguards, security measures and mechanisms to ensure the
protection of personal data and to demonstrate compliance
with this Regulation taking into account the rights and
legitimate interests of data subjects and other persons
concerned.

8. Compliance with approved codes of conduct referred to in Article
40 by the relevant controllers or processors shall be taken into due
account in assessing the impact of the processing operations
performed by such controllers or processors, in particular for the
purposes of a data protection impact assessment.
9. Where appropriate, the controller shall seek the views of data
subjects or their representatives on the intended processing, without
prejudice to the protection of commercial or public interests or the
security of processing operations.
10. Where processing pursuant to point (c) or (e) of Article 6(1) has a
legal basis in Union law or in the law of the Member State to which
the controller is subject, that law regulates the specific processing
operation or set of operations in question, and a data protection
impact assessment has already been carried out as part of a general
impact assessment in the context of the adoption of that legal basis,
paragraphs 1 to 7 shall not apply unless Member States deem it to
be necessary to carry out such an assessment prior to processing
activities.
11. Where necessary, the controller shall carry out a review to assess if
processing is performed in accordance with the data protection
impact assessment at least when there is a change of the risk
represented by processing operations.

5.2.1.3 Comply with the GDPR privacy duty to care (Article 5(1) of the
GDPR)

Next to the above-mentioned general GDPR privacy duty to care of the
controller, on various occasions in the GDPR the concept of ‘care’ that the
controller needs to consider is mentioned or can at least be inferred. It is
beyond the scope of this publication to enter into too much detail on this.[140]
For the sake of convenience, a number of elements that benefit from a
qualitatively good inventory of personal data are defined in more detail
hereinafter in the form of a diagram.
The general GDPR privacy duty to care can be (better) fulfilled if one can
dispose of an effective and functional inventory of relevant personal data.

Figure 5.5 General GDPR privacy duty to care


5.2.1.4 Effectuation of data subject rights (chapter III of the GDPR)
Obtaining a qualitatively good inventory of personal data is in the interest of
effectuating the rights of data subjects. Not only should the controller act in
a timely manner on requests (by or on behalf of) data subjects, the
information provided has to be specific, complete and correct as well. The
rights of data subjects being discussed here refer to the following rights as
included in chapter III.[141]

1. Right to transparent information, communication and modalities for
the exercise of the rights of the data subject (Article 12 of the
GDPR).
2. Right to information to be provided where personal data are
collected from the data subject (Article 13 of the GDPR).
3. Right to information to be provided where personal data have not
been obtained from the data subject (Article 14 of the GDPR).
4. Right of access by the data subject (Article 15 of the GDPR).
5. Right to rectification (Article 16 of the GDPR).
6. Right to erasure (‘right to be forgotten’) (Article 17 of the GDPR).
7. Right to restriction of processing (Article 18 of the GDPR).
8. Right to notification obligation regarding rectification or erasure of
personal data or restriction of processing (Article 19 of the GDPR).
9. Right to data portability (Article 20 of the GDPR).
10. Right to object (Article 21 of the GDPR).
11. Right to meaningful information about the logic involved, as well
as the significance and the envisaged consequences of such
processing for the data subject in the case of automated individual
decision-making, including profiling (Article 22 of the GDPR).

5.2.2 Side Effects of a GDPR Inventory


The side effects of a GDPR inventory are visualised in figure 5.6.

Figure 5.6 Side effects


5.2.2.1 Raising privacy awareness (Article 39(1)(b) of the GDPR)
Although it is not a main goal of the inventory of personal data (or
registration of data processing), an important side effect of this is that already
from the very start of taking preparatory measures to put together such an
inventory, extra attention is being paid to the issue within the organisation. In
particular the fulfilment of the inventory list (see hereinafter) highlights the
importance of privacy and data protection for anyone involved. According to
Article 39(1)(b) of the GDPR, the DPO must, among other things, monitor
compliance with the GDPR, with other Union or Member State data
protection provisions and with the policies of the controller or processor in
relation to the protection of personal data, including the assignment of
responsibilities, awareness-raising and training of staff involved in
processing operations, and the related audits.

5.2.2.2 Implementing appropriate and effective measures


With reference to recital 74 of the GDPR, the following remarks are relevant
for creating an inventory of personal data processing activities. The
responsibility and liability of the controller for any processing of personal
data carried out by the controller or on the controller's behalf should be
established. In particular, the controller should be obliged to implement
appropriate and effective measures and be able to demonstrate the
compliance of processing activities with this Regulation, including the
effectiveness of the measures. Those measures should take into account the
nature, scope, context and purposes of the processing and the risk to the
rights and freedoms of natural persons.
Although (at least prima facie) ‘appropriate and effective measures’ are not
defined in more detail in the GDPR, it seems plausible that for such measures
the personal data (personal data elements) originated from the inventory are
of interest as well. This interest emerges particularly because of the fact that
the connection with ‘responsibility’ and ‘liability’ is directly made.
According to Article 82(1) of the GDPR any person who has suffered
material or non-material damage as a result of an infringement of the GDPR
shall have the right to receive compensation from the controller or processor
for the damage suffered.

5.2.2.3 Reducing the probability of a complaint


According to Article 12(4) of the GDPR, a controller that does not take
action on a request of the data subject (within the meaning of Articles 15 to
22 of the GDPR) shall inform the data subject without delay and at the latest
within one month of receipt of the request of the reasons for not taking action
and of the possibility of lodging a complaint with a supervisory authority and
seeking a judicial remedy.[142]
In the most evident case, it is clear that non-identified personal data (for
example non-identifiable and thus non-inventoried personal data) cannot be
made accessible in response to, for example, an access request. If, however,
the data subject is convinced that the controller has actually processed
personal data and therefore ‘possesses’ personal data, the chances of a
complaint being submitted are higher than would be the case if all personal
data (from an inventory) could have been reproduced by the controller or
processor right from the start.

5.2.2.4 Limited liability (Article 82 of the GDPR)


According to recital 74 of the GDPR, the responsibility and liability of the
controller for any processing of personal data carried out by the controller or
on the controller's behalf should be established. In particular, the controller
should be obliged to implement appropriate and effective measures and be
able to demonstrate the compliance of processing activities with this
Regulation, including the effectiveness of the measures. Those measures
should take into account the nature, scope, context and purposes of the
processing and the risk to the rights and freedoms of natural persons.
Personal data that originate from the inventory have a greater chance of
getting the right attention (in the sense of appropriate and effective measures)
from the controller, which ultimately diminishes the effect of non-compliance.
The logical consequence is a reduced risk of a legal claim for damages. In
this respect Article 82 GDPR states the following: ‘Any person who has
suffered material or non-material damage as a result of an infringement of
this Regulation shall have the right to receive compensation from the
controller or processor for the damage suffered.’ The risk to the rights and
freedoms of natural persons, of varying likelihood and severity, may result
from personal data processing which could lead to physical, material or
non-material damage, according to recital 75 of the GDPR.

5.3 Inventory of personal data process steps

Figure 5.7 Inventory process steps

5.3.1 Step 1 | Determine the goal of the inventory


Before the inventory of personal data can be initiated, it first needs to be clear
what one aims to achieve with the inventory. In other words, what is the goal
of this inventory of personal data? Irrespective of the theoretical qualification
(general goal or side effect of the inventory), in practice it is clearly relevant
to bear in mind the specific intention of the current inventory. A general
inventory of personal data, after all, requires a different form of organisation
than, for example, an inventory of personal data prompted by a specific
access request.
Practical examples of other specific (GDPR related)[143] goals for performing
an inventory of personal data are the following.
1. Dealing with complaints within the meaning of Article 12(4) of the
GDPR.
2. Defending in an appeal procedure before the court within the
meaning of Article 12(4) of the GDPR.
3. Performing a Data Protection Impact Assessment as per Article 35
of the GDPR.
4. Keeping a register of processing activities ex Article 30 of the
GDPR.
5. Notification of a personal data breach to the supervisory authority
ex Article 33 of the GDPR.
6. Preparing prior consultation ex Article 36 of the GDPR.

5.3.2 Step 2 | Determine the scope of the inventory


What is the scope of the current inventory of personal data? In other words,
how far does the scope of this inventory of processing activities reach? As
practical guidance, roughly the following five legal scopes[144] can be
distinguished, each entailing relevant norms, rights and obligations in the
context of processing personal data pursuant to the GDPR.

1. The GDPR and other EU-provisions


The central point here is inventorying personal data relating to
compliance with obligations on account of:
1) the GDPR, and/or
2) other Union or Member State data protection provisions, such as those
mentioned in, among others, Article 22 of the GDPR.
2. National laws and regulations to implement the EU GDPR
Pursuant to Article 23 GDPR, Member State law to which the controller or
processor is subject may restrict, by way of a legislative measure, the scope
of the obligations and rights provided for in Articles 12 to 22 and Article 34,
as well as Article 5 GDPR.
3. Industry codes of conduct
For organisations operating in certain sectors, codes of conduct within the
meaning of Article 40 of the GDPR can be applicable. Compliance with the
relevant norms, rights and obligations in those codes of conduct can involve
the processing of personal data that could be part of the intended
inventory (or inventories) of personal data. An overview of codes of conduct
in force can usually be found on the website of the national Data Protection
Authority (DPA).
4. Industry security codes
From the security policy rules of the Dutch DPA (in particular the
Guidelines)[145] it can be inferred that organisations are supposed to comply
with the relevant industry security standards when processing personal data.
See in this context, for example, also Article 24(3) of the GDPR, which states
that adherence to approved codes of conduct as referred to in Article 40 or
approved certification mechanisms as referred to in Article 42 may be used as
an element by which to demonstrate compliance with the obligations of the
controller.[146]
In the view of the Dutch DPA, security standards are the outcome of the
‘lessons learned’ in the security of a specific industry or in a specific
technological environment. They represent which measures are generally
considered ‘appropriate’ by security specialists within the specific context
and, in the case of more technically oriented standards, which technological
measures have to be applied for security. With great regularity, new security
standards and new versions of existing security standards are published,
following new developments within the field of expertise. Correct use of
contemporary security standards enables the controller to take appropriate
measures and to arrive at a balanced and effective package of technical and
organisational measures.
If and insofar as specific personal data are being processed in the context of
relevant industry security measures, it is recommended (also considering the
(general) security duty of care pursuant to Article 32 of the GDPR) to make
these security measures an integral part of the relevant inventories of
personal data at hand.

5. Organisation specific (internal) regulations


For certain specific inventories of personal data, it is important to survey
which processing of personal data is of interest within the framework of
relevant specific (internal) regulations.
When, for example, an inventory of personal data is developed in view of the
handling of certain complaints by co-workers, it is recommended to also
include in the scope the processing of (the required) personal data in the
context of the internal ‘complaints regulation for co-workers’, provided,
naturally, that this suits the goal of the inventory.

5.3.3 Step 3 | Design and use a Data Inventory Template (DIT)


Which personal data should be in the inventory? Given the rationale, the goal
(or goals) and the scope of the inventory, a minimum set of personal data can
be identified. However, taking stock of personal data often has a certain
‘surprise effect’, in the sense that one might come across ‘redundant personal
data’: data that are not strictly necessary to have (to process).
After the goal(s) and the scope of the intended inventory are determined, a
Data Inventory Template (DIT) can be designed to structure discovered
personal data and to describe data processing activities, the corresponding
data elements and the related data filing systems (datasets). In doing so, it is
advised to keep in mind that according to Article 4(6) of the GDPR a filing
system is defined as any structured set of personal data which are accessible
according to specific criteria, whether centralised, decentralised or dispersed
on a functional or geographical basis.
As a result of the inventory of personal data, at least the following two lists
have to be produced.

1. A list of discovered (collected) data elements. Examples of data
elements are: first name, last name, e-mail address, postal address,
phone number, mobile phone number and social security number
(SSN).
2. A list of discovered (inventoried) metadata[147]. Metadata give more
detailed information on the discovered personal data and can be
subdivided into the following three categories.

a) descriptive metadata: for example, origin and background of the
personal data.
b) structural metadata: for example, system sources, such as a CRM
system or other database applications.
c) administrative metadata: for example, when and how the data were
acquired (permission), access rights, to whom they are supplied
and retention periods.

5.3.4 Step 4 | Identify sources of personal data


Before the actual operational activities of making an inventory of personal
data (step 5) can be initiated, in step 4 a list has to be composed of sources
that could contain relevant personal data. For this, the input from the
above-mentioned Data Inventory Template (DIT) is key. In general, the
following categories of ‘sources of personal data’ can be distinguished:

1. Desktops.
2. Laptops.
3. Mobile phones.
4. Cloud.
5. Results of search engines.
6. Servers.
7. Desks and cabinets.
8. Registration of visitors.
9. Corporate applications (corporate calendars, intranet etc.).
10. Customer relation systems (CRM-systems).

5.3.5 Step 5 | Complete the DIT


In the fifth step, the process of actually making the desired inventory of
personal data is operationalised. The identified ‘sources of personal data’
have to be entered in the DIT and completed in order to get a more
comprehensive understanding of the context in which the personal data (in
light of the goal of the inventory) are being processed.
Keeping the expected added value of an inventory of personal data in mind,
it is advisable to make at least the following two efficiency efforts.

1. Indicate, when completing the DIT, whether the specific data
element relates to a special category of personal data. Special
categories of personal data require, after all, extra attention,
because Article 9(1) of the GDPR in principle forbids the
processing of special personal data, unless the conditions of Article
9, paragraphs 2, 3 and 4 are met.
2. Classify, when completing the DIT, the risk category to which the
specific data element relates. A practical classification into, for
example, public information, confidential information and sensitive
information can provide a useful indication for the (yet to be
implemented) appropriate technical and organisational measures to
safeguard a security level attuned to the risk at hand.
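Steps 3 to 5 together describe the DIT as a data structure: one row per discovered data element, carrying descriptive, structural and administrative metadata, a special-category flag and a risk class. The following Python module is an added example, not part of the handbook and not any tool's own code. It models one DIT row as a record and reports the gaps a DPO would want surfaced before the inventory is used: missing administrative metadata (acquisition ground, access rights, recipients, retention period), a missing system source, a special-category element without a recorded Article 9(2) to (4) condition, and a special-category element not classed as ‘sensitive’. The field names, the required administrative keys, the three risk classes (the handbook's public/confidential/sensitive example used as labels), and the three sample rows are assumptions constructed for this example; the Article 9(1) category list is the statutory one.

```python
"""Data Inventory Template (DIT) rows as records with completeness checks.

Added example (not from the handbook): one DIT row per discovered data
element, carrying the three metadata categories of Step 3 and the two
Step 5 flags.  Field names, risk classes and sample rows are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Article 9(1) GDPR special categories, used as a lookup for the Step 5 flag.
SPECIAL_CATEGORIES = {
    "racial or ethnic origin", "political opinions",
    "religious or philosophical beliefs", "trade union membership",
    "genetic data", "biometric data", "health data",
    "sex life or sexual orientation",
}
# Risk classes follow the handbook's example classification (assumed as labels).
RISK_CLASSES = ("public", "confidential", "sensitive")
# Administrative metadata every row must carry (assumed required set).
REQUIRED_ADMIN = ("acquired", "access_rights", "recipients", "retention")


@dataclass
class DataElement:
    name: str                                                     # e.g. "e-mail address"
    descriptive: Dict[str, str] = field(default_factory=dict)     # origin, background
    structural: Dict[str, str] = field(default_factory=dict)      # system source, e.g. CRM
    administrative: Dict[str, str] = field(default_factory=dict)  # acquisition, access, recipients, retention
    special_category: str = ""        # one of SPECIAL_CATEGORIES, "" if not special
    art9_condition: str = ""          # Article 9(2)-(4) ground relied on, if special
    risk_class: str = "confidential"


def validate_element(e: DataElement) -> List[str]:
    """Return the gaps found in one DIT row; an empty list means the row is complete."""
    issues = []
    for key in REQUIRED_ADMIN:
        if not e.administrative.get(key):
            issues.append(f"{e.name}: administrative metadata '{key}' missing")
    if not e.structural.get("source"):
        issues.append(f"{e.name}: structural metadata 'source' missing")
    if e.risk_class not in RISK_CLASSES:
        issues.append(f"{e.name}: unknown risk class '{e.risk_class}'")
    if e.special_category:
        if e.special_category not in SPECIAL_CATEGORIES:
            issues.append(f"{e.name}: '{e.special_category}' is not an Article 9(1) category")
        if not e.art9_condition:
            issues.append(f"{e.name}: special category without Article 9(2)-(4) condition")
        if e.risk_class != "sensitive":
            issues.append(f"{e.name}: special category data should be classed 'sensitive'")
    return issues


def inventory_gaps(elements: List[DataElement]) -> Dict[str, List[str]]:
    """Map each incomplete row to its issues; complete rows are omitted."""
    gaps = {}
    for e in elements:
        issues = validate_element(e)
        if issues:
            gaps[e.name] = issues
    return gaps


def risk_overview(elements: List[DataElement]) -> Dict[str, int]:
    """Count rows per risk class: the overview Step 5 aims at when choosing measures."""
    counts = {c: 0 for c in RISK_CLASSES}
    for e in elements:
        counts[e.risk_class] = counts.get(e.risk_class, 0) + 1
    return counts


# Constructed sample rows (no real data).
SAMPLE_DIT = [
    DataElement(
        name="e-mail address",
        descriptive={"origin": "web shop account registration"},
        structural={"source": "CRM system"},
        administrative={"acquired": "contract (order)", "access_rights": "sales team",
                        "recipients": "parcel carrier", "retention": "7 years after last order"},
        risk_class="confidential",
    ),
    DataElement(
        name="sickness absence record",
        descriptive={"origin": "HR absence reporting"},
        structural={"source": "HR application"},
        administrative={"acquired": "employment law obligation", "access_rights": "HR only",
                        "recipients": "occupational health service"},  # retention missing
        special_category="health data",      # Article 9(1) data ...
        risk_class="confidential",           # ... but not classed as sensitive, no Art. 9(2) ground
    ),
    DataElement(
        name="social security number (SSN)",
        descriptive={"origin": "employee onboarding"},
        structural={},                       # system source not recorded
        administrative={"acquired": "tax law obligation", "access_rights": "payroll",
                        "recipients": "tax authority", "retention": "5 years after leaving"},
        risk_class="sensitive",
    ),
]

if __name__ == "__main__":
    for name, issues in inventory_gaps(SAMPLE_DIT).items():
        print(name)
        for issue in issues:
            print("  -", issue)
    print(risk_overview(SAMPLE_DIT))
```

Run as a script, the module lists the incomplete rows (the sickness absence record with three issues, the SSN with one) and the count per risk class; in practice the rows would be loaded from the organisation's own DIT spreadsheet rather than from the constructed list.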

5.3.6 Personal Data Process Flow (PDPF)


In the context of assembling an inventory of personal data within the
organisation, flow charts turn out to be a useful (control) instrument. Flow
charts can essentially be considered schematic representations of a certain
process.
Special characteristics of a flow chart are:

1. A flow chart provides a clarifying visualisation of what de facto
happens with personal data from the moment they are acquired.
2. A good flow chart consists of a handful of standard symbols.
3. A flow chart maps different levels of detail. Flow charts can vary
from simple schemes that are factually no more than an action plan
to production schemes of multiple pages.
4. Good flow charts can be made with simple means for which no
complex, expensive packages are necessary (pen and paper,
PowerPoint, Visio, Word or Excel).
5. The technique for constructing a flow chart is generically
applicable to various industries, enterprises, organisations or
institutions. With a PDPF, the processes and data within a
hospital, a government, a bank, an automatically controlled lathe, the
autopilot of an airplane, as well as IT systems can be described,
regardless of the complexity.
In general, a flow chart contains a starting point, destinations, input, output,
possible paths and the decisions that lead to those paths. Back in 1985, the
International Organization for Standardization (ISO) had already laid down,
in ISO standard 5807[148], several conventions and standard symbols under
the euphonious title ‘Information processing – Documentation symbols
and conventions for data, program and system flowcharts, program network
charts and system resources charts.’ The most important standard symbols to
survey data process flows are, according to ISO 5807, the following.
Figure 5.8 Flowchart ISO 5807
Depending on the (complexity of the) corporate processes of the organisation,
it is recommended to create flow charts on at least the following three
levels for the performance of the DPO tasks mentioned in Article 39 of the
GDPR.

1. Between the systems used.
2. Between relevant (corporate) processes.
3. Between countries (in particular those situated outside the EEA).
In the latter case, the following practically relevant ‘transfer mechanisms’
should be included in the flow charts.

1. Standard Contractual Clauses (SCCs).
2. Binding Corporate Rules (BCRs).
3. National DPA approval of individual transfers of data.
4. EU-US Privacy Shield (to the US).
5. National and international Cross Border Privacy Rules (to Asia).
6. Adequacy decisions or derogations from these, such as consent
(approval) and compliance with contractual obligations.
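Levels 1 and 3 above (flows between systems and between countries) and the transfer-mechanism list can be kept together in one machine-readable PDPF. The following Python module is an added example, not from the handbook or any product. It renders a list of flows as Graphviz DOT text (systems grouped per country, edges labelled with the data elements they carry, flows leaving the EEA drawn dashed and, when no transfer mechanism is recorded, in red) and returns the flows that lack a mechanism, which is the list a DPO needs to resolve first. The EEA country set, the mechanism labels (abbreviated from the handbook's list), the node and flow records and the sample flows are constructed assumptions; no real systems or transfers are described.

```python
"""Personal Data Process Flow (PDPF) rendered as a Graphviz flowchart.

Added example (not from the handbook): flows between systems in
different countries are turned into DOT text, and flows that leave the
EEA without a recorded transfer mechanism are listed.  Country set,
mechanism labels, node and flow records and sample flows are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# EEA members by ISO 3166-1 alpha-2 code (EU-27 plus Iceland, Liechtenstein, Norway).
EEA: Set[str] = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}
# Labels for the handbook's transfer mechanisms (abbreviations are assumed).
TRANSFER_MECHANISMS = {
    "SCC", "BCR", "DPA approval", "Privacy Shield", "CBPR", "adequacy", "derogation",
}


@dataclass(frozen=True)
class Node:
    name: str      # system or process, unique across the chart
    country: str   # ISO alpha-2 code of where it is operated


@dataclass
class Flow:
    src: Node
    dst: Node
    data: str                        # data elements carried, e.g. "name, e-mail address"
    mechanism: Optional[str] = None  # transfer mechanism, needed when leaving the EEA


def leaves_eea(f: Flow) -> bool:
    """True for a flow from an EEA system to a non-EEA system."""
    return f.src.country in EEA and f.dst.country not in EEA


def flows_missing_mechanism(flows: List[Flow]) -> List[Flow]:
    """Flows leaving the EEA without a recognised mechanism: the first items to resolve."""
    return [f for f in flows if leaves_eea(f) and f.mechanism not in TRANSFER_MECHANISMS]


def to_dot(flows: List[Flow]) -> str:
    """Render the PDPF as DOT: one cluster per country, edges labelled with the
    data carried; cross-border edges dashed, and red when no mechanism is recorded."""
    by_country: Dict[str, Set[str]] = {}
    for f in flows:
        for n in (f.src, f.dst):
            by_country.setdefault(n.country, set()).add(n.name)
    lines = ["digraph PDPF {", "  rankdir=LR;"]
    for c in sorted(by_country):
        suffix = "" if c in EEA else " (outside EEA)"
        lines.append(f'  subgraph "cluster_{c}" {{')
        lines.append(f'    label="{c}{suffix}";')
        for name in sorted(by_country[c]):
            lines.append(f'    "{name}";')
        lines.append("  }")
    for f in flows:
        label = f.data
        attrs = []
        if leaves_eea(f):
            attrs.append("style=dashed")
            if f.mechanism in TRANSFER_MECHANISMS:
                label += f"\\n[{f.mechanism}]"   # DOT line break inside the edge label
            else:
                attrs.append("color=red")
        attrs.insert(0, f'label="{label}"')
        lines.append(f'  "{f.src.name}" -> "{f.dst.name}" [{", ".join(attrs)}];')
    lines.append("}")
    return "\n".join(lines)


# Constructed sample chart: a web shop, its CRM, an HR system and two
# external processors outside the EEA.
WEB_SHOP = Node("web shop", "NL")
CRM = Node("CRM", "NL")
MAILER = Node("e-mail service provider", "US")
HR_APP = Node("HR application", "DE")
PAYROLL = Node("payroll outsourcer", "IN")

SAMPLE_FLOWS = [
    Flow(WEB_SHOP, CRM, "name, e-mail address"),
    Flow(CRM, MAILER, "e-mail address", mechanism="SCC"),
    Flow(HR_APP, PAYROLL, "name, bank account, salary"),  # no mechanism recorded
]

if __name__ == "__main__":
    print(to_dot(SAMPLE_FLOWS))   # pipe into: dot -Tpng -o pdpf.png
    for f in flows_missing_mechanism(SAMPLE_FLOWS):
        print("missing transfer mechanism:", f.src.name, "->", f.dst.name)
```

The DOT output needs no Python library; any Graphviz installation renders it. Flows within the EEA are not checked for a mechanism because Chapter V of the GDPR applies to transfers to third countries; the check deliberately treats an unrecognised mechanism label the same as a missing one, so a typo in the PDPF shows up as red rather than silently passing.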

5.3.7 Data quality management[149]


In the GDPR, the importance of data quality is emphasised in various places,
especially in the context of binding corporate rules (see Article 47(2)(d) of
the GDPR). One could describe data quality (from a GDPR perspective) as
the degree to which elementary personal data (personal data elements) are
suitable for respecting the ‘Principles relating to processing of personal
data’ formulated in Article 5. Managing (controlling) data quality (once a
certain level of data quality is reached) is therefore of great interest for
several GDPR related (compliance) reasons, of which at least the following
are mentioned.

1. General GDPR privacy duty of care following from Article 5 of the
GDPR.
2. Recording and documentation duty ex Article 30 of the GDPR.
3. Data Protection Impact Assessments (Article 35 of the GDPR).
4. Protecting the rights of data subjects (chapter III of the GDPR).

In order to achieve a certain level of preferred data quality, in any case, it is
important that sufficient attention is being paid to the following aspects.

1. Establishing a ‘programme of requirements’ for data quality.
2. Establishing clear goals.
3. Designing processes to achieve the intended goals with data
quality.
4. Appointing process manager(s).
5. Efficient use of metadata.

5.3.8 Support by IT

Labour intensive processes like taking stock of all cross-company processed
personal data (personal data elements) are well suited to efficient support by
software. Therefore, it is highly recommended to consult (internal or
external) IT specialists on the question of how IT can support achieving the
desired inventory goals (including the data quality discussed above).

Attention in this regard can also be given to using flow charts such as the
above-mentioned Personal Data Process Flows (PDPFs), realising cost
reductions, managing data quality and using IT in assessing material privacy
norms (such as the general GDPR duty of care to process data lawfully and
fairly).

5.4 Inventory of personal data

5.4.1 The reasoning behind an inventory plan


Making an inventory of personal data (with or without supporting software)
can be relatively complex when it is executed without a clear plan (and/or
clear scope). Without a plan, the controller is like a ship lost at sea
without a map, compass or radio. One knows roughly where one wants to
end up, but the chances of actually arriving there are slim to none.
Thorough planning is an integral part of the design process (set-up) of any
good (value adding) inventory plan. In general, a well-prepared inventory
plan offers the following advantages. A good (value adding) inventory plan:

1. Enhances the de facto accomplishment of the established (GDPR)
goals.
2. Provides overview and control.
3. Provides the opportunity to set priorities and apply a clear focus.
4. Provides better insight into available timelines.
5. Helps to stay on track (time management).
6. Enhances effective productivity.
7. Enhances understanding of, and emphasises the importance of, an
inventory.
8. Increases the chance that certain activities are actually
implemented.
9. Prevents important tasks from becoming urgent tasks (prevents
stress).
10. Increases insight into the necessary resources (IT, capital and
people).

5.4.2 Roadmap of an inventory plan[150]


Figure 5.9 Roadmap Inventory Plan (RIP)
5.4.2.1 Mandate for the inventory
The first step on the Roadmap for a Personal Data Inventory (RPDI) is to
obtain a (legally) sufficient mandate to operationalise whatever activity is
needed to actually produce the desired inventory. A good mandate for
making a cross-company inventory of processed personal data contains at
least a clear description of the following elements.

1. Specifics of what should be part (at data element level) of the
proposed inventory.
2. The purpose(s) of the inventory assignment.
3. The inventory competences conferred by the mandate.
4. The (legal and/or management) scope of the inventory.
5.4.2.2 Inventory Team
A good inventory plan needs a good inventory team, which is an essential
factor for successfully identifying personal data in order to produce a decent
inventory. After all, any team that is unable to achieve the (upfront) defined
goals could suffer from frustration(s) and loss of resources (invested hours
and financial means). In general, the following five aspects are identified as
important for the good functioning of the inventory team.

1. Competent chairman of the inventory team


A competent chairman of the inventory team plays a pivotal role in driving the
inventory plan to success. The professionalism of the project manager
determines for the most part the success of the project. Both the good
internal functioning of the team and the external dissemination of the
importance of the inventory plan play a role in this.

2. Composition of the inventory team


It is important that the project manager achieves a balance in the team
between the various roles. With reference to Belbin[151], the following is of
interest for said balance:

1. Coordination and substantive work.
2. Creativity and having an eye for restrictions.
3. Exuberance and diplomacy.
4. Specialisation and overview.
Within the context of the composition of a good inventory team, the
following practical aspects can be distinguished; see figure 5.10.
Figure 5.10 Practical aspects of an assessment team

3. Development of the inventory team


Once the inventory team is composed, a competent project manager steers the
team in the right direction. Tuckman[152] distinguishes in his ‘stages of team
development’ the following five phases, which ought to be passed through
sequentially.

1. Forming.
2. Storming.
3. Norming.
4. Performing.
5. Adjourning.

4. Soft aspects of the inventory team


As in every organisation, a team can often develop its own culture. This
entails the atmosphere in the team, enthusiasm, perseverance, exuberance
etc., or precisely the lack of these. In virtually all project teams in which
team members collaborate intensively, a team spirit will come into
existence, especially over a longer period. This can be a positive stimulus for
realising the team results.
5. Hard aspects of the inventory team
In a well-functioning professional inventory team, proper knowledge is
present, as well as the necessary abilities and skills that can be deployed. A
good project manager defines the desired competences prior to the activities
of the team and the appointment of the team members concerned.

5.4.2.3 Execution of the inventory project


Figure 5.11 Execution of the inventory project

5.4.2.4 Stakeholder management


Competent project managers endorse the basic assumption that for a
successful completion of the inventory project, all relevant stakeholders must
be identified and actively involved.
A stakeholder is a person or organisation that is actively involved in the
project, or whose interests can be influenced positively or negatively by the
execution or completion of the project. A stakeholder can also influence the
project and its results. Generally, regarding privacy and data protection, the
following parties can be considered stakeholders:

1. Resource managers.
2. Senior management.
3. HRM-managers.
4. Security managers.
5. Suppliers and sales.
6. Customers.
7. Supervisors.
8. Marketing divisions.
9. Public relations.
10. Supporting personnel.
Some reasons for the project manager to invest in a good relationship
with stakeholders are the following:

1. Prevent scope creep.
2. Raise the tolerance thresholds for privacy risks.
3. Enhance the acceptance rate of the results of the inventory project.
4. Reduce the risk of negative influence on the inventory project.

5.4.2.5. Review and update plan


Before any inventory project can be finished, it is advisable to plan periodic
reviews at several stages of the project, based on the intended alignment with
the final results. Where necessary, the project should be adjusted (mitigated).
The goal of reviewing and updating is therefore to adjust activities in a
timely manner (for example completing the Data Inventory Templates) in the
light of the intended inventory goals. In contrast to many other reviews, the
review being discussed is ‘future-oriented’: all eyes should be kept on the
factual accomplishment of the intended goals and end results of the desired
inventory.

It is recommended to plan (make arrangements) beforehand concerning the
method (approach) of ‘review and update’, in order to be ahead of (avoid)
possible negative sentiments. In this respect, the following practical
considerations for the project manager can be mentioned.

1. Coordinate beforehand within the project team which questions
must be discussed.
2. Choose a constructive, positive approach (allow differing views).
3. Determine the method by which at least the most important
stakeholders can be actively involved.
4. Prevent it from becoming a ‘clique’ between the principal and the
project manager. Give all (project) co-workers the opportunity to
provide relevant input.
5. Give special attention to processes and positive results of
collaboration.

5.4.2.6 Final reports (Article 5(2) of the GDPR)


The inventory project should (just like any other company project) be
concluded with a thorough final report, with the primary aim of
demonstrating accountability.
Any processing of personal data should be lawful and fair. It should be
transparent to natural persons that personal data concerning them are
collected, used, consulted or otherwise processed and to what extent the
personal data are or will be processed. The principle of transparency requires
that any information and communication relating to the processing of those
personal data be easily accessible and easy to understand, and that clear and
plain language be used (according to recital 39 GDPR).
To a certain extent – at least in the area of processing of personal data –
Article 5(2) GDPR adds an extra (justification) dimension to reports and to
the underlying ‘evidence’ for conclusions that are based on final reports.
According to that article, the controller shall be responsible for compliance
with Article 5(1) of the GDPR (principles relating to processing of personal
data) and be able to demonstrate compliance (‘accountability’). In particular
if the current inventory project has (also) set as an objective compliance with
the general GDPR privacy duty of care of the controller, the following
provisions of Article 5(1) are especially relevant to the design of the final
report of the inventory project. After all, according to Article 5(1) personal
data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to
the data subject (‘lawfulness, fairness and transparency’).
b. collected for specified, explicit and legitimate purposes and not
further processed in a manner that is incompatible with those
purposes. Further processing for archiving purposes in the public
interest, scientific or historical research purposes or statistical
purposes shall, in accordance with Article 89(1), not be considered
to be incompatible with the initial purposes (‘purpose limitation’).
c. adequate, relevant and limited to what is necessary in relation to the
purposes for which they are processed (‘data minimisation’).
d. accurate and, where necessary, kept up to date. Every reasonable
step must be taken to ensure that personal data that are inaccurate,
having regard to the purposes for which they are processed, are
erased or rectified without delay (‘accuracy’).
e. kept in a form which permits identification of data subjects for no
longer than is necessary for the purposes for which the personal
data are processed.
f. personal data may be stored for longer periods insofar as the
personal data will be processed solely for archiving purposes in the
public interest, scientific or historical research purposes or
statistical purposes in accordance with Article 89(1), subject to
implementation of the appropriate technical and organisational
measures required by this Regulation in order to safeguard the
rights and freedoms of the data subject (‘storage limitation’).
g. processed in a manner that ensures appropriate security of the
personal data, including protection against unauthorised or
unlawful processing and against accidental loss, destruction or
damage, using appropriate technical or organisational measures
(‘integrity and confidentiality’).

5.4.3 Success factors for a good inventory plan


Referring to the Standish Group Chaos Report 2014,[153] one could generally
distinguish the following factors that contribute to effectively achieving the
defined goals of the inventory project:

1. Strong involvement of team members.
2. Strong involvement of higher management.
3. Proper planning.
4. Realistic expectations.
5. Smaller project milestones.
6. Project co-workers with sufficient expertise.
7. Competent project co-workers.
8. Ownership of the principal with the project management.
9. Clearly formulated vision & corporate objectives.
10. Hard-working, result-oriented staff.

5.5. Role of the DPO and inventory of personal data


In daily practice, DPOs often design, create and maintain inventories and
hold a register of processing activities based on information provided to them
by the various departments in their organisation responsible for the
processing of personal data, according to the EDPB (formerly known as
WP29).[154] This practice has been established under many current national
laws and under the data protection rules applicable to the EU institutions and
bodies.[155]
As observed before, the DPO is supposed to perform his or her tasks in the
full range of the GDPR obligations. In the wordings used by Article 39(1)(a)
GDPR, ‘The data protection officer shall have at least the task to inform and
advise the controller or the processor and the employees who carry out
processing of their obligations pursuant to this Regulation and to other Union
or Member State data protection provisions.’

Some people take the view that keeping a register ex Article 30 is about the
only optional task that the DPO could perform next to the tasks mentioned in
Article 39. They believe that the only task of the controller/processor that
may be shifted to the DPO is keeping the register of processing activities
under Article 30 of the GDPR, since it directly contributes to the tasks of the
DPO under the GDPR. In the context of keeping a register (pursuant to
Article 30 of the GDPR), an important role is reserved for the DPO in the
context of inventorying personal data.

Certainly, it is paramount for the professional performance of any task of the
DPO to have a panoramic, holistic view of all personal data processing
activities (including relevant data elements) within the organisation. This is
the case whether or not the DPO has the optional task to keep a register ex
Article 30, and whether or not the DPO is personally (as project manager or
otherwise) involved in inventorying personal data within the organisation.
If there is no complete and qualitatively good overview of all processing of
personal data, this can negatively influence a professional performance of
DPO tasks, especially considering the vision, mission and strategy (VMS) of
the DPO work plan as already discussed extensively.
If the DPO is involved in the inventory of personal data (for example as a
sparring partner or as a member of a steering committee, project manager or
as member of the inventory project team), the DPO should, also in light of
the practical development of the DPO work plan, pay special attention to the
vision, mission and strategy (VMS) of the own DPO work plan in the context
of the legal minimum tasks of the DPO (within the meaning of Article 39 of
the GDPR).
Hereinafter, in paragraph 5.6, a general table of reference for a DPO work
plan GDPR inventory is included, which provides a general framework and
can be detailed by the DPO given the specifics of the own organisation and
the DPO's independent views during the inventory project within the own
enterprise, institution or organisation.

5.6 DPO Work Plan Table of Reference: GDPR inventory

With the aim of, among others, providing insights into the role of the
professional DPO as far as assembling a GDPR inventory is concerned (in
view of the vision, mission and strategy (VMS) of the DPO work plan), the
following ‘DPO work plan table of reference’ is composed which could serve
as a general framework for the DPO. Of course, this ‘Table of Reference’
should be tailored and specified to the own enterprise, institution or
organisation and by doing so the professional DPO (pursuant to Article 39(2)
GDPR) shall have due regard to the risk associated with processing
operations, taking into account the nature, scope, context and purposes of
relevant processing of personal data.

CHAPTER 6
DPO WORK PLAN GDPR COMPLIANCE
BASELINE AND GAP-ANALYSIS
6.1 Introduction

6.1.1 Definitions of a GDPR baseline and GDPR gap-analysis

A GDPR baseline can generally be described as a (methodologically sound)
activity whose ultimate result is a comprehensive ‘state of present affairs’
concerning compliance with the GDPR obligations of the controller,
processor and employees.[156] The output of a professionally carried out
GDPR baseline is a clear overview of all relevant GDPR obligations. Each
obligation is checked to see whether or not (yes/no) all compliance
requirements are fulfilled. In general, it can be assumed that the end result of
a good GDPR baseline provides a representative overview of the ‘actual state
of GDPR compliance’ of the enterprise, institution or organisation at a
particular (given) moment in time (t=0).
While performing a GDPR gap-analysis, each gap found as a result of the
GDPR baseline exercise, that is, each relevant GDPR obligation which is not
complied with, is analysed thoroughly with the specific aim of defining
clearly defined (additional) measures and actions which (if carried out
correctly) will ultimately result in a confirmed state of compliance with the
relevant GDPR obligation. Basically, a GDPR gap is the difference between
the current factual situation (t=0) concerning the level (yes/no) of compliance
with (obligations pursuant to) the GDPR, as emerged from the GDPR
baseline, and the intended future situation (t>1) concerning the (beforehand
defined) level of compliance with (obligations pursuant to) the GDPR. This is
also defined as the GDPR compliance difference (or GDPR compliance gap,
abbreviated as GDPR gap). In essence, a well performed GDPR gap-analysis
results in a list of concrete measures and actions that have to be carried out in
order to realise the intended GDPR ambition level of compliance. These
definitions immediately give rise to the following questions:

1. What is the ratio (reason) for a GDPR baseline and a GDPR gap-
analysis?
2. What is the utility (added value) of a GDPR baseline and a GDPR
gap-analysis?
3. Which dimensions (kinds) of a GDPR baseline respectively GDPR
gap-analysis exist?
4. What exactly should be measured with a GDPR baseline
respectively GDPR gap-analysis?
5. How detailed should a GDPR baseline respectively GDPR gap-
analysis be carried out?
6. What is the goal of a GDPR baseline respectively GDPR gap-
analysis?
7. What is the practical (management) value of a GDPR baseline
respectively GDPR gap-analysis?
8. What is meant by ‘methodologically’ justified?
9. Which GDPR compliance measuring instruments are there and how
should these GDPR compliance measuring instruments (GDPR
metrics) be used?
10. What to do when the relevant GDPR obligations are not complied
with?
11. What is the role of the DPO in the context of a GDPR baseline and
GDPR gap-analysis?
12. What is the characteristic difference between the GDPR baseline on
the one hand and the GDPR gap-analysis on the other hand?

6.1.2 Rationale of a GDPR baseline and GDPR gap-analysis

Based on the assumption that the ambition of every enterprise, institution
or organisation is to ultimately comply with all obligations pursuant to the
GDPR, performing a GDPR baseline and/or GDPR gap-analysis could add
value in several ways[157] among which the following.

1. Answering the question whether the enterprise, institution or
organisation does or does not comply with GDPR obligations.
2. Taking as a starting point the situation of non-compliance as
observed during the baseline (t=0), in the light of the ambition of
the organisation/enterprise a (step-by-step) route can be mapped
out to a situation of GDPR compliance with the particular GDPR
obligation.
3. A well-performed GDPR baseline and GDPR gap-analysis can
produce important information for the board and management
(risks, planning in a timely manner, necessary budgets, etc.).
4. Providing insights to the management to be able to take
appropriate (technical and organisational) measures on the basis of
policy priorities.
5. As a first step in a methodology (of 5 steps)[158] with the aim of
reaching GDPR compliance.
6. A well-performed GDPR gap-analysis strives to deliver a list of
measures and feasible concrete actions that (practically) result in
the envisioned status of GDPR compliance, after implementation.
7. Demonstrating the level of compliance with obligations pursuant to
the GDPR (‘accountability’ ex Article 5(2) of the GDPR).
8. Generating evidence in the context of GDPR assessments relating
to e.g. GDPR certification schemes such as EuroPrivacy.
Performing a GDPR baseline can have different rationales, ranging from
business intelligence (what is the present state of GDPR compliance) and
management purposes (planning for GDPR implementation, evaluation) to
reputation management and even reducing penalty risks. For example,
non-compliance with the general GDPR privacy duty of care (centred on the
processing principles of Article 5 GDPR) could result in substantial
penalties. In the wording of recital 39 of the GDPR, ‘It should be transparent
to natural persons that personal data concerning them are collected, used,
consulted or otherwise processed and to what extent the personal data are or
will be processed. The principle of transparency requires that any information
and communication relating to the processing of those personal data be easily
accessible and easy to understand, and that clear and plain language be used.
That principle concerns, in particular, information to the data subjects on the
identity of the controller and the purposes of the processing and further
information to ensure fair and transparent processing in respect of the natural
persons concerned and their right to obtain confirmation and communication
of personal data concerning them which are being processed.’[159] If, based
on the results of a GDPR baseline, a ‘state of GDPR non-compliance’ at a
certain point in time (t=0) is concluded, there should be a clear follow-up as
to how to proceed with those obligations of the GDPR that are not (yet)
complied with.

The rationale of a GDPR gap-analysis is usually characterised as providing
insight into the difference between the current (t=0) state of affairs as to
non-compliance with obligations pursuant to the GDPR on the one side and,
on the other side, what measures (actions) should be executed in order to
make sure that at a certain point in time in the near future (t=1)
non-compliance can be turned into compliance. Performing such a GDPR
gap-analysis could serve diverse goals, among which:

1. Providing insight into the necessary measures and actions that are
needed to comply with the general and specific obligations pursuant
to the GDPR.
2. Defining levels of ambition of GDPR compliance on the basis of a
maturity model.
3. Defining more detailed goals in the context of privacy
(implementation) projects.
4. Advancing efficiency of data processing.
5. Attracting sufficiently competent and capable personnel (internal or
external).
6. Providing important input for privacy project managers.
7. Advancing a privacy compliance ‘sense of urgency’ within the
organisation or specific departments and activities within the
organisation or enterprise.

6.1.3 Goals and side effects of baseline and gap-analysis

6.1.3.1 General goals of a GDPR baseline and GDPR gap-analysis


Every business, institution or organisation can set its own general goals for
performing a GDPR gap-analysis (of course, depending on own insights
and/or needs). From the GDPR, among others the following general goals can
be inferred.

1. Input for appropriate data protection policies (Article 24(2)).
2. Input for appropriate and effective measures (recital 74).
3. Control of purpose limitation (Article 5(1)(b)).
4. GDPR privacy duty of care compliance.
5. Duty of recording (Article 30).
6. Controlling the processes (requirements and controls).
7. Risk management and control.
8. Issue management and control.
9. Data Protection Impact Assessment (DPIA).
10. Accountability (Article 5(2)).

Figure 6.1 General goals

6.1.3.1.1 Input for appropriate data protection policies (Article 24(2) GDPR)

As a starting point for a (policy or implementation) plan, it is vital that
enterprises, organisations and institutions (controllers within the meaning of
Article 4 of the GDPR) can at least answer the question which obligations
pursuant to the GDPR are (already) complied with or not (GDPR baseline).
Provided that there is non-compliance with particular obligation(s) pursuant
to the GDPR, identifying what (within the meaning of concrete measures) has
to be done to nonetheless fulfil them (GDPR gap-analysis) is key.[160]
Policy makers should calculate what the impact of the GDPR is on current
processes, services and goods and which adaptations are necessary to comply
with the GDPR. Also, the fact that the implementation of the GDPR will
most probably require a substantial share of the available human and other
resources should be taken into account.

6.1.3.1.2 Input for appropriate and effective measures


According to recital 74 of the GDPR, the responsibility and liability of the
controller for any processing of personal data carried out by the controller or
on the controller's behalf should be established. In particular, the controller
should be obliged to implement appropriate and effective measures and be
able to demonstrate the compliance of processing activities with this
Regulation, including the effectiveness of the measures. Those measures
should take into account the nature, scope, context and purposes of the
processing and the risk to the rights and freedoms of natural persons. In
determining the measures to be taken for nonetheless fulfilling the
obligations pursuant to the GDPR, these factors can be taken into account.
Pursuant to recital 51 of the GDPR, personal data which are, by their nature,
particularly sensitive in relation to fundamental rights and freedoms merit
specific protection as the context of their processing could create significant
risks to the fundamental rights and freedoms.

6.1.3.1.3 Control of purpose limitation (Article 5(1)(b) GDPR)


The question why, with which purposes, the enterprise, institution or
organisation actually is performing processing activities involving personal
data, is a pivotal question that data protection authorities ask themselves in
performing ‘an act of supervision’. Pursuant to Article 5(1)(b) of the GDPR,
personal data have to be collected for specified, explicit and legitimate
purposes and not further processed in a manner that is incompatible with
those purposes.[161]
Why answering this question can be qualified as ‘pivotal’ – and thus should
have an important place in a GDPR baseline and GDPR gap-analysis – is
because of the fact that if the answer is not clear (specified, explicit), this
could have a negative domino effect on further processing. After all,
processes cannot be continued in a manner that is incompatible with one of
the purposes. If a conducted GDPR baseline report shows that there is non-
compliance with the principle of purpose limitation, it deserves strong
recommendation to nonetheless define concrete measures and actions in the
context of the GDPR gap-analysis in order to comply with the purpose
limitation requirement.
6.1.3.1.4 GDPR privacy duty of care compliance
The controller is, ex Article 5(2), accountable for compliance with the
principles relating to processing of personal data (mentioned in Article 5(1)
of the GDPR).[162] Practically shaping compliance with these principles in the
form of concrete measures and actions in that context is one of the general
goals of a GDPR gap-analysis.
Figure 6.2 General GDPR privacy duty of care compliance
6.1.3.1.5 Duty to maintain a record of processing (Article 30)
Based on Article 30(1) of the GDPR, each controller[163] and, where
applicable, the controller's representative[164], shall maintain a record of
processing activities under its responsibility. That record shall contain all of
the following information:

a. the name and contact details of the controller and, where
applicable, the joint controller, the controller's representative and
the data protection officer (DPO).
b. the purposes of the processing.
c. a description of the categories of data subjects and of the categories
of personal data.
d. the categories of recipients to whom the personal data have been or
will be disclosed including recipients in third countries or
international organisations.
e. where applicable, transfers of personal data to a third country or an
international organisation, including the identification of that third
country or international organisation and, in the case of transfers
referred to in the second subparagraph of Article 49(1), the
documentation of suitable safeguards.
f. where possible, the envisaged time limits for erasure of the
different categories of data.
g. where possible, a general description of the technical and
organisational security measures referred to in Article 32(1).
With regard to the compliance obligation to maintain a record of processing
activities ex Article 30 of the GDPR, it seems common practice that, when
implementing a good GDPR gap-analysis (as the next step after the GDPR
baseline), the following general goals are also mentioned.

1. Verifying the exhaustiveness of the number of processes ex Article
30 of the GDPR.
2. Verifying the data to be recorded in the register as specified ex
Article 30(1)(a-g) of the GDPR.
6.1.3.1.6 Controlling the processes (requirements and controls)

Next to producing a list of concrete measures (and related specific actions),
the following general goals of a GDPR gap-analysis can be identified.

1. Concrete requirements which should be complied with in the context
of the implementation process (according to the GDPR).
2. Practical controls,[165] that is practical control measures that can be
introduced for controlling implementation processes.
It is recalled that the controller shall implement, on the basis of Article 24 of
the GDPR, appropriate technical and organisational measures to ensure and
to be able to demonstrate that processing is performed in accordance with this
Regulation (taking into account the nature, scope, context and purposes of
processing as well as the risks of varying likelihood and severity for the
rights and freedoms of natural persons).
6.1.3.1.7 Risk management and control
As previously discussed in chapter 2, the term ‘risk’ plays a central role in the
GDPR.[166] The risk to the rights and freedoms of natural persons, of varying
likelihood and severity, may result, according to recital 75 of the GDPR,
from personal data processing which could lead to physical, material or
non-material damage, in particular where the processing may give rise to:

1. discrimination.
2. identity theft.
3. identity fraud.
4. financial loss.
5. damage to the reputation.
6. loss of confidentiality of personal data protected by professional
secrecy.
7. unauthorised reversal of pseudonymisation.
8. or any other significant economic or social disadvantage.
a. where data subjects might be deprived of their rights and
freedoms or prevented from exercising control over their
personal data.
b. where personal data are processed which reveal racial or
ethnic origin, political opinions, religion or philosophical
beliefs, trade union membership, and the processing of
genetic data, data concerning health or data concerning
sex life or criminal convictions and offences or related
security measures.
c. where personal aspects are evaluated, in particular
analysing or predicting aspects concerning performance at
work, economic situation, health, personal preferences or
interests, reliability or behaviour, location or movements,
in order to create or use personal profiles.
d. where personal data of vulnerable natural persons, in
particular of children, are processed.
e. where processing involves a large amount of personal data
and affects a large number of data subjects.

6.1.3.1.8 Issue management


The promotion of measures to be taken in case of incidents (issue
management) is in practice to be treated as an explicit purpose of any GDPR
gap-analysis. Accordingly, in the GDPR gap-analysis, extra attention should
be given to:

1. Identifying possible incidents (issues).
2. Reviewing the risk of incidents occurring.
In particular in the context of security issues[167], issue management plays a
key role. According to Article 32(1) of the GDPR (security of processing),
the controller and the processor shall implement appropriate technical and
organisational measures to ensure a level of security appropriate to the risk,
including inter alia as appropriate:

1. the pseudonymisation and encryption of personal data.
2. the ability to ensure the ongoing confidentiality, integrity,
availability and resilience of processing systems and services.
3. the ability to restore the availability and access to personal data in a
timely manner in the event of a physical or technical incident.

6.1.3.1.9 Data Protection Impact Assessment (DPIA)


Another general goal of a GDPR baseline and GDPR gap-analysis could be
to identify (future) processing of personal data for which pursuant to Article
35 GDPR a Data Protection Impact Assessment (DPIA) – also referred to as
Privacy Impact Assessment (PIA) – should be carried out. Consequently, ex
Article 35(3), a data protection impact assessment shall in particular be
required in the case of:

a. a systematic and extensive evaluation of personal aspects relating to
natural persons which is based on automated processing, including
profiling, and on which decisions are based that produce legal
effects concerning the natural person or similarly significantly
affect the natural person.
b. processing on a large scale of special categories of data referred to
in Article 9(1), or of personal data relating to criminal convictions
and offences referred to in Article 10.
c. a systematic monitoring of a publicly accessible area on a large
scale.
Consistent with the ‘list of required DPIAs’ of the European Data Protection
Board[168], a DPIA has to be carried out in the case of the following
processing activities.

1. Clandestine enquiry
2. Blacklists
3. Prevention of fraud
4. Credit scores
5. Financial situation
6. Genetic personal data
7. Health data
8. Collaborations
9. Camera surveillance
10. Flexible camera enforcement
11. Inspection of employees
12. Location data
13. Communication data
14. Internet of things
15. Profiling
16. Observation and influencing behaviour
17. Biometrical data processing

6.1.3.1.10 Accountability (Article 5(2) GDPR)


Pursuant to Article 5(2) of the GDPR, the controller shall be responsible for,
and be able to demonstrate compliance with, Article 5 paragraph 1 GDPR
(‘accountability’). A GDPR baseline and GDPR gap-analysis that is designed
to professional standards, well-structured and professionally performed does
not only provide important privacy management information (intelligence),
but also results in ‘evidence’ for that part of the GDPR obligations that are
already complied with. Moreover, it creates a clear overview of measures and
actions to be performed for those GDPR obligations that are not (yet)
complied with.
Considering the fact that the results of a good GDPR baseline and gap-
analysis could also provide insight for the privacy supervisory authority into
the obligations of the enterprise, organisation or institution pursuant to the
GDPR which are not complied with (yet), it deserves recommendation to
always supply such findings with (follow up) measures and actions,
preferably in terms of SMART (specific, measurable, acceptable, realistic,
time-bound).

6.1.3.2 Side effects of a GDPR baseline and gap-analysis


It is plausible that potential side effects of a GDPR baseline and gap-analysis
depend on its design and structure. In general, it could be argued that a proper
and competently performed GDPR baseline can lead to the following side
effects that could also be relevant for the DPO work plan.

1. Privacy awareness-raising (Article 39(1)(b)).
2. Promoting a better insight in the number of processing and
processing activities (Article 30).
3. Promoting insight into the importance of processing for company
critical processes (among others recital 74).
4. Promoting more effective monitoring by the DPO on the
compliance with the GDPR by the controller, processor and
employees (Article 39(2) GDPR).
5. Promoting insight into the necessary resources for both the
controller and the DPO (Article 38(2) GDPR).

Figure 6.3 Side effects


6.1.3.2.1 Promoting privacy awareness (Article 39(1) (b) of the GDPR)
Although not a main objective of the GDPR baseline and gap-analysis,
awareness-raising with regard to compliance with ‘obligations pursuant to the
GDPR’ is an important side effect. This already begins when the necessary
preparation for the performance of the GDPR baseline respectively gap-
analysis is initiated. During the subsequent process steps of the GDPR
baseline (hereinafter § 6.2) and the process steps of the GDPR gap-analysis
(hereinafter § 6.3), employees are constantly inspired with ‘food for thought’.

Based on Article 39(1)(b) of the GDPR, the DPO monitors, among others,
compliance with the GDPR, with other Union or Member State data
protection provisions and with the policies of the controller or processor in
relation to the protection of personal data, including the assignment of
responsibilities, awareness-raising and training of staff involved in processing
operations, and the related audits.
In monitoring compliance with the policies of the controller with regard to
‘awareness-raising’, the DPO pays sufficient attention to the main criteria of
a professional Privacy Awareness Programme, which can be depicted as
follows.

Figure 6.4 Privacy Awareness Programme (PAP)


6.1.3.2.2 Promoting insights into the number of processing and processing
activities

Notwithstanding the design and structure of the GDPR baseline and gap-
analysis, an important side effect (if and provided that it was not previously
set as a main goal), is that a better (more complete and often more detailed)
fact finding can be completed concerning the number and kinds of processing
of personal data as well as the concerned processing within the meaning of
Article 4(2) of the GDPR, ‘any operation or set of operations which is
performed on personal data or on sets of personal data, whether or not by
automated means, such as collection, recording, organisation, structuring,
storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction.’
For various evident (management) reasons, a good oversight of the number
and kinds of processing is of importance. A few reasons inferred from the
GDPR are recalled:
1. Any processing of personal data should be lawful and fair. It should
be transparent to natural persons that personal data concerning them
are collected, used, consulted or otherwise processed and to what
extent the personal data are or will be processed. The principle of
transparency requires that any information and communication
relating to the processing of those personal data be easily accessible
and easy to understand, and that clear and plain language be used
(recital 39 of the GDPR).[169]
2. Every reasonable step should be taken to ensure that personal data
which are inaccurate are rectified or deleted. Personal data should
be processed in a manner that ensures appropriate security and
confidentiality of the personal data, including for preventing
unauthorised access to or use of personal data and the equipment
used for the processing (recital 39 of the GDPR).
3. In order to prevent creating a serious risk of circumvention, the
protection of natural persons should be technologically neutral and
should not depend on the techniques used. The protection of natural
persons should apply to the processing of personal data by
automated means, as well as to manual processing, if the personal
data are contained or are intended to be contained in a filing system
(recital 15 of the GDPR).[170]
4. The processing of personal data for purposes other than those for
which the personal data were initially collected should be allowed
only where the processing is compatible with the purposes for
which the personal data were initially collected (recital 50 of the
GDPR).
5. Personal data which are, by their nature, particularly sensitive in
relation to fundamental rights and freedoms merit specific
protection as the context of their processing could create significant
risks to the fundamental rights and freedoms (recital 51 of the
GDPR).
6. A data subject should have the right of access to personal data
which have been collected concerning him or her, and to exercise
that right easily and at reasonable intervals, in order to be aware of,
and verify, the lawfulness of the processing (recital 63 of the
GDPR).
7. The responsibility and liability of the controller for any processing
of personal data carried out by the controller or on the controller's
behalf should be established. In particular, the controller should be
obliged to implement appropriate and effective measures and be
able to demonstrate the compliance of processing activities with
this Regulation, including the effectiveness of the measures. Those
measures should take into account the nature, scope, context and
purposes of the processing and the risk to the rights and freedoms
of natural persons (recital 74 of the GDPR).

6.1.3.2.3 Promoting insight into the importance of processing for core
processes

The results of the GDPR baseline and gap-analysis could lead to a better
insight into the prominence of GDPR compliance with obligations pursuant
to the GDPR for core processes of the enterprise, institution or organisation.
Core processes indeed differentiate across enterprises, institutions or
organisations, nonetheless, generally it could be said that in every enterprise,
institution or organisation at least three kinds of core processes can be
distinguished.

1. Primary (customised) processes.
2. Supporting processes.
3. Directing processes.
An overview of core processes with relevance for the processing of personal
data can be depicted as follows.
Figure 6.5 Core processes

6.1.3.2.4 Promoting more effective monitoring by the DPO (Article 39(2)
GDPR)

The DPO could indeed also benefit from the results of a well and
professionally conducted GDPR baseline in the performance of concrete
activities that are foreseen in the DPO work plan within the framework of
Article 39 of the GDPR.
As discussed in chapter 4 within the scope of the vision of the DPO work
plan, it is intended that the DPO undertakes concrete activities in order to
realise that obligations of the controller or the processor and the employees
who carry out processing activities pursuant to the GDPR (and to other Union
or Member State data protection provisions) are ultimately complied with.
Thanks to the unambiguous results of a GDPR baseline and gap-analysis, a
DPO is able to define his/her activities within the framework of ‘monitoring
compliance’ more effectively (more efficiently) and to prioritise within the
context of the following added value of the DPO work plan (discussed in
chapter 3).

1. DPO tasks and process management[171].
2. Improve the synergy with other business units.
3. Secure the interests of stakeholders.
4. Good cooperation with the DPA.
5. Prudential administration of audit results[172].
6. Risk and incidents administration[173].
7. Prevent recovery costs of privacy non-compliance.
8. Restrict accountability for suffered damage[174].
9. Reputation management.
10. Enrich a corporate privacy culture of integrity.
6.1.3.2.5 Promoting insight into the necessary resources for the DPO
(Article 38(2) of the GDPR)

The understanding (results) of the general GDPR compliance status obtained
from the GDPR baseline and gap-analysis ideally provides a list of concrete
measures and actions. This enables a more precise estimation of the relevant
costs linked to these measures and actions, resulting in a better
substantiation of financial support, and provides more insight in support of
the yet to be arranged budget requests of the DPO.
To some extent, these financial resources are detached from what ‘necessary
resources’ the DPO requires in performing his own tasks (as becomes
apparent from the DPO work plan). After all, according to Article 38(2) of
the GDPR, the controller shall support the data protection officer in
performing the tasks referred to in Article 39 by providing resources
necessary to carry out those tasks and to maintain his or her expert
knowledge.

6.1.4 Dream team for a GDPR baseline and gap-analysis

Performing a GDPR baseline is key for any compliance plan and is often
underestimated in practice; this applies even more to having a good team in
place to perform (or guide) a GDPR baseline. Not only is the importance of a
good team underestimated; unfortunately, it also frequently happens that an
enterprise, institution or organisation (demanding side) itself has no clear
understanding of the importance of a good team, let alone the right
composition of such a team. In the introduction of the first draft of the GDPR
(as published by the European Commission in January 2012), the importance
of a multidisciplinary approach was emphasised (depending on the factual
activities of the enterprise, institution or organisation). General disciplines
that could come to mind are for instance Legal, IT, Security, Compliance and
Ethics (the so-called ‘Privacy table of 5’).
Also for composing the ideal team for performing an enterprise-wide
inventory of personal data, it is important to note that not giving sufficient
attention to a balanced composition of the GDPR baseline team could lead to
defined goals not being achieved, finally leading to frustration and loss of
GDPR resources (invested hours and financial resources).
The following can be considered important aspects for composing a team for
successfully performing an efficient GDPR baseline and/or gap-analysis:

1. Competent GDPR project manager.
2. Composition of the GDPR project team.
3. Development of the GDPR project team.
4. Soft aspects of the GDPR project team.
5. Hard aspects of the GDPR project team.

Ad 1
Competent GDPR project manager
A competent project manager plays a crucial role in driving the performance
of a GDPR baseline or gap-analysis to a successful closure. Whereas a
professional project manager determines for the most part the success of the
project, both the internal good functioning of the project team as well as an
external dissemination of the importance of the end results of a GDPR
baseline and GDPR gap-analysis are important factors.
Ad 2
Composition of the GDPR project team
It is important that the GDPR project manager achieves a balance in the team
between the various roles, tasks and responsibilities.[175] Under reference to
Belbin[176], the following is of interest for said balance:

1. Coordination and substantive work.
2. Creativity and having an eye for restrictions.
3. Exuberance and diplomacy.
4. Specialisation and overview.
While composing the GDPR project team, the following points of interest
(and related steps) are distinguished:

development of the GDPR project team,
soft aspects of the GDPR project team and
hard aspects of the GDPR project team.

Figure 6.6 Team composition


Ad 3
Development of the GDPR project team
Once the GDPR project team is composed and fit for the performance of a
GDPR baseline or gap-analysis, a competent project manager steers the team
in the right direction. In general, Tuckman[177] distinguishes in his ‘stages of
team development’ the following five subsequent phases.

1. Forming.
2. Storming.
3. Norming.
4. Performing.
5. Adjourning.
Ad 4
Soft aspects of the GDPR project team
As in many organisations, any team develops its own culture. This entails the
atmosphere in the team, enthusiasm, perseverance, exuberance, etc., or
precisely the lack thereof. In virtually all project teams in which team
members collaborate intensively, a team spirit will come into existence,
especially over a longer period. This could result in positive stimuli for
realising the team results and set goals.

Ad 5
Hard aspects of the GDPR project team
For any professional team accountable for the performance of a GDPR
baseline or gap-analysis, expert knowledge should be available (or at least
accessible), as well as the necessary abilities and skills that have to be
deployed. A professional project manager specifies (defines and discusses)
these aspects prior to the composition of the team and adheres to all member
profile requirements when appointing the team in practice.

6.1.5 Management value of a GDPR baseline and gap-analysis


Apart from the fact that the results of a GDPR baseline and gap-analysis
allow at least part of the accountability obligation ex Article 5(2) to be
complied with, the GDPR baseline also provides useful information (GDPR
business management intelligence, if you wish) for (line) management.

6.1.6 Parameters of the GDPR baseline and GDPR gap-analysis

In order to reach a clear conclusion on the basis of a GDPR baseline or gap-
analysis as to whether the obligations pursuant to the GDPR ex Article
39(1)(a) are complied with, the relevant GDPR parameters for particular
GDPR obligations must be specified as concretely as possible. Within the
framework of GDPR privacy compliance too, measurements leave room for
expert judgement. Anticipating the more elaborate discussion of the
importance of clear definitions of GDPR parameters (hereinafter in § 6.3),
the following can in general be noted with regard to the quality of GDPR
parameters.

1. There are two types of GDPR obligations, namely ‘acts’ and
‘omissions’. In general, it could be said that a GDPR act requires an
active act.
2. The result of a GDPR baseline and gap-analysis should in practice
lead to a clear answer whether (part of) a GDPR obligation is
complied with or not (dichotomous test results: yes or no).
3. The GDPR consists of a number of hard norms (hard rules, for
example the prohibition to refuse of Article 12(2)) and a number of
soft norms (soft rules, such as the principles of Article 5(1) of the
GDPR).
4. The GDPR consists of a number of closed norms (obligation to act or
not to act) and a number of open norms (which are yet to be
specified, given the circumstances of a specific case).
5. The GDPR protects (pursuant to Article 2(2)) the fundamental rights
and freedoms of natural persons[178] that become (partly) apparent
from norms that are not incorporated or formulated in the GDPR
(ratio and spirit of the GDPR).
6. Pursuant to Article 2(2) GDPR, it does not apply to the processing of
personal data by a natural person in the course of a purely personal
or household activity.
7. The Explanatory Memorandum of the General Data Protection
Regulation Implementation Act contains an explanation stating that
the aim is a policy-neutral implementation of the EU Directive in
relation to standing legislation. In practice this means that both the
interpretations of the European Directive 1995/46/EG and the old
Law for the Protection of Personal Information continue to be of
importance.
8. The primary goal of the GDPR gap-analysis is to produce a list of
concrete measures and actions as per a ‘strategically targeted
ambition-driven step for privacy compliance (STAP)’, as discussed
above. The parameters of the GDPR gap-analysis are ideally directly
inferred from the ‘strategically targeted implementation (action) for
privacy compliance (STIP)’, or are sometimes even identical to them.

Figure 6.7 Management value

6.1.7 Differences: GDPR baseline and a GDPR gap-analysis


With regard to purpose, necessity and approach, differences can be
identified between a GDPR baseline and a GDPR gap-analysis. Characteristic
differences can be identified at least at the following levels:

1. The primary goal: the primary goal of a GDPR baseline is
measuring (assessing) the state of GDPR compliance of the
enterprise, institution or organisation at a certain moment in time
(t=0) as regards compliance with obligations pursuant to the GDPR,
to obtain a clear view of the present GDPR state ‘as is’. The primary
goal of the GDPR gap-analysis is to conclude, on the basis of the
compliance values of the GDPR baseline, with a list of concrete
measures and actions that have to be actually executed in the
implementation phase[179].
2. Growth path (maturity): in line with the primary goal of the GDPR
baseline, namely to record the factual situation at a certain
moment, composing a growth path is not a goal of the baseline as
such. This is in contrast to the GDPR gap-analysis, where the
composition of a growth path is regarded as an explicitly mentioned
intermediate step to arrive at the ultimate list of measures and
actions, keeping in mind the GDPR compliance ambition level to be
achieved.

6.1.8 Taxonomy of obligations pursuant to the GDPR

In designing, building and performing a GDPR baseline or GDPR
gap-analysis, the relevant ‘obligations pursuant to the GDPR’ for the
enterprise, institution or organisation are identified beforehand, or at least
mapped out, where for the sake of overview it is advisable to abide by the
taxonomy of the GDPR.
Among others under reference to Article 39(1)(a) of the GDPR, the
obligations of the controller (or the processor and the employees) derived
from the GDPR can generally be divided into the following main categories.

1. Obligations pursuant to the GDPR,
2. Obligations pursuant to other Union data protection provisions, and[180]
3. Member State data protection provisions.

Within the framework of ‘monitoring compliance’ by the DPO, the
following can be added based on Article 39(1)(b) of the GDPR:

4. Obligations pursuant to the policy of the controller or processor as
regards the protection of personal data.

Hereinafter, the obligations pursuant to the GDPR are the main focus of
attention. A certain categorisation (taxonomy) can be derived from the textual
layout of the GDPR as the basis for a layout of obligations pursuant to the
GDPR. More concretely, the following six relevant categories can be
distinguished.
Figure 6.8 Taxonomy GDPR obligation

6.1.8.1 Fundamental rights and freedoms


Within the framework of measuring and complying with the obligations
pursuant to the GDPR, it is advisable to give a moment’s thought
to the scope of Article 1(2) of the GDPR (subject-matter and objectives).
From the wording and scope of this article it follows that, next to the right to
protection of personal data, the protection of ‘fundamental rights and
freedoms of natural persons’ also falls within the ambit of GDPR obligations.
What does this mean for the daily practice of the enterprise, institution or
organisation? The scope of Article 1(2) of the GDPR does not
automatically mean that every enterprise, institution or organisation now has
to consider at any time whether all fundamental rights and freedoms of
natural persons are permanently protected. Nevertheless, Article 1(2) of the
GDPR is of actual importance to the extent that this paragraph provides for
the contextualisation of GDPR obligations and, by doing so, provides insight
into the ‘ratio and spirit’ of the GDPR, which is of significant importance for
interpreting, among others, open and vague norms (terms) and provisions of
the GDPR.
To which ‘fundamental rights and freedoms’ does Article 1(2) GDPR refer?
In general, one could think (among others) of the following categories of
fundamental rights and freedoms:

1. The right to protection of personal data (fundamental right to data
protection).[181]
2. Freedoms and principles recognised in the Charter of
Fundamental Rights of the European Union, as enshrined in the
European and international treaties, in particular respect for
private and family life, home and communications, protection of
personal data, freedom of thought, conscience and religion,
freedom of expression and information, freedom to conduct a
business, the right to an effective remedy and to a fair trial, and
cultural, religious and linguistic diversity.[182]

In general, at least the following five dimensions of privacy (also known as
the ‘privacy butterfly’) can be distinguished.
Figure 6.9 Five dimensions of privacy (privacy butterfly)

Centred on inventoried personal data (data/information), various GDPR
contextual layers (‘rings’ or ‘links’, if you wish) can be distinguished that
provide information to which concrete categorical GDPR obligations
(A to F) can be connected. More concretely, the following GDPR contextual
layers are mentioned.
Figure 6.10 GDPR-monitor
On the basis of GDPR parameters which are inferred from layers 2 to 6,
compliance with relevant obligations pursuant to the GDPR (on the basis of
SMART parameters yet to be defined) can be measured, and additionally a
GDPR gap-analysis can be performed.

6.1.8.2 Definition of personal data


Within the framework of measuring the extent to which GDPR obligations
are complied with, it is of fundamental importance to pay close attention to
a sound understanding of personal data.
The definition of personal data within the ambit of Article 4(1) GDPR
centres on the term ‘information’, as was already the case in Article 2 of the
preceding European Privacy Directive[183] for that matter.

According to Article 4(1) of the GDPR, personal data means ‘any
information relating to an identified or identifiable natural person (‘data
subject’); an identifiable natural person is one who can be identified, directly
or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person’.

The difference between ‘data’ and ‘information’ is part of a larger debate.
It is generally agreed, however, that both terms describe similar objects, the
big difference between them being the factor ‘context’. Here, data (or
personal data elements: words, symbols, signs, numbers, etc.) are often
considered as isolated data (concerning a natural person), whereas information
is considered as entailing the personal data elements together with all
‘intelligence’ derived from them, which (sometimes objectively, sometimes
subjectively) is placed in a certain contextual meaning (considering the
specific circumstances of a specific case).
While the practical implications of the above for daily company
practice seem difficult to define, the following general points of concern are
raised when measuring compliance with ‘obligations pursuant to the
GDPR’.

1. If and provided that enterprises, institutions and organisations so far
applied in their policy a strict ‘personal data’ approach, it is advisable to
rethink this policy from the GDPR perspective of ‘information’. More
concretely, this means that solely inventorying personal data within a
limited scope, without taking the context into account, is insufficient for
complying with the obligations pursuant to the GDPR. The context in
which this data should be placed is just as relevant. It is, after all, the
combination of data and context that provides information as meant by
the definition of personal data within the meaning of Article 4(1) of the
GDPR (see also the diagram hereinafter).
2. If and provided that enterprises and organisations have taken technical
(IT) and organisational (professional) measures concerning ‘inventoried
data elements’ without including the relevant context (see diagram
hereinafter), it is recommended to review all this from the
GDPR perspective of ‘information’.
3. If and provided that a GDPR perspective of ‘information’ for
enterprises and organisations leads to an expansion of ‘obligations
pursuant to the GDPR’, these have to be taken into account within the
scope of the GDPR baseline and gap-analysis.
4. In light of Article 5(2) GDPR, special attention is to be paid to the
processing of ‘personal information’ (the context of personal data), for
example within the framework of applications for Business Intelligence,
predictive analytics and profiling within the meaning of Article 4(4)
GDPR.

6.1.8.3 GDPR compliance pyramid


To a certain extent, from the design, structure, ratio and spirit of the GDPR,
seen from the perspective of practically measuring compliance with GDPR
obligations, a pyramid of three levels can be inferred that can be graphically
portrayed as follows.

1. Generic foundation of personal data (information derived from data
elements) present in the enterprise, institution or organisation.
2. Middle layer of factual processing of personal data.
3. Top layer of corresponding (generic and specific) obligations
pursuant to the GDPR, whose parameters are discussed in more
detail below.

Figure 6.11 GDPR-compliance pyramid

6.1.9 The interest of the DPO in a GDPR baseline and GDPR gap-analysis

According to Article 39(1) GDPR in conjunction with Article 24 GDPR, the
DPO shall monitor that the controller, taking into account the nature,
scope, context and purposes of processing as well as the risks of varying
likelihood and severity for the rights and freedoms of natural persons,
implements appropriate technical and organisational measures to ensure and to
be able to demonstrate that processing is performed in accordance with this
Regulation. Those measures shall be reviewed and updated where necessary.
Article 39(1)(b) GDPR bestows DPOs with the duty to monitor compliance
with the GDPR (compliance and accountability duties) of:

1. The GDPR in general.
2. Other Union data protection provisions.
3. Member State data protection provisions.
4. The policies of the controller in relation to the protection of
personal data, including the following elements:
a. Assignment of responsibilities.
b. Raising awareness amongst the staff involved in
processing.
c. Training of staff involved in processing operations.
d. Carrying out related audits concerning data protection.
Within the framework of monitoring compliance with the GDPR by the
controller or processor, it seems obvious that the results of a GDPR baseline
are not merely interesting but also relevant in the following two respects:

1. Monitoring obligations pursuant to the GDPR that are not complied
with could (largely) be based on the results of a competently
performed GDPR baseline. This could indeed give important
signals to the DPO concerning GDPR areas of attention and points
of interest.
2. Monitoring compliance with obligations pursuant to the GDPR could
also be based on the results of a professionally performed GDPR
baseline and gap-analysis. Efficiency can be attained when the final
conclusion(s) can be subjected to a GDPR quality verification
(among which correct interpretation) by the DPO. The central
question would then be: is the conclusion that the particular
obligation pursuant to the GDPR is complied with correct?

In general, the question to what degree the ‘independent monitoring of
compliance’ by the DPO can be based on conclusions (of the GDPR baseline
and gap-analysis) that were not reached by the independent professional
himself, on the basis of his own carefully performed research, deserves close
attention.
Ideally, the DPO should already be involved in a timely manner in the design,
layout and performance of the GDPR baseline and gap-analysis, because of
the performance of his legal DPO tasks (that is, his/her tasks within the context of
monitoring, informing, advising, cooperating with the supervisory authority
and

6.1.10 Action scheme

Whereas paragraph 6.1 has given attention to a number of basic questions,
basic assumptions and points of concern (including a definition, scope and
approach of a GDPR baseline and gap-analysis), paragraph 6.2 will discuss
which successive steps have to be taken to carry out a good baseline that is
orderly and structurally sound. In paragraph 6.3, the same question is the
focus of attention concerning the gap-analysis. In paragraph 6.4, a helicopter
view (roadmap) will be discussed that can be seen as a general ‘action plan’
(suitable for internal communication). After the role of the DPO within the
framework of a GDPR baseline and gap-analysis is discussed in more detail
in paragraph 6.5, the substantive part of this chapter will be finished off with the
template of a Table of reference GDPR baseline and gap-analysis that can be
used (developed in more detail) by the DPO – tailored to the enterprise,
institution or organisation – within the framework of his DPO work plan.

Figure 6.12 Action scheme

6.2 GDPR baseline: process steps


Figure 6.13 GDPR baseline process steps
6.2.1 Step 1: determine the goals of a GDPR baseline

Before the GDPR baseline can be initiated, there needs to be clarity as to what
the intention of this baseline is. In other words, what is the goal (or what are
the goals) of this GDPR baseline? Under reference to Article 39(1)(b),
hereinafter for the sake of convenience it will be assumed that the goal of the
baseline discussed in this paragraph is to gain insight into the degree to
which the enterprise, institution or organisation does or does not comply with
the obligations pursuant to the GDPR.
In general, the following categories of goals of a GDPR baseline can be
distinguished[184]:

1. Goals related to policies.
2. Operational goals.
3. GDPR compliance goals.
4. Demonstration of appropriate measures.
5. Relating to ‘guarantees’ on behalf of the controller.
6. DPIA related goals.
7. Goals related to monitoring.
8. Securing the rights of data subjects.
9. Goals related to the limitation of responsibility.
10. Defending the enterprise, institution or organisation in court.

Ad 1
Goals related to policies
From Article 24(2) it can be derived that the enterprise, institution or
organisation has to possess an appropriate data protection policy (referring to
appropriate technical and organisational measures). In conformity with Article
24(1), the controller shall implement, taking into account the nature, scope,
context and purposes of processing as well as the risks of varying likelihood
and severity for the rights and freedoms of natural persons, appropriate
technical and organisational measures to ensure and to be able to demonstrate
that processing is performed in accordance with this Regulation. Those
measures shall be reviewed and updated where necessary (GDPR review and
update). In conformity with Article 24(2), the measures referred to in paragraph 1 of
the same article shall include – where proportionate in relation to processing
activities – the implementation of appropriate data protection policies by the
controller.

Ad 2
Operational goals
From Article 24(2) it can be derived that having appropriate data protection
policies at one’s disposal is not enough; they also need to be factually
(operationally) carried out. For defining operational actions and goals, a
GDPR baseline can form a good basis, because more concrete information
can be obtained for discussing the different processing operations and
composing a (draft) action plan, including the estimated time required,
distribution of tasks and costs.
Ad 3
GDPR compliance goals
A GDPR baseline and gap-analysis can easily be sharpened towards results
intended for accomplishing more specific compliance (GDPR
compliance) goals. An appealing example is the compliance goal to maintain
a record in accordance with Article 30 of the GDPR.

Ad 4
Demonstrate appropriate measures
A GDPR baseline can provide important information for answering the
question whether the controller has de facto taken sufficiently appropriate
measures within the meaning of the GDPR and the (self-regulating)
mechanisms mentioned in the GDPR. For instance, it can be derived from recital
77 that guidance on the implementation of appropriate measures could be
provided in particular by means of approved codes of conduct, approved
certifications, guidelines provided by the Board or indications provided by a
data protection officer.[185] It should also be noted that the Board may also
issue guidelines on processing operations that are considered to be unlikely to
result in a high risk to the rights and freedoms of natural persons and indicate
what measures may be sufficient in such cases to address such risks.

Ad 5
Relating to ‘guarantees’ on behalf of the controller
To ensure compliance with the requirements of the GDPR in respect of the
processing to be carried out by the processor on behalf of the controller,
when entrusting a processor with processing activities, the controller should
use only processors providing sufficient guarantees, in particular in terms of
expert knowledge, reliability and resources, to implement technical and
organisational measures which will meet the requirements of the GDPR,
including for the security of processing. The adherence of the processor to an
approved code of conduct or an approved certification mechanism[186] may be
used as an element to demonstrate compliance with the obligations of the
controller. This can be derived among others from recital 81.

Ad 6
DPIA related goals
On 4 April 2017, the Article 29 Working Party (WP29, the predecessor of the
European Data Protection Board) adopted the ‘Guidelines on Data Protection
Impact Assessment (DPIA) and determining whether processing is ‘likely to
result in a high risk’ for the purposes of Regulation 2016/679’ – Guidelines
WP248 rev.01[187], where (insofar as relevant) the following is noted: ‘A DPIA is
a process designed to describe the processing, assess the necessity and
proportionality of a processing and to help manage the risks to the rights and
freedoms of natural persons resulting from the processing of personal data (by
assessing them and determining the measures to address them). DPIAs are
important tools for accountability, as they help controllers not only to comply
with requirements of the GDPR, but also to demonstrate that appropriate
measures have been taken to ensure compliance with the Regulation.’ A GDPR
baseline can significantly contribute to describing processing within the
framework of a DPIA.

Ad 7
Goals related to monitoring
Within the framework of monitoring or monitoring-related goals, the result of
a GDPR baseline can also be employed purposefully, for example in the
following situations.

1. At the explicit request of the DPA.
2. Relating to demonstrating compliance (to the supervisory authority)
as per Article 5(2) of the GDPR.
3. At the request of the DPO.
4. Relating to the prior consultation as per Article 36.
5. Relating to the notification of a personal data breach to the
supervisory authority ex Article 33.

Ad 8
Securing the rights of data subjects
If the controller does not take action on the request of the data subject under
Articles 15 – 22,[188] the controller shall inform the data subject without delay
and at the latest within one month of receipt of the request of the reasons for
not taking action and on the possibility of lodging a complaint with a
supervisory authority and seeking a judicial remedy, according to Article 12(4)
of the GDPR. In answering the question to what degree the enterprise,
institution or organisation sufficiently guarantees the rights of the data
subjects, a good and competently performed GDPR baseline can be worthwhile.

Ad 9
Goals related to the limitation of responsibility
Any person who has suffered material or non-material damage as a result of
an infringement of the GDPR shall have the right to receive compensation
from the controller or processor for the damage suffered, according to Article
82(1) of the GDPR. Naturally, the proverb ‘prevention is better than cure’
applies here as well. It goes without saying that taking timely measures in
response to the results of a GDPR baseline can reduce the risk of the
enterprise, institution or organisation being held liable for damage.

Ad 10
Defending the enterprise, institution or organisation in court
When the enterprise, institution or organisation in the capacity of controller
gets involved in legal proceedings, the results of a good and competently
performed GDPR baseline can provide important indications for the GDPR
compliance status of (certain) obligations pursuant to the GDPR (for instance
in case of the above-mentioned situation under Article 12(4) of the GDPR).

6.2.2 Step 2: Determine the scope of the GDPR baseline

What is the scope of the current GDPR baseline of personal data? In other
words, how far does the scope (field of view) of this baseline of obligations
pursuant to the GDPR reach? Roughly the following scopes can be distinguished
in practice within the framework of the GDPR:

1. The GDPR and other Union provisions.
2. GDPR and national data protection laws and regulations.
3. GDPR industry codes of conduct.
4. Industry security codes.
5. General (security) norms: ISO/IEC/CEN/CENELEC and
6. Organisation specific (internal) regulations.

Ad 1
The GDPR and other Union provisions
The centre of attention here is the GDPR baseline relating to compliance
with obligations pursuant to:

1. The GDPR in general and/or
2. Other Union or Member State data protection provisions as
mentioned, among others, in Article 22 of the GDPR.

Ad 2
GDPR and national data protection laws and regulations
Determine whether, besides the GDPR, additional national data protection
laws and regulations relevant to the personal data concerned have to be
implemented. If this is the case, these should of course be part (in scope) of
the aspired GDPR baseline.

Ad 3
Industry codes of conduct
For organisations that are operating in certain sectors, industry codes of
conduct within the meaning of Article 40 GDPR can be applicable. The
relevant norms, rights and obligations incorporated in such industry codes of
conduct can entail the processing of personal data which could be part of the
intended GDPR baselines. An overview of valid industry codes of conduct
can usually be found on the website of the national DPA.[189]

Ad 4
Industry security codes
Pursuant to Article 32(1) GDPR, taking into account the state of the art, the
costs of implementation and the nature, scope, context and purposes of
processing as well as the risk of varying likelihood and severity for the rights
and freedoms of natural persons, the controller and the processor shall
implement appropriate technical and organisational measures to ensure a
level of security appropriate to the risk.
As stated in Article 32(3) GDPR, adherence to an approved code of conduct
as referred to in Article 40 or an approved certification mechanism as referred
to in Article 42 may be used as an element by which to demonstrate
compliance with the requirements set out in paragraph 1 of this Article.
On a regular basis, new security standards and new versions of existing
security standards are published, which reflect the newest
developments within the field. Correct use of updated security standards
allows the controller to take appropriate measures and to arrive at a balanced
and effective set of technical and organisational measures.
If and provided that specific personal data are being processed within the
framework of relevant security measures, it is recommended to
consider these integrally within the scope of the GDPR baseline, all the more
in light of the (general) security duty under Article 32 of the GDPR.

Ad 5
General (security) norms
From the point of view of efficiency and effectiveness, it is recommended,
if and provided that it is relevant for the enterprise, institution or
organisation, to include the relevant general (security) norms (for instance
ISO, CEN/CENELEC and ENISA) within the scope of the GDPR baseline. Within
this framework, ISO/IEC 29100:2011 provides an interesting framework,
because of:

1. A common privacy terminology.
2. Definitions of actors and their role in processing personally
identifiable information (PII).
3. Descriptions of privacy safeguarding considerations, and
4. References to known privacy principles for information
technology.

ISO/IEC 29100:2011 is applicable to natural persons and organisations
involved in specifying, procuring, architecting, designing, developing,
testing, maintaining, administering and operating information and
communication technology systems or services where privacy (GDPR)
controls are required for the processing of PII (personal data).

Ad 6
Organisation specific (internal) regulations
For particular (more specific, detailed) GDPR baselines, it is of utmost
importance to have a full overview of applicable and relevant (internal)
policies, regulations, codes and norms.
If, for example, a GDPR baseline is executed relating to the settlement of
certain complaints of co-workers, it is recommended to include within
the scope the processing of (required) personal data within the framework of
the internal ‘complaints regulation for co-workers’.

6.2.3 Step 3: Identify the components of the particular GDPR obligation(s)

Relating to a practically executable GDPR baseline, generally the following
components of a GDPR obligation can be distinguished:[190]

1. Instruction.
2. Conditions.
3. Recitals.
4. Accountability.

Ad 1
Instruction
From this part of the particular ‘obligation pursuant to the GDPR’, one can
infer which action should be executed, if at all. The instruction must be clear.
The GBC-model (GDPR obligation Board of Compliance), described below,
could for example be used for this.

Figure 6.14 Components of a GDPR obligation


In this diagram, the instruction to the controller in Article 24(1) of the GDPR
reads as follows, ‘implement appropriate technical and organisational
measures’.

Ad 2
Conditions
From this part of the particular GDPR obligation, (instruction) conditions for
acting and refraining from acting can be derived.
A clear example of a condition can be found within the framework of
carrying out a DPIA. Ex Article 35(1) of the GDPR, carrying out a DPIA is
required if the condition is fulfilled that there is a ‘likely high risk to the
rights and freedoms of natural persons’.

Ad 3
Recitals
In this part of the particular GDPR obligation, (specific) circumstances are
mentioned/described that have to be taken into account (considered) in
carrying out the instruction as meant before.
In this regard, Article 24(1) mentions that in implementing appropriate
technical and organisational measures, the nature, scope, context and
purposes of processing as well as the risks of varying likelihood and severity
for the rights and freedoms of natural persons have to be taken into account.

Ad 4
Accountability
This part of the GDPR obligation is related to the parameters that can
contribute to ‘demonstrating’ compliance with the ‘principles relating to
processing of personal data’ within the meaning of Article 5(1) of the GDPR,
to which Article 5(2) of the GDPR (accountability) refers.

Some articles in the GDPR explicitly mention the importance of
demonstrating. In this regard, Article 24(1) can be read as implementing
appropriate technical and organisational measures to ensure and demonstrate
that the processing is in compliance with this Regulation. All this can be
graphically visualised as follows.

6.2.4 Step 4: determine the relevant parameters per component

In the fourth step of the GDPR baseline, it is important to define and
determine the relevant (measurable) parameters per component of the
particular GDPR obligation (as identified in step 3).

A GDPR parameter could best be described as a concrete activity/action that
corresponds with or is derived from the component of the particular GDPR
obligation. The connection between the parameter and the component is such
that the component is defined in concrete activities/actions. Consequently, a
parameter is formulated that determines (dichotomously) whether this
concrete activity/action is or is not carried out. The method that could be used
for this is making a so-called Matrix of GDPR obligation Parameters (MGP)
per relevant GDPR obligation. An example of a general MGP could look
like the following (see hereinafter also the GBC-model). Per component of
the particular GDPR obligation a number of identifiable parameters follows,
also called a ‘parameter series’.

Figure 6.15 Matrix of GDPR obligations

6.2.5 Step 5: determine whether the action is or is not carried out per parameter

In the fifth step, it is established per (identified and dichotomously
formulated) parameter, or action (component), whether it is carried out or
not.

The main advantage of a good parameter lies in the relative ease (and
demonstrability) of determining whether the particular activity/action has
actually been completed. The norm of a parameter series (associated with one of
the four mentioned components of the GDPR obligation) is a total value of
100% (the totals of ‘yes’ and ‘no’ in the example of step 4), regardless of the
number of parameters in the parameter series. Naturally, the percentage of
‘yes’ and ‘no’ (in other words, the compliance value) can vary per
parameter series.

6.2.6 Step 6: total compliance values and compliance status

In the sixth step, it is determined whether and, if so, to what extent the
particular GDPR obligation is complied with. This conclusion can be drawn
by calculating the total compliance value of this ‘obligation pursuant to the
GDPR’.

The compliance value of the measured GDPR obligation is calculated by
adding the relative aggregated values of ‘yes’ and ‘no’ found in the
parameter series. With reference to the example, this can be
illustrated as follows.

Figure 6.16 Compliance value GDPR obligations
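The calculation of steps 4 to 6 (a parameter series per component, each series normalised to 100%, and the aggregated compliance value of the obligation), worked out in Python as an added example that is not part of the handbook. The four components, their parameters and the three status labels are constructed for illustration, and the equal weighting of the series is an assumed reading of ‘adding the relative aggregated values’:

```python
# Matrix of GDPR obligation Parameters (MGP): steps 4 to 6 of the GDPR baseline.
# Added example; component names, parameters and status labels are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Parameter:
    """One row of the MGP: a concrete action, answered dichotomously (yes/no)."""
    description: str
    carried_out: bool


@dataclass(frozen=True)
class ParameterSeries:
    """All parameters derived from one component of the GDPR obligation."""
    component: str
    parameters: tuple

    def compliance_value(self) -> float:
        """Share of 'yes' answers in percent; the norm of every series is 100%
        regardless of its number of parameters, so series stay comparable."""
        if not self.parameters:
            raise ValueError(f"component {self.component!r} has no parameters")
        yes = sum(1 for p in self.parameters if p.carried_out)
        return 100.0 * yes / len(self.parameters)

    def gaps(self) -> list:
        """Parameters answered 'no': the starting point of the gap-analysis."""
        return [p.description for p in self.parameters if not p.carried_out]


def total_compliance_value(series) -> float:
    """Step 6: aggregate the series values into one value for the obligation.
    Each series is already normalised to 100%, so every component carries the
    same weight; equal weighting is the reading of 'adding the relative
    aggregated values' adopted here (an assumption, not the handbook's text)."""
    if not series:
        raise ValueError("an obligation needs at least one parameter series")
    return sum(s.compliance_value() for s in series) / len(series)


def compliance_status(value: float) -> str:
    """Map the total value to a status (the three labels are constructed)."""
    if value >= 100.0:
        return "compliant"
    if value > 0.0:
        return "partially compliant"
    return "non-compliant"


def build_report(series) -> dict:
    """Per-series values, total value, status and the list of gaps in one place."""
    total = total_compliance_value(series)
    return {
        "series": {s.component: s.compliance_value() for s in series},
        "total": total,
        "status": compliance_status(total),
        "gaps": [(s.component, gap) for s in series for gap in s.gaps()],
    }


# Constructed sample MGP for the obligation of Article 24(1) GDPR: four
# components, each with its own parameter series of yes/no answers.
ARTICLE_24_MGP = [
    ParameterSeries("Technical measures", (
        Parameter("Personal data at rest are encrypted", True),
        Parameter("Access to personal data is logged", True),
        Parameter("Backups are tested for restorability", True),
        Parameter("Retention periods are enforced automatically", False),
    )),
    ParameterSeries("Organisational measures", (
        Parameter("Data protection policy approved by the board", True),
        Parameter("Staff have completed GDPR awareness training", True),
        Parameter("Register of processing activities is kept up to date", True),
        Parameter("Processor agreements are in place", True),
    )),
    ParameterSeries("Risk-based approach", (
        Parameter("Nature, scope, context and purposes of processing documented", True),
        Parameter("Risks to rights and freedoms assessed per processing", False),
    )),
    ParameterSeries("Accountability (Article 5(2))", (
        Parameter("Compliance with the Article 5(1) principles is documented", True),
        Parameter("Measures are reviewed in a PDCA cycle", False),
        Parameter("Evidence of implemented measures is retained", False),
        Parameter("DPO reports on compliance to management", False),
        Parameter("Decisions on measures are recorded with their rationale", False),
    )),
]

if __name__ == "__main__":
    report = build_report(ARTICLE_24_MGP)
    for component, value in report["series"].items():
        print(f"{component:30s} {value:6.2f}%")
    print(f"{'Total':30s} {report['total']:6.2f}%  ({report['status']})")
    for component, gap in report["gaps"]:
        print(f"gap [{component}] {gap}")
```

The list of gaps returned by `build_report` is exactly the set of non-compliant parameters that the GDPR gap-analysis in § 6.3 takes as its starting point.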


6.2.7 Record all steps in a well-structured accountability model

In the interest of traceability and reproducibility of the followed design,
structure, method and logic, it is recommended to record the analysis and
findings regarding the measured compliance with the particular GDPR
obligation in a well-structured model that works for the enterprise, institution or
organisation.

An example of such a model is the ‘GDPR Board of Compliance’, in other
words the GBC model, which could look like the following.

6.2.8 Use the knowledge and (IT) expertise present at the organisation

Supervisors (project managers, team managers and subject matter
experts alike) could gain efficiency and effectiveness by ‘organising the
necessary knowledge’. Concretely, one could think of involving (among
others) the following disciplines, which could for example be of added value for
designing a GBC model of a particular GDPR obligation with the goal of
calculating the compliance value and determining the compliance status of
that GDPR obligation.

Within the framework of (at times complex) technical and organisational
measures, the IT department in particular could be an interesting sparring
partner. An exercise like the GDPR baseline (at the level of personal data
elements) lends itself well to software support. Generally, it is
recommended to consult IT specialists (internal or external) on the
question to what degree IT could support reaching the previously defined
and desired goals of the GDPR baseline (also discussed beforehand in terms of
data quality). Support could come up for discussion, for example, in the
following situations:

1. To strengthen the right to be forgotten in the online environment,
the right to erasure should also be extended in such a way that a
controller who has made the personal data public should be obliged
to inform the controllers which are processing such personal data to
erase any links to, or copies or replications of those personal data.
In doing so, that controller should take reasonable steps, taking into
account available technology and the means available to the
controller, including technical measures, to inform the controllers
which are processing the personal data of the data subject's request
(recital 66 of the GDPR).
2. Methods by which to restrict the processing of personal data could
include, inter alia, temporarily moving the selected data to another
processing system, making the selected personal data unavailable to
users, or temporarily removing published data from a website. In
automated filing systems, the restriction of processing should in
principle be ensured by technical means in such a manner that the
personal data are not subject to further processing operations and
cannot be changed. The fact that the processing of personal data is
restricted should be clearly indicated in the system (recital 67 of the
GDPR).
3. To further strengthen the control over his or her own data, where
the processing of personal data is carried out by automated means,
the data subject should also be allowed to receive personal data
concerning him or her which he or she has provided to a controller
in a structured, commonly used, machine-readable and
interoperable format, and to transmit it to another controller. Data
controllers should be encouraged to develop interoperable formats
that enable data portability (recital 68 of the GDPR).
4. In the consultation with IT, it could be discussed in further detail
how the datasets found during the inventory (see chapter 5), including
the discussed lists of data elements and metadata, could be
organised (placed) in an efficient and effective way within the
framework of the GDPR baseline.

Figure 6.17 ABC-scheme of a GDPR obligation

6.2.9 Issues of quality

The GDPR emphasises in various ways the importance of data quality (with
good reason).[191] Generally, one could define data quality as the degree to
which elementary personal data (personal data elements) are fit for
the purpose for which they are processed.

With regard to the GDPR baseline, it could be argued that the quality of the
GDPR baseline is the degree to which the chosen measuring method is fit
for the goal of the GDPR baseline, in other words, for establishing whether
and, if so, to what extent the particular obligation pursuant to the GDPR is or
is not complied with. While carrying out the GDPR baseline, it is paramount
to organise quality control permanently. In other words, in carrying out every
step of the action plan, the quality of the GDPR activity in question has to be
examined constantly. This is to prevent that, in the end, no, insufficient or
unwarranted conclusion(s) about the compliance value(s) of parameters are
drawn.

6.2.10 GDPR baseline in perspective

While designing, setting up and structuring the GDPR baseline models and
calculating the respective compliance outcomes, some things should be put into
perspective. Although results displayed as numbers could give the
impression of ‘hard values’, the following perspectives deserve further
consideration within the framework of every GDPR baseline.

1. In essence, every model contains a simplification of reality.
2. Does measuring always lead to knowing the results?
3. Do we always know for sure that we are measuring the right thing?
4. Analysis paralysis could perhaps be prevented by thinking in terms
of maturity planning (a multi-year perspective on reaching the
desired compliance values).
5. All knowledge is relative; hence the great necessity to organise knowledge
and expertise in an intelligent and prudent way.
6. The interests of the one(s) involved should be central, not the
‘colour or the premise of the method’.

6.3 GDPR gap-analysis: process steps

6.3.1 Logical process steps of a GDPR gap-analysis

To maximise the added value of a GDPR gap-analysis and realise the
defined goals, it is important to interpret (or, if you wish, delineate) the scope of
the GDPR gap-analysis as clearly as possible. In other words, how far
does the scope of ‘obligations pursuant to the GDPR’ reach? In
practice (with reference to Article 39 of the GDPR), roughly the
following scopes of the GDPR gap-analysis can be distinguished:

1. Data protection provisions of the GDPR (Article 39(1) GDPR).
2. Other Union data protection provisions (Article 39(2) GDPR).
3. Member State data protection provisions (Article 39(1) GDPR).
4. The policies of the controller (Article 39(2) GDPR).
5. Codes of conduct (Article 40 GDPR).
6. Requirements relating to GDPR certifications (Article 42 GDPR).[192]

Of course, the scope of the GDPR gap-analysis as discussed here can be
broadened at the discretion of management or the GDPR auditor.[193] A
concrete example of this are the following dimensions[194] within the context
of data management:[195]

1. Data governance.
2. Data architecture management (data protection by design).
3. Data development.
4. Database operations management.
5. Data security management.
6. Reference and master data management.
7. Data warehousing and business intelligence management.
8. Document and content management.
9. Meta data management.
10. Data quality management.

Taking the non-compliant parameters of the specific GDPR obligations, as
recorded in the GBC model, as a starting point, the next steps have to lead to
answering the question which measures have to be implemented and which
concrete actions have to be carried out in order to comply with the component
of the analysed GDPR obligation in question. The answer to this question
could be shaped by following these three logical steps of the GDPR
gap-analysis:

1. Determine the scope of the GDPR gap-analysis. Logically, the
scope is parallel to the scope of the preceding GDPR baseline.
However, this could be extended, depending on the goal of the
GDPR gap-analysis (see the previous paragraph). Hereinafter, for the sake
of convenience, we assume that the scope of the GDPR gap-analysis
is the same as that of the GDPR baseline.
2. Determine the strategic compliance ambition level of the
particular GDPR obligation (scope related). The strategic
GDPR compliance ambition level is usually derived from a well-formulated
GDPR vision, GDPR mission, GDPR policy and GDPR
compliance strategies of the enterprise, institution or organisation.
The GDPR ambition level as mentioned here is referred to as
STAP, an acronym for ‘Strategically targeted ambition-driven step
for privacy compliance’.
3. Formulate – in light of the strategic compliance ambition level –
implementation measures and associated actions that are so concrete
that they can be implemented relatively easily, in other words,
carried out by internal and/or external experts. A concrete GDPR
implementation measure (ideally defined at action level) is defined
as STIP, an acronym for ‘Strategically targeted implementation
measure (action) for privacy compliance’.

6.3.1.1 Determine the GDPR compliance ambition level (STAP)

For identifying concrete actions in light of the ‘Strategically targeted
ambition-based step for privacy compliance’ (shortened as ‘STAP’) –
basically setting the ambition for compliance maturity with regard to a
particular GDPR obligation – it is necessary to determine a clear growth path
(maturity), given the present state of compliance as became apparent from the
preceding GDPR compliance baseline.

Setting a clear and robust GDPR ambition level for the organisation that
explicitly considers privacy protection is of significance. However, it should
be noted that determining a ‘compliance ambition level’ should take into
account the findings of a preceding thorough data protection risk analysis.

It is also to be noted that scaling privacy compliance ambitions for compliance
with obligations pursuant to the GDPR is not, per se, prescribed by the GDPR
itself. However, setting scaled ambitions seems to be implicit in the
following sense.

1. Pursuant to Article 24(1) GDPR, technical and organisational
measures should be ‘appropriate’, which provides leeway to consider
specific circumstances.
2. All appropriate technical and organisational measures should be
evaluated and updated as per the PDCA (plan-do-check-act)
cycle (of maturity growth).

The scale of ambition (growth steps on the growth path) for complying with
the GDPR obligations is an internal affair of the particular enterprise,
institution or organisation itself. There are (for the time being) no obligatory
prescribed standards or models for this. However, from a number of leading
publications[196] some inspiration can be derived for the growth path (maturity
model) of the enterprise, institution or organisation. Applied to the GDPR
gap-analysis of complying with obligations pursuant to the GDPR, a growth
path (maturity model) could for example look like the following.[197]

Figure 6.18 Maturity steps of a GDPR obligation

6.3.1.2 Concrete actions identified per step (STIP)

Considering that the practical final objective of a GDPR gap-analysis
is to put together (assemble) a specific list of measures and related, more
specific actions in order to comply with an ambition (maturity level of the
particular GDPR obligation) defined beforehand by the enterprise, institution
or organisation, implementing these measures (and the associated actions) seems
to be the next step once the ambition (maturity) level is set. These actions are
usually executed as part of a more overarching GDPR (generic) privacy
compliance (policy) plan.[198]

6.3.1.3 STIP GDPR compliance monitor

Once the strategic implementation measures and more specific actions have been
determined (and approved by the board/management), it is in line with the
tasks of the DPO to independently monitor compliance with specific
obligations pursuant to the GDPR in accordance with Article 39 of the
GDPR. For performing independent GDPR monitoring activities, GDPR
compliance dashboards as well as other (IT-facilitated) tools could
be used, such as a GDPR compliance monitor as per the following diagram.

Figure 6.19 GDPR-monitor STIP

Figure 6.20 Process steps GAP-analysis

6.3.3 Step 1: determine the goal(s) of the gap-analysis

Before any GDPR gap-analysis can be performed, the goals of the gap-
analysis need to be clearly defined and approved by the competent party. In
other words, what is the goal (or what are the goals) of this specific GDPR
gap-analysis? Referring to Article 39(1)(b) GDPR, for the sake of
convenience, it is assumed that the primary goal of the discussed GDPR gap-
analysis is to implement appropriate technical and organisational measures
within the meaning of Article 24(1) of the GDPR. For a discussion of the
general goals (and side effects) of a GDPR gap-analysis, see inter alia § 6.1.3.

6.3.4 Step 2: determine the scope of the GDPR gap-analysis

What is the scope of a specific GDPR gap-analysis? In other words, what is
the extent of the GDPR obligations on which a gap-analysis is performed? As
was the case with the GDPR baseline, in practice roughly the following
scopes could be distinguished within the context of GDPR obligations:

1. The GDPR and other EU provisions.
2. National laws and regulations to enforce and maintain GDPR and
related obligations.
3. GDPR industry codes of conduct.
4. Industry security codes.
5. General (security) norms such as ISO 27001 and ISO 27701, and
6. Organisation-specific (internal) regulations.

Ad 1
The GDPR and other EU provisions
It is advisable to decide as specifically as possible to what extent
specific obligations mentioned in the GDPR and other GDPR-related
EU laws and regulations are to be part of the GDPR gap-analysis. For this,
relevant obligations should be pre-defined at least at the following two levels.

1. Data protection provisions as mentioned in the official texts of the
GDPR.
2. Union or Member State data protection provisions as mentioned,
among others, in Article 22 of the GDPR.

Ad 2
National laws and regulations to enforce and maintain GDPR and GDPR-related
obligations
Determine whether, next to the processing of personal data governed by the GDPR,
relevant personal data are also processed in the sense of additional national
laws and regulations which are put in place in order to enforce and maintain
relevant processing obligations. It should be clear from the outset whether or
not these additional obligations are part of the GDPR gap-analysis.

Ad 3
Industry codes of conduct
For organisations that are operating in specific sectors, national or
international industry codes of conduct within the meaning of Article 40
GDPR could be applicable. The relevant norms, rights and obligations
incorporated in such industry codes of conduct could entail relevant
obligations for processing personal data which could be part of the envisaged
GDPR gap-analysis. In general, an overview of valid industry codes of
conduct can be found on the websites of data protection authorities.

Ad 4
Industry security codes
Organisations are expected to comply with the relevant
industry security standards while processing personal data.[199]
In general, security standards also incorporate lessons learned from the security
systems of a specific industry or technological environment. They represent
which measures are generally seen as ‘appropriate’ by security experts within
a particular context and, in the case of more technically focused standards,
which technological resources are applied in a specific security system.

Ad 5
General (security) norms
From an ‘efficiency and effectiveness’ point of view, it is recommended to
include the relevant general (security) norms (for instance ISO 27701),[200]
which were part of the scope of the GDPR baseline, if and insofar as they are
relevant for the enterprise, institution or organisation.

Ad 6
Organisation-specific (internal) regulations
For particular (more scope-specific) GDPR gap-analyses, it is of the utmost
importance to create an overview mapping out whether or not certain acts of
processing of personal data are relevant within the framework of the applicable
(internal) regulations.
If, for example, a GDPR gap-analysis is performed concerning the processing
of personal data within the context of ‘sign-off procedures for employees’, it
is recommended to also analyse all relevant internal rules of
procedure next to the GDPR-specific obligations. Of course, this
recommendation is based on the assumption that this fits the (primary)
goal(s) of the intended GDPR gap-analysis.

6.3.5 Step 3: compose the Gap Analysis Template (GAT)

Once the goal of the GDPR gap-analysis (for example implementation of
appropriate organisational measures) and the scope of the GDPR gap-analysis
(for example the GDPR obligations in the context of internal policies only)
are determined, the following aspects have to be determined and mapped.

1. The ambition level of the particular GDPR obligation.
2. The measures to be implemented to achieve the GDPR ambition level.
3. Concrete actions for operationalising the foreseeable, yet to be
implemented measures.

In the third step, a so-called Gap Analysis Template (GAT) is composed for
the purposes of traceability, reproducibility, clarity, manageability and
verifiability of the above-mentioned mapping. Essentially, this results in a step-
by-step overview of the GDPR gap-analysis at hand. By way of example,
such a template could look like the following.

6.3.6 Step 4: fill out the GDPR ambition level in the GAT

During the fourth step, the ambition level of a particular GDPR obligation
parameter (which is or is not (yet completely) complied with) is defined in the
GAT. While doing so, it is recommended to pay close attention to
the Risk Management Framework (RMF) or (if available) Information
Security Management System (ISMS) of the enterprise, institution or
organisation, or (upon availability) other supporting documentation/decision-
making concerning the risk appetite of the enterprise, institution or
organisation.

6.3.7 Step 5: specify the measures in the GAT

During the fifth step, the measures yet to be implemented in order to realise the
intended GDPR ambition level of compliance are specified in the GAT for the
specific parameter (which is not complied with yet).

As was the case with step 4, in step 5 it is recommended, while specifying
these measures, to align with the Risk Management Framework (RMF) or
Information Security Management System (ISMS) of the enterprise, institution
or organisation (if present), as well as (upon availability) other
documentation/decision-making concerning the internal AO/IC
(Administrative Organisation/Internal Control) status of the enterprise,
institution or organisation.

6.3.8 Step 6: fill out the actions (to be carried out) in the GAT

During the sixth and last step of the GDPR gap-analysis, the concrete actions
yet to be implemented are defined in the GAT for the specific parameter
(which is not yet (completely) complied with). While defining the actions yet
to be implemented, it is recommended to pay close attention to current and
future projects, in particular to projects with aspects of (data) quality
management.

6.3.9 A clear GDPR implementation plan

Depending on the compliance status, as can be inferred from the GDPR
obligations gap-analysis, on the one hand, and the (ambition-driven) list of
actions, as can be inferred from the GAT, on the other, it is strongly
recommended to compose a solid GDPR implementation plan (GIP), keeping
in mind, among other things, clarity, manageability and (cost) efficiency and
effectiveness. Composing such a GIP will be discussed briefly[201] in chapter
seven.

6.3.10 GDPR gap-analysis and data governance

Within the framework of a GDPR gap-analysis, it is important to designate
clear tasks, roles and responsibilities per process step to members of the
GDPR team and all involved stakeholders:

1. Prior to executing a GDPR gap-analysis, it is recommended to pay
close attention to the following internal governance aspects:
a. All tasks and responsibilities of the team manager must be
clear and covered.
b. All tasks and responsibilities of individual team members
must be clear and covered.
2. After completing the GDPR gap-analysis, it should be clear who is
going to execute which tasks and roles and/or take responsibility for
actually implementing the resultant list of measures and related
actions. All this is usually covered in the GDPR Implementation Plan
(GIP), which is the first logical step after completing the GDPR
gap-analysis (see chapter 7 below).

6.3.11 Organise knowledge and (IT) expertise

Supervisors (project managers, team leaders and internal or external
GDPR experts alike) could profit from the ‘in-house expertise’ already present
to fill out the GAT, which adds to efficiency and effectiveness.
More specifically, one could think of involving all internal experts who are
actually able to add value in defining relevant measures and actions in order
to comply with one or more specific GDPR obligation(s). Organised
‘knowledge and expertise’ add to the practical means of making sure GDPR
requirements are met.

6.3.12 Ratio and intended effect of GDPR measures and actions

Within the context of analysing GDPR obligation gaps (measures to be
implemented and corresponding actions to be executed) in complying with
the GDPR obligations, it is recommended to pay special attention to the
scope of Article 1(2) of the GDPR (subject-matter and objectives of the
GDPR) and its intended effects.
From the wording of this article it is clear that, next to the right to
protection of personal data, the ‘fundamental rights and freedoms of natural
persons’ are protected as well. What does this mean for the daily practice of an
enterprise, institution or organisation? From a practical point of view, the
scope and wording of Article 1(2) of the GDPR imply that attention
should be paid to the fundamental rights and freedoms of natural persons, even
where this is not explicitly required. In essence, Article 1(2) provides an
important ‘insight’ into the ‘letter and the spirit’ of the GDPR in general and
the ‘GDPR obligations’ in particular. This could especially be helpful while
interpreting open and vague GDPR provisions and norms.

6.4 GDPR baseline and GDPR gap-analysis: roadmap

6.4.1 Why a roadmap for the GDPR baseline and GDPR gap-analysis?

Performing a GDPR baseline and GDPR gap-analysis (with or without
supporting software) could result in both organisational and substantive
challenges for the controller and/or processor. A well-structured roadmap
could offer at least some relief by rationalising and clearly visualising the
main steps, keeping in mind the pre-defined goals of the GDPR baseline and
GDPR gap-analysis. Planning should be an integral part of the design process
of (setting up) a professional GDPR baseline and GDPR gap-analysis. In
general, well-structured roadmap-based planning provides, among others, the
following advantages.

1. Good roadmap planning increases the chance of actually reaching
the set (GDPR) goals.
2. Good roadmap planning provides the basis for a methodical
overview.
3. Good roadmap planning provides the opportunity to set priorities
and apply the necessary focus.
4. Good roadmap planning provides better insight into the time
required.
5. Good roadmap planning increases the insight into the necessary
resources (IT, capital, people).
6. Good roadmap planning could enhance effective productivity
(which is necessary for realising deliverables).
7. Good roadmap planning could provide better understanding of,
interest in and larger added value of the organisation-wide GDPR
baseline and GDPR gap-analysis.
8. Good roadmap planning raises the odds that certain GDPR
measures and actions are actually being carried out.
9. Good roadmap planning helps to stay on track (time management).
10. Good roadmap planning prevents important tasks from becoming
urgent tasks (prevents stress).

6.4.2 Roadmap of a GDPR baseline and GDPR gap-analysis[202]

Figure 6.21 Roadmap

6.4.2.1 Mandate for the GDPR baseline and gap-analysis

The first step on the roadmap for a GDPR baseline or GDPR gap-analysis is
obtaining a sufficient mandate (administrative clearance) for performing the
desired GDPR baseline or GDPR gap-analysis. A well-defined mandate for
these activities includes at least a clear definition of:

1. The name(s) of the persons responsible for performing the GDPR
baseline and/or GDPR gap-analysis.
2. The goals of the GDPR baseline and GDPR gap-analysis to be
performed.
3. The supporting resources (budget, facilities et cetera) for the GDPR
team.
4. The (subject matter) scope of the GDPR baseline and GDPR gap-
analysis.
5. The aspired GDPR ambition level (of categories of GDPR
obligations).

In general, the act of defining a specific mandate for performing a GDPR
gap-analysis requires management to make ‘hard choices’ about the compliance
ambition levels of specific GDPR obligations.

6.4.2.2 Composing a team for performing the GDPR baseline and gap-analysis

The importance of a good GDPR team for performing (or guiding) the GDPR
baseline and GDPR gap-analysis is often underestimated in practice. Not only is
the importance of a good team regularly underestimated by ‘less professional’
external GDPR consultants, it is also known that some enterprises, institutions
or organisations themselves have no adequate understanding of the importance
of a good (professional) GDPR team, let alone of its correct composition
(tasks, roles, responsibilities and relevant competences).

It is up to the chairman of the GDPR team to guard a proper balance
between the different roles, tasks and responsibilities involved in performing a
professional GDPR baseline and/or GDPR gap-analysis.

6.4.2.3 Performing a GDPR baseline and gap-analysis

In general GDPR practice, the following (already discussed) six process
steps can be distinguished while performing a GDPR baseline and/or gap-
analysis:

1. Determine the goals of the GDPR baseline and GDPR gap-analysis.
2. Determine the scope of the GDPR baseline and gap-analysis.
3. Define the constituent components of the GDPR obligation in
conformity with the discussed GBC model.
4. Establish and confirm, per specific GDPR obligation component, all
relevant parameters.
5. Assess whether the specific parameter is or is not implemented or
complied with.
6. Calculate the compliance value of the GDPR obligation and, where
needed, determine which updates (actualisations) are necessary to
successfully implement the actions corresponding with the
parameters in order to remove (resolve) identified GDPR gaps.

As discussed in chapter 3 above, the term ‘risk’ plays a central role in the
GDPR.[203] In light of this, it is strongly advised to preserve this central role in
any GDPR gap-analysis. The risks to the rights and freedoms of natural
persons, of varying likelihood and severity, may result from personal data
processing which could, according to recital 75, lead to:

1. Physical, material or non-material damage, in particular where the
processing may give rise to:
a. Discrimination.
b. Identity theft.
c. Identity fraud.
d. Financial loss.
e. Damage to compliance reputation.
2. Loss of confidentiality of personal data protected by professional
secrecy.
3. Unauthorised reversal of pseudonymisation.
4. Any other significant economic or social disadvantage:
a. Where data subjects might be deprived of their rights and
freedoms or prevented from exercising control over their
personal data.
b. Where personal data are processed which reveal racial or
ethnic origin, political opinions, religion or philosophical
beliefs, trade union membership, and the processing of genetic
data, data concerning health or data concerning sex life or
criminal convictions and offences or related security measures.
c. Where personal aspects are evaluated, in particular analysing
or predicting aspects concerning performance at work,
economic situation, health, personal preferences or interests,
reliability or behaviour, location or movements, in order to
create or use personal profiles.
d. Where personal data of vulnerable natural persons, in particular
of children, are processed.
e. Where processing involves a large amount of personal data and
affects a large number of data subjects.

Given this strongly risk-oriented approach of a GDPR gap-analysis, at least
the following two aspects deserve closer attention:

1. Practical phases of risk identification.
2. Risk prioritisation on the basis of GDPR risk mapping.

Ad 1
Practical phases of risk identification
Although many models of risk management have been published (mostly from a
business and audit perspective),[204] the approach of GDPR obligations as
behavioural norms (decency norms or, if you wish, integrity norms) is an
approach that is worthy of more detailed research. In this sense, one could by
analogy follow the Identification of Risk (IRA) method, resulting in a
systematic management of ‘risks of dishonest behaviour’, in which four phases
can be distinguished. Visualised in a diagram, this looks like the following.

Ad 2
Risk prioritisation based on GDPR risk mapping
Before finalising, within the framework of a GDPR gap-analysis, a step-by-
step plan of action for implementing GDPR measures and carrying out
relevant actions, all identified GDPR risks need to be plotted and
prioritised. An often-used method is composing a so-called ‘GDPR risk
map’.[205] The probability (likelihood) that an identified GDPR risk will
materialise is usually depicted on the x-axis of such a map and the impact
of the GDPR risk on the y-axis. As per the risk methodology of
the French Data Protection Authority – Commission Nationale de
l’Informatique et des Libertés (CNIL) – such a GDPR risk map looks like the
following.[206]
In general, it is recommended to make a GDPR risk map, tailored to the
enterprise, institution or organisation, to enhance the added value of the
GDPR gap-analysis for, among others, risk management purposes or in the
context of a Data Protection Impact Assessment (DPIA) pursuant to Article
35 GDPR.

Figure 6.22 DNB Systemic Risk Identification


6.4.2.4 Stakeholders management

Most professional project managers will support the basic assumption that –
in any GDPR project – all GDPR stakeholders have to be identified and
involved in order to successfully complete a GDPR gap-analysis. A stakeholder
can be seen as a person or organisation that is actively involved in the
project, or whose interests can be influenced positively or negatively by the
findings and results of the project. A stakeholder could also influence the
project and its results. Generally, the following parties could qualify as
stakeholders (of any GDPR project):
1. Resource managers.
2. Senior management.
3. HRM managers.
4. Security managers.
5. Providers and sales.
6. Customers.
7. Supervisors.
8. Marketing departments.
9. Public relations.
10. Co-workers in supporting functions.
Figure 6.23 CNIL Risk Map
In general, the following considerations for the project manager can be
distinguished to underline the importance of good relationships with all
GDPR stakeholders.

1. Prevention of GDPR scope creep (resulting in moving GDPR targets).
2. Increase (or reduction) of GDPR risk tolerance.
3. Increased acceptance of the outcome of the GDPR gap-analysis.
4. Reduction of attempts to influence the GDPR gap-analysis results.

6.4.2.5 Review and update plan (RUP)


Before the GDPR gap-analysis is finalised as a project, it is advisable to
review it in the meantime, keeping in mind the end result to be achieved (a
concrete list of actions to reach the GDPR ambition level for the
non-compliant parameters), and, where necessary, to redirect (update). The
goal of reviewing and updating is to be able to adjust current activities in
a timely manner (such as filling out the GAT model), in particular the
formulation of the concrete actions to be carried out in light of the
intended gap-analysis goals.
Contrary to many other reviews, this review is future-oriented. After all,
all eyes are focused on actually reaching the previously defined GDPR
ambition levels of concrete measures and corresponding actions.
It is recommended to agree beforehand on the method (approach) of reviewing
and updating (RUP), so as to anticipate possible negative sentiments. Within
that framework, a number of practical considerations for the GDPR project
manager could be the following.

1. Prior alignment within the team on which questions should be addressed
and which accountability method is used.
2. Choose a constructive, positive approach (allow different views).
3. Also involve the most important stakeholders.
4. Prevent a ‘get-together’ between only the principal and the project
manager; give all project co-workers the opportunity to provide input.
5. Give attention to (afterwards verifiable) processes and the results of
good cooperation.

6.4.2.6 GDPR final reports and GDPR accountability (Article 5(2) GDPR)

The GDPR gap-analysis is concluded (just like every other corporate project)
with a sound final report, whose primary goal is to account for the way in
which the GDPR is complied with and for the efforts taken in that regard by
the controller and processor.
In a sense, Article 5(2) adds an extra (accountability) dimension, in the area
of processing personal data, to reporting and to the importance of the
underlying ‘evidence’ for the analyses and conclusions on which reports are
based. According to the latter article, the controller is responsible for
compliance with Article 5(1) of the GDPR (principles relating to processing
of personal data) and must be able to demonstrate this (‘accountability’).
Hence the usefulness and necessity of giving sufficient attention to
‘accountability and reporting’.
If and insofar as the goal of the GDPR gap-analysis is to measure whether,
and if so to what degree, Article 5(1) is complied with, it is, in light of
the relatively open character of the terms used, all the more important that
good parameters are found to demonstrate (account for) that the principles of
Article 5(1) are de facto (in fact) complied with.

6.5 Success factors for a GDPR baseline and GDPR gap-analysis

The final success of a good GDPR baseline and GDPR gap-analysis is of
course dependent on many factors, taking into account the specific
circumstances of the particular enterprise, institution or organisation.
Generally, one could distinguish the following factors (with reference to the
Standish Group Chaos Report 2011)[207] that contribute to reaching the
intended goals and results of the GDPR baseline and GDPR gap-analysis:[208]

1. Strong GDPR involvement of colleagues.
2. Strong involvement of the higher management level.
3. Proper (SMART) planning.
4. Realistic expectations of people and processes.
5. Smaller project milestones.
6. Project co-workers with sufficient expertise of the GDPR.
7. Competent project co-workers.
8. Ownership of the principal with project management.
9. Clearly formulated GDPR vision, mission, strategy and goals
(GDPR deliverables).
10. A devoted, hardworking and result-oriented project team.

6.6 Role of the DPO in a GDPR baseline and gap-analysis

As identified before, the DPO is expected to execute his/her tasks in the full
scope of the GDPR obligations. According to Article 39(1)(a) of the GDPR,
‘The data protection officer shall have at least the task to inform and advise
the controller or the processor and the employees who carry out processing of
their obligations pursuant to this Regulation and to other Union or Member
State data protection provisions.’

Against this background, the results (reports) of the GDPR baseline and
GDPR gap-analysis deserve the DPO’s special attention in light of the
performance of his/her legal tasks within the meaning of Article 39 of the
GDPR and the acting as a contact point for data subjects within the meaning
of Article 38(4) of the GDPR.

In answering the question of which role the DPO can or may have in performing
an organisation-wide GDPR baseline and GDPR gap-analysis (besides within
the framework of the performance of the legal tasks of the DPO), the
following considerations should at least be taken into account:

1. The performance of a GDPR baseline and GDPR gap-analysis as an
‘other task’ is in principle allowed; however, the controller shall
ensure that this ‘other task’ does not result in a conflict of interests
(with the tasks mentioned in Article 39 of the GDPR).
2. It is not up for discussion that having an eye on compliance with
obligations pursuant to the GDPR is of great interest for the good
performance of the legal tasks by the DPO. Within the framework of the
‘independent’ functioning of the DPO (see among others Article 38(3) of
the GDPR), the question can also be raised whether it is wise to assign
the DPO an executing role that is too important. Would it not fit better
within the position profile of the DPO (see in particular chapter 1) to
reserve a more important role for the DPO in independently informing,
advising and monitoring compliance pursuant to the GDPR? The DPO guards
the mission, vision and strategy (VMS) of his/her own DPO work plan within
the context of performing legal tasks.

In case there is no complete and qualitatively clear picture of all
personal data processing, this could negatively influence the good
independent task performance by the DPO, especially in light of the
vision, mission and strategy (VMS) of the DPO work plan as discussed
elaborately in chapter 3. Does an intensive role of the DPO fit within the
framework of performing a GDPR baseline and GDPR gap-analysis? If the DPO
is involved in the GDPR baseline and GDPR gap-analysis of personal data
(for example as member of a feedback body or steering committee, as project
manager or as member of a GDPR project team), the DPO should keep giving
constructive attention to the vision, mission and strategy (VMS) of his/her
own DPO work plan, keeping in mind the practical development of the DPO
work plan, in light of the tasks of the DPO (within the context of the legal
tasks of Article 39 of the GDPR that the DPO should at least carry out).

3. Pursuant to Article 35(2) of the GDPR, the controller shall seek the
advice of the data protection officer when carrying out a data
protection impact assessment (DPIA). Advising in this case with regard
to the DPIA and monitoring its performance in accordance with Article 35
of the GDPR belongs (per Article 39(1)(c)) to the legal tasks of the DPO.
Is it possible that a too intensive role of the DPO in the context of
execution (as in the case of a GDPR baseline or GDPR gap-analysis) could
come into conflict with the independent ‘monitoring of compliance’ within
the context of a DPIA? The EDPB (WP29) notes the following on the role of
the DPO within the framework of a DPIA: ‘The controller must also seek the
advice of the Data Protection Officer, where designated (Article 35(2)) and
this advice, and the decisions taken, should be documented within the
DPIA. The DPO should also monitor the performance of the DPIA (Article 39
(1)(c) GDPR).’[209]
4. In order to professionally ‘inform’ and ‘advise’ as per Article 39(1)
of the GDPR, it is recommended that the DPO’s contributions take full
account of the opinions and approaches of the data protection
authorities, especially their views on ‘appropriate measures and
actions’, in particular the risk approach of these data protection
supervisory authorities and their recommended methodologies (see among
others the methodology of the CNIL).

CHAPTER 7
GDPR IMPLEMENTATION AND DPO WORK PLAN
7.1 Introduction to the GDPR implementation plan

7.1.1 What is a GDPR implementation plan (GIP)?

A GDPR implementation plan (GIP) is a plan for preparing, performing,
testing (reviewing) and recording (demonstrating) appropriate technical and
organisational measures and concrete actions within the GDPR framework.
The primary goal of a GIP is to guarantee, and to be able to demonstrate,
that the processing of personal data is planned as per GDPR requirements.
With reference to Article 24(1) of the GDPR, a GIP[210] could in itself be
seen as a separate ‘appropriate measure’.
Basically, a GIP is a list of appropriate measures that have to be
implemented and (corresponding) concrete actions that have to be executed in
order to (de facto) realise the a priori (previously) determined, intended
GDPR maturity level[211] for compliance with the obligations pursuant to the
GDPR.
In light of this description of a GIP, among others the following questions
could be raised:

1. What is the rationale (reasoning) behind a GIP?
2. What is the meaning (added value) of a GIP?
3. What is the goal of a GIP?
4. In what detail should a GIP be performed?
5. What is the practical (management) value of a GIP?
6. What is the role of the DPO within the framework of a GIP?
Hereinafter, formulating a practical answer to, among others, the
above-mentioned questions is the centre of attention.

7.1.2 Rationale of a GIP


Whereas the GDPR gap-analysis creates a picture of the measures to be taken
in order to comply with the GDPR, this compliance can de facto (in fact) be
realised by actually performing the relevant actions within that framework.
Following on from the GDPR ambitions of the enterprise, institution or
organisation to comply with all the obligations derived from the GDPR, a
GIP is performed for various reasons[212], of which the following are
mentioned:

1. The starting point is the situation of non-compliance resulting from
the GDPR gap-analysis and the more detailed concrete actions within this
framework; it is necessary to unfold these actions – in light of the
GDPR ambition of the enterprise, institution or organisation – in the
form of a plan or project within the organisation.
2. A well-performed GIP provides important information for the board,
management and co-workers concerning GDPR residual risks that could
possibly still exist regardless of the carrying out of concrete actions.
3. In answering the question to what extent the residual risks deserve
further attention in the vision of the DPO (in monitoring compliance with
GDPR obligations), the DPO shall, under Article 39(2), have due regard to
the risk associated with processing operations, taking into account the
nature, scope, context and purposes of processing.

7.1.3 Goals of a GIP


The main objective of a GIP could be described as truly effectively
implementing appropriate measures and executing concrete actions as
identified in the GDPR gap-analysis. Besides this main objective, among
others, the following goals can be distinguished:

1. Providing insight into the costs associated with the implementation of
the intended GDPR measures.
2. Concretely filling out a GDPR maturity model (growth path).
3. Promoting efficiency of data processing.
4. Recruiting sufficiently competent and capable personnel (internal or
external).
5. Providing important input for GDPR project managers.
6. Promoting (in as far necessary) a GDPR compliance ‘sense of
urgency’ within the enterprise, institution or organisation or one or
more specific departments or activities.

7.1.4 Scope of a GIP


In order to maximise the benefit of a GIP and realise the defined goals, it
is important to interpret (if you wish, delineate) the scope of the GIP as
clearly as possible. In other words: how far does the scope of the
appropriate GDPR measures and concrete actions to be taken reach? As with
the GDPR baseline and GDPR gap-analysis, roughly the following (partly
overlapping) scopes can be distinguished (with reference to Article 39 of
the GDPR) within the context of a GIP:

1. The data protection provisions as included (processed) within the
GDPR itself (Article 39(1) GDPR).
2. Other Union data protection provisions (Article 39(1) GDPR).
3. Member State data protection provisions (Article 39(1) GDPR).
4. Member State national GDPR implementation laws.
5. Policies of the controller (Article 39(2) GDPR).
6. Industry codes of conduct (Article 40 GDPR).
7. Industry security codes.
8. General (security) norms: ISO/CEN/CENELEC/ENISA.
9. Organisation-specific (internal) regulations.
10. Requirements relating to GDPR certification mechanisms (Article
42).[213]
A GIP as discussed here in principle lends itself well to expansion with
additional scopes, such as additional data compliance dimensions (that can
be directly or indirectly related to the GDPR). A concrete example of this
is the following dimensions within the framework of the DAMA Body of
Knowledge model.[214]
The above-mentioned additional data compliance dimensions will be left out
of account hereinafter (unless explicitly mentioned otherwise).

Figure 7.1 DAMA Body of Knowledge model


7.1.5 Logical process steps of the GIP
Taking the ‘list of concrete measures and the actions connected thereto’
resulting from the GDPR gap-analysis as a starting point, actually taking
the measures and executing the concrete actions is the core of the GIP. The
logical steps connected to that could be described as follows:[215]

1. Determine what has to be implemented (which action).
2. Define what has to be implemented.
3. Design what has to be implemented.
4. Determine who has to execute what (governance, tasks and
responsibilities).
5. Determine when the measures have to be realised (deadline).
6. Test the measures for proper functioning and effectiveness (GDPR
review and update plan (RUP)).
7. Report on the measures that were taken.

7.1.6 Ideal team for a GIP


As with composing an ideal team for performing an organisation-wide GDPR
baseline and GDPR gap-analysis, if insufficient attention is given to the
composition of the team that will perform the GIP, this could result in
ultimately not reaching the defined goals, or in the GDPR measures and
actions not being performed as expected, which could lead among others to
frustration and loss of resources (invested hours and financial resources).
As for composing the ideal team for performing the GDPR gap-analysis, the
following aspects[216] are of interest for composing a team to successfully
perform a GIP:

1. Competent GDPR project manager: a competent project manager plays a
cardinal role in making the performance of a GDPR implementation plan a
success.
2. Balanced composition of the GDPR team: the project manager must
reach a balance in the team between the various roles, tasks and
responsibilities. In composing a project team, the following practical
steps can be distinguished.
Figure 7.2 GDPR implementation team
3. Development of the GDPR team: once the team for the performance
of a GDPR implementation plan is composed, a competent GDPR
project manager takes the team in the right direction.
4. Soft aspects of the GDPR team: in nearly all project teams where
colleagues are supposed to work together quite intensively, a team
spirit will arise, especially over a longer period. The positive
energy of ‘team results’ in general provides for extra impulses to
‘get the job done.’
5. Hard aspects of the GDPR team: in a properly functioning
professional team that performs a GDPR implementation plan, the
correct knowledge is present as well as the necessary abilities and
skills that can be used for successfully performing the GDPR
implementation measures. A good GDPR project manager
identifies these aspects prior to the team composition and respects
these in actually appointing the team members and composing the
GDPR team.

7.1.7 Management value of a GIP


In implementing appropriate technical and organisational measures, the
controller is responsible for complying with the principles relating to
processing of personal data as mentioned in Article 5(1) of the GDPR and
must be able to demonstrate compliance with these principles, according to
Article 5(2). Apart from the fact that the results of a GIP can lead to
partial compliance with the duty of accountability under Article 5(2), the
GIP provides (as was also the case with the GDPR baseline and GDPR
gap-analysis) interesting information (if you wish, business intelligence)
for the (responsible) management.

Figure 7.3 Management value GDPR implementation plan

7.1.8 The importance of a good GIP for the DPO


On the basis of Article 39(1) jo 24 of the GDPR, the DPO monitors whether
the controller - taking into account the nature, scope, context and purposes of
processing as well as the risks of varying likelihood and severity for the
rights and freedoms of natural persons – implements appropriate technical
and organisational measures to ensure and to be able to demonstrate that
processing is performed in accordance with the GDPR. Moreover, those
measures shall be reviewed and updated where necessary.
Under Article 39(1)(b), the DPO shall have the task to monitor compliance
with the following data protection provisions:

1. Data protection provisions as become apparent from the text of the
GDPR.
2. Other Union data protection provisions.
3. Member State data protection provisions.
4. The policies of the controller in relation to the protection of
personal data, including the following.

A. Assignment of responsibilities.
B. Raising awareness amongst the staff involved in processing
operations.
C. Training of staff involved in processing operations.
D. The audits related to data protection.

It seems plausible beforehand that, for effectively monitoring compliance
with the GDPR obligations by the controller, setting up and designing a GIP
is not only interesting but also relevant. After all, the DPO could form an
independent picture of the answer to the question to what degree the
controller, processor(s) and employees de facto comply with their
obligations pursuant to the GDPR (pursuant to Article 39(1)(b) GDPR), partly
on the basis of the measures and associated concrete actions mentioned in
the GIP.

Just as with the GDPR baseline and GDPR gap-analysis, the question to what
degree the ‘independent monitoring’ by the DPO can be based on the
conclusion of the GDPR implementation plan that the measures and concrete
actions taken are effective (and de facto work) deserves attention. It is
important here as well to emphasise that a professional DPO is capable of
doing independent research, on the basis of which the DPO as an expert
professional can reach conclusions on his/her own.
For the time being, the most practical line to be chosen seems to be the one
where the DPO is involved in a timely manner in the set-up, design and
performance of the GIP, in the way in which the DPO wishes to execute
his/her legal tasks (monitor, inform, advise, cooperate with the supervisory
authority and act as a contact point for the supervisory authority).[217]

7.1.9 Action scheme

With reference to a number of introductory comments relating to the
rationale and goals of the GIP in § 7.1, the main focus of § 7.2 is a number
of general goals and side effects of a good GIP (from the perspective of the
DPO). The steps that can be taken in sequence to perform a GIP in an orderly
and structurally reliable manner will be discussed afterwards in § 7.3. In
§ 7.4, a helicopter view (roadmap) of a GDPR implementation plan will be
discussed (from the perspective of the DPO) that could generally be seen as
an ‘action plan’. Whereas in § 7.5 the role of the DPO within the framework
of a GIP is discussed in further detail, the substantive part of this
chapter will be finished off in § 7.6 with a table of reference for the GDPR
implementation plan for the DPO that could perhaps be used as a compass
within the context of a DPO work plan, to stay on track along the lines of
the legal tasks of Article 39(1).

Figure 7.4 Action scheme

7.2 GIP: goals and side effects


7.2.1 General goals of a GIP
Every enterprise, institution or organisation could explicitly intend to
achieve a number of general goals with the performance of a GIP (depending
on its own insights, preferences and needs). Generally, one could, among
others, derive the following general goals from the GDPR.
1. Implement appropriate data protection policies (Article 24(2)).
2. Take appropriate and effective measures (recital 74).
3. Specify and comply with GDPR principles (Article 5).
4. Guard the lawful foundation (Article 6).
5. Maintain a record/register of the processing activities (Article 30).
6. Implement GDPR requirements and GDPR controls.
7. Realise GDPR risk-management and control.
8. Realise GDPR issue management and control.
9. Comply with Data Protection Impact Assessment (DPIA) duty
(Article 35).
10. Comply with GDPR compliance and accountability duty (Article
5(2)).

Figure 7.5 General goals

7.2.1.1 Implement appropriate data protection policies (Article 24(2))

As a starting point for a GIP, it is important that the enterprises,
institutions and organisations (controllers within the meaning of Article 24
jo Article 4 of the GDPR) can at least answer the question which obligations
pursuant to the GDPR are (already) complied with or not (GDPR baseline) and,
insofar as a particular obligation pursuant to the GDPR is not complied
with, which concrete (additional) actions have to be implemented to comply
nonetheless (GIP).[218]
Policy makers have to at least be able to estimate well what the impact of
the GDPR is on the current processes, products and services and which
adjustments (concrete actions) are necessary to comply with the GDPR.
According to the Dutch privacy supervisory authority, it has to be taken
into account that implementation of the GDPR can demand a lot of the
available human and other resources.[219] Which concrete measures and
actions have to be implemented has to be developed in the GIP.[220]

7.2.1.2 Take appropriate and effective measures (recital 74)

According to recital 74 of the GDPR, the responsibility and liability of the
controller for any processing of personal data carried out by the controller or
on the controller's behalf should be established. In particular, the controller
should be obliged to implement appropriate and effective measures and be
able to demonstrate the compliance of processing activities with the GDPR,
including the effectiveness of the measures. Those measures should take into
account the nature, scope, context and purposes of the processing and the risk
to the rights and freedoms of natural persons.[221]

7.2.1.3 Specify and comply with GDPR principles


Appropriate measures and concrete actions are included in the GIP for the
specification of, and compliance with, the principles relating to processing
of personal data under Article 5(1) (also defined as the general GDPR
privacy duty of care of the controller).[222] According to this article, the
following principles concerning the processing of personal data have to be
considered:

a. Personal data shall be processed lawfully, fairly and in a transparent
manner in relation to the data subject (‘lawfulness, fairness and
transparency’).
b. Personal data shall be collected for specified, explicit and
legitimate purposes and not further processed in a manner that is
incompatible with those purposes. Further processing for archiving
purposes in the public interest, scientific or historical research
purposes or statistical purposes shall, in accordance with Article
89(1), not be considered to be incompatible with the initial
purposes (‘purpose limitation’).
c. Personal data shall be adequate, relevant and limited to what is
necessary in relation to the purposes for which they are processed
(‘data minimisation’).
d. Personal data shall be accurate and, where necessary, kept up to
date. Every reasonable step must be taken to ensure that personal
data that are inaccurate, having regard to the purposes for which
they are processed, are erased or rectified without delay
(‘accuracy’).
e. Personal data shall be kept in a form which permits identification of
data subjects for no longer than is necessary for the purposes for
which the personal data are processed. Personal data may be stored
for longer periods insofar as the personal data will be processed
solely for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes in accordance
with Article 89(1) subject to implementation of the appropriate
technical and organisational measures required by this Regulation
in order to safeguard the rights and freedoms of the data subject
(‘storage limitation’).
f. Personal data shall be processed in a manner that ensures
appropriate security of the personal data, including protection
against unauthorised or unlawful processing and against accidental
loss, destruction or damage, using appropriate technical or
organisational measures (‘integrity and confidentiality’).

7.2.1.4 Guard the lawful foundation (Article 6)

The controller can only process personal data lawfully under Article 6(1) if
and to the extent that at least one of the following conditions (foundations)
applies.

a. The data subject has given consent to the processing of his or her
personal data for one or more specific purposes.
b. Processing is necessary for the performance of a contract to which
the data subject is party or in order to take steps at the request of the
data subject prior to entering into a contract.
c. Processing is necessary for compliance with a legal obligation to
which the controller is subject.
d. Processing is necessary in order to protect the vital interests of the
data subject or of another natural person.
e. Processing is necessary for the performance of a task carried out in
the public interest or in the exercise of official authority vested in
the controller.
f. Processing is necessary for the purposes of the legitimate interests
pursued by the controller or by a third party, except where such
interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal
data, in particular where the data subject is a child.[223]

7.2.1.5 Keeping a register of the processing activities


Pursuant to Article 30(1), each controller[224] and, where applicable, the
controller's representative, shall maintain a record of processing activities
under its responsibility. That record shall contain all of the following
information:

a. The name and contact details of the controller and, where
applicable, the joint controller, the controller's representative and
the data protection officer.
b. The purposes of the processing.
c. A description of the categories of data subjects and of the
categories of personal data.
d. The categories of recipients to whom the personal data have been or
will be disclosed including recipients in third countries or
international organisations.
e. Where applicable, transfers of personal data to a third country or an
international organisation, including the identification of that third
country or international organisation and, in the case of transfers
referred to in the second subparagraph of Article 49(1), the
documentation of suitable safeguards.
f. Where possible, the envisaged time limits for erasure of the
different categories of data.
g. Where possible, a general description of the technical and
organisational security measures referred to in Article 32(1).
h. While executing a professional GDPR implementation plan, due
attention should also be paid to the following:

Actual control of the exhaustiveness of the number of processes
under Article 30 of the GDPR.
Actual control of the data to be contained in the register per
process (components a to g of Article 30(1) GDPR).

7.2.1.6 Implement GDPR requirements and GDPR controls


A general goal of every good GIP is translating GDPR requirements (that
derive from obligations pursuant to the GDPR) into concrete actions and (as
far as possible) actually taking control measures (GDPR controls), where
sufficient attention is given to the following.

1. Concrete GDPR requirements that are concrete requisites to be
fulfilled within the framework of implementation processes
(according to the GDPR). One could think for example of the
GDPR requirement of Article 13(1) pursuant to which the
following specific information has to be provided to the data
subject when personal data is collected (as processing process):

a. The identity and the contact details of the controller and, where
applicable, of the controller's representative.
b. The contact details of the data protection officer, where
applicable.
c. The purposes of the processing for which the personal data are
intended as well as the legal basis for the processing.
d. Where the processing is based on point (f) of Article 6(1), the
legitimate interests pursued by the controller or by a third
party.
e. The recipients or categories of recipients of the personal data,
if any. Where applicable, the fact that the controller intends to
transfer personal data to a third country or international
organisation and the existence or absence of an adequacy
decision by the Commission, or in the case of transfers referred
to in Article 46 or 47, or the second subparagraph of Article
49(1), reference to the appropriate or suitable safeguards and
the means by which to obtain a copy of them or where they
have been made available.

2. Practical GDPR controls that are practical control measures that
can be used for controlling the implementing processes. In the case
of the information duty of Article 13, by way of example of a GDPR
control, one could think of a checking moment embedded in the
process (for example in the form of a communication checklist)
where, first of all, the specific information texts are formulated
and checked against the requirements of Article 13(1) before personal
data are collected from the data subject.
It should be noted that good GDPR controls could be qualified as appropriate
technical and organisational measures within the meaning of Article 24(1)
and could serve as well to demonstrate that processing personal data is in
accordance with the GDPR (taking into account the nature, scope, context
and purposes of processing as well as the risks of varying likelihood and
severity for the rights and freedoms of natural persons).
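Both controls described above, the per-process Article 30(1) register check of § 7.2.1.5 and the Article 13(1) communication checklist of § 7.2.1.6, are required-field checks with conditional items, so one added example covers them; it is not the handbook's or any supervisory authority's code. The field names, the sample register and the treatment of the 'where possible' items (f) and (g) as warnings rather than failures are assumptions.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Requirement:
    item: str                 # letter of the GDPR item the field belongs to
    key: str                  # field name in our record (assumption)
    description: str
    applies: Callable[[dict], bool] = lambda rec: True  # conditional items
    soft: bool = False        # 'where possible' items: warning, not failure


# Conditions that switch the 'where applicable' items on or off.
def _has_dpo(rec): return bool(rec.get("dpo_designated"))
def _transfers(rec): return bool(rec.get("third_country_transfers"))
def _legit_interest(rec): return rec.get("legal_basis") == "6(1)(f)"


# Article 30(1)(a)-(g): content of one register entry per process.
ART30_RECORD = (
    Requirement("a", "controller_contact", "name and contact details of the controller"),
    Requirement("a", "dpo_contact", "contact details of the DPO", applies=_has_dpo),
    Requirement("b", "purposes", "purposes of the processing"),
    Requirement("c", "data_subject_categories", "categories of data subjects"),
    Requirement("c", "personal_data_categories", "categories of personal data"),
    Requirement("d", "recipient_categories", "categories of recipients"),
    Requirement("e", "transfer_safeguards", "third country and safeguards documentation",
                applies=_transfers),
    Requirement("f", "erasure_time_limits", "envisaged time limits for erasure", soft=True),
    Requirement("g", "security_measures", "general description of Article 32(1) measures",
                soft=True),
)

# Article 13(1)(a)-(e): what the information text must tell the data subject.
ART13_NOTICE = (
    Requirement("a", "controller_contact", "identity and contact details of the controller"),
    Requirement("b", "dpo_contact", "contact details of the DPO", applies=_has_dpo),
    Requirement("c", "purposes", "purposes of the processing"),
    Requirement("c", "legal_basis", "legal basis for the processing"),
    Requirement("d", "legitimate_interests", "legitimate interests pursued (Article 6(1)(f))",
                applies=_legit_interest),
    Requirement("e", "recipient_categories", "recipients or categories of recipients"),
    Requirement("e", "transfer_safeguards", "transfer: adequacy decision or safeguards",
                applies=_transfers),
)


def _present(value) -> bool:
    """A field counts as filled only if it carries real content."""
    if value is None:
        return False
    if isinstance(value, str):
        return value.strip() != ""
    if isinstance(value, (list, tuple, set, dict)):
        return len(value) > 0
    return True


def check(record: dict, requirements) -> dict:
    """Compare one record against a requirement set; entries read
    '(item) description [key]'. Soft items go to 'warnings'."""
    missing, warnings = [], []
    for req in requirements:
        if not req.applies(record) or _present(record.get(req.key)):
            continue
        entry = f"({req.item}) {req.description} [{req.key}]"
        (warnings if req.soft else missing).append(entry)
    return {"missing": missing, "warnings": warnings}


def check_register(register) -> dict:
    """Second control of § 7.2.1.5: run the Article 30 check over every
    process in the register, keyed by process name."""
    return {rec["process"]: check(rec, ART30_RECORD) for rec in register}


def notice_ready(record: dict) -> bool:
    """Checking moment of § 7.2.1.6: may the Article 13 text go out?"""
    return not check(record, ART13_NOTICE)["missing"]


# Constructed sample register with two processes (all values are made up).
SAMPLE_REGISTER = [
    {"process": "HR payroll", "controller_contact": "Example BV, privacy@example.test",
     "dpo_designated": True, "dpo_contact": "dpo@example.test",
     "purposes": ["salary administration"], "legal_basis": "6(1)(c)",
     "data_subject_categories": ["employees"],
     "personal_data_categories": ["name", "IBAN", "salary"],
     "recipient_categories": ["payroll provider", "tax authority"],
     "third_country_transfers": [], "erasure_time_limits": "7 years after employment ends",
     "security_measures": "role-based access, encryption at rest"},
    {"process": "Newsletter analytics", "controller_contact": "Example BV, privacy@example.test",
     "dpo_designated": True, "dpo_contact": "",
     "purposes": ["engagement statistics"], "legal_basis": "6(1)(f)", "legitimate_interests": "",
     "data_subject_categories": ["subscribers"],
     "personal_data_categories": ["email", "open and click events"],
     "recipient_categories": ["analytics SaaS"],
     "third_country_transfers": ["US"], "transfer_safeguards": None,
     "erasure_time_limits": None, "security_measures": "TLS in transit"},
]

if __name__ == "__main__":
    for name, result in check_register(SAMPLE_REGISTER).items():
        print(name, result)
    for rec in SAMPLE_REGISTER:
        print(rec["process"], "notice ready:", notice_ready(rec))
```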

7.2.1.7 Realise GDPR risk-management and control

Ideally, it becomes apparent from the GDPR implementation plan which
appropriate measures are realised to significantly control privacy risks,
as well as which concrete actions are implemented within that context. In
the GDPR, the term ‘risk’ plays a central role after all.[225]

The risk to the rights and freedoms of natural persons, of varying likelihood
and severity, may, according to recital 75, result from personal data
processing which could lead to severe or less severe consequences and
damage for data subjects. In short, we refer to what was already observed in
chapter 6.

7.2.1.8 Realise GDPR issue management and control

The promotion of taking measures in case of incidents (issue management) is
often mentioned in practice as an explicit goal of a GDPR implementation
plan (GIP). In that case, the GIP will in any case give appropriate attention
to at least the following.

1. Identifying possible incidents (issues).
2. Assessing the risk of the occurrence of incidents.

Issue management plays a role in particular within the framework of security
issues.[226] Accordingly, as per Article 32(1) (security of processing), the
controller and the processor shall implement appropriate technical and
organisational measures to ensure a level of security appropriate to the risk,
including inter alia as appropriate:

1. The pseudonymisation and encryption of personal data.
2. The ability to ensure the ongoing confidentiality, integrity,
availability and resilience of processing systems and services.
3. The ability to restore the availability and access to personal data in
a timely manner in the event of a physical or technical incident.

7.2.1.9 Comply with Data Protection Impact Assessment (DPIA) obligation

Complying with the obligation to carry out a DPIA pursuant to Article 35
GDPR – sometimes referred to as Privacy Impact Assessment (PIA) – could
be considered to be a part of the GIP.
Pursuant to Article 35(3) GDPR a Data Protection Impact Assessment
(DPIA) shall in particular be required in the case of:

a. A systematic and extensive evaluation of personal aspects relating
to natural persons which is based on automated processing,
including profiling, and on which decisions are based that produce
legal effects concerning the natural person or significantly affect
the natural person.
b. Processing on a large scale of special categories of data referred to
in Article 9(1), or of personal data relating to criminal convictions
and offences referred to in Article 10.
c. Systematic[227] monitoring of a publicly accessible area on a large
scale.
d. Types of processing that are specified in a list provided by the
European Data Protection Board (EDPB).[228]
An element of the GDPR implementation plan is usually the development of
concrete DPIA models which have to be (mandatorily) used by the company
or enterprise for actually performing the DPIA obligation.

7.2.1.10 Comply with GDPR compliance and accountability duties

On the basis of Article 5(2), the controller shall be responsible for, and be
able to demonstrate compliance with, paragraph 1 (‘accountability’). A
GDPR implementation plan whose set-up and structure are designed well and
performed competently not only provides important management
information for compliance with the GDPR, but can also produce (generate)
the necessary ‘evidence’. It is, therefore, strongly recommended to report
extensively (also for the benefit of the privacy supervisory authority) on the
complete GDPR implementation track, based on underlying records of
evidence.

7.2.2 Side effects of a GIP

Depending on the design, structure and layout of the specific GIP, it does
not seem implausible that certain side effects could occur as a consequence
of the actual performance of the GIP. Generally, it could be argued that a
good and competently performed GIP could lead to the following side effects
that (as was the case for the GDPR baseline and GDPR gap-analysis) could
be taken into account within the framework of the DPO work plan:

1. Promote insight into the necessary resources for both the controller
and the DPO (Article 38(2) GDPR).
2. Raise GDPR awareness (Article 39(1)(b) GDPR).
3. Promote better insight into a number of the processing activities
(Article 30 GDPR).
4. Promote insight into the importance of processing for critical
processes (among others recital 74 GDPR).
5. Promote more effective monitoring by the DPO of compliance with
the GDPR by the controller, processor or co-workers (Article 39(2)
GDPR).

As these side effects correspond mutatis mutandis (broadly) with the side
effects of a GDPR baseline and GDPR gap-analysis, reference is made to
§ 6.1.3.2 where these effects have already been discussed.

Figure 7.6 Side effects

Generally, it could be argued that as the defined goals in the GIP become
more concrete, the degree to which side effects could occur (and thus also the
impact) can be estimated better, which in itself could be interesting within the
framework of the business case[229] of the DPO work plan as discussed in
chapter 3.

7.3 GIP: process steps

Figure 7.7 Process steps implementation plan


7.3.1 Step 1: compose a GDPR implementation team
Given the specifics of the relevant GDPR mandate by the controller – which
is in principle not granted to the DPO[230] – during the first step of the GIP,
preparations are made for composing the GDPR team that will execute the
further implementation of appropriate GDPR measures and corresponding
actions. Ideally, the team will consist of people with diverse backgrounds,
relevant for the GIP (for example, legal, IT, Security, Compliance, Ethics,
HR, Marketing and Quality and Control).

Once the ideal GDPR implementation team has been composed, due attention
is first to be paid to the following.

1. Which subsequent steps have to be taken for performing appropriate
technical and organisational measures and corresponding concrete
actions, which are usually (also) based on the ‘list of appropriate
GDPR measures and concrete actions’ resulting from the GDPR
gap-analysis.
2. Who has which tasks, fulfils which roles and carries which
responsibilities within the GDPR implementation team.
3. Clear timelines within which the hereinafter mentioned steps of the
GIP are completed.

7.3.2 Step 2: determine what has to be implemented


Before the GIP can be initiated, it first has to be clear which appropriate
technical and organisational measures and corresponding (already mentioned
in the GDPR gap-analysis) concrete actions have to be implemented. Under
reference to Article 39(1)(b) GDPR, hereinafter for the sake of convenience it
is presumed that the primary goal of the GIP is taking appropriate technical
and organisational measures and concrete actions in the sense of Article 24(1)
GDPR. For a discussion of the general goals (and side effects) of a GIP, see
previous § 7.2.

Relating to the question of which sources could be used for appropriate
technical and organisational GDPR measures, the following are usually
mentioned.[231]

1. Measures as mentioned in the GDPR itself.
2. Measures as mentioned in other Union data protection legislation
and regulation.
3. Measures as can be inferred from national data protection laws and
regulations.
4. Industry codes of conduct under Article 40 GDPR.
5. General (security) norms such as ISO/CEI/ENISA.
6. Organisation-specific (internal) regulations.

In general it can be noted that in order to successfully implement GDPR
measures, it is important that these GDPR measures are defined and
determined as specifically as possible (according to SMART). This is of
particular importance for the independent monitoring of compliance with
the GDPR by the DPO within the meaning of Article 39(1)(b) GDPR.

7.3.3 Step 3: define what has to be implemented


Once it is determined what has to be implemented (for example writing
information texts for the fulfilment of and compliance with the information
duty ex Article 14),[232] the next step of the GIP is that the following questions
with regard to the specific concrete actions are answered as clearly and
specifically as possible.

1. What does the concrete action intend to achieve (what is the goal of
the concrete action)?
2. What must the concrete action at least entail (in substance)?
3. Which possible conditions[233] for performing concrete actions have
to be taken into account?
4. Which specific circumstances[234] have to be taken into account in
designing and performing the concrete action?

7.3.4 Step 4: design what has to be implemented


Whereas in the third step it is defined as precisely as possible (in other
words, clearly and specifically) what is expected of the performed GDPR
measures (and the corresponding concrete actions), on this basis a concept
(draft) is made for each corresponding action, for example actually writing a
draft text (such as an informative text for a website) for complying with the
information obligation pursuant to Article 14 GDPR. With reference to this,
it could be determined (if configured methodically) as an additional control
measure (GDPR control)[235] that before texts are published on the website
of the enterprise, institution or organisation, a GDPR editorial control takes
place beforehand by an (ideally appointed) GDPR expert.

Generally, it should be noted that – by analogy with Article 39(2) – in
designing concrete actions, due regard shall be given to the risk associated
with processing operations, taking into account the nature, scope, context and
purposes of processing.

7.3.5 Step 5: check the proper functioning and effectiveness of the measures

The following two – empirically well verifiable – practical questions are the
core of the penultimate step of the GIP.

1. Do the appropriate measures and concrete actions that have to be
taken have a desired or undesired influence or effect on each other?
In other words, are the diverse GDPR measures and concrete actions
adjusted well to each other with regard to the necessary GDPR
implementation coherence? Is there any form of ‘conflict’ in light of
the effect of the one GDPR measure (action) compared to the other
GDPR measure (action)?
2. Are the intended goals of the performed concrete actions actually
achieved, in other words, are the performed actions sufficiently
effective?

If it is established that the effect of certain measures (actions) is not
optimal, or that their effectiveness leaves something to be desired, the
question naturally follows of how this could be improved so that the GDPR
measures that were taken, and the concrete actions within that context, are
sufficiently effective. Shortly after, the resulting additional or revised actions
(updates) have to be carried out.

7.3.6 Step 6: proof reports of the implemented GDPR measures

On the basis of Article 5(2) of the GDPR, the controller shall be fully
responsible for, and be able to demonstrate compliance with, paragraph 1
(‘accountability’). Against this background, it is in any case recommended to
base the report on a sound foundation, ideally on reproducible evidence.
If and provided that the GIP also has the goal of measuring whether, and if
so to which degree, Article 5(1) is complied with,[236] it is even more
important that the following aspects receive sufficient attention, in light of
the relatively open character of these ‘principles relating to processing of
personal data’.

1. Already during the GDPR gap-analysis, good (SMART defined, to be
answered dichotomously)[237] parameters have to be used to
demonstrate (account for) compliance under Article 5(2) with the
principles mentioned in Article 5(1).
2. In the GIP, all measures that were taken and concrete actions that
were carried out are tested (measured) against the beforehand
defined (and SMART formulated) goals and the GDPR ambition
level.

7.3.7 A clear GIP


Having a clear, logically sequenced GIP for implementing (carrying out,
actually taking) appropriate technical and organisational measures within
the meaning of Article 24(1) provides various advantages, among which the
following.

1. A clear GIP could be regarded as evidence for a crucial step towards
GDPR compliance and accountability within the meaning of
Article 5(1) GDPR, in particular towards both internal and external
stakeholders.
2. A clear GIP could be regarded as evidence for a crucial step towards
taking appropriate technical and organisational measures within the
meaning of Article 24(1) GDPR.
3. A clear GDPR implementation plan provides a clear framework for
the design, layout and execution of the subsequent implementation
steps.
4. Following the above-mentioned steps (for example a GDPR
roadmap)[238] could help in this. Another layout of GDPR
implementation steps is of course conceivable.

7.3.8 Organise knowledge and (IT) expertise

Both GDPR management (GDPR project managers, managers of GDPR
teams) and GDPR experts (insofar as the specific GDPR project managers
and team managers cannot also be qualified as experts) could improve the
efficiency and effectiveness of taking appropriate GDPR measures by
‘organising the necessary knowledge’ in a prudent manner when designing,
laying out and carrying out the appropriate measures mentioned in the GIP.
In a concrete sense, one could think of at least involving those disciplines
(departments) that could be of added value in actually carrying out
appropriate technical and organisational measures and concrete actions to
(nonetheless) comply with the specific obligations pursuant to the GDPR.

In practice, the combined involvement of HR, IT, Marketing, Communication
and Security leads, for example, to surprising and constructive input for the
GDPR implementation team, whereby both the proper functioning and
effectiveness of appropriate measures and concrete actions could eventually
be enhanced.
7.4 GIP: Roadmap

7.4.1 Why a roadmap for the GIP?

Designing, laying out and competently carrying out a GIP (with or without
external support) can be a challenge for the controller both organisationally
and substantively.

A roadmap of a GIP delineated in clear steps could at least lead to some
organisational relief, because the main steps become sequential and clear
(visualised), keeping in mind the methodical realisation of the beforehand
defined (SMART formulated) goals of the GIP.

Professional planning should therefore be an integral component of the
design, layout and execution of a good GIP. In general, the following
advantages of a prudently designed roadmap of a GIP can be distinguished.

1. Good roadmap planning increases the chance of actually reaching
the set (GDPR) goals.
2. Good roadmap planning provides the basis for a methodical
overview.
3. Good roadmap planning provides the opportunity to set priorities
and apply the necessary focus.
4. Good roadmap planning provides better insight into the necessary
time expenditure.
5. Good roadmap planning increases the insight into the necessary
resources (IT, capital, people).
6. Good roadmap planning could enhance the effective productivity
(that is necessary for realising the beforehand discussed and
SMART formulated deliverables).
7. Good roadmap planning could provide better understanding,
interest and larger added value of an organisation-wide GIP.
8. Good roadmap planning raises the odds that certain appropriate
GDPR measures and concrete actions are actually carried out.
9. Good roadmap planning helps to stay on track (time management).
10. Good roadmap planning prevents important GDPR implementation
tasks from becoming urgent tasks (prevents stress).
7.4.2 Roadmap of a GIP
Figure 7.8 Roadmap GIP

7.4.2.1 Mandate and steering information for the GIP

A professional GIP starts with defining and establishing the assignment,
mode of operation and competencies of the GDPR team in the GIP, where
the mandate received and the steering information entailed therein are the
starting point. A good mandate for carrying out appropriate technical and
organisational measures contains at least a clear description of the following
elements.

1. The assignment for implementing the GDPR.
2. The goals of the intended GDPR implementation.
3. The competences of the individual members of the GDPR
implementation team.
4. The scope of the GIP.
5. A clear description of the intended GDPR ambition level, ideally
formulated in terms of GDPR requirements and GDPR controls
against the background of a GDPR maturity model[239] – that is also
based on a sound analysis of GDPR risks – which is so concrete
that goals (KPIs) can be connected to it that at least comply with
the principle of SMART (Specific, Measurable, Agreed, Realistic,
Time-restricted).

7.4.2.2 Operationalising the GIP


The execution of a GIP can have a substantial impact on the limited (and
costly) internal and external resources. The importance of a prudent and
reliable GDPR implementation should not lose out in this regard. The
importance of a well-supported GDPR implementation team, also in
operational respects, should not be underestimated. In a concrete sense, one
could think for example of operational support in the form of sufficient
qualifications, financial resources, office facilities, implementation software,
etc.

Unfortunately, in practice it is often noticed that both the (often less
professional) external service providers (supplying side) and the enterprise,
institution or organisation (demanding side) do not have an adequate picture
of the importance of a good GDPR team, let alone a sufficiently
representative picture of the importance of an operationally balanced and
well-composed GDPR implementation team.

It is not only important that the GDPR project manager (or comparable
function or role) can achieve an appropriate balance in the GDPR
implementation team between the various roles, tasks, required expertise
areas, (joint) responsibilities and advice on behalf of the controller
(principal of the GDPR implementation plan). It is equally important that the
GDPR project manager (or comparable function or role) keeps safeguarding
the operational design of a good GDPR implementation plan.

7.4.2.3 Managing the expectations of stakeholders


Expert GDPR project managers generally subscribe to the basic assumption
that, for any GDPR implementation plan to be completed successfully, all
stakeholders[240] have to be identified and given the opportunity to name
their respective expectations within the framework of taking appropriate
measures in order to comply with the obligations pursuant to the GDPR.
After all, a GDPR stakeholder could also influence the GDPR project and the
ultimate results.

As was also the case for the GDPR baseline and GDPR gap-analysis, the
following parties could generally be qualified as stakeholder(s):

1. Resource managers.
2. Senior management.
3. HR(M) managers.
4. Security managers.
5. Suppliers and sales.
6. Customers.
7. Supervisors.
8. Marketing departments.
9. Public relations.
10. Co-workers in supporting functions.

Some considerations for the leader of the GDPR implementation project to
actively invest in a good relationship with stakeholders can be summarised
as follows.

1. Prevent GDPR scope creep (because of which expectations keep
shifting).
2. Enhance (or reduce) tolerance of GDPR risks.
3. Enhance the acceptance rate of the intended final results of the GIP.
4. Reduce the risk of negative influence during the performance of the
GIP.

7.4.2.4 Perform concrete actions


With reference to, for example, Article 35 (DPIA duty), the term ‘risk for
rights and freedoms’ plays a central role in the GDPR[241] and preferably
has to be given the necessary attention in the GIP. The risk to the rights and
freedoms of natural persons (of varying likelihood and severity) may result,
according to recital 75, from personal data processing which could among
others lead to a number of specified consequences and damages.[242]

Also in light of the fact that any person who has suffered material or
non-material damage as a result of an infringement of the GDPR shall have
the right to receive compensation from the controller or processor for the
damage suffered (according to the intention of Article 82), it is generally
recommended to also base the GIP on a GDPR risk map[243] tailored to the
enterprise, institution or organisation, whereby the added value of the GIP
can also be increased.

7.4.2.5 Review and update plan (RUP)


Before the implementation of the GIP can be completed as a project, it is
advisable to review it in the interim, keeping in mind the already achieved
and possibly still intended (not yet achieved) final results, which in itself
could generate important input for GDPR management (and/or the GDPR
project manager).

Where necessary (in light of the proper functioning and effectiveness of the
measures that were taken), it should be adjusted (mitigated). The goal of the
reviewing and updating is therefore to adjust activities in a timely manner, in
particular to adjust the formulation of the concrete actions to be carried out,
in light of the previously defined (ideally SMART defined) goals of GDPR
implementation.

It is recommended to make a plan (or arrangement) beforehand on the
manner (approach) of review and update (RUP), to anticipate possible
negative emotions and for the sake of managing realistic expectations (of
stakeholders). Within that framework, some practical considerations for the
GDPR project manager, senior GDPR manager or manager of the GDPR
implementation team could be the following.

1. Align beforehand within the project team which questions should be
involved and which accountability method is used for
accountability in respect of the implemented activities of the GDPR
implementation team.
2. Choose a constructive-positive approach (to allow different views).
3. Also involve (at least the most important) stakeholders in the
review and update process.
4. Prevent the review and update from becoming a ‘get-together’
between the controller and the GDPR project manager. Give all
project co-workers the opportunity to provide input.
5. Give sufficient attention to the processes and the results of a good
cooperation within the GDPR team and between the GDPR team
and the remaining co-workers of the enterprise, institution or
organisation.

7.4.2.6 Executing reports of the GIP (Article 5(2) GDPR)


The GIP is (just as usually every other project) completed with a sound end
report with the primary goal of a reliably substantiated justification.

In a sense, Article 5(2) adds an extra (accountability) dimension, in the area
of processing personal data, to reports and to the importance of gaining and
documenting the underlying evidence from accountability reports that form
the basis of the conclusions. According to the latter article, the controller
shall be responsible for, and be able to demonstrate (‘accountability’)
compliance with, Article 5(1) (principles relating to processing of personal
data). This endorses the importance (and the ‘purpose and necessity’) of
including ‘accountability and reporting’ in the GDPR implementation plan
as a permanent component.

Once the preceding five steps of the GIP have been completed successfully
and, in accordance with Article 24(1), the appropriate technical and
organisational measures have been taken in order to ensure that the
processing of personal data is performed in accordance with the GDPR, it is
recommended to record the results (including the historical state of affairs
that was needed) in the form of an (internal/external) GDPR implementation
report.

7.4.3 Success factors for a GIP


Just as was the case for a GDPR baseline and GDPR gap-analysis, one could
generally distinguish, referring to the Standish Group Chaos Report 2011,[244]
a number of (already mentioned in chapter 6) factors that contribute to
successfully reaching the intended (and ideally SMART defined) goals that
were initially envisioned with the GIP.
Additionally, it is noted that for a good, competently composed and
professionally performed GIP, in practice, enterprises, institutions and
organisations usually benefit from a sufficient level of (preferably
measurable) GDPR awareness where in particular attention is given to the
KRAEP-criteria as mentioned above.[245]

7.5 GIP: Role of the DPO


As concluded before within the framework of the GDPR baseline and GDPR
gap-analysis, the DPO is expected to perform his/her tasks across the full
width of the ‘obligations pursuant to the GDPR’. In the wording of Article
39(1)(a), ‘The data protection officer shall have at least the task to inform and
advise the controller or the processor and the employees who carry out
processing of their obligations pursuant to this Regulation and to other Union
or Member State data protection provisions.’

While answering the question which role the DPO is allowed to or may have
in performing a GIP, it is recommended to at least take the following
considerations into account:

1. Performing a GIP as ‘other task’ is in principle allowed, given that
the controller shall ensure that this ‘other task’ does not result in a
conflict of interests (with the tasks mentioned in Article 39). The
reasoning that too great an operational involvement of the DPO in
actually taking measures and carrying out concrete actions is not
readily compatible with the task of ‘monitoring compliance’ ex
Article 39(2) should be endorsed. After all, a butcher should not
certify his own meat.
2. For the good performance of legal tasks by the DPO, it is of utmost
importance that there is a good overview of compliance with the
obligations pursuant to the GDPR. In a strict sense, this entails that
for all GDPR obligations relevant for the specific controller
(enterprise, institution or organisation) the content has to be defined
by the controller as clearly as possible in the GDPR implementation
plan. Within the framework of the ‘independent’ functioning of the
DPO (see among others Article 38(3)) the question can be asked
whether it is wise to assign the DPO a large executing role within
the context of the GDPR implementation plan. Would it not fit
better in the professional profile of the DPO (see in particular
chapter 2) to reserve a larger role for the DPO to inform and advise
within the context of the GDPR implementation plan, within the
framework of the independent performance of legal tasks? After all,
in the performance of his/her legal tasks, the DPO should also ‘guard’
the vision, mission and strategy (VMS) of the DPO work plan.
Does an intensive role of the DPO fit within the framework of de
facto taking appropriate measures and performing concrete actions
as part of the GIP? If the DPO is involved in the performance of the
GIP (for example as member of a feedback body, steering
committee, project manager or as member of the inventory project
team), it appears the DPO should give constructive attention to the
vision, mission and strategy (VMS) of the DPO’s own work plan,
keeping in mind the practical development of the DPO work plan,
in light of the legally enshrined tasks of the DPO (within the
meaning of Article 39(1) GDPR).
3. In accordance with Article 35(2) of the GDPR, the controller shall
seek the advice of the DPO when carrying out a data protection
impact assessment (DPIA). Providing advice as regards this DPIA
and monitoring its performance pursuant to Article 35 belong
(under Article 39(1)(c)) to the legal tasks of the DPO. Is it possible
that a too intensive role of the DPO within the context of
performing a GIP could come into conflict with the performance of
the task to independently monitor the duty to perform a DPIA
within the meaning of Article 35 of the GDPR? The EDPB (WP29)
notes the following on the role of the DPO within the framework of
a DPIA: ’The controller must also seek the advice of the Data
Protection Officer (DPO), where designated (Article 35(2)) and this
advice, and the decisions taken, should be documented within the
DPIA. The DPO should also monitor the performance of the DPIA
(Article 39(1)(c) GDPR).’[246]
4. For the sake of constructively ‘informing’ and ‘advising’ under
Article 39(1) of the GDPR, it is recommended that the DPO, among
others on the basis of his professional vision, contributes to
increasing the controller’s insight into the way in which the privacy
supervisory authorities assess ‘appropriate measures and actions’,
in particular in light of the risk approach of these privacy
supervisory authorities and the methodologies recommended by
them (see among others the GDPR risk map (and the methodology
which served as its basis) of the French privacy supervisory
authority (the CNIL)).[247]
Within the framework of the ability of the DPO to adequately perform his/her
tasks, the European Data Protection Board (formerly EDPB (WP29))[248]
notes the following: ‘Ability to fulfil the tasks incumbent on the DPO should
be interpreted as both referring to their personal qualities and knowledge, but
also to their position within the organisation. Personal qualities should
include for instance integrity and high professional ethics. The DPO’s primary
concern should be enabling compliance with the GDPR. The DPO plays a
key role in fostering a data protection culture within the organisation and
helps to implement essential elements of the GDPR, such as the principles of
data processing, data subjects’ rights, data protection by design and by
default, records of processing activities, security of processing, and
notification and communication of data breaches.’ The paraphrase ‘helps to
implement’ is primarily placed within the context of the performance of legal
tasks as formulated in Articles 37 to 39 of the GDPR.

CHAPTER 8
REVIEW AND UPDATE OF A DPO WORK PLAN

8.1 Introduction GDPR review and update plan


8.1.1 What is a GDPR review and update plan (RUP)?
The methodical (which means structured and systematic) collection of data
with the goal to assess whether the previously defined desired result
(connected to the equally beforehand determined GDPR ambition level)[249] is
or is not achieved, could be regarded as a general characterisation of a GDPR
review plan (GRP). The taking of additional structured and systematic
(possible, necessary) further measures and performance of the thereto
corresponding concrete (additional or revised) actions, keeping in mind the
improvement of the ‘proper functioning and effectiveness of measures and
actions’ is regarded as a GDPR update plan (GUP).[250] Hereinafter, for the
sake of convenience, the situation will be presumed where both the GDPR
review and the GDPR update are formulated in a GDPR review and update
plan (RUP).
In essence, the GUP is a combination of acts where the controller performs
(or has performed) the following activities in a structured, systematic and
methodological manner. Reviewing, or the collection of data and
information with the goal of assessing whether the desired result (on the
basis of previously defined GDPR ambitions) is achieved, where in
particular attention is given to the proper functioning and effectiveness of
the appropriate technical and organisational GDPR measures that were
taken and the thereto corresponding concrete actions.

Update, or the accomplishment of additional acts, in light of the results of
the performed GDPR review,[251] relating to the appropriate technical and
organisational measures that were taken with the goal of optimising the
intended proper functioning and effectiveness. Here a central role is cut out
for risk update, or the accomplishment – on the basis of the review results –
of (additional) acts with the primary goal of reducing the GDPR risks
relating to the measures that were taken and the performed actions that did
not work well or were insufficiently effective.
Considering the above-mentioned characterisation of a GUP, the following
questions, among others, can be asked:

1. What is the ratio (reasoning) of a RUP?
2. What is the purpose of a RUP?
3. What is the goal of a RUP?
4. In how much detail does a RUP have to be performed?
5. What is the practical (management) value of a RUP?
6. What is the role of the DPO within the framework of a RUP?
7. How could a RUP be performed divided into phases (steps)?
Finding practical answers to among others above-mentioned questions is at
the centre of discussions below.

8.1.2 Ratio of a RUP


In extension of the intention of the enterprise, institution or organisation
to comply in an effective manner with all obligations derived from the GDPR,
the RUP is performed for various reasons,[252] of which at least the following
can be mentioned.

1. On the basis of the concrete actions performed within the framework of
the GDPR implementation plan (GIP), it is necessary for actual compliance
with the GDPR obligations – in light of the GDPR ambition of the enterprise,
institution or organisation – to check the proper functioning and
effectiveness of these concrete actions in a structured and systematic
(methodical) manner.
2. The findings of a professionally performed RUP can provide important
information (GDPR intelligence) for the board, management and involved
co-workers with regard to residual risks, or GDPR risks that apparently still
exist despite the performance of concrete actions.
3. In answering the question to what degree the residual risks deserve
further attention in the view of the DPO, the DPO shall have due regard,
under Article 39(2) GDPR, to the risk associated with processing operations,
taking into account the nature, scope, context and purposes of processing.

8.1.3 Goals of a RUP


The main objective of a RUP could (somewhat simplified) be identified as the
actual control of the ‘proper functioning and effectiveness’ of the
appropriate measures and concrete actions derived from the GDPR
implementation. Next to this main objective, among others, the following
objectives can be distinguished:

1. Providing insight into the ‘supporting resources’ that are necessary for
the intended adjustments for optimising the proper functioning and
effectiveness of concrete GDPR compliance actions.
2. The concrete (SMART) filling out of the chosen GDPR maturity model (growth
path).
3. Promoting efficiency of data processing.
4. Attracting sufficiently competent and expert personnel (internal or
external).
5. Providing important input for GDPR project managers and GDPR teams.
6. Promoting (in as far as necessary) a GDPR compliance ‘sense of urgency’
within the enterprise, institution or organisation, or within specific
departments or activities of the particular enterprise, institution or
organisation.

8.1.4 Scope of a RUP

To maximise the utility value of a RUP and to realise the set GDPR goals, it
is important to determine (or, if you wish, delineate) the scope of the
current RUP as clearly as possible. In other words: how far does the proper
functioning and effectiveness to be tested and assessed of the performed
concrete actions reach in complying with the obligations pursuant to the
GDPR? Just as for the GDPR baseline, GDPR gap-analysis and GDPR
implementation, in practice (with reference to Article 39(1)) the following
scopes can be distinguished within the framework of a RUP:

1. The data protection provisions that are entailed (incorporated) in the
GDPR itself (Article 39(1)).
2. Other Union data protection provisions (Article 39(1)).[253]
3. Member State data protection provisions (Article 39(1)).
4. Policies of the controller (Article 39(2)).
5. Industry codes of conduct (Article 40).
6. Requirements relating to GDPR certification mechanisms (Article 42).[254]

A RUP as discussed here in principle lends itself to extension to additional
scopes, such as additional data compliance dimensions (which can be directly
or indirectly related to the GDPR). A concrete example is the proper
functioning and effectiveness of the performed concrete actions in light of
the DAMA data management model,[255] in which the following subject areas are
named: 1) data governance, 2) data architecture management (data protection
by design), 3) data development, 4) database operations management, 5) data
security management, 6) reference and master data management, 7) data
warehousing and business intelligence management, 8) document and content
management, 9) meta data management and 10) data quality management. The
above-mentioned additional data compliance dimensions are hereinafter left
out of account (unless explicitly stated otherwise).

8.1.5 Logical process phases RUP


Starting from the ‘list of concrete measures and connected actions’ performed
within the framework of the GDPR implementation plan (GIP), the main focus of
the RUP is testing and assessing the proper functioning and effectiveness of
concrete measures. The logical steps involved can be described as follows:

1. Compose a GDPR team for review and update (GDPR review and update team).
2. Determine what has to be reviewed, mitigated and updated (which actions).
3. Determine the review and update criteria.
4. Determine who is to perform what (governance, roles, tasks and
responsibilities).
5. Carry out the actual review and update (within beforehand determined
deadlines).
6. Report on the additionally taken measures and/or performed actions.

Below – in paragraph 8.3 – these steps will be clarified.

8.1.6 The ideal team for GDPR review and update

Just as for composing an ideal team for performing an organisation-wide GDPR
inventory, GDPR baseline, GDPR gap-analysis and GDPR implementation plan
(GIP), it could be argued that not giving sufficient attention to a good
composition of the team that will carry out the GDPR review and update plan
(RUP) could lead to a situation where eventually the defined goals (GDPR
ambitions) are not achieved, or the measures and actions are not carried out
as intended, leading to frustration and loss of resources (invested hours and
financial resources).
Just as for composing the ideal team for performing a GDPR gap-analysis, a
number of aspects are important for the composition of a GDPR team for
successfully performing a RUP. In this context, the following aspects are
mentioned (with reference to what was noted on this before in § 7.1.6): 1)
the importance of a competent GDPR project manager, 2) good composition of
the GDPR team, 3) good development of the GDPR team in the right GDPR
ambition direction, 4) hard (result-oriented) aspects of the GDPR team and 5)
soft (skills) aspects of the GDPR team.

8.1.7 Management value of a RUP

Apart from the fact that the results of a professionally carried out RUP can
contribute to compliance with an important part of the accountability duty
under Article 5(2), the RUP (as was the case for the GDPR baseline and AIP)
can generate interesting information (business strategic intelligence, if you
wish) for (line) management.
Within the framework of management issues, special attention should go to the
question why a specific measure or concrete action does or does not work
sufficiently, and in that framework to the possible causal relationship
(direct or indirect causes).

8.1.8 Importance of the DPO for a good RUP


On the basis of Article 39(1) jo Article 24 of the GDPR, the DPO monitors
whether the controller – taking into account the nature, scope, context and
purposes of processing as well as the risks of varying likelihood and severity
for the rights and freedoms of natural persons – implements appropriate
technical and organisational measures to ensure and to be able to demonstrate
that processing is performed in accordance with the GDPR. Moreover, those
measures shall be reviewed and updated where necessary. Pursuant to Article
39(1)(b), the DPO has the task to monitor compliance with the following data
protection provisions.

1. Data protection provisions as apparent from the text of the GDPR.
2. Other Union data protection provisions.
3. Member State data protection provisions.
4. Policies of the controller in relation to the protection of personal
data, including the:

a. Assignment of responsibilities.
b. Awareness-raising of staff involved in processing operations.
c. Training of staff involved in processing operations.
d. Audits related to data protection.

It could be argued with good reason that, in order to be able to monitor the
controller’s compliance with the GDPR, the set-up, design and performance of a
RUP is not only interesting but equally relevant for the DPO. After all, the
DPO can form an image of the degree to which the controller and co-workers de
facto comply with their obligations pursuant to the GDPR (under Article
39(1)(b) GDPR), also on the basis of the accurate additional concrete actions
mentioned in the RUP, or at any rate (intentionally) wish to comply (GDPR
compliance ambitions). Of particular interest in this regard is the answer to
the question why a specific beforehand expressed GDPR ambition level is not
achieved.
As was the case for the GDPR baseline, GDPR gap-analysis and AIP, it should
in general be considered to what degree ‘independent monitoring’ by the DPO
can be based on the conclusions of the GDPR review and update team as to
whether the measures and concrete actions that were taken are effective
(really work). Here too it is important that the DPO remains able to examine
this independently (professionally and competently). Here as well, the most
practical line seems to be that the DPO is involved in a timely manner already
in the set-up, design and performance of the RUP, within the framework of the
performance of his/her legal DPO tasks (monitoring compliance with the
obligations pursuant to the GDPR, informing, advising, cooperating with the
supervisory authorities and acting as a contact point for the supervisory
authorities and data subjects).[256]

8.1.9 Action scheme


Whereas in § 8.1 a number of introductory comments are made regarding a RUP
– among which the ratio and goals of a RUP – in § 8.2 a number of general
goals and side effects of a good RUP are discussed. Which steps have to be
taken subsequently to perform a RUP in a structurally reliable way is the main
focus of §§ 8.3 and 8.4, where a number of process steps are central within
the framework of GDPR review (§ 8.3) and GDPR update (§ 8.4) respectively. In
§ 8.5 a helicopter view (roadmap) is discussed which could be viewed as a
general ‘plan of action’ (and is among others suitable for internal
communication). Whereas in § 8.6 the role of the DPO within the framework of
the RUP is discussed in more detail, the substantive part of this chapter is
concluded in § 8.7 with a table of reference for the DPO within the framework
of a RUP from the general VMS (vision, mission, strategy) perspective of the
DPO work plan, which could be used (and elaborated further) by the DPO –
tailored to the own enterprise, institution or organisation – within the
framework of his/her own GDPR work plan.

Figure 8.1 Action scheme

8.2 RUP: Goals and side effects


8.2.1 General goals of a RUP
Every enterprise, institution or organisation can explicitly intend (depending
on its own insights and/or needs) to realise a number of general goals with
the performance of a GDPR review and update plan (RUP). In general, among
others the following general goals can be derived from the GDPR:

1. Effectuate an appropriate and effective GDPR data protection policy
(Article 24(1) and (2)).
2. Effectuate appropriate and effective GDPR measures (recital 74).
3. Further effectuation of and compliance with the general GDPR duty of care
(Article 5(1)).
4. Further effectuation of lawfulness (Article 6).
5. Effectuate an updated record of processing activities under Article 30.
6. Updated control of GDPR processes (GDPR requirements and GDPR controls).
7. Effectuation of effective GDPR risk management and control.
8. Effectuation of effective GDPR issue management.
9. Effective compliance with the Data Protection Impact Assessment (DPIA)
obligation.
10. Effectuation of effective compliance with the GDPR and accountability
obligations (Article 5(2)).

Figure 8.2 General goals

8.2.1.1 Realising appropriate and effective data protection policies (Article 24(1) and (2) GDPR)

According to recital 74 of the GDPR, the controller should be obliged to
implement appropriate and effective measures and be able to demonstrate
compliance with these measures. Setting up and performing a RUP is an
excellent way to satisfy these requirements. As dealt with before, a RUP
ensures that the risk management measures are always up to date, which
guarantees their effectiveness. Moreover, if the RUP is followed precisely and
no step is skipped, demonstration of the effectiveness is also accomplished.
It therefore contributes to a further fulfilment of the accountability duty of
Article 5(2) of the GDPR.
It is important for a RUP that enterprises, institutions and organisations
(controllers within the meaning of Article 4 of the GDPR) can at least answer
the question which obligations pursuant to the GDPR are (already) complied
with or not (GDPR baseline), and, where a particular obligation pursuant to
the GDPR is not complied with, what has to be done concretely to fulfil it
nonetheless (GDPR gap-analysis annex GDPR implementation plan (GIP)).[257]
After the review and update of the measures taken annex the concrete actions
performed within the framework of GDPR implementation, additional measures
ought to be taken and/or additional actions carried out if necessary, on the
basis of the test of proper functioning and effectiveness.
The impact of the GDPR on current business processes, services and goods, and
which adjustments (concrete actions) are necessary to comply with the GDPR,
require the necessary ability of policymakers to estimate. According to the
privacy supervisory authority, it has to be taken into account that the
implementation of the GDPR could ask a lot of the available human and other
resources.[258] Which concrete measures and actions have to be performed is
elaborated on in the GIP[259] and subsequently tested for proper functioning
and effectiveness in the RUP.
8.2.1.2 Realising appropriate and effective measures

According to recital 74 of the GDPR, the responsibility and liability of the
controller for any processing of personal data carried out by the controller
or on the controller's behalf should be established. In particular, the
controller should be obliged to implement appropriate and effective measures
and be able to demonstrate the compliance of processing activities with this
Regulation, including the effectiveness of the measures. Those measures should
take into account the nature, scope, context and purposes of the processing
and the risk to the rights and freedoms of natural persons. In realising these
appropriate and effective measures, these factors can especially be taken into
account,[260] also within the framework of GDPR reviews and updates.

8.2.1.3 Further instantiation of and compliance with the GDPR privacy duty of care (Article 5(1))

Measures and concrete actions are included in the RUP for further
instantiation and for improvement of compliance, relating to the testing and
assessing. In particular, the GDPR principles relating to the processing of
personal data under Article 5(1) (also referred to as the general GDPR duty of
care of the controller) deserve attention in the RUP. After all, according to
the latter article personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the
data subject (‘lawfulness, fairness and transparency’);
b. collected for specified, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes; further
processing for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes shall, in accordance
with Article 89(1), not be considered to be incompatible with the initial
purposes (‘purpose limitation’);
c. adequate, relevant and limited to what is necessary in relation to the
purposes for which they are processed (‘data minimisation’);
d. accurate and, where necessary, kept up to date; every reasonable step must
be taken to ensure that personal data that are inaccurate, having regard to
the purposes for which they are processed, are erased or rectified without
delay (‘accuracy’);
e. kept in a form which permits identification of data subjects for no longer
than is necessary for the purposes for which the personal data are
processed; personal data may be stored for longer periods insofar as the
personal data will be processed solely for archiving purposes in the public
interest, scientific or historical research purposes or statistical purposes
in accordance with Article 89(1), subject to implementation of the
appropriate technical and organisational measures required by this
Regulation in order to safeguard the rights and freedoms of the data subject
(‘storage limitation’);
f. processed in a manner that ensures appropriate security of the personal
data, including protection against unauthorised or unlawful processing and
against accidental loss, destruction or damage, using appropriate technical
or organisational measures (‘integrity and confidentiality’).

8.2.1.4 Further instantiation of lawfulness (Article 6)


Measures and concrete actions are included in the RUP to assess whether the
monitoring that the processing of personal data is actually based on a lawful
foundation under Article 6 is done in a timely manner. Under Article 6(1),
processing by the controller shall be lawful only if and to the extent that at
least one of the following applies:

a. the data subject has given consent to the processing of his or her
personal data for one or more specific purposes.
b. processing is necessary for the performance of a contract to which
the data subject is party or in order to take steps at the request of the
data subject prior to entering into a contract.
c. processing is necessary for compliance with a legal obligation to
which the controller is subject.
d. processing is necessary in order to protect the vital interests of the
data subject or of another natural person.
e. processing is necessary for the performance of a task carried out in
the public interest or in the exercise of official authority vested in
the controller.
f. processing is necessary for the purposes of the legitimate interests
pursued by the controller or by a third party, except where such
interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal
data, in particular where the data subject is a child.[261]

8.2.1.5 Realising updated records of processing activities under Article 30

On the basis of Article 30(1), each controller[262] and, where applicable, the
controller's representative, shall maintain a record of processing activities
under its responsibility. That record shall contain all of the following
information:

a. the name and contact details of the controller and, where applicable, the
joint controller, the controller's representative and the data protection
officer;
b. the purposes of the processing;
c. a description of the categories of data subjects and of the categories of
personal data;
d. the categories of recipients to whom the personal data have been or will
be disclosed, including recipients in third countries or international
organisations;
e. where applicable, transfers of personal data to a third country or an
international organisation, including the identification of that third
country or international organisation and, in the case of transfers referred
to in the second subparagraph of Article 49(1), the documentation of suitable
safeguards;
f. where possible, the envisaged time limits for erasure of the different
categories of data;
g. where possible, a general description of the technical and organisational
security measures referred to in Article 32(1) GDPR.

Relating to compliance with the duty to record under Article 30, in the
practice of performing a good RUP attention is often devoted to the
following.

1. Actual control and assessment of the exhaustiveness of the number of
processing activities recorded under Article 30.
2. Actual control and assessment of the data included in the record per
processing activity (components (a) – (g) of Article 30(1) GDPR).
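The two Article 30 review points just named can be supported by a simple automated check on the record of processing activities. The following is a constructed example added here (not from the handbook or any named tool); the field names of the register entries are an assumed schema, and the sample register and inventory are made-up data.

```python
"""Constructed example: a review check on a record of processing activities
(RoPA) for (1) exhaustiveness of the register against the processing inventory
and (2) completeness of each entry against components (a)-(g) of Article 30(1)
GDPR. Field names are an assumed schema, not one prescribed by the GDPR."""
from dataclasses import dataclass

# Article 30(1) components that are always required, keyed by letter.
REQUIRED = {
    "a": ["controller_name", "controller_contact"],
    "b": ["purposes"],
    "c": ["data_subject_categories", "personal_data_categories"],
    "d": ["recipient_categories"],
}
# Components the Regulation qualifies with "where possible": their absence is an
# attention point for the review team rather than a hard gap.
WHERE_POSSIBLE = {"f": "erasure_time_limits", "g": "security_measures"}


@dataclass
class Finding:
    component: str   # Article 30(1) letter
    field: str       # assumed field name in the entry
    severity: str    # "gap" = required content missing; "attention" = to be assessed
    message: str


def _empty(value) -> bool:
    return value in (None, "", [], {})


def review_ropa_entry(entry: dict, dpo_designated: bool = True) -> list:
    """Check one register entry against Article 30(1)(a)-(g)."""
    findings = []
    for comp, fields in REQUIRED.items():
        for name in fields:
            if _empty(entry.get(name)):
                findings.append(Finding(comp, name, "gap",
                                        f"Art. 30(1)({comp}): '{name}' is missing"))
    # (a) "where applicable": DPO contact details are required once a DPO is designated.
    if dpo_designated and _empty(entry.get("dpo")):
        findings.append(Finding("a", "dpo", "gap",
                                "Art. 30(1)(a): DPO contact details missing although a DPO is designated"))
    # (e) each transfer must identify the third country / international organisation;
    # transfers under the second subparagraph of Art. 49(1) also need documented safeguards.
    for i, transfer in enumerate(entry.get("third_country_transfers") or []):
        prefix = f"third_country_transfers[{i}]"
        if _empty(transfer.get("destination")):
            findings.append(Finding("e", f"{prefix}.destination", "gap",
                                    "Art. 30(1)(e): third country / organisation not identified"))
        if (transfer.get("basis") == "art49_1_second_subparagraph"
                and _empty(transfer.get("safeguards_documentation"))):
            findings.append(Finding("e", f"{prefix}.safeguards_documentation", "gap",
                                    "Art. 30(1)(e): suitable safeguards not documented"))
    # (f), (g) "where possible": flag for assessment, not as a hard gap.
    for comp, name in WHERE_POSSIBLE.items():
        if _empty(entry.get(name)):
            findings.append(Finding(comp, name, "attention",
                                    f"Art. 30(1)({comp}): '{name}' not recorded; assess whether possible"))
    return findings


def missing_activities(register: list, inventory: set) -> set:
    """Exhaustiveness: activities known from the processing inventory but absent from the register."""
    return inventory - {e.get("processing_activity") for e in register}


def review_register(register: list, inventory: set, dpo_designated: bool = True) -> dict:
    """Findings per processing activity, plus the activities missing from the register."""
    report = {e["processing_activity"]: review_ropa_entry(e, dpo_designated) for e in register}
    report["_missing_activities"] = sorted(missing_activities(register, inventory))
    return report


# Constructed sample register: one complete entry and one with typical defects.
SAMPLE_REGISTER = [
    {"processing_activity": "Payroll",
     "controller_name": "Example Ltd", "controller_contact": "privacy@example.com",
     "dpo": "dpo@example.com", "purposes": ["salary payment"],
     "data_subject_categories": ["employees"],
     "personal_data_categories": ["identification data", "bank details"],
     "recipient_categories": ["payroll service provider"],
     "third_country_transfers": [],
     "erasure_time_limits": "7 years after end of employment",
     "security_measures": "role-based access control, encryption at rest"},
    {"processing_activity": "Newsletter",
     "controller_name": "Example Ltd", "controller_contact": "privacy@example.com",
     "purposes": [], "data_subject_categories": ["subscribers"],
     "personal_data_categories": ["e-mail address"], "recipient_categories": None,
     "third_country_transfers": [{"destination": "", "basis": "art49_1_second_subparagraph",
                                  "safeguards_documentation": None}]},
]
SAMPLE_INVENTORY = {"Payroll", "Newsletter", "Recruitment"}  # constructed inventory

if __name__ == "__main__":
    for activity, items in review_register(SAMPLE_REGISTER, SAMPLE_INVENTORY).items():
        print(activity, items)
```

Running it on the sample register reports the "Newsletter" entry's gaps and attention points and lists "Recruitment" as an activity that is in the inventory but not in the register.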

8.2.1.6 Updated control of processes (GDPR requirements and GDPR controls)

A general goal of every RUP is transforming GDPR requirements (derived from
the obligations pursuant to the GDPR) into concrete actions and (if up for
discussion) actually taking additional control measures (GDPR controls)
within the context of proper functioning and effectiveness. It concerns:

1. Concrete GDPR requirements that have to be complied with in the framework
of GDPR obligations and the corresponding executing processes (according to
the GDPR).
2. Practical GDPR controls,[263] or practical control measures that can be
used for actual control of the executing processes.

It is recalled that the controller, on the basis of Article 24(1), shall
implement appropriate technical and organisational measures to ensure and to
be able to demonstrate that processing is performed in accordance with this
Regulation (taking into account the nature, scope, context and purposes of
processing as well as the risks of varying likelihood and severity for the
rights and freedoms of natural persons).

8.2.1.7 Realising effective GDPR risk management and control


In a certain sense, a RUP can be described as a systematic and structured
approach to controlling GDPR risks[264] by testing and assessing the proper
functioning and effectiveness of risk control measures (GDPR risk management
and control). By approaching the RUP as a control process, risks can be
brought to and kept at a lower level, or at any rate at a level that is
acceptable for the organisation. In that sense, a RUP is unique for every
organisation: what one organisation accepts as an acceptable risk level, the
other does not necessarily accept.
According to recital 75 of the GDPR, the risk to the rights and freedoms of
natural persons, of varying likelihood and severity, may result from personal
data processing which could lead to severe and less severe consequences and
damages for data subjects. In short, reference is made to what was noted in
chapter 6.

8.2.1.8 Realising effective issue management

If the RUP shows that risk management measures that were taken to comply
with the obligations pursuant to the GDPR (on the basis of the GDPR
implementation plan (GIP)) have no or too little effect, additional risk
mitigating measures have to be taken. This can take place by adjusting the
measures that were taken or by taking completely new measures. Thus, the aim
is to reduce the risks to a level that fits within acceptable parameters fixed
by the enterprise, institution or organisation (which often relate to its
specific ‘risk appetite’).
Once the new or adjusted risk management measures are applied, they have to
be reviewed again and updated if necessary. If applicable, this also applies
to current measures that were sufficient before but are not anymore because
of changing circumstances (for example a change in the processing of personal
data). Every time, it has to be established whether the measures that were
taken actually reduce the risks to a lower level. In this way, risk management
measures stay up to date.[265]
The promotion of taking effective measures in case of GDPR incidents (GDPR
issue management) deserves special attention within the framework of review
and update, and is in practice often mentioned as an explicit goal of a RUP.
In that case, extra attention is devoted to, among others, the following two
aspects.

1. Effectively identifying possible GDPR incidents (GDPR issues).
2. Estimating the risk of the occurrence of GDPR incidents, in particular
within the framework of security issues.[266]

8.2.1.9 Effective Data Protection Impact Assessment (DPIA) compliance

The obligation to perform a Data Protection Impact Assessment (DPIA) under
Article 35 also deserves a place in the review and update plan (RUP). On the
basis of Article 35(7)(d), among others effective safeguards and mechanisms
have to be assessed to address the risks, including safeguards, security
measures and mechanisms to ensure the protection of personal data and to
demonstrate compliance with this Regulation, taking into account the rights
and legitimate interests of data subjects and other persons concerned.
As a general goal of a RUP, the concrete filling out of the duty under
Article 35 to perform a DPIA – sometimes referred to as a Privacy Impact
Assessment (PIA) – can be named. In accordance with Article 35(3), a Data
Protection Impact Assessment (DPIA) is required in the following cases:

a. A systematic and extensive evaluation of personal aspects relating to
natural persons which is based on automated processing, including profiling,
and on which decisions are based that produce legal effects concerning the
natural person or similarly significantly affect the natural person.
b. Processing on a large scale of special categories of data referred to in
Article 9(1), or of personal data relating to criminal convictions and
offences referred to in Article 10.
c. A systematic[267] monitoring of a publicly accessible area on a large
scale.
d. The European Data Protection Board has published a list of types of
processing operations for which a DPIA is required.[268]

Part of the GDPR implementation plan (GIP) is usually the development of
concrete DPIA models that have to be used (mandatorily) by the company or
organisation for actually performing a DPIA.

8.2.1.10 Effective GDPR compliance and complying with accountability duties (Article 5(2) GDPR)

On the basis of Article 5(2) GDPR, the controller shall be responsible for,
and be able to demonstrate compliance with, Article 5(1) (‘accountability’).
A RUP that is well designed in terms of set-up and structure and performed
competently not only provides important privacy management information, but
also results in additional ‘evidence’. It is strongly recommended to write a
full report of the complete path of the RUP (also for the purposes of the
privacy supervisory authority).

8.2.2 Side effects of a RUP


It is plausible that the side effects of a GDPR review and update plan (RUP)
depend on its quality, set-up and structure. In general, it could be argued
that a good and competently performed RUP could lead to the following side
effects, which (as was the case for a GDPR baseline and GDPR gap-analysis)
could be included within the framework of the DPO work plan.

1. Promote insight into the necessary resources for both the controller and
the DPO (Article 38(2) GDPR).
2. Raise GDPR awareness (Article 39(1)(b)).
3. Promote better insight into processing activities (Article 30).
4. Promote insight into the importance of processing for company critical
processes (among others recital 74).
5. Promote a more effective performance of legal DPO tasks.

Since these side effects correspond mutatis mutandis (roughly) with the side
effects of a GDPR baseline, GDPR gap-analysis and GDPR implementation,
reference is made in short to the discussion on this in § 6.1.3.2.

Figure 8.3 Side effects

8.3 GDPR review plan (GRP): Process steps

Figure 8.4 Process steps review plan

8.3.1 Step 1: compose a GDPR review team

Once the mandate is received to draft and perform a RUP (the mandate will
usually not be given to the DPO, but to someone else – for example a Privacy
Officer, GDPR co-worker or GDPR project manager – who is explicitly charged
with the review), first a GDPR review team has to be composed. Ideally, this
team consists of people with diverse backgrounds (for example legal, IT,
Security, Compliance, Ethics, Quality and Control). When the GDPR review team
is composed, this team establishes at least the following:

1. Which subsequent steps have to be taken for review of the proper
functioning and effectiveness of concrete measures and actions as apparent
from the ‘list of measures and actions’ mentioned in the GIP.
2. Who has which tasks, fulfils which tasks and accounts for what within the
GDPR team.
3. Clear timelines within which the hereinafter mentioned steps have to be
completed.

8.3.2 Step 2: establish which GDPR components have to be reviewed

Before the GDPR review and update plan (RUP) can be initiated, it first needs
to be clear which measures and corresponding concrete actions have to be
reviewed. With reference to Article 39(1)(b), hereinafter for the sake of
convenience it is assumed that the goal of the RUP discussed in this
chapter[269] is testing the proper functioning and effectiveness of measures
and concrete actions within that framework, within the meaning of Article
24(1).
Relating to the question which GDPR sources could be used for appropriate
technical and organisational GDPR measures, usually the following are
mentioned.[270]

1. The measures as mentioned in the GDPR itself.
2. The measures as mentioned in other Union data protection legislation and
regulation.
3. National data protection laws and regulations.
4. Industry codes of conduct under Article 40 GDPR.
5. General (security) norms, such as ISO/CIE/CE/CENELEC/ENISA.
6. Organisation specific (internal) regulations.

8.3.3 Step 3: define what has to be reviewed


When it is determined what has to be reviewed (for example writing
information texts for fulfilling the information duty under Article 14), the
subsequent step is to answer as clearly and specifically as possible the
following questions relating to each specific concrete action.

1. What does the concrete action intend to achieve (what is the goal of the
concrete action)?
2. What does the concrete action have to (substantially) entail at least?
3. Which possible conditions[271] for performing the concrete action have to
be taken into account?
4. Which specific circumstances[272] have to be taken into account in
designing and performing the concrete action?

8.3.4 Step 4: Establish the GDPR review criteria

After having defined the actions to be reviewed in step 3, in step 4 the
review criteria are to be established. In general, the following review
criteria can be mentioned.

1. Review criteria for the good effect of GDPR measures/actions:

a. Does the GDPR measure/action function as was expected and as was
designed beforehand?
b. Are all conditions that were (possibly) set for the GDPR measure/action
fulfilled?
c. Does the GDPR measure/action have such an effect that the relevant
(specific) circumstances are taken into account?
d. Is there possibly a ‘conflict’ between the effect of one GDPR measure
(action) and that of another GDPR measure (action)?

2. Review criteria for the effectiveness of measures/actions:

a. Is the goal that was set with the GDPR measure/action achieved de facto?
b. Are the problems that the GDPR measures/actions were based on solved?
c. Is there possibly a question of (undesired) side effects of the GDPR
measure/action?

In general, it could be argued that, in light of the text, ratio and spirit
of Article 39(2), in establishing the review criteria due regard shall be
given to the risk associated with processing operations, taking into account
the nature, scope, context and purposes of processing.

8.3.5 Step 5: Perform the actual GDPR review


In the penultimate step, the main focus of the GDPR review and update plan
(RUP) is actually performing the review, i.e. collecting data and information
with the objective of assessing whether the desired, beforehand defined result
(for proper functioning and effectiveness) is achieved. In this assessment
the previously set GDPR review criteria are central.
If and insofar as it can be established that the effect of particular GDPR
measures (actions) is not optimal or their effectiveness leaves something to
be desired, it is evident that the question then arises how this can be
improved (updated). The additional corrections that result from this ought to
be performed shortly thereafter.

8.3.6 Step 6: Report on the actually performed GDPR review

When steps 1 to 5 are completed and appropriate technical and organisational
measures are taken under Article 24(1) in order to ensure that processing is
performed in accordance with the GDPR – and the relevant measures/actions
under Article 24(1) last sentence are reviewed – it is recommended to record
the results in the form of a (internal and/or external) GDPR review report.
On the basis of Article 5(2) of the GDPR, the controller shall be responsible
for, and be able to demonstrate compliance with the obligations pursuant to
the GDPR (‘accountability’).
8.3.7 A clear GDPR review plan (GRP)
To have at one’s disposal a clear, logical sequential plan for reviewing
appropriate technical and organisational measures – and thereto
corresponding concrete actions – provides diverse advantages, among others
the following:

1. Recording the evidence towards internal and external stakeholders.
2. Providing a clear framework for the design of the review process.
Following above-mentioned steps could help in this. Another
design of steps in the GRP is obviously conceivable.

8.3.8 Organise knowledge and expertise around review

Managers (including both project managers, team managers and experts)
could gain efficiency and effectiveness by ‘organising the necessary
knowledge’ in performing the GRP. One could concretely think of involving
at least those disciplines that could for example be of added value in actually
performing concrete measures and actions to (nonetheless) comply with the
specific obligations pursuant to the GDPR. In practice, the involvement of for
example HR, IT, Audit and Security could sometimes lead to surprising input
because of which the proper functioning and effectiveness of GDPR
measures and concrete actions can be enhanced eventually.

8.4 GDPR Update plan (GUP): Process steps

Figure 8.5 GDPR update plan

8.4.1 Step 1: Compose a GDPR update team
Whereas the mandate is received to draft and perform a GUP (the mandate
will usually not be provided to the DPO, as was the case with the GDPR
review, but to someone else – for example a Privacy Officer, GDPR
co-worker or GDPR project manager – who is explicitly charged with the
review), first a GDPR review team has to be composed.
Because within the framework of a GUP a central role is reserved for
updating risks (that is, limiting the GDPR risks of measures that were
taken and actions that were performed that have no effect or are insufficiently
effective), it is recommended to have as broad a representation within this
team as possible, covering the operative disciplines within the enterprise,
institution or organisation where at least Risk is present (for example Legal,
IT, Security, Risk, Compliance, Ethics, Quality and Control). Once the
update team is composed, this team establishes at least the following.

1. Which subsequent steps have to be taken for performing concrete
GDPR measures and actions?
2. Which subsequent steps have to be taken for updating (adjustment,
improvement) the proper functioning and effectiveness of concrete
measures and actions as become apparent from the ‘list of measures
and actions’ as mentioned in the GIP?
3. Who has which tasks, fulfils which tasks and accounts for what
within the GDPR team?
4. Clear timelines wherein the hereinafter mentioned steps have to be
completed.

8.4.2 Step 2: Determine which GDPR measures/actions have to be updated
Before the GUP can be initiated, it first needs to be clear which measures and
corresponding concrete actions (already mentioned in the GIP) have to be
reviewed. Under reference to Article 39(1)(b), hereinafter for sake of
convenience it is assumed that the goal of the GUP that is discussed in here,
is taking updated appropriate technical and organisational measures and
concrete actions within that framework within the meaning of Article 24(1).

8.4.3 Step 3: Define what has to be updated

When it is determined which GDPR measures/actions have to be updated (for
example security measures in consequence of ‘a personal data breach’ within
the meaning of Article 33(1) of the GDPR), the next step is to define as
precisely (clearly) as possible what the specific action:

1. Intends to achieve (the objective of the concrete action).
2. Should at least entail (substantially).
3. Consider complying with possible conditions.
4. What has to be taken into account in designing and performing the
update (specific circumstances of the case).

8.4.4 Step 4: Determine the GDPR update requirements

Once it is defined as clearly as possible in step 3 what has to be updated,
in step 4 the GDPR update requirements are determined. In general, the
following considerations are relevant for determining the update
requirements.

a. Update requirements relating to the good effect of GDPR
measures/actions:

1. Does the intended update improve the functioning of the
GDPR measure/action in light of the originally stated effect?
2. Are all conditions that were (possibly) set for the GDPR
measure/action fulfilled with the intended update?
3. Does the intended update have such an effect that sufficient
attention is given to the relevant (special) circumstances?
4. Does the intended update prevent some form of ‘conflict’ in
light of the effect of the one GDPR measure (action) compared
to the other GDPR measures (action)?

b. Update requirements relating to the effectiveness of GDPR
measures/actions:

1. Is the intended effect accomplished de facto with the intended
update of the GDPR measure/action?
2. Are the problems that are the basis of the GDPR
measures/actions solved (in light of the relevant current events)
with the intended update?
3. Are the possible (undesired) side effects of the GDPR
measure/action prevented with the intended update?

In general, it could be argued that – in light of the text, ratio and spirit of
Article 39(2) – in establishing the GDPR update criteria due regard shall be
given to the risk associated with processing operations, taking into account
the nature, scope, context and purposes of processing.
8.4.5 Step 5: Perform the actual GDPR update

In the penultimate step of the GDPR update plan (GUP), the main focus is
the actual performance of the update, that is, in light of the current
knowledge about the proper functioning and effectiveness of the particular
GDPR measures/actions, carrying out the (additional) acts by which the
beforehand defined result can be realised. In this performance, the
above-mentioned beforehand defined update requirements are the centre of
attention.
8.4.6 Step 6: Report on the actually performed GDPR update
When steps 1 to 5 are completed and the appropriate technical and
organisational measures under Article 24(1) are updated (on proper
functioning and effectiveness) in order to ensure that processing is performed
in accordance with the GDPR, it is recommended to record the results in the
form of an (internal and/or external) report. On the basis of Article 5(2) of the
GDPR, the controller shall be responsible for, and be able to demonstrate
compliance with, the obligations pursuant to the GDPR (‘accountability’).
8.4.7 A clear GUP
To have at one’s disposal a clear, logical sequential plan for updating
appropriate technical and organisational measures – and thereto
corresponding concrete actions – provides various advantages, among others
the following:

1. Evidence towards internal and external stakeholders.
2. A clear framework for the further design of the update process.
Following above-mentioned steps could help in this. Another design of steps
in the GUP is obviously conceivable.
8.4.8 Organise knowledge and expertise around the GDPR update

Managers (both project managers, team managers and experts) could gain
efficiency and effectiveness by ‘organising the necessary knowledge’ in
performing the GUP. One could concretely think of involving at least those
disciplines that could for example be of added value in actually performing
concrete measures and actions to (subject to the most recent developments)
comply with the specific obligations pursuant to the GDPR. In practice, the
involvement of for example Communication, Marketing, HR, IT, Audit and
Security could sometimes lead to surprising input because of which the
proper functioning and effectiveness of GDPR measures and concrete actions
can be enhanced eventually.

8.5 GDPR review and update plan (RUP): roadmap
8.5.1 Why a roadmap for the RUP?
Setting up, designing and performing a RUP competently, with or without
external support, can pose a challenge for the controller at both the
organisational and the substantive level.
A roadmap of a RUP that is delineated in clear steps could at least bring
some organisational relief, because the main steps become sequential and
clear (visualised), taking into account the methodical realisation of the
beforehand defined (SMART formulated) objectives of the RUP.
Professional planning should be an integral component of setting up,
designing and performing a good RUP.
In general, the following advantages of a prudently set-up roadmap of a
RUP can be distinguished:

1. Good roadmap planning increases the chance of actually reaching
the set (GDPR) goals.
2. Good roadmap planning provides the basis for a methodical
overview.
3. Good roadmap planning provides the opportunity to set priorities
and apply the necessary focus.
4. Good roadmap planning provides better insight into the time
required.
5. Good roadmap planning increases the insight into the necessary
resources (IT, capital, people).
6. Good roadmap planning could enhance the effective productivity
(that is necessary for realising beforehand defined and SMART
formulated deliverables).
7. Good roadmap planning could provide better understanding,
interest and larger added value of organisation-wide RUP.
8. Good roadmap planning raises the odds that certain GDPR
measures and actions are actually being reviewed and updated if
necessary.
9. Good roadmap planning helps to stay on track (time management).
10. Good roadmap planning prevents important tasks from becoming
urgent tasks (prevents stress).

Figure 8.6 Roadmap

8.5.2.1 Mandate and steering information for the GDPR review and
update team
The first step on the roadmap of the RUP is obtaining sufficient mandate for
carrying out all activities that are necessary for the performance of the
RUP.[273]

8.5.2.2 Composing a team for performing the RUP

It is of importance that the GDPR review and update project manager can
reach a balance in the GDPR review and update team between the various
roles, tasks, required expertise areas and responsibilities.[274]
8.5.2.3 Embedding stakeholder management
Competent GDPR project managers endorse the fundamental idea that, for the
successful completion of a RUP, all stakeholders have to be identified and
involved in reviewing and updating measures for compliance with the
obligations pursuant to the GDPR.[275]

8.5.2.4 Determine the risk orientation in the RUP

The risk to the rights and freedoms of natural persons, of varying likelihood
and severity, may result from personal data processing which, according to
recital 75 of the GDPR, could lead to serious physical, material or
non-material damage.[276]

8.5.2.5 Interim report

It is advisable to produce interim reports regularly, keeping in mind the
(intended) end results of the review and update that have already been
achieved and those still to be achieved (including a possible update of
risks).[277]
8.5.2.6 Compose RUP final reports (Article 5(2) of the GDPR)
The RUP is completed (just like every other GDPR project) with a sound final
report whose primary goal is accountability.[278]

8.5.3 Success factors for the good performance of a RUP

Under reference to the previously discussed Standish Group Chaos Report
2011[279], one could generally distinguish a number of factors that contribute
to achieving the objectives intended with the RUP. In particular, the
importance of the following stands out:

1. Project co-workers with sufficient (relevant) expertise in the area of
review and relevant updates and
2. Clearly formulated vision and corporate purposes (SMART
deliverables).

8.6 GDPR review and update plan (RUP): role of the DPO
The DPO is expected to perform his/her tasks across the full width of the
‘obligations pursuant to the GDPR’. In the wording of Article 39(1)(a), ‘The
data protection officer shall have at least the task to inform and advise the
controller or the processor and the employees who carry out processing of
their obligations pursuant to this Regulation and to other Union or Member
State data protection provisions.’
In answering the question which role the DPO can or may have in the
performance of a RUP, the following considerations need to at least be taken
into account.
The performance of a RUP as ‘other task’, a side activity, is in principle
allowed, given that the controller shall ensure that this ‘other task’ under
Article 38(6) does not result in a conflict of interests (with the tasks codified
in Article 39). The reasoning that too large an involvement of the DPO in
carrying out concrete actions within the framework of the RUP does not sit
well with the independent monitoring of compliance with the GDPR should
be endorsed. Under Article 39(1)(b) of the GDPR, after all, the DPO monitors
compliance with the GDPR. Read coherently with Article 24(1) (last
sentence), the DPO also monitors (independently) the review and, if
necessary, the bringing up to date of appropriate technical and organisational
measures to ensure and demonstrate that processing is performed in
compliance with the GDPR.
According to the European Data Protection Board (formerly EDPB (WP29)),
as part of these duties to monitor compliance, DPOs may, in particular:

1. Collect information to identify processing activities.
2. Analyse and check the compliance of processing activities.
3. Inform, advise and issue recommendations to the controller or the
processor.

It is beyond debate that, for the good performance of the DPO’s legal tasks,
it is of utmost importance to have a good view of the complete and correct
(or rectified) compliance with obligations pursuant to the GDPR.
Within the framework of the ‘independent’ functioning of the DPO (see among
others Article 38(3)) the question can be asked whether it is wise to assign
the DPO a large executing role within the context of the RUP. Would it not
fit better in the professional profile of the DPO (see in particular chapter 2) to
reserve a larger role for the DPO to inform and advise within the context of
the RUP, within the framework of independent information, advice and
monitoring of compliance with the GDPR? This line, after all, also fits better
within the framework of the vision, mission and strategy (VMS) of the DPO
work plan that is tailored to the text, ratio and spirit of Articles 37 – 39 of the
GDPR. Does an intensive role of the DPO fit within the framework of taking
measures and performing concrete actions as part of the RUP? If the DPO is
involved in the performance of the RUP of personal data (for example as
member of a feedback body, steering committee, technical project manager or
as member of the GDPR review and update team), it appears the DPO should
give constructive attention to the vision, mission and strategy (VMS) of the
own DPO work plan, keeping in mind the practical development of the DPO
work plan, in light of the legally enshrined tasks of the DPO (within the
meaning of Article 39). The controversy over performance vs monitoring
compliance deserves special attention.
In accordance with Article 35(2) of the GDPR, the controller shall seek the
advice of the DPO, when carrying out a data protection impact assessment
(DPIA). Providing advice as regards this DPIA and monitoring its
performance pursuant to Article 35 belongs to (pursuant to Article 39(1)(c))
the legal tasks of the DPO. Is it possible that too intensive a role of the DPO
within the context of performing a RUP could come into conflict with the
performance of the task to ‘independently monitor compliance’ in the context
of a DPIA, in light of the ratio and scope of Article 39(1)(c) of the GDPR?
The EDPB (WP29)[280] notes the following about the role of the DPO relating
to the DPIA (in the course of which, under certain circumstances, independent
grounds for review and update could be found). According to
Article 35(1), it is the task of the controller, not of the DPO, to carry out,
when necessary, a data protection impact assessment (‘DPIA’). However, the
DPO can play a very important and useful role in assisting the controller.
Following the principle of data protection by design, Article 35(2)
specifically requires that the controller ‘shall seek advice’ of the DPO when
carrying out a DPIA. Article 39(1)(c), in turn, tasks the DPO with the duty to
‘provide advice where requested as regards the [DPIA] and monitor its
performance pursuant to Article 35’.
The EDPB (WP29) (predecessor of the European Data Protection Board)
recommends that the controller should seek the advice of the DPO, on the
following issues, amongst others:[281]

1. Whether or not to carry out a DPIA.[282]
2. What methodology to follow when carrying out a DPIA.
3. Whether to carry out the DPIA in-house or whether to outsource
it.
4. What safeguards (including technical and organisational
measures) to apply to mitigate any risks to the rights and interests
of the data subjects.
5. Whether or not the data protection impact assessment has been
correctly carried out and whether its conclusions (whether or not
to go ahead with the processing and what safeguards to apply) are
in compliance with the GDPR.
If the controller disagrees with the advice provided by the DPO, the DPIA
documentation should specifically justify in writing why the advice has not
been taken into account. The EDPB (WP29) further recommends that the
controller clearly outline, for example in the DPO’s contract, but also in
information provided to employees, management (and other stakeholders,
where relevant), the precise tasks of the DPO and their scope, in particular
with respect to carrying out the DPIA.
In the interest of constructively ‘informing’ and ‘advising’ under Article 39(1)
of the GDPR, it is recommended that the DPO, among others on the basis of
his professional vision, contributes to increasing the controller’s insight into
the way in which the privacy supervisory authorities assess appropriate
measures and actions, in particular in light of the risk approach of these
privacy supervisory authorities and the methodologies they recommend (see
among others the GDPR risk map (and the methodology which served as a
basis) of the French privacy supervisory authority (the CNIL)).[283]
Within the framework of ‘the ability to perform his/her tasks’, the European
Data Protection Board (formerly EDPB (WP29))[284] observes that, ‘The
ability to fulfil the tasks incumbent on the DPO should be interpreted as both
referring to their personal qualities and knowledge, but also to their position
within the organisation. Personal qualities should include for instance
integrity and high professional ethics; the DPO’s primary concern should be
enabling compliance with the GDPR. The DPO plays a key role in fostering a
data protection culture within the organisation and helps to implement
essential elements of the GDPR, such as the principles of data processing,
data subjects’ rights, data protection by design and by default, records of
processing activities, security of processing, and notification and
communication of data breaches.’

CHAPTER 9
GDPR ASSURANCE AND GDPR AUDIT IN THE
DPO WORK PLAN

9.1 Introduction to GDPR assurance and GDPR audit
9.1.1 What is GDPR assurance and GDPR audit
In this chapter, the following two GDPR compliance mechanisms – or
techniques that promote the actual compliance with the obligations pursuant
to the GDPR – are the main focus:

1. GDPR assurance.
2. GDPR audit.

Ad 1
GDPR assurance (providing sufficient guarantees for ensuring compliance
with GDPR obligations)

Providing sufficient guarantees and ‘ensuring compliance’ are terms that are
used in the GDPR as compliance mechanisms. According to Article 28(1) of
the GDPR, where processing is to be carried out on behalf of a controller, the
controller shall use only processors providing sufficient guarantees to
implement appropriate technical and organisational measures in such a
manner that processing will meet the requirements of this Regulation and
ensure the protection of the rights of the data subject. Hereinafter, ‘GDPR
assurance’ entails all activities within the framework of realising (enforcing)
‘sufficient guarantees to ensure the compliance with appropriate technical
and organisational obligations pursuant to the GDPR’.

Ad 2
GDPR audit (professionally monitoring the actual compliance with the
GDPR)[285]

The main focus here is a structured, methodical way of monitoring and
verifying (according to a GDPR audit plan), with the objective of enquiring
whether the enterprise, institution or organisation complies with the
requirements (whether self-imposed or not) for technical or organisational
measures[286] for ensuring compliance with the GDPR. GDPR audits are
among others important for the following situations.

A. GDPR audits within the framework of the relation between the
controller and processor.
B. GDPR audits within the framework of monitoring compliance with
the GDPR by the DPO.
C. GDPR audits relating to the use of ‘binding corporate rules’ within
the framework of personal data transfer to third countries or
international organisations.

Ad A
GDPR audits within the framework of the relationship between the
controller and processor
Under Article 28(3) of the GDPR, processing by a processor shall be
governed by a contract or other legal act under Union or Member State law,
that is binding on the processor with regard to the controller and that sets out
the subject-matter and duration of the processing, the nature and purpose of
the processing, the type of personal data and categories of data subjects and
the obligations and rights of the controller. That contract or other legal act
shall stipulate, in particular, that the processor (under Article 28(3)(h)) makes
available to the controller all information necessary to demonstrate
compliance with the obligations laid down in this Article and allow for and
contribute to audits, including inspections, conducted by the controller or
another auditor mandated by the controller.

Ad B
GDPR audits within the framework of monitoring compliance with the
GDPR by the DPO
Relating to the so-called GDPR audits, Article 39(1)(b) of the GDPR
determines the following, ‘to monitor compliance with this Regulation, with
other Union or Member State data protection provisions and with the policies
of the controller or processor in relation to the protection of personal data,
including the assignment of responsibilities, awareness-raising and training of
staff involved in processing operations, and the related audits.’ For the sake
of completeness, it is observed that although the GDPR audits mentioned
here primarily concern the GDPR audits provided for in the policies of the
controller, it is argued that the instrument of GDPR audits can also be
used by the DPO in the context of performing tasks within the meaning of
Articles 37 – 39 (so-called GDPR audits).

Ad C
GDPR audits relating to the use of ‘binding corporate rules’ within the
framework of personal data transfer to third countries or international
organisations
Under Article 47(1), the competent supervisory authority shall approve[287]
binding corporate rules in accordance with various further mentioned
conditions, relating to which Article 47(2)(j) explicitly requires that said
binding corporate rules specify at least the mechanisms within the group of
undertakings – or group of enterprises engaged in a joint economic activity –
for ensuring the verification of compliance with the binding corporate rules.
Such mechanisms shall include data protection audits and methods for
ensuring corrective actions to protect the rights of the data subject. Results of
such verification should be communicated to the person or entity referred to
in Article 47(2)(h) (or the DPO or an internal supervisory organ)[288] and to
the board of the controlling undertaking of a group of undertakings, or of the
group of enterprises engaged in a joint economic activity and should be
available upon request to the competent supervisory authority.
Considering above-mentioned interpretation of GDPR assurance and GDPR
audit, among others the following questions can be asked.

1. What is the ratio (reasoning) of GDPR assurance and GDPR audit?
2. What is the purpose (added value) of GDPR assurance and GDPR
audit?
3. What is the objective of GDPR assurance and GDPR audit?
4. How detailed should the GDPR assurance and GDPR audit be
performed?
5. What is the practical (management) value of GDPR assurance and
GDPR audit?
6. What is the role of the DPO within the framework of GDPR
assurance and GDPR audit?
Below, finding answers to these questions is at the centre of attention.

9.1.2 Ratio of GDPR assurance and GDPR audit

Based on the assumption that the enterprise, institution or organisation wants
to comply with all obligations pursuant to the GDPR, GDPR assurance and
audits are of interest as compliance techniques for various reasons[289] of
which the following can be explicitly mentioned:
1. With the concrete actions performed within the framework of the
GDPR implementation plan (GIP) as a starting point, it is necessary
for the actual compliance with GDPR obligations – in light of the
GDPR ambition of the organisation/enterprise – to test for actual
compliance.
2. GDPR assurance and GDPR audits provide in essence compliance
reports that can contain important information (business
intelligence) for the board and management concerning for example
the necessity to scrutinise residual risks[290] of specific technical and
organisational measures, to be considered for further decision-making.
While answering the question to which extent the compliance reports of
GDPR assurance and GDPR audits deserve attention in the vision of the
DPO, the DPO shall have due regard, pursuant to Article 39(2) GDPR, to the
risk associated with processing operations, taking into account the nature,
scope, context and purposes of processing.

9.1.3 Objectives of GDPR assurance and GDPR audit

Taking into account the nature, scope, context and purposes of processing as
well as the risks of varying likelihood and severity for the rights and
freedoms of natural persons, the controller shall implement appropriate
technical and organisational measures to ensure and to be able to demonstrate
that processing is performed in accordance with this Regulation, according to
Article 24(1). GDPR assurance and GDPR audits can in essence be
characterised as compliance mechanisms whose main objective is to
demonstrate that the appropriate measures that were taken are de facto
ensured. Besides this main objective, among others the following
objectives can be distinguished:

1. Providing insight into the costs that are involved with the measures
that were taken for optimising the proper functioning and
effectiveness of concrete GDPR compliance actions.
2. Concretely filling out GDPR maturity models (growth path).
3. Promoting the efficiency of processing operations.
4. Attracting sufficiently competent and expert personnel (internal or
external).
5. Providing important input for the board, management, GDPR
project managers and GDPR teams.
6. Promoting a ‘GDPR sense of urgency’ within the organisation or
specific departments or activities within the enterprise, institution
or organisation.

9.1.4 Scope of GDPR assurance and GDPR audit

It is important to clarify (or, if you wish, delineate) the scope of GDPR
assurance and GDPR audit as clearly as possible, in order to maximise the
purpose of GDPR assurance and GDPR audit as compliance mechanisms and
to realise beforehand defined objectives. In other words, how far does the
scope extend over the GDPR compliance obligations that have to be
monitored, or over the concrete actions for compliance with the obligations
pursuant to the GDPR? For practice too (under reference to Article 39),
roughly the following scopes can be distinguished within the framework of
GDPR assurance and GDPR audit:

1. The data protection provisions that are entailed (incorporated) in
the GDPR itself (Article 39(1) GDPR).
2. Other Union data protection provisions (Article 39(1) GDPR).
3. Member State data protection provisions (Article 39(1) GDPR).
4. Policies of the controller (Article 39(2) GDPR).
5. Industry codes of conduct (Article 40 GDPR).
6. Requirements regarding GDPR certification mechanisms (Article
42 GDPR).[291]
GDPR assurance and GDPR audits as discussed here lend themselves in
principle to extension to additional scopes, such as additional GDPR
compliance controls[292] and additional data compliance dimensions (that are
directly or indirectly related to the GDPR).
A concrete example of this is the proper functioning and effectiveness of the
performed concrete actions in light of the DAMA (data management
model),[293] where the following expertise areas are mentioned: 1) data
governance, 2) data architecture management (privacy by design), 3) data
development, 4) database operations management, 5) data security
management, 6) reference and master data management, 7) data warehousing
and business intelligence management, 8) document and content management,
9) meta data management and 10) data quality management. Above-mentioned
additional data compliance dimensions are hereinafter left out of account
(unless explicitly mentioned otherwise).

9.1.5 Logical process phases of GDPR assurance and GDPR audit

With the performed ‘list of concrete measures and thereto corresponding
actions’ within the framework of the GDPR implementation plan (GIP) and
the findings within the framework of the performed review and update plan
(RUP) as a starting point, the main focus in GDPR assurance and GDPR
audit is monitoring compliance with the appropriate technical and
organisational measures that were taken – and the compliance with
agreements in that regard. A number of logical steps that are part of that
could be specified as follows:

1. Determine as specifically as possible which GDPR obligations have
to be monitored for compliance (which actions).
2. Determine which resources are used to monitor compliance with
relevant measures (within the framework of the specific GDPR
obligations).
3. Determine by means of which compliance (verification) criteria the
compliance with GDPR obligations has to be examined.
4. Determine who has to execute what (audit testing).
5. Determine when the examination of compliance with
measures/actions has to be completed (deadline).
6. Report on the audit testing and the results in that context to those
that deal with the case (GDPR report).

9.1.6 Ideal teams for GDPR assurance and GDPR audits

As for composing the ideal team for performing an organisation-wide
inventory of personal data, a GDPR gap-analysis, a GDPR implementation
plan (GIP) and a GDPR review and update plan (RUP), it applies that not
giving sufficient attention to a good composition of the team that will
perform GDPR assurance and GDPR audit could lead to a situation where the
defined objectives are not achieved, or where the GDPR control measures
and actions are not performed as intended, leading to frustration, loss of
resources (invested hours and financial resources) and sub-optimal GDPR
intelligence.
In composing the ideal team for performing GDPR assurance and GDPR
audits, a number of aspects are of importance. Within this framework the
following aspects are mentioned (with reference to what is observed on this
in chapter 7, recital 1.6): 1) the importance of a competent GDPR project
manager, 2) good composition of the GDPR team, 3) good development of
the GDPR team in the right GDPR ambition direction, 4) hard (result-
oriented) aspects of the GDPR team and 5) soft (skills) aspects of the GDPR
team.

9.1.7 Management value of GDPR assurance and GDPR audits

Apart from the fact that the GDPR compliance results (reports) of GDPR
assurance and GDPR audit fulfil an important component of the
accountability duty under Article 5(2), GDPR assurance and GDPR audit (as
was the case for the GDPR baseline and the GIP) provide important
information (business management intelligence, if you will) for (line)
management, on the basis of which important subsequent actions can be
defined and laid out.[294]

9.1.8 Importance of the DPO in GDPR assurance and GDPR audits

On the basis of Article 39(1) in conjunction with Article 24 of the GDPR, the
DPO monitors that the controller – taking into account the nature, scope,
context and purposes of processing as well as the risks of varying likelihood
and severity for the rights and freedoms of natural persons – implements
appropriate technical and organisational measures to ensure and to be able to
demonstrate that processing is performed in accordance with the GDPR.
Under Article 39(1)(b), the DPO has the task to monitor compliance with the
following data protection provisions:

1. Data protection provisions as become apparent from the text of the
GDPR.
2. Other Union data protection provisions.
3. Member State data protection provisions.
4. Policies of the controller in relation to the protection of personal
data, including:

a. The assignment of responsibilities.
b. Awareness-raising of staff involved in processing operations.
c. Training of staff involved in processing operations.
d. The specific GDPR audits related to data protection.

It goes without saying that, within the framework of ‘good monitoring of
compliance with the GDPR by the controller’, setting up and designing
GDPR assurance and GDPR audits is not only interesting, but could also be
of added value. After all, the DPO can form an independent picture, also on
the basis of the compliance reports produced within the framework of GDPR
assurance and GDPR audits, of the degree to which the controller and
co-workers de facto comply with their obligations pursuant to the GDPR
(under Article 39(1)(b) GDPR).

As for the GDPR baseline, the GIP and the GDPR review and update plan
(RUP), it is generally recommended to note to which degree the
‘independent monitoring’ by the DPO can be based on GDPR assurance and
GDPR audits that are performed by others, in particular if it is concluded that
the measures and concrete actions that were taken are effective (have real
effect). Here as well, it remains important that the DPO keeps examining this
autonomously as a professional expert, within the framework of
independently monitoring compliance (professionally and competently).
For the time being, the most practical line that can be chosen seems to be
that the DPO is involved in a timely manner already in the set-up, design and
performance of GDPR assurance and GDPR audits, in the area of performing
the legal DPO tasks (monitoring compliance, informing, advising,
cooperating with the supervisory authority, acting as a contact point for the
supervisory authority and acting as a contact point for data subjects).[295]

9.1.9 Action scheme
Whereas a number of introductory comments relating to GDPR assurance
and GDPR audits are made in § 9.1, in § 9.2 a number of general objectives
and side effects of GDPR assurance and GDPR audits are discussed. Which
subsequent steps can be taken to approach GDPR assurance in an orderly and
structured manner is central in § 9.3, followed by a GDPR assurance roadmap
in § 9.4. Logical process steps for performing GDPR audits are central in
§ 9.5, followed by a GDPR audit roadmap in § 9.6. Whereas § 9.7 further
discusses the role of the DPO within the framework of GDPR assurance and
GDPR audits, the substantive part of this chapter is completed in § 9.8 with a
general table of reference for GDPR assurance and GDPR audits that can be
used (further developed) by the DPO – tailored to the enterprise, institution
or organisation – within the framework of the DPO's own work plan.

Figure 9.1 Action scheme

9.2 GDPR assurance and GDPR audits: objectives and side effects

9.2.1 General objectives of GDPR assurance and GDPR audits

Every enterprise, institution or organisation can explicitly (according to their
own insights and/or needs) intend to achieve a number of general goals in
performing GDPR assurance and GDPR audits. Among others, the following
general objectives can be derived from Article 39(1)(b) (monitoring
compliance with the GDPR) (read in conjunction with the particular
obligation(s) pursuant to the GDPR):

1. Compliance check appropriate and effective data protection policies
(Article 24(1) and (2)).
2. Compliance check appropriate and effective measures (recital 74).
3. Compliance check GDPR privacy duty of care (Article 5(1)).
4. Compliance check lawfulness (Article 6).
5. Compliance check updated register under Article 30.
6. Compliance check control processes (GDPR requirements and
GDPR controls).
7. Compliance check effective risk management and control.
8. Compliance check effective issue management.
9. Compliance check Data Protection Impact Assessment (DPIA)
duty.
10. Compliance check accountability duty (Article 5(2)).

Figure 9.2 General goals


9.2.1.1 Compliance check appropriate and effective data protection
policies (Article 24(1) and (2))
According to recital 74 of the GDPR, the controller should be obliged to
implement appropriate and effective measures and be able to demonstrate the
compliance of processing activities. Setting up and performing GDPR
assurance and GDPR audits is an excellent way to check whether the data
protection policies are de facto complied with. As discussed before, the
effective result of GDPR assurance and GDPR audits is that insight is
obtained into the current (actual) compliance with the implemented measures,
because of which the ‘appropriate and effective’ data protection policies can
be placed in compliance perspective and can contribute to further fulfilment
of the accountability duty of Article 5(2) of the GDPR.

As a starting point for GDPR assurance and GDPR audits, it is important that
companies, organisations and institutions (controllers within the meaning of
Article 4) can at least answer the question of which appropriate technical and
organisational measures are implemented. GDPR assurance and GDPR audit
reports could provoke re-evaluation of the proper functioning and
effectiveness of the specific implemented measures. In a sense, GDPR
assurance and GDPR audits can be seen as important compliance control
mechanisms by which it is established whether all previously implemented
(reviewed and updated, determined to be appropriate and effective) measures
are de facto complied with.

9.2.1.2 Compliance check appropriate and effective measures (recital 74)
According to recital 74, the responsibility and liability of the controller for
any processing of personal data carried out by the controller or on the
controller's behalf should be established. With this kept in mind, GDPR
assurance and GDPR audits can play an important role within the framework
of limitation of liability. After all, if better insights can be obtained because
of good GDPR assurance and GDPR audit reports in order to realise a
situation where de facto all obligations pursuant to the GDPR are complied
with, the chance of successfully holding the controller responsible due to
non-compliance will decrease to some extent.

9.2.1.3 Compliance check instantiation and compliance with GDPR
privacy duty of care (Article 5(1))

With GDPR assurance and GDPR audits, compliance with measures and
concrete actions is monitored for the instantiation of, compliance with,
testing and assessment of effective compliance with the principles relating to
processing of personal data under Article 5(1) (also referred to as the general
GDPR privacy duty of care of the controller). According to this article,
personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to
the data subject (‘lawfulness, fairness and transparency’).
b. collected for specified, explicit and legitimate purposes and not
further processed in a manner that is incompatible with those
purposes; further processing for archiving purposes in the public
interest, scientific or historical research purposes or statistical
purposes shall, in accordance with Article 89(1), not be considered
to be incompatible with the initial purposes (‘purpose limitation’).
c. adequate, relevant and limited to what is necessary in relation to the
purposes for which they are processed (‘data minimisation’).
d. accurate and, where necessary, kept up to date; every reasonable
step must be taken to ensure that personal data that are inaccurate,
having regard to the purposes for which they are processed, are
erased or rectified without delay (‘accuracy’).
e. kept in a form which permits identification of data subjects for no
longer than is necessary for the purposes for which the personal
data are processed; personal data may be stored for longer periods
insofar as the personal data will be processed solely for archiving
purposes in the public interest, scientific or historical research
purposes or statistical purposes in accordance with Article 89(1)
subject to implementation of the appropriate technical and
organisational measures required by this Regulation in order to
safeguard the rights and freedoms of the data subject (‘storage
limitation’).
f. processed in a manner that ensures appropriate security of the
personal data, including protection against unauthorised or
unlawful processing and against accidental loss, destruction or
damage, using appropriate technical or organisational measures
(‘integrity and confidentiality’).

9.2.1.4 Compliance check instantiation lawfulness (Article 6)

In the case of GDPR assurance and GDPR audits, it is monitored whether
measures and concrete actions are undertaken to assess whether the
processing of personal data under Article 6 indeed takes place on the lawful
bases required for it. Under Article 6, the controller can only process
personal data lawfully if and to the extent that at least one of the following
applies:

a. the data subject has given consent to the processing of his or her
personal data for one or more specific purposes.
b. processing is necessary for the performance of a contract to which
the data subject is party or in order to take steps at the request of the
data subject prior to entering into a contract.
c. processing is necessary for compliance with a legal obligation to
which the controller is subject.
d. processing is necessary in order to protect the vital interests of the
data subject or of another natural person.
e. processing is necessary for the performance of a task carried out in
the public interest or in the exercise of official authority vested in
the controller.
f. processing is necessary for the purposes of the legitimate interests
pursued by the controller or by a third party, except where such
interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal
data, in particular where the data subject is a child.[296]

9.2.1.5 Compliance check updated register under Article 30

On the basis of Article 30(1), each controller[297] and, where applicable, the
controller's representative, shall maintain a record of processing activities
under its responsibility. That record shall contain all of the following
information:

a. the name and contact details of the controller and, where
applicable, the joint controller, the controller's representative and
the data protection officer.
b. the purposes of the processing.
c. a description of the categories of data subjects and of the categories
of personal data.
d. the categories of recipients to whom the personal data have been or
will be disclosed including recipients in third countries or
international organisations.
e. where applicable, transfers of personal data to a third country or an
international organisation, including the identification of that third
country or international organisation and, in the case of transfers
referred to in the second subparagraph of Article 49(1), the
documentation of suitable safeguards.
f. where possible, the envisaged time limits for erasure of the
different categories of data.
g. where possible, a general description of the technical and
organisational security measures referred to in Article 32(1).

As regards compliance with the recording duty under Article 30, in practice
a good GDPR assurance and GDPR audit devotes sufficient attention to the
following:

1. Actual control and objective assessment of the completeness of the
number of processing activities recorded under Article 30 GDPR.
2. Actual control and objective assessment of the data entailed in the
GDPR record per processing activity (components a to g of
Article 30(1)).

9.2.1.6 Compliance check control of processes (GDPR requirements
and GDPR controls)

A general goal of GDPR assurance and GDPR audits is independently
monitoring the ‘proper functioning and effectiveness’ of the GDPR controls
(control measures) that are connected to specific GDPR requirements. Within
that framework, the following could be thought of:

1. Concrete GDPR requirements that should be complied with within
the context of the GDPR implementation processes (according to
the GDPR and possible additional internal data protection policies).
2. Practical GDPR controls,[298] or practical control measures, that
can be used for actually and effectively controlling the GDPR
implementation processes.

Recall that, on the basis of Article 24(1), the controller shall implement
appropriate technical and organisational measures to ensure and to be able to
demonstrate that processing is performed in accordance with this Regulation
(taking into account the nature, scope, context and purposes of processing as
well as the risks of varying likelihood and severity for the rights and
freedoms of natural persons).

9.2.1.7 Compliance check risk management & control

In a certain sense, GDPR assurance and GDPR audit can be described as a
systematic and structured approach to monitor whether risks are being
controlled, by testing in a timely manner and regularly, and to assess the
proper functioning and effectiveness of risk control measures (risk
management and control). GDPR assurance and GDPR audits could
contribute to bringing GDPR risks to, and keeping them at, a lower level, at
any rate at a level that lies within acceptable boundaries for the organisation.
What is an acceptable GDPR risk level for one organisation might not be the
same for another organisation.
It becomes apparent from GDPR assurance and GDPR audit which measures
are concretely taken to effectively control the privacy risks, as well as which
concrete actions are (not) performed de facto. The term ‘risk’ plays a central
role in the GDPR.[299] The risk to the rights and freedoms of natural persons,
of varying likelihood and severity, may result from personal data processing
which could lead, according to recital 75, to physical, material or
non-material damage of varying severity for data subjects. For the sake of
brevity, reference is made to what is observed about this in chapter 6.

9.2.1.8 Compliance check effective issue management

Monitoring whether the measures that were taken in the case of GDPR
incidents (GDPR issue management) were effective is mentioned in practice
as an explicit goal of GDPR assurance and GDPR audits. In that case, among
others, extra attention is devoted to:

1. Monitoring whether possible incidents (GDPR issues) are identified
in a timely manner.
2. Monitoring whether the estimation of the risk of the occurrence of
incidents took place in a timely manner.
GDPR issue management plays a role in particular within the framework of
security issues.[300] In this regard, under Article 32(1) (security of
processing) the controller and processor shall implement appropriate
technical and organisational measures to ensure a level of security
appropriate to the risk, including inter alia as appropriate:

1. the pseudonymisation and encryption of personal data.
2. the ability to ensure the ongoing confidentiality, integrity,
availability and resilience of processing systems and services.
3. the ability to restore the availability and access to personal data in a
timely manner in the event of a physical or technical incident.

Within the framework of monitoring whether the above-mentioned
appropriate security measures are taken in a timely manner, GDPR assurance
and GDPR audits play an important role.
9.2.1.9 Compliance check Data Protection Impact Assessment (DPIA)
duty

GDPR assurance and GDPR audit play an important role in monitoring
compliance with the Data Protection Impact Assessment (DPIA) of Article
35. On the basis of Article 35(7)(d), among other things, effective safeguards
and mechanisms are assessed to guarantee and demonstrate the protection of
personal data. A general goal of GDPR assurance and GDPR audit could be
to monitor compliance with the duty under Article 35 to effectively perform a
DPIA – often referred to as Privacy Impact Assessment (PIA).
A component of GDPR assurance and GDPR audits is usually also
monitoring whether the DPIA models that should be used (mandatorily) by
the enterprise, institution or organisation for actually performing a DPIA
satisfy the requirements of the GDPR and can be applied correctly within
that framework.

9.2.1.10 Compliance check accountability (Article 5(2))

A permanent ‘audit assignment’ that is derived from GDPR assurance and
GDPR audits is to examine whether it is recorded to a sufficient degree that
all activities/actions that are executed in order to comply with the GDPR are
de facto executed, as well as their results, including the possible follow-up.
On the basis of Article 5(2), the controller shall be responsible for, and be
able to demonstrate compliance with, Article 5(1) (‘accountability’). GDPR
assurance and GDPR audit whose design and structure are well formed and
which are performed competently often result in additional ‘GDPR
evidence’. It is therefore highly recommended to report extensively on the
complete trajectory of GDPR assurance and GDPR audits (also for purposes
of the DPA).

9.2.1.11 Side effects of GDPR assurance and GDPR audit

It is plausible that the side effects of GDPR assurance and GDPR audits
depend on their design and structure. In general, it can be argued that good
and competently performed GDPR assurance and GDPR audits could lead to
the following side effects that (as was the case for a GDPR baseline and
GDPR gap-analysis) could be brought along within the framework of the
DPO work plan.

1. Promote insight into the necessary resources for both the controller
and the DPO (Article 38(2)).
2. Privacy awareness-raising (Article 39(1)(b)).
3. Promote a better insight into the processing activities (Article 30).
4. Promote insight into the importance of processing for company-
critical processes (among others recital 74).
5. Promote more effective performance of legal DPO tasks.

As these side effects correspond mutatis mutandis (broadly) with the side
effects of a GDPR baseline, GDPR gap-analysis and GDPR implementation,
for the sake of brevity reference is made to what has already been observed
about this in § 6.1.3.2.

9.3 GDPR Assurance: Process steps

Figure 9.4 Process steps

9.3.1 Step 1: Compose a GDPR Assurance team
Whereas the mandate is received to draft and perform a GDPR assurance plan
(the mandate will usually not be provided to the DPO, but to someone else –
for example a Privacy Officer, GDPR project manager or external GDPR
expert – who is explicitly charged with the review), first a GDPR assurance
team has to be composed. Ideally, this team consists of people with diverse
backgrounds (for example legal, IT, Security, Compliance, Ethics, Quality
and Control). When the GDPR assurance team is composed, this team
establishes at least the following:

1. Which subsequent steps have to be taken for monitoring the
specific guarantees to safeguard compliance with appropriate
technical and organisational measures as become apparent, among
others, from the ‘list of measures and actions’ as mentioned in the
GDPR implementation plan (GIP).
2. Who has which tasks, fulfils which tasks and accounts for what
within the GDPR team.
3. Clear timelines within which the hereinafter mentioned steps have
to be completed.

9.3.2 Step 2: Determine the subject of GDPR assurance

Before the actual GDPR assurance examination can be initiated, it first needs
to be clear what exactly has to be guaranteed and within the framework of
which specific measures and thereto corresponding concrete actions have to
be monitored. With reference to Article 39(1)(b), for the sake of convenience
it is assumed hereinafter that the goal of the GDPR assurance discussed in
this chapter is testing the proper functioning and effectiveness of measures
and concrete actions within that framework within the meaning of Article
24(1). See § 9.2 for a discussion of the general goals (and side effects) of
GDPR assurance and GDPR audit. Within the framework of determining the
subject of GDPR assurance, it is furthermore advisable to take into account at
least the following aspects:

1. What is the goal of the particular GDPR assurance?
2. Are there possible ‘special circumstances’ that have to be taken
into account in performing the particular GDPR assurance?
3. Which GDPR quality criteria have to be considered within the
framework of the current GDPR assurance?

9.3.3 Step 3: Establish the scope of GDPR assurance

Whereas the subject of GDPR assurance is determined, the next step is to
establish the scope of GDPR assurance. The goal is to define as precisely as
possible (SMART) what the specific GDPR assurance has to entail. It is
recommended to take at least the following aspects into account:

1. The measures as mentioned in the GDPR itself.
2. The measures as mentioned in other Union data protection
legislation and regulation.
3. National data protection laws and regulations.
4. Industry codes of conduct under Article 40 GDPR.
5. General (security) norms such as
ISO/CIE/CEN/CENELEC/ENISA.[301]
6. Organisation-specific (internal) regulations.

9.3.4 Step 4: Determine the applicable GDPR review criteria
Whereas step 3 describes as clearly as possible what has to be reviewed
within the framework of the particular GDPR assurance, in step 4 the criteria
are determined that a good review of GDPR compliance should fulfil, and
which have to be established on the basis of qualitatively acceptable proof
(also in light of Article 5(2)). In general, the following review questions
could be relevant:

1. Review criteria relating to the good effect of measures/actions:

a. Does the measure/action function as expected, as this was
initially intended and designed?
b. Are all conditions fulfilled that were (possibly) set for the
measure/action?
c. Does the measure/action have such an effect that relevant
(special) circumstances are sufficiently taken into account?
d. Is there a matter of some form of ‘conflict’ considering the
effect of the measure (action) compared to the other measure
(action)?

2. Review criteria relating to the effectiveness of measures/actions:

a. Is the goal de facto (actually) achieved that was intended
with this measure/action?
b. Are the problems that are the basis of the GDPR
measures/actions solved?
c. Is there a matter of possible (undesired) side effects of a
GDPR measure/action?

In general, it could be argued that – by analogy with Article 39(2) – in
determining the final GDPR review criteria for specific GDPR assurance due
regard shall be given to the risk associated with processing operations, taking
into account the nature, scope, context and purposes of processing.

9.3.5 Step 5: Perform the actual GDPR Assurance activities

In the penultimate step of GDPR assurance, the actual performance of GDPR
assurance activities is the main focus, i.e. the collection of data and
information for the purposes of the specific GDPR assurance, on the basis of
which it is reviewed whether the results (proper functioning and
effectiveness) intended with the ‘guarantees’ and ‘safeguards’ are or are not
achieved. In this examination, the previously defined GDPR assurance
review criteria are the main focus. If and provided that it is established that
the effect of certain measures (actions) is not optimal or the effectiveness
leaves something to be desired, it is evident that subsequently the question is
asked how these can be improved (updated). The additional corrections that
derive therefrom should be performed shortly afterwards and should be
entailed as a point of concern (recommendation) in the GDPR assurance
report.

9.3.6 Step 6: Report on the performed GDPR assurance activities

Whereas steps 1 to 5 are completed and the necessary guarantees and
safeguards within the meaning of the GDPR are reviewed for proper
functioning and effectiveness, it is recommended to record the design,
approach, results and findings of the GDPR assurance activities on the basis
of acceptable proof (that for example satisfies the previously mentioned
DRAAI criteria) in the form of an (internal and/or external) report. On the
basis of Article 5(2), the controller shall be responsible for, and be able to
demonstrate compliance with, the obligations pursuant to the GDPR
(‘accountability’).

9.3.7 A clear GDPR Assurance plan

To have at one’s disposal a clear, logically sequential plan for GDPR
assurance activities – and thereto corresponding concrete actions – can
provide various advantages, among which the following.

1. A framework for goal-oriented and systematically organising
relevant GDPR assurance activities.
2. A clear framework for further design of the GDPR assurance
process.
3. Insight into the sequence and logical composition of the GDPR
assurance process towards internal and external stakeholders (for
example: standardize, approve, digitalize, phase, monitor, analyse
and report).
4. A framework for more effective design of GDPR control processes
(time, money, quality, information and organisation).

9.3.8 Organise knowledge and expertise around GDPR assurance

The (process) managers for the performance of GDPR assurance activities
(for example privacy officers, compliance officers, security officers,
information specialists, Q&A officers) could gain efficiency and
effectiveness of review activities by ‘organising the necessary knowledge’ for
performing GDPR assurance. One could concretely think of involving at least
those disciplines that could, for example, be of added value in assessing the
‘proper functioning and effectiveness’ of the particular ‘guarantees’ and
‘safeguards’. Besides expertise from the various disciplines, it is also
recommended to possess knowledge and insights from the daily practice of
operational processes (knowledge of and experience with the practice of data
protection).

9.4 GDPR Assurance: Roadmap

9.4.1 Why a roadmap for GDPR assurance?

Performing GDPR assurance well and competently (with or without external
support) could form a challenge, both on an organisational and a substantive
level, for the enterprise, institution or organisation. A clear roadmap for
GDPR assurance could at least lead to some organisational relief, because
the main steps can be visualised in sequence and clearly, taking into account
the methodical realisation of the beforehand defined objectives of the
particular GDPR assurance. Planning should be an integral component of the
design process (set-up) of professional GDPR assurance. In general, well-
thought-out planning (based on a structured roadmap) provides among others
the following advantages.

1. Increases the chance of actually achieving the beforehand defined
goals.
2. Provides a methodical overview.
3. Provides the opportunity to set priorities and apply the necessary
focus.
4. Provides better insight into the time required.
5. Increases the insight into the necessary resources (IT, capital and
(additional) expertise).
6. Enhances the effective productivity (realising GDPR deliverables).
7. Provides a better understanding of, and emphasises the importance
of, an effective approach (to prevent duplicates and unnecessary
repetitions).
8. Raises the odds that certain activities are actually being carried out.
9. Helps to stay on track (time management).
10. Prevents important tasks from becoming urgent tasks (prevents
stress).

9.4.2 Roadmap GDPR assurance

Figure 9.5 Roadmap assurance

9.4.2.1 Mandate for GDPR assurance
The first step on the GDPR assurance roadmap is obtaining a sufficient
mandate for carrying out all activities that are necessary for performing the
intended GDPR assurance.[302]

9.4.2.2 Composing the GDPR assurance team

It is important that the chairman of the GDPR assurance team reaches a
balance within the team between the various roles, tasks, required expertise
areas and responsibilities.[303]

9.4.2.3 Embedding GDPR stakeholder management

Competent chairmen of various GDPR teams subscribe to the fundamental
idea that for successful completion of a GDPR assurance assignment all
stakeholders have to be identified and involved in the review of the GDPR
measures that were taken to comply with the obligations pursuant to the
GDPR.[304]

9.4.2.4 Establish risk orientation GDPR assurance

In reviewing the processing of personal data, extra attention seems relevant
for reviewing the risk to the rights and freedoms of natural persons, of
varying likelihood and severity, that may result from personal data
processing and which could lead, according to recital 75 of the GDPR, to
physical, material or non-material damage.[305]

9.4.2.5 Interim report on GDPR assurance

It is advisable to regularly draw up an interim report, keeping in mind the
already achieved and still to be achieved (intended) end results of the review
activities within the framework of GDPR assurance.[306]

9.4.2.6 Composing final reports GDPR assurance (Article 5(2))

The performance of a GDPR assurance assignment is (just like every other
GDPR project) completed with a sound end report, of which the primary goal
is to take responsibility (accountability).[307]
In a sense, Article 5(2) adds an extra (accountability) dimension in the area of
processing personal data to reports and to the importance of the underlying
evidence for the conclusions that are the basis of the reports. According to
the latter article, the controller shall be responsible for, and be able to
demonstrate compliance (‘accountability’) with, Article 5(1) (principles
relating to processing of personal data). Hence the purpose and necessity of
including ‘accountability’ as a permanent component in every GDPR project.

9.4.3 Success factors for the proper performance of GDPR assurance

With reference to the previously discussed Standish Group Chaos Report
2011[308], one could generally distinguish a number of factors that can
contribute to achieving the intended goals with GDPR assurance. In
particular, the following are obviously of importance:

1. Team members with sufficient (relevant) expertise in the area of
reviewing measures and actions against legal norms.
2. Clear formulation of beforehand defined goals of GDPR assurance
(ideally formulated as such in the mandate for performing GDPR
assurance).

9.5 GDPR audit: Process steps


Figure 9.6 Audit process steps
9.5.1 Step 1: Compose a GDPR audit team
Once the mandate to draft and perform a GDPR audit plan has been received (the mandate will usually not be given to the DPO, but to someone else who is explicitly charged with the review, for example a Privacy Officer, GDPR project manager or external GDPR expert), a GDPR audit team first has to be composed. Ideally, this team consists of people with diverse backgrounds (for example legal, IT, security, compliance, ethics, quality and control).

Once the GDPR audit team is composed, it establishes at least the following:

1. Which subsequent steps have to be taken to monitor compliance with the appropriate technical and organisational measures, as apparent from, among others, the ‘list of measures and actions’ in the GDPR implementation plan (GIP).
2. Who has which tasks, who performs them and who accounts for what within the GDPR audit team.
3. Clear timelines within which the steps mentioned hereinafter have to be completed.

9.5.2 Step 2: Determine the subject of the GDPR audit


Before the GDPR audit can be initiated, it first needs to be clear which measures, and which concrete actions corresponding to them, will be the subject of the GDPR audit (or the subject of control and verification on the basis of acceptable proof). With reference to Article 39(1)(b), it is assumed hereinafter, for the sake of convenience, that the goal of the GDPR audit discussed in this chapter, performed on the basis of a GDPR audit plan, is to carry out the activities needed to monitor and verify whether the controller has done what is necessary under Article 24(1) to implement appropriate technical and organisational measures, so that the processing of personal data is performed in accordance with the GDPR.
When determining the subject of the GDPR audit, it is furthermore advisable to take into account at least the following aspects:

1. What is the goal of the particular GDPR audit?
2. Are there ‘special circumstances’ that have to be taken into account in performing the particular GDPR audit?

9.5.3 Step 3: Determine the scope of the GDPR audit


Once the subject of the GDPR audit is determined, the next step is to determine its scope. The goal is to define as precisely as possible (SMART) what the specific GDPR audit has to cover. It is recommended to take at least the following aspects into account.

1. The measures as mentioned in the GDPR itself.
2. The measures as mentioned in other Union data protection legislation and regulation.
3. National data protection laws and regulations.
4. Industry codes of conduct under Article 40 GDPR.
5. General (security) standards such as those of ISO/IEC, CEN/CENELEC and ENISA.[309]
6. Organisation-specific (internal) regulations.

9.5.4 Step 4: Determine the applicable GDPR audit criteria


Once step 3 has described as clearly as possible what has to be monitored with regard to the actions to be assessed, step 4 determines the audit criteria of the particular GDPR audit. In general, the following GDPR audit criteria are distinguished:

1. GDPR audit criteria for monitoring (and verifiably demonstrating) the proper functioning of GDPR measures/actions.
2. GDPR audit criteria for monitoring and verifying the effectiveness of GDPR measures/actions.

In general, it can be argued that, by analogy with Article 39(2), due regard shall be given in determining the GDPR audit criteria to the risk associated with the processing operations, taking into account the nature, scope, context and purposes of processing.

9.5.5 Step 5: Perform the actual GDPR audit activities


In the penultimate step of the GDPR audit plan, the focus is on actually performing the GDPR audit planned in the previous four steps, that is, carrying out the (additional) activities needed to realise the previously agreed control and verification goals, with acceptable proof playing a central role. During the performance, the beforehand defined GDPR audit criteria for monitoring deserve special attention.

9.5.6 Step 6: Report on the performed GDPR audit activities


Once steps 1 to 5 are completed and the appropriate technical and organisational measures have been monitored, reviewed (for proper functioning and/or effectiveness) in accordance with the GDPR audit plan and verified on the basis of permissible proof, it is recommended to record the results in the form of an (internal and/or external) report.
Under Article 5(2) the controller shall be responsible for, and be able to demonstrate compliance with, the principles of Article 5(1), and under Article 24(1) the controller must be able to demonstrate that processing is performed in accordance with the GDPR (‘accountability’). The report is also relevant to the controller’s obligation to provide for the performance of GDPR audits in its own GDPR policies.[310]

9.5.7 A clear GDPR audit (action) plan


Having at one’s disposal a clear, logically sequenced plan for GDPR auditing (monitoring and verifying) compliance with the appropriate technical and organisational measures, and the concrete actions corresponding to them, provides various advantages, among which the following:

1. A clear framework for the design of the GDPR audit process.
2. Insight, for internal and external stakeholders, into the sequence and logical set-up of the GDPR audit process (for example: standardise, approve, digitalise, phase, monitor, analyse and report).
3. Evidence towards internal and external stakeholders.

Following the above-mentioned steps can be of practical help. Another arrangement of the steps in the GDPR audit plan is of course conceivable.

9.5.8 Organise knowledge and expertise around the GDPR audit

Those responsible for performing GDPR audits (GDPR auditor, lead GDPR auditor, Privacy Officer, compliance officer etc.) can gain in efficiency and effectiveness by ‘organising the necessary knowledge’ for the particular GDPR audit. Concretely, one can think of involving at least those disciplines that add value in actually performing the concrete control measures and control actions relating to compliance with the obligations pursuant to the GDPR. In practice, involving for example HR, IT, Security and Business Operations can lead to surprising input, through which the actual proper functioning and effectiveness of the GDPR implementation measures can eventually be enhanced.

9.6 GDPR audit: Roadmap


9.6.1 Why a roadmap for GDPR audits?
Performing a GDPR audit well and competently (with or without supporting software or external experts) can be a challenge, both organisationally and substantively. A clear roadmap for the GDPR audit can at least bring some organisational relief, because the main steps can be visualised in sequence and clearly, with a view to methodically realising the beforehand defined objectives of the GDPR audit. Planning should be an integral component of the design (set-up) of a good GDPR audit. In general, well-thought-out planning (based on a structured roadmap) provides, among others, the following advantages:

1. Increases the chance of actually achieving the beforehand defined GDPR audit objectives.
2. Provides a methodical overview of the GDPR audit.
3. The opportunity to set priorities and apply the necessary focus.
4. Better insight into the time the GDPR audit requires.
5. Increases the insight into the necessary resources (IT, capital and expertise).
6. Enhances effective productivity (realising GDPR deliverables).
7. Provides better understanding of, and emphasises the importance of, an effective approach (to prevent duplication and unnecessary repetition).
8. Raises the odds that certain activities are actually carried out.
9. Helps to stay on track (time management).
10. Prevents important tasks from becoming urgent tasks (prevents stress).

9.6.2 Roadmap of the GDPR audit

Figure 9.7 Roadmap


9.6.2.1 Mandate for performing the GDPR audit
The first step on the roadmap of the GDPR audit is obtaining a sufficient mandate for carrying out all activities that are necessary for performing the GDPR audit.[311]

9.6.2.2 Composing the GDPR audit team


It is important that the chair (leader) of the GDPR audit team achieves a balance in the team between the various roles, tasks, required areas of expertise and responsibilities, in particular in light of the subject and scope of the GDPR audit.[312]

9.6.2.3 Embedding GDPR stakeholder management


Competent chairs (leaders) of GDPR audit teams endorse the fundamental idea that, for a GDPR audit to be completed successfully, all stakeholders have to be identified and involved in monitoring and verifying the GDPR measures that were taken to comply with the obligations pursuant to the GDPR.[313]

9.6.2.4 Determine risk orientation of the GDPR audit


In reviewing the processing of personal data, particular attention should be given to the risk to the rights and freedoms of natural persons, of varying likelihood and severity, which according to recital 75 may result from personal data processing that could lead to physical, material or non-material damage.[314]
Within this framework, an often-used method is composing a so-called ‘GDPR privacy risk map’.[315] The likelihood of occurrence of an identified risk is usually placed on the x-axis of such a map and the impact of the risk on the y-axis. In general, it is recommended to tailor the GDPR privacy risk map to the enterprise, institution or organisation, in order to increase its added value for the GDPR audit.

9.6.2.5 Make an interim report on the GDPR audit


It is advisable to prepare interim reports regularly, keeping in mind the (intended) end results of the reviewing activities within the framework of the GDPR audit that have already been achieved and those still to be achieved.[316]

9.6.2.6 Compose final reports of the GDPR audit (Article 5(2))


The GDPR audit is (just like every other company project) completed with a sound final report, the primary goal of which is to account for what was done (accountability).
In a sense, Article 5(2) adds an extra (accountability) dimension to reports in the area of processing personal data, and to the importance of the underlying evidence for the conclusions on which the reports rest. According to that article, the controller shall be responsible for, and be able to demonstrate compliance with, Article 5(1) (principles relating to processing of personal data) (‘accountability’). This shows the purpose of, and the need for, including ‘accountability’ as a permanent component in every GDPR project.
Where the objective of the GDPR audit was to measure whether, and if so to what degree, Article 5(1) is complied with, the relatively open character of that provision makes it all the more important that:

1. Good parameters for demonstrating (accounting for) compliance with the principles of Article 5(1), as required by Article 5(2), are already put in place during the GDPR implementation phase.
2. All measures and actions covered by the GDPR audit are reviewed against the beforehand defined (and SMART-formulated) objectives.

9.6.3 Success factors for proper performance of GDPR audits


Under reference to the previously discussed Standish Group Chaos Report 2011[317], one can generally distinguish a number of factors that contribute to achieving the intended objectives of the particular GDPR audit. In particular, the following stand out:

1. Team members with sufficient (relevant) expertise in monitoring and verifying compliance with the obligations pursuant to the GDPR.
2. Clear formulation of the beforehand defined objectives of the particular GDPR audit (ideally formulated as such in the mandate for performing the GDPR audit).

9.7 GDPR Assurance and GDPR Audits: the role of the DPO

The DPO is expected to perform his/her tasks across the full width of the
‘obligations pursuant to the GDPR’. In the wording of Article 39(1)(a), ‘The
data protection officer shall have at least the task to inform and advise the
controller or the processor and the employees who carry out processing of
their obligations pursuant to this Regulation and to other Union or Member
State data protection provisions.’
In answering the question which role the DPO can, may or should fulfil in the actual performance of GDPR assurance, at least the following considerations should be taken into account.
It is beyond discussion that, for the proper performance of the DPO’s legal tasks, it is of the utmost importance that there is clear sight of complete and correct (or rectified) compliance with the obligations pursuant to the GDPR. Within the framework of the ‘independent’ functioning of the DPO (see among others Article 38(3)), the question can be raised whether it is wise to assign the DPO a large executing role within the context of GDPR assurance. Would it not fit better with the professional profile of the DPO (see in particular chapter 2) to reserve a larger role for the DPO in independently informing, advising and monitoring within the framework of GDPR assurance? After all, this line also fits better with the vision, mission and strategy (VMS) of the DPO work plan. Does an intensive role for the DPO in implementing measures and performing concrete actions as part of GDPR assurance fit within that framework?
If the DPO is involved in the performance of GDPR assurance (for example as a member of a feedback body or steering committee, or as technical project manager), the DPO should pay constructive attention to the vision, mission and strategy (VMS) of his/her own DPO work plan, keeping in mind the practical development of that work plan, in light of the legally enshrined tasks of the DPO (within the meaning of Article 39).[318]
In accordance with Article 35(2), the controller shall seek the advice of the DPO when carrying out a data protection impact assessment (DPIA). Providing advice where requested as regards the DPIA and monitoring its performance pursuant to Article 35 belongs (under Article 39(1)(c)) to the legal tasks of the DPO. Could a too intensive role of the DPO in performing GDPR assurance come into conflict with the task of providing advice in the context of a DPIA? This applies all the more given the DPO’s explicit task to monitor the performance of the DPIA on which the DPO has advised. A too intensive role of the DPO in the performance of GDPR assurance does not seem to sit well with this.
For the sake of constructively ‘informing’ and ‘advising’ pursuant to Article 39(1), it is recommended that the DPO contributes on the basis of good insight into the way in which supervisory authorities look at GDPR assurance, in particular their risk approach and the methodologies they recommend (see among others the privacy risk methodology of the CNIL).
In answering the question which role the DPO can, may or should have in the actual performance of a GDPR audit, due regard should at least be given to the following considerations.
As regards GDPR audits, the DPO has an explicit task within the context of ‘monitoring compliance with the GDPR’. On the legal tasks of the DPO, Article 39(1)(b) provides the following: ‘to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.’
Performing a GDPR audit as an ‘other task’ is in principle allowed, provided that the controller ensures, under Article 38(6), that this ‘other task’ does not result in a conflict of interests (with the tasks codified in Article 39). The reasoning that too large an involvement of the DPO in carrying out concrete actions within the framework of a GDPR audit does not sit well with independent monitoring of compliance with the GDPR should be endorsed. After all, the butcher should not be the one to inspect his own meat.
Recital 97 further specifies that the data protection officer ‘should assist the controller or processor to monitor internal compliance with this Regulation’. Within the framework of the tasks relating to monitoring compliance, data protection officers should in particular, in the view of the EDPB:[319]

1. Collect information to identify processing activities.
2. Analyse and check the compliance of processing activities.
3. Inform, advise and issue recommendations to the controller or the processor.

Monitoring of compliance does not mean that it is the DPO who is personally responsible where there is an instance of non-compliance, according to the EDPB. The GDPR makes it clear that it is the controller, not the DPO, who is required to ‘implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation’ (Article 24(1)). Data protection compliance is a corporate responsibility of the data controller, not of the DPO.

CHAPTER 10
ACCOUNTABILITY AND REPORTING IN A
DPO WORK PLAN

10.1 Introduction accountability and reporting in the GDPR

10.1.1 An Accountability and Reporting Plan (ARP)
The General Data Protection Regulation (GDPR) repeatedly stresses the importance of accountability (with transparency in mind) and reporting (systematic descriptions in a structured manner). Within the framework of a professional DPO work plan, too, sufficient attention should be devoted to accountability and reporting on the (professional, expert) insights provided and the activities carried out by the DPO. Ideally, this takes the form of a well-considered plan, built on clear goals and predefined steps and phases: an ‘Accountability and Reporting Plan (ARP)’, thought through and (at least provisionally) designed ex ante, i.e. before the DPO’s actual activities take place and based on forecasts of them.[320] For completeness, it is noted that the DPO is supposed to devote attention to the theme ‘accountability and reporting’ on at least two levels.
In the first place on the level of the controller or processor. Within the framework of various GDPR obligations, the controller and/or processor should be able to demonstrate compliance with the principles relating to processing of personal data. In this context Articles 5(2), 24(1) and 32 of the GDPR[321] are explicitly mentioned. The DPO monitors (on the basis of Article 39(1)(b)), among other things, that these obligations of the controller or processor are complied with. In this chapter, these obligations pursuant to the GDPR are not given further attention, unless explicitly mentioned otherwise.
In the second place on the level of the performance of the legal tasks by the DPO him/herself. In this regard, the DPO reports directly[322] to the highest management level of the controller or processor. Although neither the GDPR itself nor its preamble (recitals) elaborate on ‘directly reporting’, at least the following can be noted concerning ‘taking responsibility and reporting’ within the context of the GDPR, as far as relevant for the DPO.

A. With regard to the form. The English version of the GDPR provides in Article 38(3) that the data protection officer ‘shall directly report to the highest management level of the controller or the processor’, which suggests a written form in which the DPO can report to the highest management level. Another example of direct reporting (according to the EDPB)[323] is the drafting of an annual report of the DPO’s activities provided to the highest management level.
B. With regard to dissenting views of the DPO. If the controller or processor makes decisions that are incompatible with the GDPR and the DPO’s advice, the DPO should be given the possibility to make his or her dissenting opinion clear to the highest management level and to those making the decisions, according to the EDPB.[324] In this respect, Article 38(3) provides that the DPO ‘shall directly report to the highest management level of the controller or the processor’. Such direct reporting ensures that senior management (e.g. the board of directors) is aware of the DPO’s advice and recommendations as part of the DPO’s mission to inform and advise the controller or the processor.
C. With regard to the addressee of ‘directly reporting’. The Professional Standards for Data Protection Officers of the EU institutions and bodies working under Regulation (EC) 45/2001[325] pay explicit attention to the addressee of the DPO’s direct report. § 2 (DPO independence and status) of these Professional Standards notes, among other things, the following: ‘A DPO who reports to, and is reviewed by, a direct superior in the hierarchy (director or head of unit) may feel pressure to cooperate and get along smoothly with management and other colleagues, as vigorous performance of DPO duties may have a negative impact on career. The proper performance of DPO tasks often requires that the DPO take a firm and insisting attitude also with controllers who have a high position in the organisation, which may be perceived, at best, as bureaucratic or, at worst, unpleasant ‘trouble-making’. Thus, the DPO must be able to withstand the pressures and difficulties which accompany this important position. To alleviate this pressure, the DPO should report to, and be reviewed by, the administrative head of the institution or body. This is particularly important for part-time DPOs, who should report directly to, and be reviewed by, the appointing authority for their DPO duties, and to/by the normal superior in the hierarchy for other duties.’
D. With regard to the frequency. Although the GDPR does not explicitly indicate (codify) how often the DPO should ‘directly report’ to the highest management level, the EDPB (WP29),[326] by way of example, mentions the drafting of an annual report of the DPO’s activities provided to the highest management level. The Network of Data Protection Officers of the EU Institutions and Bodies, however, mentions a report at least once every one to two years.[327]
On the basis of the above comments and observations, the following can be concluded, also keeping in mind the subjects to be discussed hereinafter:

1. The DPO can, whether requested to or not (for reasons of his/her own), report directly to the highest management level of the controller or processor.
2. The content of the DPO’s ‘direct report’ to the highest management level of the controller or processor is at the discretion of the DPO. After all, neither the GDPR nor the guidelines of the EDPB (WP29) set more detailed requirements for the content of the direct report.
3. The frequency of the ‘direct reports’ should be coordinated between the DPO and the highest management level of the controller or processor. A number of scenarios are conceivable, of which the following are explicitly mentioned:
a. The DPO reports annually in writing to the highest management level of the controller or processor.
b. The DPO reports on request to the highest management level of the controller or processor.
c. The DPO reports at his/her own discretion to the highest management level of the controller or processor. This is of particular interest within the framework of expectation management.
d. The DPO reports at his/her own discretion to specific stakeholders, because this is advisable and adds value (also) within the framework of expectation management.
The above at least prompts a number of follow-up questions that are ideally addressed within the context of an ARP, with a view to taking accountability in a transparent way and reporting in a structured and systematic way on the fulfilment and performance of at least the GDPR tasks of the DPO. Within this framework, at least the following questions can be raised.

1. What is the rationale of an ARP?
2. What is the purpose (added value) of an ARP?
3. What is the goal of an ARP?
4. How detailed should an ARP be?
5. What is the practical (management) value of an ARP?

Below, finding answers to these questions is the focus of attention.

10.1.2 Rationale of an ARP


By analogy with the debate regarding the rationale (in the sense of ‘added value’) of an annual report of the DPO, it can be argued that the rationale of ‘accounting and reporting by the DPO’ pursuant to the GDPR also lies in ‘promoting insight into the approach of the DPO in performing his/her legal tasks regarding compliance by the controller and/or processor with the obligations pursuant to the GDPR.’

10.1.3 Goals of an ARP

The main aim of an ARP can simply be described as the DPO actually accounting for the manner in which he/she has performed the tasks mentioned in Article 39 of the GDPR (in conjunction with Article 38(4) of the GDPR).[328]
Besides this main aim, among others the following aims can be distinguished:

1. Providing insight into the expenditure of resources associated with operationalising the function of the DPO.
2. Sharing the findings of the DPO regarding concrete actions performed as part of the DPO’s tasks.
3. Promoting GDPR compliance by the controller or processor in a transparent way.
4. Providing important input for GDPR project managers.
5. Promoting a GDPR compliance ‘sense of urgency’ within the enterprise, institution or organisation, or within specific departments or activities.

10.1.4 Scope of an ARP


For maximising the purpose of an ARP and realising the defined goals, it is important to delineate its scope as clearly as possible. In other words: how far does the scope of the ARP reach? In practice (with reference to Article 39), roughly the following scopes can be distinguished.

1. The data protection provisions contained in the GDPR itself (Article 39(1)).
2. Other Union data protection provisions (Article 39(1)).
3. Member State data protection provisions (Article 39(1)).
4. Policies of the controller or processor in relation to the protection of personal data (Article 39(1)(b)).
5. Industry codes of conduct (Article 40).
6. Requirements regarding GDPR certification mechanisms (Article 42).[329]

An ARP as discussed here in principle lends itself well to expansion to additional scopes, such as further data privacy compliance dimensions (directly or indirectly related to the GDPR). A concrete example are the knowledge areas of the DAMA data management model,[330] which mentions: 1) data governance, 2) data architecture management (data protection by design), 3) data development, 4) database operations management, 5) data security management, 6) reference and master data management, 7) data warehousing and business intelligence management, 8) document and content management, 9) metadata management and 10) data quality management.

10.1.5 Logical process phases of an Accountability and Reporting Plan

In performing his/her tasks, the DPO usually processes a lot of information, covering a wide range of situations and circumstances. It is therefore recommended to think in good time about the processes for gathering and processing that information, especially since account has to be given periodically on a number of subjects, themes, investigations etc., ideally coordinated beforehand with the controller. At the level of process steps, too, it is advisable to distinguish a number of clear steps in the DPO’s ARP. A possible arrangement is presented in § 10.3, where the following steps are distinguished.

1. Determine what has to be accounted for in the report of the DPO.
2. Determine who (which roles) have to be involved in the accountability process according to the DPO.
3. Determine the scope of the DPO accountability report.
4. Make a first draft of the DPO accountability report.
5. Involve all stakeholders for feedback on the first draft of the DPO accountability report.
6. Compose the final version of the DPO accountability report.

10.1.6 Management value of an ARP


Apart from the fact that the DPO accountability report can eventually yield important insights into the notions and expectations of the DPO in relation to the controller and/or processor regarding compliance with the obligations pursuant to the GDPR, the DPO’s ARP can eventually also provide insight into the background, argumentation and foundation of those expectations. This in itself can already provide interesting information (‘GDPR intelligence’, if you will) for the board and the responsible manager.[331]

10.1.7 Importance of the DPO in an ARP


The DPO has an interest in various ways in systematically (methodically) accounting, in the form of an action plan, for the proper performance of his/her tasks within the meaning of Article 39 of the GDPR. At least the following considerations deserve attention.

1. The ARP provides a clear framework for accounting for activities in an organised way. In this regard, the DPO monitors under Article 39(1) in conjunction with Article 24 of the GDPR that the controller, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, implements appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR, and reviews and updates those measures where necessary. Thanks to a beforehand defined ARP, the professional efforts of the DPO in that area can be made visible and appreciated in a structured manner.
2. For properly monitoring compliance with the GDPR by the controller, setting up and designing an ARP is not only interesting but also relevant. After all, the DPO can (also on the basis of the measures and corresponding concrete actions mentioned in the GDPR implementation plan (GIP)) record his/her vision, findings and conclusions, in terms as specific as possible and in a structured manner, on the question to what degree the controller, processor and co-workers comply with their obligations pursuant to the GDPR (under Article 39(1)(b)). These efforts of the DPO are eventually also of interest as ‘GDPR evidence’ towards stakeholders, in particular the DPA.

10.1.8 Action scheme


Whereas § 10.1 formulates a number of introductory basic questions for the DPO regarding an ARP (among which the rationale and scope of an ARP), § 10.2 discusses a number of main goals and side effects of an ARP. Which steps can subsequently be taken to carry out an ARP in an orderly and structured way is the main focus of § 10.3. After a few special points of concern for the DPO within the framework of an ARP are discussed in § 10.4, the substantive part of this chapter is completed in § 10.5 with a general table of reference for an ARP that the DPO, tailored to the enterprise, organisation or institution, can use (and further develop) within the framework of his/her own DPO work plan.
Figure 10.1 Action scheme

10.2 ARP: Goals and side effects

10.2.1 Main goals of an ARP
The DPO may explicitly intend to achieve a number of general goals with an
ARP (according to his/her own insights and/or priorities). The following
main goals can, among others, be derived from the GDPR.

1. As a Professional directly report to the highest management level
(Article 38(3)) and/or relevant stakeholder(s).
2. As a Professional provide insight to the highest management level
(Article 38(3)) and/or relevant stakeholder(s) into the expectations
for realising an appropriate data protection policy by the controller
(Article 24(2)).
3. As a Professional provide insight to the highest management level
(Article 38(3)) and/or relevant stakeholder(s) into the expectations
for implementing appropriate and effective measures (recital 74).
4. As a Professional provide insight to the highest management level
(Article 38(3)) and/or relevant stakeholder(s) into the expectations
for fulfilment, appliance and compliance with the principles
relating to processing of personal data (Article 5).
5. As a Professional provide insight to the highest management level
(Article 38(3)) and/or relevant stakeholder(s) into the expectations
for monitoring the lawfulness of processing (Article 6).
6. As a Professional provide insight to the highest management level
(Article 38(3)) and/or relevant stakeholder(s) into the expectations
for realising and maintaining a register ex Article 30.
7. As a Professional provide insight to the highest management level
(Article 38(3)) and/or relevant stakeholder(s) into the expectations
for review and update of the GDPR implementation measures
(GDPR requirements and GDPR controls).
8. As a Professional provide insight to the highest management level
(Article 38(3)) and/or relevant stakeholder(s) into the expectations
within the framework of GDPR risk management and control.
9. As a Professional provide insight to the highest management level
(Article 38(3)) and/or relevant stakeholder(s) into the expectations
within the framework of GDPR issue management.
10. As a Professional provide insight to the highest management level
(Article 38(3)) and/or relevant stakeholder(s) into the expectations
within the framework of Data Protection Impact Assessment
(DPIA) obligations.
Figure 10.2 General goals
10.2.1.1 Professional capacity direct reporting
The DPO, as a professional, provides the highest management level and/or
GDPR stakeholder(s) of the controller or the processor with insight into the
way in which he/she has exerted himself/herself to promote compliance with
the obligations pursuant to the GDPR that primarily rest with the controller,
processor and employees.[332] According to Opinion 3/2010 (WP 173)[333],
the goal of accountability is ‘… to reaffirm and to strengthen the
responsibility of controllers towards the processing of personal data. This is
without prejudice to concrete accountability measures that could complement
this principle.’

10.2.1.2 Insight into the expectations of the DPO: appropriate data
protection policies
The DPO, as a professional, provides insight to the highest management level
of the controller or processor and/or their stakeholder(s) into his/her
expectations regarding the realisation of appropriate data protection policies
(within the meaning of Article 24(2) GDPR) by the controller or processor.

10.2.1.3 Insight into the expectations of the DPO: appropriate and
effective measures

Professionally, the DPO provides insight to the highest management level of
the controller or processor and/or their stakeholder(s) into his/her
expectations regarding the implementation of appropriate and effective
measures (recital 74) by the controller or processor.
According to recital 74, the responsibility and liability of the controller for
any processing of personal data carried out by the controller or on the
controller's behalf should be established. In particular, the controller should
be obliged to implement appropriate and effective measures and be able to
demonstrate the compliance of processing activities with this Regulation,
including the effectiveness of the measures. Those measures should take into
account the nature, scope, context and purposes of the processing and the risk
to the rights and freedoms of natural persons.[334]

10.2.1.4 Insight into the expectations of the DPO: instantiation of and
compliance with principles
The DPO, as a professional, provides insight to the highest management level
of the controller or processor and/or their stakeholder(s) into his/her
expectations regarding the instantiation of and compliance with the
principles relating to the processing of personal data (Article 5(1)).
In the GDPR Accountability and Report Plan (ARP), the DPO assesses the
measures and concrete actions taken to instantiate and comply with the
principles relating to the processing of personal data ex Article 5(1) (also
referred to as the general GDPR duty of care of the controller). According to
this Article, personal data shall be:

a. Processed lawfully, fairly and in a transparent manner in relation to
the data subject (‘lawfulness, fairness and transparency’).
b. Collected for specified, explicit and legitimate purposes and not
further processed in a manner that is incompatible with those
purposes. Further processing for archiving purposes in the public
interest, scientific or historical research purposes or statistical
purposes shall, in accordance with Article 89(1), not be considered
to be incompatible with the initial purposes (‘purpose limitation’).
c. Adequate, relevant and limited to what is necessary in relation to
the purposes for which they are processed (‘data minimisation’).
d. Accurate and, where necessary, kept up to date. Every reasonable
step must be taken to ensure that personal data that are inaccurate,
having regard to the purposes for which they are processed, are
erased or rectified without delay (‘accuracy’).
e. Kept in a form which permits identification of data subjects for no
longer than is necessary for the purposes for which the personal
data are processed. Personal data may be stored for longer periods
insofar as the personal data will be processed solely for archiving
purposes in the public interest, scientific or historical research
purposes or statistical purposes in accordance with Article 89(1)
subject to implementation of the appropriate technical and
organisational measures required by this Regulation in order to
safeguard the rights and freedoms of the data subject (‘storage
limitation’).
f. Processed in a manner that ensures appropriate security of the
personal data, including protection against unauthorised or
unlawful processing and against accidental loss, destruction or
damage, using appropriate technical or organisational measures
(‘integrity and confidentiality’).

10.2.1.5 Insight into the expectations of the DPO: lawfulness of
processing
The DPO, as a professional, provides insight to the highest management level
of the controller or processor and/or their stakeholder(s) into his/her
expectations regarding the lawfulness of processing personal data. Ex Article
6(1), processing by the controller shall be lawful only if and to the extent
that at least one of the conditions mentioned there applies.

10.2.1.6 Insight into the expectations of the DPO: records of processing
activities
The DPO, as a professional, provides insight to the highest management level
of the controller or processor and/or their stakeholder(s) into his/her
expectations regarding the records of processing activities as mentioned in
Article 30.
On the basis of Article 30(1), each controller[335] and, where applicable, the
controller's representative, shall maintain a record of processing activities
under its responsibility. That record shall contain all of the information
mentioned in that article.
In practice, when performing a good ARP, the DPO often also devotes
attention to the following two aspects of compliance with the recording duty
ex Article 30:

1. Actual verification that the number of processing activities recorded
ex Article 30 GDPR is complete.
2. Actual verification of the data to be registered in the records for each
processing activity (components a to g of Article 30(1) GDPR).

10.2.1.7 Insight into the expectations of the DPO: review and update
The DPO, as a professional, provides insight to the highest management level
of the controller or processor and/or their stakeholder(s) into his/her
expectations regarding the duty to review and, where necessary, update the
appropriate technical and organisational measures as mentioned in Article
24(1) (last sentence).

It is recalled that the controller implements appropriate technical and
organisational measures on the basis of Article 24 to ensure and to be able to
demonstrate that processing is performed in accordance with this Regulation
(taking into account the nature, scope, context and purposes of processing as
well as the risks of varying likelihood and severity for the rights and
freedoms of natural persons). Within this framework, the GDPR requirements
and GDPR controls are of particular interest.

10.2.1.8 Insight into the expectations of the DPO: GDPR risk
management and control
The DPO, as a professional, provides insight to the highest management level
of the controller or processor and/or their stakeholder(s) into his/her
expectations regarding GDPR risk management. The ARP makes apparent
which measures should ideally be implemented concretely by the controller
to control GDPR risks, as well as which concrete actions correspond with
those measures in the vision of the DPO. The term ‘risk’ plays an important
role in the GDPR.[336]

10.2.1.9 Insight into the expectations of the DPO: GDPR issue
management
The DPO, as a professional, provides insight to the highest management level
of the controller or processor and/or their stakeholder(s) into his/her
expectations regarding GDPR issue management. The promotion of
implementing measures to control incidents (issue management) is in practice
often mentioned as an explicit goal of a GDPR implementation plan (GIP). In
that case, the DPO should devote particular attention to at least the
following two aspects:

1. The proper functioning of the identification (flagging) of possible
incidents (issues).
2. The efficient estimation of the risk when incidents occur.
Issue management plays a role in particular within the framework of security
issues[337]. Through accountability and reporting, the DPO can provide the
controller and/or processor with insight into his/her vision for realising a
security level appropriate to the risk (Article 32) in order to better protect
the personal data that are being processed.[338]
Ex Article 32(1) (security of processing), the controller and the processor
shall implement appropriate technical and organisational measures to ensure
a level of security appropriate to the risk, including inter alia, as appropriate:

1. The pseudonymisation and encryption of personal data.
2. The ability to ensure the ongoing confidentiality, integrity,
availability and resilience of processing systems and services.
3. The ability to restore the availability and access to personal data in
a timely manner in the event of a physical or technical incident.

10.2.1.10 Insight into the expectations of the DPO: DPIA duties

The DPO, as a professional, provides insight to the highest management level
of the controller or processor and/or their stakeholder(s) into the compliance
with Data Protection Impact Assessment (DPIA) obligations. Ex Article
35(3), a data protection impact assessment shall in particular be required in
the case of:

a. A systematic and extensive evaluation of personal aspects relating
to natural persons which is based on automated processing,
including profiling, and on which decisions are based that produce
legal effects concerning the natural person or similarly significantly
affect the natural person.
b. Processing on a large scale of special categories of data referred to
in Article 9(1), or of personal data relating to criminal convictions
and offences referred to in Article 10.
c. A systematic monitoring of a publicly accessible area on a large
scale.
A component of an ARP of the DPO could in this framework for example
also entail the vision of the DPO regarding the DPIA policies and DPIA
model(s) possibly already in use in the enterprise, organisation or institution,
and whether or not they are applied well.

10.2.2 Side effects of an ARP

It is plausible that the side effects of an ARP depend on its design and
structure. In general, it could be argued that a good and competently
performed ARP as part of the DPO work plan could lead to the following
side effects that (as was the case for the GDPR baseline, GDPR gap-analysis,
GDPR review and GDPR update) could be used in the framework of the DPO
work plan.

1. Promote insight into the necessary resources for both the controller
and the DPO (Article 38(2)).
2. GDPR awareness raising (Article 39(1)(b)).
3. Promote better insight into the processing activities (Article 30).
4. Promote insight into the importance of processing for corporate
critical processes (among others recital 74).
5. Promote an effective performance of the legal DPO tasks.
Since these side effects correspond mutatis mutandis (roughly) with the side
effects of a GDPR baseline, GDPR gap-analysis and GDPR implementation,
for the sake of brevity reference is made to what has already been discussed
on this in § 6.1.3.2.

10.3 GDPR accountability and reporting: process steps
Performing an ARP well and competently, with or without external support,
could form a challenge for the DPO, both on an organisational and a
substantive level. Formulating a number of clear steps in the ARP could at
least lead to some organisational relief, because the main steps can then be
visualised clearly and in sequence, taking into account the methodical
realisation of the objectives of the ARP defined in advance.

Figure 10.4 Roadmap

10.3.1 Step 1: Determine the subject of accountability reports

The first step towards professional accountability and reporting on the
activities of the DPO is determining the subject of the accountability report,
or answering the question what (subjects, themes, investigations etc.) is
accounted for.
In general (as an arbitrary selection) the following subjects can be
distinguished for the purposes of a ‘report on activities of the DPO’ that
ideally complement the component(s) of the DPO work plan previously
communicated by the DPO.[339]
1. GDPR anomalies that stand out.
2. Regular GDPR investigations by the DPO.
3. Special GDPR investigations by the DPO.
4. External or internal GDPR audits that are performed.
5. GDPR audits by the DPO himself/herself within the framework of
‘monitoring compliance’.
6. GDPR policies of the controller.
7. The allocation of GDPR responsibilities.
8. Sufficient attention for GDPR awareness.
9. GDPR and information security (Article 32(1)).
10. Notification of a personal data breach (Article 33(1)).
11. GDPR compliant behaviour of data subjects within the organisation
(co-workers, interns, etc.).
12. GDPR data flow management (for example within the framework
of Article 30).
13. GDPR training of the personnel involved with processing.
14. Compliance with GDPR principles relating to the processing of
personal data.
15. Compliance with GDPR recommendations (advice) by the DPO.
16. GDPR supply chain liability (for example relating to dysfunctional
processing agreements).
17. Comprehensible communication on GDPR subjects.
18. Ethical (etiquette related) aspects of the GDPR, with particular
interest for digital ethics.[340]
19. GDPR sources of the DPO.
20. Cooperation between the DPO and the DPA (Article 39(1)(d)).
Relating to the determination of the subject of an accountability report by the
DPO, the so-called ‘duty of loyalty’ as mentioned in the ‘Professional
Standards for Data Protection Officers of the EU Institutions and Bodies’[341]
is also of interest. The following is noted there.
‘The DPO should prepare a report, normally once or twice a year, to inform
his/her institution, and in particular the controllers, of the status of data
protection compliance. The reports should be published on the
institution/body’s intranet site. A copy of these reports should be available to
the EDPS, either by publication or by sending it to him/her directly. These
reports could, for instance, include:
1. A status report on notifications, prior checks, and the state of the
institution/body’s Register.
2. A summary of any supervision activities of the EDPS with respect
to the institution/body over the relevant period.
3. Information on any training activities that were provided over the
relevant period, and any training planned for the future.
4. A status report on efforts undertaken to satisfy the
recommendations made by the EDPS in prior checking opinions.
5. Report on requests and complaints received from data subjects, and
their status.
6. The results of checks and audits carried out by the DPO in selected
parts of the organisation using a rotation system, including
conclusions as to the state of compliance and where necessary
recommendations to solve situations of non (or non-full)
compliance.
7. Report of activities in the EU DPO Network.
8. Report of activities of internal correspondents’ network, if
applicable.
9. Such report should be presented to the highest management level of
the organisation, highlighting best practices and examples of good
compliance but also areas which require further attention or specific
actions.’

10.3.2 Step 2: Identify and approach the stakeholders of the
DPO accountability report
Whereas in the first step the DPO determines which subjects, themes and
investigations will be discussed in the envisaged DPO accountability report,
in the second step the relevant GDPR stakeholders are identified and
approached with the request to give a first response to the draft of the
envisaged GDPR accountability report by the DPO.
In performing the tasks of the DPO within the framework of the obligations
pursuant to the GDPR of the controller, processor or employees, it is for that
matter not implausible that the DPO involves various internal and external
experts. For example, external parties are often asked for a legal opinion or
second expert opinion on matters that require special GDPR expertise, given
the complex facts and circumstances of the specific case. Where this is the
case, it is generally recommended to include such GDPR experts’ opinions
integrally in the DPO accountability report.

10.3.3 Step 3: Determine the scope of the DPO accountability
report
Once the subject of the DPO accountability report is determined and the
GDPR stakeholders are identified and approached, the scope of the DPO
accountability report is definitively defined (and delineated) in step three by
the DPO himself/herself. It is generally recommended to take into account
the following (previously mentioned) aspects.

1. The measures as mentioned in the GDPR itself.
2. Measures as mentioned in other Union data protection legislation
and regulation.
3. Industry codes of conduct under Article 40.
4. Measures as mentioned in national data protection laws and
regulations.
5. General (security) norms, such as
ISO/CIE/CEN/CENELEC/ENISA.
6. Organisation specific (internal) regulations.

10.3.4 Step 4: Compose a first draft of the DPO
accountability report
On the basis of the information gathered in the first three steps, the
feedback received and the final score determination, in the fourth step the
DPO composes a draft DPO accountability report, primarily containing the
professional findings of the DPO regarding compliance by the controller,
processor and employees with their obligations pursuant to the GDPR.[342]
In general, keeping in mind the goal of the DPO accountability report, it can
be recommended to provide professional insight to the highest management
level (Article 38(3)) and/or relevant stakeholder(s) into the expectations of
the DPO regarding the review and update of, for example, GDPR
implementation measures (GDPR requirements and GDPR controls). In such
a case, it is advisable that the DPO devotes attention in the first draft to the
aspects relevant for the controller and/or processor, so that the particular
GDPR stakeholders can provide a first response. Continuing the current
example, the DPO could, among others, devote further attention to the
following aspects.

1. In what way does the DPO expect that the controller and/or
processor shall have due regard to the risk associated with
processing operations, taking into account the nature, scope,
context and purposes of processing?
2. How does the DPO assess the compliance parameters used within
the framework of the GDPR gap-analysis?
3. On which grounds does the DPO conclude that the (SMART
formulated) goals of the GDPR implementation plan (GIP) defined
in advance are or are not achieved?

10.3.5 Step 5: Involve all GDPR stakeholders

After completion of the four previous steps, the DPO should at least request
the most important GDPR stakeholders of the organisation for a first response
to the draft of the accountability report, in order to comment on and perfect
the draft.
One could concretely think here of involving at least those disciplines that
have, for example, been of added value in actually performing the concrete
GDPR measures and actions taken to (nonetheless) comply with the particular
obligations of the controller and/or processor pursuant to the GDPR. The
most important stakeholders have to be identified and involved in giving a
response to the draft of the accountability report of the DPO. A stakeholder
can in general be described as a person or organisation that is actively
involved in GDPR projects, or whose interests can be influenced positively or
negatively by the accountability report of the DPO. More concretely, one
could think of, for example, the board, (higher and middle) management,
resource management, privacy officers, compliance officers and heads of
departments.

10.3.6 Step 6: Compose the final version of the DPO
accountability report
Once steps 1 to 5 have been successfully completed, the DPO possesses
sufficient information and feedback to compose the final version of the
specific DPO accountability report.
Clear conclusions and recommendations of the DPO are usually valued by all
GDPR stakeholders. In that regard, it is advisable that the DPO, for each
GDPR compliance measure discussed, describes as precisely (clearly) as
possible what the specific GDPR compliance measure entails in his/her
vision. Within this framework, attention is usually devoted to the following
aspects by the controller and/or processor:

1. Rationale and background of the specific GDPR compliance
measure.
2. Relevant parameters for measuring GDPR compliance.
3. Which specific circumstances are relevant in order to have due
regard to the risk associated with processing operations, taking into
account the nature, scope, context and purposes of processing.

10.4 Accountability and reports: points of interest for the DPO
As identified multiple times, the DPO is required to perform his/her tasks
across the full width of the ‘obligations pursuant to the GDPR’. In the
wording of Article 39(1)(a) of the GDPR, ‘The data protection officer shall
have at least the following tasks: to inform and advise the controller or the
processor and the employees who carry out processing of their obligations
pursuant to this Regulation and to other Union or Member State data
protection provisions.’
In light of the special role, task and positioning of the DPO, the following
also deserves attention – among others by analogy with the ‘ethical
standards’ of the DPO that operates on the basis of Regulation (EC) 45/2001
– for the DPO operating under Regulation (EU) 2016/679 (GDPR).

Loyalty

The ‘duty of loyalty’ as entailed in the ‘Professional Standards for Data
Protection Officers of the EU institutions and bodies’, reads as follows.[343]
‘The DPO owes a duty of loyalty to the protection of personal data in the
institution or body that appointed him/her. Accordingly:

a. The DPO shall take all steps necessary to ensure the application of
data protection requirements within his/her institution, as
elaborated in the Regulation, the institution/body’s implementing
rules, and these standards.
b. The DPO shall exercise independent professional judgment in
performing his/her duties and render candid advice to his/her
institution, its controllers, and data subjects on data protection
matters.
c. While handling a complaint of a data subject, the DPO shall act
with diligence and promptness to impartially analyse the issues
raised in order to determine whether there has been a violation of
the requirements of the Regulation. If so, he/she should attempt to
resolve the matter with his/her institution and thereafter report to
the complainant on the solution found. A DPO shall not counsel or
assist his/her institution to alter, destroy or conceal a document or
other material relevant to the complaint.’

Confidentiality

The ‘obligation of confidentiality’ as entailed in the ‘Professional Standards
for Data Protection Officers of the EU institutions and bodies’, reads as
follows[344]: ‘The DPO and related staff shall not divulge information or
documents which they obtain in the course of their duties, and are subject to
the requirements of professional secrecy.’
Where the DPO is involved in performing the GDPR policies of the
controller (for example as member of a GDPR sounding board, GDPR
steering committee, GDPR project manager or as member of the GDPR
implementation team), the DPO should at least continue to devote
constructive attention to the vision, mission and strategy (VMS) of his/her
own DPO work plan, bearing in mind the accountability within that
framework, also placed within the context of loyalty and confidentiality.

10.5 Table of reference DPO work plan: ARP

With, among others, the goal of providing insight into the role of the DPO
within the context of accountability and reporting as discussed in this
chapter, placed in the light of the vision, mission and strategy (VMS) of the
DPO work plan (as extensively discussed in chapter 4), the following table of
reference has been composed. It could provide a general framework for the
DPO for further fulfilment and development, tailored to his/her own
enterprise, institution or organisation, where the DPO (under Article 39(2))
shall have due regard to the risks associated with processing operations,
taking into account the nature, scope, context and purposes of processing.
ANNEXURES
1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016, General Data Protection Regulation (GDPR) after corrigendum.
2. Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of personal data by
competent authorities for the purposes of the prevention, investigation, detection or
prosecution of criminal offences or the execution of criminal penalties, and on the free
movement of such data, and repealing Council Framework Decision 2008/977/JHA.
3. DIRECTIVE (EU) 2016/681 OF THE EUROPEAN PARLIAMENT AND OF THE
COUNCIL of 27 April 2016 on the use of passenger name record (PNR) data for the
prevention, detection, investigation and prosecution of terrorist offences and serious
crime.
4. REGULATION (EU) 2018/1725 OF THE EUROPEAN PARLIAMENT AND OF THE
COUNCIL of 23 October 2018 on the protection of natural persons with regard to the
processing of personal data by the Union institutions, bodies, offices and agencies and on
the free movement of such data, and repealing Regulation (EC) No 45/2001 and
Decision No 1247/2002/EC.
5. DECISION OF THE EUROPEAN DATA PROTECTION SUPERVISOR adopting
implementing rules concerning the Data Protection Officer pursuant to Article 45(3) of
Regulation (EU) N° 2018/1725
6. WP 243 rev.01 Guidelines on Data Protection Officers (‘DPOs’), 5 April 2017
7. WP243 ANNEX - FREQUENTLY ASKED QUESTIONS
8. AEPD Certification scheme
9. CNIL DPO Certification
10. EADPP CDPO Certification Code of Conduct
11. EADPP CDPO Certification Mechanism (PPT)
12. LIST OF DPA’s in the European Economic Area (EEA)


[1]
WP 173, Opinion 3/2010 on the principle of accountability (13 July 2010), § 13, p. 5.
[2]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.2, p. 14.
[3]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 1, p. 5.
[4]
See for example Article 18 of the Council Directive 95/46/EC of 24 October 1995 on the protection
of individuals with regard to the processing of personal data and on the free movement of such data
[1995] OJ L281/31 and consideration 54 of the GDPR.
[5]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 1, p. 4.
[6]
Historically, the term privacy officer is mostly used in the American context where a privacy
compliance officer was appointed (initially voluntarily and later mandatory) in certain companies in
certain sectors in particular for the protection (security) of personal data, among others customer data,
medical data and financial data of individual people. See for more detail, Roberta Fusaro, ‘Chief
Privacy Officer’ (Harvard Business Review 2000) https://hbr.org/2000/11/chief-privacy-officer
accessed 11 May 2019.
[7]
See First Amendment Note (II, nr. 11, p. 6), Dutch Parliamentary History.
[8]
Courts may be exempted from that obligation, when acting in their judicial capacity. See Article 32
of Council Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard
to the processing of personal data by competent authorities for the purposes of the prevention,
investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and
on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA [2016]
OJ L119/89.
[9]
Within this context, WP29 refers to ‘core activities’, further elaborated on in WP 243 rev.01,
Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.2, p. 7.
[10]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.1, p. 6.
[11]
According to the definition of ‘public sector body’ and ‘body governed by public law’ in Article
2(1) and (2) of Council Directive 2003/98/EC of 17 November 2003 on the re-use of public sector
information [2003] OJ L345/90.
[12]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.1, p. 6.
[13]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.2, p. 7.
[14]
WP29 has formulated criteria for the interpretation of ‘large scale’, 1) the number of data subjects
concerned, 2) the volume of data being processed and 3) the duration of the data processing activity and
4) the geographical extent of the processing activity. See WP 243 rev.01, Guidelines on Data
Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.3, p. 7 – 8. Next to that, the Dutch DPA has given
more detailed explanatory notes for specific providers of care. It has mentioned the number of 10,000
(patients) to identify when there is a case of processing personal data on a large scale. See
www.autoriteitpersoonsgegevens.nl (available in Dutch).
[15]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.3,
footnote 14, p. 7.
[16]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.3, p. 7.
[17]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.3, p. 8.
[18]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.4,
footnote 16, p. 8.
[19]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.4, p. 8.
[20]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.4, p. 8 –
9.
[21]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.4, p. 9.
[22]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.1.5, p. 9.
[23]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.2, p. 9 – 10.
[24]
According to Article 12(1) of the GDPR: ‘The controller shall take appropriate measures to provide
any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and
34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible
form, using clear and plain language, in particular for any information addressed specifically to a
child.’ According to WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05,
2017), § 2.3, footnote 22, p. 10.
[25]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.3, p. 10.
[26]
For a more detailed discussion, see also Kadir, Romeo F., Business Companion Data Protection –
Practical GDPR Guidance, EIPACC (2021), www.dataprotectionbooks.com.
[27]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.2, p. 14.
[28]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 5, p. 22.
[29]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.4, p. 11.
[30]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.4, p. 11.
[31]
In accordance with Article 3(3) of the GDPR, the GDPR applies to the processing of personal data
by a controller not established in the Union, but in a place where Member State law applies by virtue of
public international law.
[32]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.6, p. 12.
[33]
Confidentiality is equally important: for example, employees may be reluctant to complain to the
DPO if the confidentiality of their communications is not guaranteed, as stated in WP 243 rev.01,
Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.6, p. 12.
[34]
Communicating the name of the DPO to the supervisory authority is however of essential interest if
the DPO wants to act as a contact point between the organisation and the supervisory authority (Article
39(1)(e) of the GDPR).
[35]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.6, p. 12 –
13.
[36]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.5, p. 11.
[37]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.5, p. 11.
[38]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.5, p. 11.
[39]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.5, p. 11.
[40]
Zwenne 2016, ‘Wat doen we met de functionaris voor de gegevensbescherming (m/v)?’ (2016) 3
Tijdschrift voor Internetrecht 89 (only available in Dutch).
[41]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.5, p. 12.
[42]
See with respect to the safeguarding principles of data protection among others, Kadir, Romeo F.,
Business Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com.
[43]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.5, p. 12.
[44]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.5, p. 12.
[45]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2, p. 5 – 6.
[46]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2, footnote
11, p. 6.
[47]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.1, p. 14.
[48]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.1, p. 17.
[49]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.1, p. 17.
[50]
It is established in Article 24(1) of the GDPR that ‘taking into account the nature, scope, context
and purposes of processing as well as the risks of varying likelihood and severity for the rights and
freedoms of natural persons, the controller shall implement appropriate technical and organisational
measures to ensure and to be able to demonstrate that processing is performed in accordance with this
Regulation. Those measures shall be reviewed and updated where necessary’.
[51]
According to recital 80 of the GDPR.
[52]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.3, p. 18.
[53]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.3, p. 18.
[54]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.4, p. 18.
[55]
According to Article 39(1)(b) of the GDPR.
[56]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.5, p. 19.
[57]
Article 24(1)(d) of Council Regulation (EC) 45/2001 of 18 December 2000 on the protection of
individuals with regard to the processing of personal data by the Community institutions and bodies
and on the free movement of such data [2000] OJ L8/1.
[58]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.2, p. 14.
[59]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.1, p. 13.
[60]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.1, p. 13 –
14.
[61]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.2, p. 14.
[62]
According to recital 97 of the GDPR.
[63]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.3, p. 15.
[64]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.4, p. 15.
[65]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.5, p. 16.
[66]
See also Bayerisches Landesamt für Datenschutzaufsicht Ansbach (20.10.2016) where the German
privacy supervisory authority has issued a fine for combining the function of Head IT with the position
of DPO. See www.lda.bayern.de.
[67]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.5, p. 16.
[68]
See also Article 63(4) of the Wbp (the former Dutch data protection legislation), which imposed a
confidentiality obligation on the officer regarding what became known to him on the basis of a
complaint or a request of a data subject, unless the data subject agrees to publication.
[69]
For a more detailed discussion, see also Kadir, Romeo F., Business Companion Data Protection –
Practical GDPR Guidance, EIPACC (2021), www.dataprotectionbooks.com.
[70]
Arend-Jan Eshuis, Joost van Tilborg, Barend Koch et al, ‘De succesvolle medewerker’ in Smit,
Verhoeven and Driessen (Eds), Personeelsselectie en assessment: wetenschap in de praktijk
(Koninklijke Van Gorcum 2006), p. 42 (available in Dutch).
[71]
Arend-Jan Eshuis, Joost van Tilborg, Barend Koch et al, ‘De succesvolle medewerker’ in Smit,
Verhoeven and Driessen (Eds), Personeelsselectie en assessment: wetenschap in de praktijk
(Koninklijke Van Gorcum 2006), p. 42 (available in Dutch).
[72]
Paul van der Maesen de Sombreff, ‘Vat krijgen op strategische competenties: haal competenties uit
eigen experts’ [2002] Gids voor Personeelsmanagement 44 (available in Dutch).
[73]
Daniel Goleman, Working with emotional intelligence (Bantam Books 1998).
[74]
Robert Quinn, Sue Faerman, Michael Thompson et al, Becoming a master manager: a competency
framework (2nd edition, John Wiley and Sons 1996).
[75]
Arend-Jan Eshuis, Joost van Tilborg, Barend Koch et al ‘De succesvolle medewerker’ in Smit,
Verhoeven and Driessen (eds), Personeelsselectie en assessment: wetenschap in de praktijk
(Koninklijke Van Gorcum 2006), p. 53 – 54 (available in Dutch).
[76]
Arend-Jan Eshuis, Joost van Tilborg, Barend Koch et al ‘De succesvolle medewerker’ in Smit,
Verhoeven and Driessen (eds), Personeelsselectie en assessment: wetenschap in de praktijk
(Koninklijke Van Gorcum 2006), p. 55 (available in Dutch). Reproduction and adaptation of Patricia
McLagan, The Models for HRD practice (American Society for Training and Development 1989).
[77]
Henk Verhoeven and Barend Koch, ‘Andere manieren van kijken’ in Smit, Verhoeven and
Driessen (eds), Personeelsselectie en assessment: wetenschap in de praktijk (Koninklijke Van Gorcum
2006), p. 135 (available in Dutch).
[78]
According to Henk Verhoeven and Barend Koch, ‘Andere manieren van kijken’ in Smit,
Verhoeven and Driessen (eds), Personeelsselectie en assessment: wetenschap in de praktijk
(Koninklijke Van Gorcum 2006), p. 136 (available in Dutch). Under reference to Barbara Brown and
Michael Campion, ‘Biodata Phenomenology: Recruiters’ Perceptions and Use of Biographical
Information in Resume Screening’ (1994) 79 Journal of Applied Psychology 6 897.
[79]
Jane Harvey-Cook and Richard Taffler, ‘Biodata in professional entry-level selection: statistical
scoring of common format applications’ (2000) 73 Journal of Occupational and Organizational
Psychology 103.
[80]
Alec Serlie and Arnold Driessen, ‘Wegen en Beslissen’ in Smit, Verhoeven and Driessen (eds),
Personeelsselectie en assessment: wetenschap in de praktijk (Koninklijke Van Gorcum 2006), p. 170
(available in Dutch).
[81]
STAR is an acronym for Situation, Task, Activity and Result. The core of this method is that
behaviour from the recent past is the best predictor of future behaviour. It comes down to giving
examples of actual (work) behaviour that is related to the position profile. In this way, candidates can
show that they are suitable for the position they applied for.
[82]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.3, p. 15.
[83]
Lisa DiBenedetto Velardi, ‘8 Tips for Building a Successful Compliance Communication Plan’
(Compliance Wave 23 September 2015) https://www.compliancewave.com/blog/8-tips-for-building-a-
successful-compliance-communication-plan accessed 11 May 2019.
[84]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 8, p. 23.
[85]
John Mackenzie Owen, ‘Kennismanagement’ in Handboek informatiewetenschap, I 560 (Samson
2011), p 1 – 27 (available in Dutch).
[86]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.3, p. 18.
[87]
In a similar sense, ‘Privacywet en privacyfunctionaris: val ik in de prijzen?’ (NGFG April 2009), p.
9 (available in Dutch).
[88]
Ponemon Institute LLC, The True Cost of Compliance: A Benchmark Study of Multinational
Organizations (January 2011), p. 3.
[89]
54% of Dutch employees would immediately decline a job offer from an employer with a bad
reputation, regardless of the salary increase they would receive. Even a salary increase of more than
10% would not convince a quarter of Dutch professionals to accept the offer. Such companies have to
dig deep into their pockets to attract talent and retain it. See Max van Liemt, ‘De 7 eigenschappen van
effectieve Employer Branding’ (Recruiting Roundtable 12 September 2011)
https://www.recruitingroundtable.nl/2011/09/12/7-eigenschappen-van-effectieve-employer-branding/
accessed 11 May 2019.
[90]
DNB, ‘De 7 Elementen van een Integere Cultuur: Beleidsvisie en aanpak gedrag en cultuur bij
financiële ondernemingen 2010 – 2014’ (November 2009) § 3, p. 6 (available in Dutch).
[91]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.2, p. 14.
[92]
See among others chapter 1.
[93]
For a thematic article by article discussion on the GDPR obligations, see also Kadir, Romeo F.,
Business Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com.
[94]
Ontology is used here in the sense of the study of the categories within a domain, which forms a
logical basis for a (scientific approach to the) representation of knowledge.
[95]
Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on the
protection of individuals with regard to the processing of personal data and on the free movement of
such data (General Data Protection Regulation)’ COM (2012) 11 final.
[96]
This harmonisation means alignment without prejudice to the fact that, pursuant to Article 38(3)
GDPR, the DPO may not receive instructions while performing his or her tasks.
[97]
For an Article-by-Article discussion of ‘GDPR obligations’, see also Kadir, Romeo F., Business
Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com.
[98]
See also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive collection of the
most important official sources for a better understanding of the GDPR, EIPACC (2021),
www.dataprotectionbooks.com.

[99]
For further research, see among others ENISA, ‘Recommendations on European Data Protection
Certification’ (27 November 2017) https://www.enisa.europa.eu/publications/recommendations-on-
european-data-protection-certification accessed 11 May 2019.
[100]
See https://www.coso.org.
[101]
For a practical approach of privacy risk management, see also CNIL, ‘Methodology for Privacy
Risk Management: How to implement the Data Protection Act’ (June 2012)
https://www.cnil.fr/sites/default/files/typo/document/CNIL-ManagingPrivacyRisks-Methodology.pdf
accessed 11 May 2019.
[102]
See also Kadir, R.F., Handbook Certified Data Protection Officer (DPO) – Body of Knowledge &
Skills (BOKS), EIPACC Publications (2021), www.dataprotectionbooks.com.
[103]
Anita van Bergenhenegouwen, ‘Business Intelligence ontwikkelproces: de kritische succesfactoren
voor een succesvol project’ (Thesis, Open Universiteit 2008) (available in Dutch).
[104]
The Standish Group Report: Chaos 2011 https://www.projectsmart.co.uk/white-papers/chaos-
report.pdf (p. 15).
[105]
For more details, see also Kadir, Romeo F., Business Companion Data Protection – Practical
GDPR Guidance, EIPACC (2021), www.dataprotectionbooks.com.
[106]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.3, p. 18.
[107]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 10, p. 24.
[108]
According to Article 39(1)(b) of the GDPR.
[109]
The following possible personal drivers of the DPO were distinguished there: Data Protection
Expert(s), take on a leadership role, accountability, increase the degree of acceptance, apply knowledge
and skills and visualize a careful balance of interests.
[110]
The following advantages can generally be connected to process improvement for the DPO, 1) the
DPO is capable of qualitatively better performance of tasks, 2) the DPO is better equipped to
substantiate the necessity of a specific financial budget, 3) the DPO can organise himself in such a way
that excessive stress is avoided, 4) the DPO can deploy IT more efficiently to support (simplify) its own
AO/IC, 5) the DPO can accomplish more, with less support (of for example HR), 6) the DPO reduces
the chances of making mistakes, 7) the DPO can save time because of good process management, 8)
the DPO responds quicker and more efficiently to changes in processes, 9) the DPO can be of better
service to internal stakeholders (colleagues, Works Council etc.), 10) the DPO can be of better service
to external stakeholders (DPA, data subjects).
[111]
A professional DPO work plan appreciates the findings of internal and external audits within the
meaning that sufficient attention is devoted to possible risks of non-compliance in the interest of the
own organisation.
[112]
Depending on the circumstances, proper attention to risk and incident management in the DPO work
plan can offer the organisation the following advantages: 1) handling risks cleverly, 2) connecting to
management actions, 3) opening debates on risk acceptance, 4) better delivery of professional service
by the organisation (better customer experience), 5) reducing the amount of management time spent on
minor problems, 6) more internal focus on doing the right things well, 7) a better basis for determining
strategies, 8) obtaining competitive advantage, 9) more efficient use of resources, 10) lower restoration
costs due to non-compliance.
[113]
According to recital 74 of the GDPR, ‘The responsibility and liability of the controller for any
processing of personal data carried out by the controller or on the controller's behalf should be
established. In particular, the controller should be obliged to implement appropriate and effective
measures and be able to demonstrate the compliance of processing activities with this Regulation,
including the effectiveness of the measures. Those measures should take into account the nature, scope,
context and purposes of the processing and the risk to the rights and freedoms of natural persons.’ The
risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from
personal data processing which could lead to physical, material or non-material damage, according to
recital 75 of the GDPR.
[114]
For a comprehensive collection of official GDPR resource documents, see also Kadir, Romeo F.
(Ed.), GDPR Official Resources – A comprehensive collection of the most important official sources
for a better understanding of the GDPR, EIPACC (2021), www.dataprotectionbooks.com.
[115]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.2, p. 14.
[116]
For more detailed explanation of related terms and definitions, see also
[117]
Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on the
protection of individuals with regard to the processing of personal data and on the free movement of
such data (General Data Protection Regulation)’ COM (2012) 11 final. See also Kadir, Romeo F.
(Ed.), GDPR Official Resources – A comprehensive collection of the most important official sources
for a better understanding of the GDPR, EIPACC (2021), www.dataprotectionbooks.com.
[118]
Supplement to the Commission, ‘Proposal for a Regulation of the European Parliament and of the
Council on the protection of individuals with regard to the processing of personal data and on the free
movement of such data (General Data Protection Regulation)’ COM (2012) 11 final. p. 1.
[119]
Commission, ‘Europe 2020: A strategy for smart, sustainable and inclusive growth’ COM (2010)
2020 final.
[120]
According to recital 75 of the Commission, ‘Proposal for a Regulation of the European Parliament
and of the Council on the protection of individuals with regard to the processing of personal data and
on the free movement of such data (General Data Protection Regulation)’ COM (2012) 11 final.
[121]
Council Regulation (EC) 45/2001 of 18 December 2000 on the protection of individuals with
regard to the processing of personal data by the Community institutions and bodies and on the free
movement of such data [2000] OJ L8/1. This Regulation is repealed by Regulation (EU) 2018/1725 of
the European Parliament and of the Council of 23 October 2018 on the protection of natural persons
with regard to the processing of personal data by the Union institutions, bodies, offices and agencies
and on the free movement of such data, OJ L 295, 21.11.201.
[122]
EDPS, ‘Position paper on the role of Data Protection Officers in ensuring effective compliance
with Regulation (EC) 45/2001’ (28 November 2005)
https://edps.europa.eu/sites/edp/files/publication/05-11-28_dpo_paper_en.pdf accessed 11 May 2019.
See also EDPS, Position paper on the role of Data Protection Officers of the EU institutions and bodies
(18-09-30).
[123]
This Working Party was set up under Article 29 of Council Directive 95/46/EC of 24 October
1995 on the protection of individuals with regard to the processing of personal data and on the free
movement of such data [1995] OJ L281/31. It is an independent European advisory body on data
protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of
Directive 2002/58/EC. The secretariat is provided by Directorate C (Fundamental rights and rule of
law) of the European Commission, Directorate General Justice and Consumers, B-1049 Brussels,
Belgium, Office No MO59 02/27. Website: http://ec.europa.eu/justice/data-protection/index_en.htm.
[124]
Council Regulation (EC) 45/2001 of 18 December 2000 on the protection of individuals with
regard to the processing of personal data by the Community institutions and bodies and on the free
movement of such data [2000] OJ L8/1.
[125]
Network of Data Protection Officers of the EU institutions and bodies, ‘Professional Standards for
Data Protection Officers of the EU institutions and bodies working under Regulation (EC) 45/2001’
https://ec.europa.eu/anti-fraud/sites/antifraud/files/docs/body/dpo_standards.pdf accessed 11 May 2019.
[126]
See www.eadpp.eu and https://www.eadpp.eu/eadpp-certification.
[127]
The EADPP CDPO Certification Body of Knowledge & Skills (BOKS) is discussed in detail in
Kadir, R.F., Handbook Certified Data Protection Officer (CDPO) – Body of Knowledge & Skills
(BOKS), EIPACC Publications (2021) | www.dataprotectionbooks.com.
[128]
See https://privapedia.com/exams.php.
[129]
The EADPP CDPO Certification Code of Ethics is discussed in detail in Kadir, R.F., Handbook
Certified Data Protection Officer (CDPO) – Body of Knowledge & Skills (BOKS), EIPACC
Publications (2021) | www.dataprotectionbooks.com. See also https://privapedia.com/exams.php and
below Annexure 10 for the full text of the EADPP Certification Code of Ethics.
[130]
For a detailed discussion on ‘appropriate measures’ see also Kadir, Romeo F., Business
Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com. For a comprehensive collection of official GDPR resource documents,
see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive collection of the most
important official sources for a better understanding of the GDPR, EIPACC (2021),
www.dataprotectionbooks.com.
[131]
For a more detailed discussion, see above Chapter 2.
[132]
See www.gdprcertifications.eu. Prudential control of internal audit findings can be of interest for
the DPO work plan. The EADPP CDPO Certification Body of Knowledge & Skills (BOKS) is
discussed in detail in Kadir, R.F., Handbook Certified Data Protection Officer (CDPO) – Body of
Knowledge & Skills (BOKS), EIPACC Publications (2021) | www.dataprotectionbooks.com.
[133]
Compare the definition of an inventory list within the meaning of the ‘Archiefwet’ (the Dutch
Archive legislation), being a systematic, or otherwise automated, description of archive components
with a table of contents, explanatory introduction and such. File inventories are also part of it.
[134]
According to recital 9 of the GDPR, the objective of the GDPR is to manage the legal
fragmentation within the EU in the area of privacy and data protection. Differences in the level of
protection of the rights and freedoms of natural persons, in particular the right to the protection of
personal data, with regard to the processing of personal data in the Member States may prevent the free
flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to
the pursuit of economic activities at the level of the Union, distort competition and impede authorities
in the discharge of their responsibilities under Union law. Such a difference in levels of protection is
due to the existence of differences in the implementation and application of Directive 95/46/EC. In
order to ensure a consistent and high level of protection of natural persons and to remove the obstacles
to flows of personal data within the Union, the level of protection of the rights and freedoms of natural
persons with regard to the processing of such data should be equivalent in all Member States, according
to recital 10 of the GDPR.
[135]
Compare also the general goals of internal control within the meaning of COSO. COSO starts from
the philosophy that internal control is a process, focused on obtaining a reasonable degree of
assurance regarding the achievement of aims in the following four domains: 1) Strategic: achieving
strategic aims, 2) Operational: effectiveness and efficiency of business processes, 3) Reporting:
reliability of information transfer and 4) Compliance: compliance with relevant legislation and regulations.
[136]
See http://ec.europa.eu/newsroom.
[137]
See http://ec.europa.eu/justice/data-protection/reform.
[138]
Transfers are necessary for the implementation of a contract between the data subject and the
controller or for the implementation of precontractual measures, taken at the request of the data subject.
[139]
See www.autoriteitpersoonsgegevens.nl for the situations in which the Dutch DPA prescribes the
performance of a DPIA.
[140]
For a more detailed discussion on the general GDPR privacy duty of care, see Kadir, Romeo F.,
Business Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com. For a more basic explanation of the applicable principles of processing,
see Romeo Kadir, ‘Privacy and Data Protection, Certified GDPR Compliance’, which can be accessed
by visiting: https://www.udemy.com/course/european-institute-certified-gdpr-data-protection-
compliance/.
[141]
For a collection of relevant EU case law regarding these rights, see among others Kadir, Romeo
F., Business Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com.
[142]
For the importance of a professional complaints handling procedures see also Kadir, R.F.,
Handbook Certified Data Protection Officer (CDPO) – Body of Knowledge & Skills (BOKS), EIPACC
Publications (2021) | www.dataprotectionbooks.com.
[143]
Examples of goals related to Business Intelligence are the inventory of personal data regarding
customer acquisition, customer insight, customer acceptance, data management, credit control and
collection management.
[144]
See also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive collection of the
most important official sources for a better understanding of the GDPR, EIPACC (2021),
www.dataprotectionbooks.com.
[145]
With these guidelines, the Dutch DPA wants to clarify its expectations regarding the security of
personal data. In that regard, the organisation has room to design the security of personal data that is
most suitable, in terms of method and resources, to its specific situation. An organisation should always
safeguard the rights of stakeholders, and its security should be adequate and competently applied, with
the organisation making optimal use of the knowledge available in the field of information security.
See www.autoriteitpersoonsgegevens.nl (available in Dutch).
[146]
In similar sense also Article 32(3) of the GDPR (security of processing).
[147]
See also Romeo Kadir, GDPR Dictionary, Contextualization of GDPR related terms and
definitions, PPG (2020), www.gdprliterature.eu.
[148]
ISO 5807:1985, see https://www.iso.org/standard/11955.html.
[149]
For a more elaborate discussion, see Kadir, Romeo F., Business Companion Data Protection –
Practical GDPR Guidance, EIPACC (2021), www.dataprotectionbooks.com.
[150]
For an alternative roadmap with an elaborate clarification, see among others
http://labs.centerforgov.org/data-governance/data-inventory/.
[151]
The team roles of Belbin and the Belbin test are in the limelight in the world of HR professionals.
The British scientist Meredith Belbin (1926) introduced his team roles in 1981. In principle, the roles
supplement and reinforce each other, although of course no team member has only strong points.
The weaknesses of a team member, defined by Belbin as ‘allowable weaknesses’, are compensated by
other team members. See also www.belbin.com.
[152]
Bruce Tuckman, ‘Developmental sequence in small groups’ (1965) 63 Psychological Bulletin 6,
384.
[153]
The Standish Group Chaos Report 2014, The Smart Project, www.standishgroup.com.
[154]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.4, p. 18.
See also https://edpb.europa.eu.
[155]
See Article 24(1)(d) of Council Regulation (EC) 45/2001 of 18 December 2000 on the protection
of individuals with regard to the processing of personal data by the Community institutions and bodies
and on the free movement of such data [2000] OJ L8/1.
[156]
See also e-Dictionary Privacy & Data Protection | https://privapedia.com/dictionary.php.
[157]
For a discussion on the goals and side effects, see hereinafter.
[158]
See www.europrivacy.org and www.eipacc.eu.
[159]
For a more detailed discussion on recital 39 of the GDPR, see chapter 4.
[160]
With regard to the documentation and recording duty (Article 30(1)), the DPIA duty (Article 35), the
privacy duty of care (Article 5(1)) and the obligations relating to the handling of the rights of stakeholders,
see for a more detailed discussion Kadir, Romeo F., Business Companion Data Protection – Practical
GDPR Guidance, EIPACC (2021), www.dataprotectionbooks.com.
[161]
Further processing for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be
incompatible with the initial purposes (‘purpose limitation’), according to Article 5(1)(b) of the GDPR.
[162]
The controller shall be able to demonstrate compliance with these principles ex Article 5(2) of the
GDPR. See Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com.
[163]
Maintaining such a record ex Article 30(5) of the GDPR shall not apply to an enterprise or an
organisation employing fewer than 250 persons unless the processing it carries out is likely to result in
a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing
includes special categories of data as referred to in Article 9(1) or personal data relating to criminal
convictions and offences referred to in Article 10.
[164]
Under reference to Article 4(17), representative means a natural or legal person established in the
Union who, designated by the controller or processor in writing pursuant to Article 27, represents the
controller or processor with regard to their respective obligations under this Regulation.
[165]
For a more elaborate discussion concerning GDPR requirements and GDPR controls, see Kadir,
Romeo F., Business Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com.
[166]
For more detail, see, chapter 3, paragraph 3.3 (Risk orientation in the DPO work plan).
[167]
With regard to issue management in the case of integrity risks, see among others De
Nederlandsche Bank, ‘Integrity Risk Analysis: More where necessary, less where possible’ (August 17,
2015) http://www.toezicht.dnb.nl/en/binaries/51-234068.PDF accessed May 12, 2019.
[168]
See EDPB Recommendation 01/2019 on the draft list of the European Data Protection
Supervisor regarding the processing operations subject to the requirement of a data protection
impact assessment (Article 39.4 of Regulation (EU) 2018/1725)
https://edpb.europa.eu/our-work-tools/our-documents/doporuceni/recommendation-012019-draft-list-european-data-protection_en.
See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com.
[169]
The principle of transparency requires that any information and communication relating to the
processing of those personal data be easily accessible and easy to understand, and that clear and plain
language be used. That principle concerns, in particular, information to the data subjects on the identity
of the controller and the purposes of the processing and further information to ensure fair and
transparent processing in respect of the natural persons concerned and their right to obtain confirmation
and communication of personal data concerning them which are being processed, according to recital
39 of the GDPR.
[170]
Files or sets of files, as well as their cover pages, which are not structured according to specific
criteria should not fall within the scope of this Regulation, according to recital 15 of the GDPR.
[171]
The following advantages can generally be connected to process improvement for the DPO: 1) the
DPO is capable of qualitatively better performance of tasks, 2) the DPO is better equipped to
substantiate the necessity of a specific financial budget, 3) the DPO can organise himself in such a way
that excessive stress is avoided, 4) the DPO can deploy IT more efficiently to support (simplify) his own
AO/IC, 5) the DPO can accomplish more with less support (of, for example, HR), 6) the DPO reduces
the chances of making mistakes, 7) the DPO can save time because of good process management, 8)
the DPO responds quicker and more efficiently to changes in processes, 9) the DPO can be of better
service to internal stakeholders (colleagues, Works Council etc.), 10) the DPO can be of better service
to external stakeholders (DPA, data subjects).
[172]
A professional work plan appreciates the findings of internal and external audits within the
meaning that sufficient attention is devoted to possible risks of non-compliance in the interest of the
own organisation.
[173]
Some advantages for the organisation of proper attention to risk and incidents management in the
DPO work plan could be for example (depending on the circumstances) the following: 1) handle risks
cleverly, 2) connect to management actions, 3) opening debates on risk acceptance, 4) better providing
of professional service by the organisation (better customer experience), 5) reducing the amount of
management time to deal with minor problems, 6) more internal focus on doing the right things well, 7)
a better basis for determining strategies, 8) obtaining competitive advantage, 9) a more efficient use of
resources, 10) less restoration costs due to non-compliance.
[174]
According to recital 74 of the GDPR, the responsibility and liability of the controller for any
processing of personal data carried out by the controller or on the controller's behalf should be
established. In particular, the controller should be obliged to implement appropriate and effective
measures and be able to demonstrate the compliance of processing activities with this Regulation,
including the effectiveness of the measures. Those measures should take into account the nature, scope,
context and purposes of the processing and the risk to the rights and freedoms of natural persons. The
risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from
personal data processing which could lead to physical, material or non-material damage, according to
recital 75 of the GDPR.
[175]
Within this framework, compare this with the specific task of the DPO in Article 39(1)(b) of the
GDPR.
[176]
The team roles of Belbin and the Belbin test are in the limelight in the world of HR professionals.
The British scientist Meredith Belbin (1926) introduced his team roles in 1981. In principle, the roles
supplement and reinforce each other, although of course no team member has only strong points.
The weaknesses of a team member, defined by Belbin as ‘allowable weaknesses’, are compensated by
other team members. See also www.belbin.com.
[177]
Bruce Tuckman, ‘Developmental sequence in small groups’ (1965) 63 Psychological Bulletin 6,
384.
[178]
See in particular the Charter of Fundamental Rights of the European Union (2000/C 364/01),
Chapter II (Freedoms), retrieved from Kadir, Romeo F. (Ed.), GDPR Official Resources – A
comprehensive collection of the most important official sources for a better understanding of the
GDPR, EIPACC (2021), www.dataprotectionbooks.com.
[179]
For more detail, see chapter 7.
[180]
See also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive collection of the
most important official sources for a better understanding of the GDPR, EIPACC (2021),
www.dataprotectionbooks.com.
[181]
See Article 8(1) of the Charter of Fundamental Rights of the European Union (The ‘Charter’) and
Article 16(1) of the Treaty on the Functioning of the European Union (TFEU). See also Kadir, Romeo
F. (Ed.), GDPR Official Resources – A comprehensive collection of the most important official
sources for a better understanding of the GDPR, EIPACC (2021), www.dataprotectionbooks.com.
[182]
See among others recital 4 of the GDPR.
[183]
Article 2(a) of Council Directive 95/46/EC of 24 October 1995 on the protection of individuals
with regard to the processing of personal data and on the free movement of such data [1995] OJ
L281/31 defines ‘personal data’ as ‘any information relating to an identified or identifiable natural
person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in
particular by reference to an identification number or to one or more factors specific to his physical,
physiological, mental, economic, cultural or social identity’.
[184]
Examples of goals related to Business Intelligence are a baseline of personal data regarding customer
acquisition, customer insight, customer acceptance, data management, credit control, and collection
management.
[185]
These mechanisms could also help to demonstrate that the controller or processor complies with
the rules, especially relating to the establishment of the risk relating to the processing, the assessment of
the origin, nature, probability and severity, and the determination of best practices to reduce the risk.
[186]
See for example www.eipacc.eu.
[187]
See www.autoriteitpersoonsgegevens.nl.
[188]
Right of access (Article 15), Right to rectification (Article 16), Right to erasure (‘right to be
forgotten’) ex Article 17, Right to restriction of processing (Article 18), Notification obligation
regarding rectification or erasure of personal data or restriction of processing (Article 19), Right to data
portability (Article 20), Right to object (Article 21) and the right not to be subject to automated
individual decision-making, including profiling (Article 22). See also Kadir, Romeo F., Business
Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com. For a comprehensive collection of official GDPR resource documents,
see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive collection of the most
important official sources for a better understanding of the GDPR, EIPACC (2021),
www.dataprotectionbooks.com.
[189]
See below, Annexure 12, for a list of DPAs in the European Economic Area (EEA).
[190]
For the record, it should be noted that not every GDPR obligation necessarily has to entail all
components that are mentioned here. The number of relevant components can differ as per GDPR
obligation.
[191]
For example, within the framework of binding corporate rules (see Article 47(2)(d) of the GDPR).
[192]
See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com.
[193]
See https://eipacc.eu/regulatory-gdpr-compliance/.
[194]
See among others the data management model of DAMA www.dama.org.
[195]
Above-mentioned additional data compliance dimensions are not part of the following analysis
unless specifically mentioned otherwise.
[196]
See among others the ‘AICPA/CICA Privacy Maturity Model’ (March 2011) that is based on the
Generally Accepted Privacy Principles (GAPP), published by the American Institute of Certified Public
Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA) in 2009
https://iapp.org/media/presentations/11Summit/DeathofSASHO2.pdf accessed 14 May 2019. Compare
with the previous edition (April 2010) also Information and Privacy Commissioner Ontario, ‘Privacy
Risk Management: Building privacy protection into a Risk Management Framework to ensure that
privacy risks are managed, by default’ (April 2010), p. 20, Annex 2
https://www.ipc.on.ca/wp-content/uploads/2010/04/Privacy-Risk-Management-Building-privacy-protection-into-a-Risk-Management-Framework-to-ensure-that-privacy-risks-are-managed.pdf
accessed 14 May 2019.
[197]
See Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance, EIPACC
(2021), www.dataprotectionbooks.com.
[198]
See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com.
[199]
See for example ISO/IEC 27018 (Cloud Computing) and ISO/IEC 29100:2011, briefly discussed
in chapter 5.
[200]
Compare the ISO/IEC 27001 Standards family for information security management as part of
EIPACC certification audits, https://eipacc.eu/regulatory-gdpr-compliance/.
[201]
For a more elaborate discussion, see also Romeo Kadir, GDPR Business Companion, GDPR
Ultimate Business Guide Series, Part 1, PPG (2020). www.gdprliterature.eu.
[202]
For an alternative roadmap with an elaborate explanation, see among others:
http://labs.centerforgov.org/data-governance/data-inventory/.
[203]
Guidance on the implementation of appropriate measures and on the demonstration of compliance
by the controller or the processor, especially as regards the identification of the risk related to the
processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of
best practices to mitigate the risk, could be provided in particular by means of approved codes of
conduct, approved certifications, guidelines provided by the Board or indications provided by a data
protection officer, according to recital 77 of the GDPR.
[204]
Compare within this framework also the PIA model (2015) of NOREA, which is a risk analysis
instrument that can identify and trace privacy risks, see https://www.norea.nl/english.
[205]
For a more detailed discussion on the GDPR privacy risk map, see also Kadir, Romeo F., Business
Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com.
[206]
CNIL, ‘Methodology for Privacy Risk Management: How to implement the Data Protection Act’
(June 2012), p. 18
https://www.cnil.fr/sites/default/files/typo/document/CNIL-ManagingPrivacyRisks-Methodology.pdf
accessed May 11, 2019.
[207]
The Standish Group Chaos Report 2011, https://www.projectsmart.co.uk/white-papers/chaos-report.pdf
(p. 15).
[208]
See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com.
[209]
WP 248, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether
processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679 (4 April 2017).
[210]
Implementation (from the Latin verb implére, ‘fill out’ or ‘fulfil’) is the introduction of a new system,
plan, idea, model, design, standard or policy in an organisation. The term is, among others, used in the
IT world, in public administration (implementation of policies) and in the legal context
(implementation of legislation).
[211]
For a discussion on possible GDPR ambition levels, see among others chapter 6.
[212]
For a discussion on the goals and side effects, see hereinafter § 7.2.
[213]
See for example (standard) GDPR certification trajectories at www.eipacc.eu.
[214]
See among others the data management model of DAMA www.dama.org.
[215]
These steps will be discussed in more detail below in paragraph 7.3.
[216]
For a more detailed discussion, see chapter 6.
[217]
For more detail, see chapter 1.
[218]
As regards the documentation and recording duty (Article 30(1)), DPIA duty (Article 35), privacy
duty of care (Article 5(1)) and obligations relating to realising the rights of data subjects, see § 2.4.
[219]
Autoriteit Persoonsgegevens (AP), ‘In 10 stappen voorbereid op de AVG’ (13 April 2017), p. 1
https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/in_10_stappen_voorbereid_op_de_avg.pdf
accessed 12 May 2019 (available in Dutch).
[220]
See Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com. See also e-Dictionary Privacy & Data Protection,
https://privapedia.com/dictionary.php.
[221]
In accordance with recital 51 of the GDPR, personal data which are, by their nature, particularly
sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their
processing could create significant risks to the fundamental rights and freedoms.
[222]
See also chapter 6.
[223]
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in
the performance of their tasks, according to Article 6(1) of the GDPR.
[224]
Keeping such records shall ex Article 30(5) of the GDPR not apply to an enterprise or an
organisation employing fewer than 250 persons unless the processing it carries out is likely to result in
a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing
includes special categories of data as referred to in Article 9(1) or personal data relating to criminal
convictions and offences referred to in Article 10.
[225]
For more detail, see chapter 3, paragraph 3.3 (risk orientation in the DPO work plan).
[226]
With regard to issue management in the case of integrity risks, see among others De
Nederlandsche Bank, ‘Integrity Risk Analysis: More where necessary, less where possible’ (17 August
2015) http://www.toezicht.dnb.nl/en/binaries/51-234068.PDF accessed 12 May 2019.
[227]
The WP29 interprets “systematic” as meaning one or more of the following (see the WP29
Guidelines on Data Protection Officer 16/EN WP 243): 1) occurring according to a system, 2) pre-
arranged, organised or methodical, 3) taking place as part of a general plan for data collection, 4)
carried out as part of a strategy. According to WP 248 rev.01, Guidelines on Data Protection Impact
Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the
purposes of Regulation 2016/679 (as last Revised and Adopted on 4 October 2017), footnote 15, p. 9.
See also e-Dictionary Privacy & Data Protection | https://privapedia.com/dictionary.php.
[228]
See also Recommendation 01/2019 on the draft list of the European Data Protection Supervisor
regarding the processing operations subject to the requirement of a data protection impact assessment
(Article 39.4 of Regulation (EU) 2018/1725).
[229]
See § 3.1.3 (Business case for a professional DPO work plan).
[230]
In light of the duty of the controller and the processor to ensure that the DPO does not receive any
instructions, an extra argument can be found for the statement that the DPO, especially considering the
character of the steering information, cannot be an active member of the GDPR implementation team,
let alone be the leader of this team. See Article 38(3) of the GDPR.
[231]
See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com. For a comprehensive collection of official GDPR
resource documents, see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive
collection of the most important official sources for a better understanding of the GDPR, EIPACC
(2021), www.dataprotectionbooks.com.
[232]
According to Article 14(1) (information to be provided where personal data have not been
obtained from the data subject), where personal data have not been obtained from the data subject, the
controller shall provide the data subject with the following information: (a) the identity and the contact
details of the controller and, where applicable, of the controller's representative; (b) the contact details
of the data protection officer, where applicable; (c) the purposes of the processing for which the
personal data are intended as well as the legal basis for the processing; (d) the categories of personal
data concerned; (e) the recipients or categories of recipients of the personal data, if any; (f) where
applicable, that the controller intends to transfer personal data to a recipient in a third country or
international organisation and the existence or absence of an adequacy decision by the Commission, or
in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1),
reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where
they have been made available.
[233]
For a more detailed discussion on the component ‘conditions’ in the GBC model, see § 6.2.7.
[234]
For a more detailed discussion on the component ‘recitals’ in the GBC-model, see § 6.2.7.
[235]
See with regard to GDPR controls in general also § 7.2.1.6.
[236]
See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com. For a comprehensive collection of official GDPR
resource documents, see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive
collection of the most important official sources for a better understanding of the GDPR, EIPACC
(2021), www.dataprotectionbooks.com.
[237]
See also § 6.2.4 (matrix of GDPR obligations).
[238]
See for example § 7.4.
[239]
See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com.
[240]
A stakeholder can be referred to as a person or organisation that is actively involved in the project,
or whose interests can be influenced positively or negatively through the implementation or completion
of the project.
[241]
Guidance on the implementation of appropriate measures and on the demonstration of compliance
by the controller or the processor, especially as regards the identification of the risk related to the
processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of
best practices to mitigate the risk, could be provided in particular by means of approved codes of
conduct, approved certifications, guidelines provided by the Board or indications provided by a data
protection officer, according to recital 77 of the GDPR.
[242]
For more detail, see § 6.4.2.3. See also Kadir, Romeo F., Business Companion Data Protection –
Practical GDPR Guidance, EIPACC (2021), www.dataprotectionbooks.com and e-Dictionary Privacy
& Data Protection | https://privapedia.com/dictionary.php.
[243]
With regard to the development of a GDPR risk map, see among others § 6.4.2.3.
[244]
The Standish Group Chaos Report (2011), where the following general success factors are
mentioned, 1) strong involvement of team members, 2) strong involvement of higher management, 3)
proper planning, 4) realistic expectations, 5) smaller project milestones, 6) project co-workers with
sufficient (relevant) expertise, 7) competent (possessing the necessary skills) project co-workers, 8)
ownership of the principal with the project management, 9) clearly formulated vision & corporate
objectives (SMART deliverables) and last but not least 10) devoted, hard-working, result-oriented
project team.
[245]
See among others § 6.1.3.2.1 (Privacy Awareness Programme).
[246]
WP 248 rev.01, Guidelines on Data Protection Impact Assessment (DPIA) and determining
whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (as last
Revised and Adopted on 4 October 2017).
[247]
See § 6.4.2.3.
[248]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.5, p. 12.
[249]
See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com.
[250]
More focused on Article 24(1) of the GDPR, the appropriate technical and organisational
measures implemented by the controller should be reviewed and, where necessary, updated.
[251]
In other words, new facts and circumstances once the review and update of the implemented
appropriate technical and organisational measures is completed.
[252]
For a discussion on the goals and side effects, see below § 2.
[253]
For more EU context, see among others Kadir, Romeo F., Business Companion Data Protection –
Practical GDPR Guidance, EIPACC (2021), www.dataprotectionbooks.com.
[254]
See for example the (standard) GDPR certification trajectory at www.eipacc.eu.
[255]
See among others the data management model of DAMA (www.dama.org) as discussed in § 7.1.4.
[256]
For more detail, see chapter 2.
[257]
Relating to the documentation and recording duty (Article 30(1)), DPIA duty (Article 35), privacy
duty of care (Article 5(1)) and obligations in light of the realisation of the rights of data subjects, see
§ 5.2.
[258]
Autoriteit Persoonsgegevens (AP), ‘In 10 stappen voorbereid op de AVG’ (13 April 2017), p. 1
https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/in_10_stappen_voorbereid_op_de_avg.pdf
accessed 12 May 2019 (available in Dutch).
[259]
See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com. For a comprehensive collection of official GDPR
resource documents, see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive
collection of the most important official sources for a better understanding of the GDPR, EIPACC
(2021), www.dataprotectionbooks.com.
[260]
In accordance with recital 51, personal data which are, by their nature, particularly sensitive in
relation to fundamental rights and freedoms merit specific protection as the context of their processing
could create significant risks to the fundamental rights and freedoms.
[261]
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in
the performance of their tasks, according to Article 6(1) of the GDPR.
[262]
Keeping such records shall ex Article 30(5) of the GDPR not apply to an enterprise or an
organisation employing fewer than 250 persons unless the processing it carries out is likely to result in
a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing
includes special categories of data as referred to in Article 9(1) or personal data relating to criminal
convictions and offences referred to in Article 10.
[263]
For an overview of 104 privacy controls, see among others NOREA, ‘NOREA Guide Privacy
Control Framework: Control objectives and controls for privacy audits and privacy assurance
engagements’ (May 2018), p. 8 and further https://www.norea.nl/download/?id=4160 accessed 15 May
2019.
[264]
For more detail, see chapter 3, paragraph 3.3 (risk orientation in the DPO work plan).
[265]
In the second sentence of Article 24(1), the wording ‘where necessary’ is used. This seems to
imply that the probability of the risks has to be taken into account at all times. See § 7.2.1.8.
[266]
With regard to issue management in the case of integrity risks, see among others De
Nederlandsche Bank, ‘Integrity Risk Analysis: More where necessary, less where possible’ (17 August
2015) http://www.toezicht.dnb.nl/en/binaries/51-234068.PDF accessed 12 May 2019.
[267]
The WP29 interprets “systematic” as meaning one or more of the following (see the WP29
Guidelines on Data Protection Officer 16/EN WP 243): 1) occurring according to a system, 2) pre-
arranged, organised or methodical, 3) taking place as part of a general plan for data collection, 4)
carried out as part of a strategy. According to WP 248 rev.01, Guidelines on Data Protection Impact
Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the
purposes of Regulation 2016/679 (as last Revised and Adopted on 4 October 2017), footnote 15, p. 9.
See also e-Dictionary Privacy & Data Protection | https://privapedia.com/dictionary.php.
[268]
Recommendation 01/2019 on the draft list of the European Data Protection Supervisor
regarding the processing operations subject to the requirement of a data protection impact
assessment (Article 39.4 of Regulation (EU) 2018/1725).
[269]
For a discussion on the general goals (and side effects) of a GDPR implementation plan, see § 8.2.
[270]
See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com. For a comprehensive collection of official GDPR
resource documents, see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive
collection of the most important official sources for a better understanding of the GDPR, EIPACC
(2021), www.dataprotectionbooks.com.
[271]
For a more detailed discussion on the component ‘conditions’ in the GBC-model, see § 6.2.7.
[272]
For a more detailed discussion on the component ‘recitals’ in the GBC-model, see § 6.2.7.
[273]
See § 7.4.2.1. See also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR
Guidance, EIPACC (2021), www.dataprotectionbooks.com.
[274]
See also § 7.4.2.2.
[275]
See also § 7.4.2.3.
[276]
See also § 3.3.3.
[277]
See also § 7.4.2.5.
[278]
See also § 7.4.2.6.
[279]
The Standish Group Chaos Report 2011, p. 15 (https://www.projectsmart.co.uk).
[280]
See WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.2, p.
17.
[281]
The tasks of the Data Protection Officer are mentioned in Article 39(1) of the GDPR, which
specifies that the DPO fulfils ‘at least’ the following tasks. Consequently, nothing prevents the
controller from assigning other tasks to the DPO that are not explicitly mentioned in Article 39(1), or
from specifying those tasks in more detail.
[282]
For a list provided by the EDPB, see Recommendation 01/2019 on the draft list of the
European Data Protection Supervisor regarding the processing operations subject to the
requirement of a data protection impact assessment (Article 39.4 of Regulation (EU)
2018/1725).
[283]
See § 6.4.2.3.
[284]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 2.5, p. 12.
[285]
There is usually a distinction between internal audit (own research into the factual GDPR
compliance by qualified auditors and auditors that are declared competent by the board of the
controller) and external audit (a study by qualified auditors and auditors declared competent by the
controller, performed at processors). A ‘cross audit’ normally refers to the situation where
research is undertaken by one entity (within a holding company) in another entity (either subsidiary
or sister companies).
[286]
See Article 24(1) for this primary obligation of the controller and processor.
[287]
Approval occurs subject to the coherence mechanism mentioned in Article 63.
[288]
Article 47(2)(h) mentions, ‘…any data protection officer designated in accordance with Article 37
or any other person or entity in charge of the monitoring compliance with the binding corporate rules
within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well
as monitoring training and complaint-handling.’
[289]
For a discussion on the goals and side effects, see below § 2.
[290]
Residual risks are risks that continue to exist despite the performance of concrete actions.
[291]
See for example the (standard) GDPR certification trajectory at www.eipacc.eu.
[292]
Interesting for example within this framework are the controls as discussed in NOREA, ‘NOREA
Guide Privacy Control Framework: Control objectives and controls for privacy audits and privacy
assurance engagements’ (May 2018), p. 8 https://www.norea.nl/download/?id=4160 accessed 15 May
2019.
[293]
See among others the data management model of DAMA (www.dama.org) as discussed in § 7.1.4.
[294]
With regard to GDPR management value in general, see also § 6.1.5. For a more detailed
discussion on GDPR management measures, see among others Kadir, Romeo F., Business
Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com. For a comprehensive collection of official GDPR resource documents,
see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive collection of the most
important official sources for a better understanding of the GDPR, EIPACC (2021),
www.dataprotectionbooks.com. See also e-Dictionary Privacy & Data Protection,
https://privapedia.com/dictionary.php.
[295]
For more detail, see chapter 2.
[296]
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in
the performance of their tasks, according to Article 6(1) of the GDPR.
[297]
Keeping such records shall ex Article 30(5) of the GDPR not apply to an enterprise or an
organisation employing fewer than 250 persons unless the processing it carries out is likely to result in
a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing
includes special categories of data as referred to in Article 9(1) or personal data relating to criminal
convictions and offences referred to in Article 10.
[298]
For an overview of 104 privacy controls, see among others NOREA, ‘NOREA Guide Privacy
Control Framework: Control objectives and controls for privacy audits and privacy assurance
engagements’ (May 2018), p. 8 https://www.norea.nl/download/?id=4160 accessed 15 May 2019. See
also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance, EIPACC
(2021), www.dataprotectionbooks.com. For a comprehensive collection of official GDPR resource
documents, see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive collection
of the most important official sources for a better understanding of the GDPR, EIPACC (2021),
www.dataprotectionbooks.com. See also e-Dictionary Privacy & Data Protection |
https://privapedia.com/dictionary.php.
[299]
For more detail, see chapter 3, paragraph 3.3 (risk orientation in the DPO work plan).
[300]
With regard to issue management in the case of integrity risks, see among others De
Nederlandsche Bank, ‘Integrity Risk Analysis: More where necessary, less where possible’ (17 August
2015) http://www.toezicht.dnb.nl/en/binaries/51-234068.PDF accessed 12 May 2019.
[301]
See www.eipacc.eu.
[302]
See also § 7.4.2.1.
[303]
See also § 7.4.2.2.
[304]
See also § 7.4.2.3.
[305]
See also § 3.3.3.
[306]
Compare § 7.4.2.5.
[307]
See also § 7.4.2.6.
[308]
The Standish Group Chaos Report 2011, p. 15 (https://www.projectsmart.co.uk).
[309]
See www.eipacc.eu.
[310]
Which can be derived from Article 39(1)(b) of the GDPR. See among others also Article 28(3)(h)
(processor contract) and Article 47(2)(j) (binding corporate rules).
[311]
See also § 7.4.2.1.
[312]
See also § 7.4.2.2.
[313]
See also § 7.4.2.3.
[314]
See also § 3.3.3.
[315]
For a more detailed discussion on the GDPR privacy risk map, see also Kadir, Romeo F., Business
Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com. For a comprehensive collection of official GDPR resource documents,
see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive collection of the most
important official sources for a better understanding of the GDPR, EIPACC (2021),
www.dataprotectionbooks.com. See also e-Dictionary Privacy & Data Protection,
https://privapedia.com/dictionary.php.
[316]
Compare § 7.4.2.5.
[317]
The Standish Group Chaos Report 2011, p. 15 (www.projectsmart.co.uk).
[318]
See also § 9.8, Table of reference DPO work plan GDPR assurance & GDPR audit.
[319]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 4.1, p. 17.
[320]
The same plan can be used ex ante for accountability purposes and for designing the reports that are
drawn up ex post.
[321]
For a more detailed discussion of the interpretation of these obligations, see among others Kadir,
Romeo F., Business Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com.
[322]
On the annual report of the DPA, see among others Article 59. Each supervisory authority shall
draw up an annual report on its activities, which may include a list of types of infringement notified and
types of measures taken in accordance with Article 58(2). Those reports shall be transmitted to the
national parliament, the government and other authorities as designated by Member State law. They
shall be made available to the public, to the Commission and to the Board. With regard to the reporting
duty of the Board, see Article 71. According to the first paragraph of this Article, the Board shall draw
up an annual report regarding the protection of natural persons with regard to processing in the Union
and, where relevant, in third countries and international organisations. The report shall be made public
and be transmitted to the European Parliament, to the Council and to the Commission. In accordance
with paragraph 2 of Article 71, the annual report shall include a review of the practical application of
the guidelines, recommendations and best practices referred to in point (l) of Article 70(1) as well as of
the binding decisions referred to in Article 65. With regard to the reporting duty (activities report) of
the European Data Protection Supervisor (EDPS), see Article 48 of Regulation (EC) 45/2001 of the
European Parliament and of the Council on the protection of individuals with regard to the processing of
personal data by the Community institutions and bodies and on the free movement of such data (18
December 2001). Article 48 has codified that, ‘The European Data Protection Supervisor shall submit
an annual report on his or her activities to the European Parliament, the Council and the Commission
and at the same time make it public. The European Data Protection Supervisor shall forward the
activities report to the other Community institutions and bodies, which may submit comments with a
view to possible examination of the report in the European Parliament, in particular in relation to the
description of the measures taken in response to the remarks made by the European Data Protection
Supervisor under Article 31.’
[323]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.3, p. 15.
[324]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.3, p. 15.
[325]
Network of Data Protection Officers of the EU institutions and bodies, ‘Professional Standards for
Data Protection Officers of the EU institutions and bodies working under Regulation (EC) 45/2001’ (14
October 2010), p. 8 https://ec.europa.eu/anti-fraud/sites/antifraud/files/docs/body/dpo_standards.pdf
accessed 11 May 2019. Council Regulation (EC) 45/2001 of 18 December 2000 on the protection of
individuals with regard to the processing of personal data by the Community institutions and bodies
and on the free movement of such data [2000] OJ L8/1.
[326]
WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’) (April 05, 2017), § 3.3, p. 15.
[327]
Compare the Network of Data Protection Officers of the EU institutions and bodies, ‘Professional
Standards for Data Protection Officers of the EU institutions and bodies working under Regulation
(EC) 45/2001’ (14 October 2010), § 4.1, p. 13 https://ec.europa.eu/anti-
fraud/sites/antifraud/files/docs/body/dpo_standards.pdf accessed 11 May 2019.
[328]
Article 38(4) of the GDPR reads as follows, ‘Data subjects may contact the data protection officer
with regard to all issues related to processing of their personal data and to the exercise of their rights
under this Regulation.’
[329]
See for example the (standard) GDPR certification trajectory at www.eipacc.eu. See also Kadir,
Romeo F., Business Companion Data Protection – Practical GDPR Guidance, EIPACC (2021),
www.dataprotectionbooks.com. For a comprehensive collection of official GDPR resource documents,
see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive collection of the most
important official sources for a better understanding of the GDPR, EIPACC (2021),
www.dataprotectionbooks.com. See also e-Dictionary Privacy & Data Protection,
https://privapedia.com/dictionary.php.
[330]
See among others the data management model of DAMA (www.dama.org) as discussed in § 7.1.4.
[331]
With regard to GDPR management value in general, see also § 6.1.5.
[332]
For more detail, see hereinafter the Table of reference ARP (in § 10.5), where the focal points of
the DPO work plan are categorised under the vision, mission and strategy (VMS) of the DPO work plan.
[333]
WP 173, Opinion 3/2010 on the principle of accountability (13 July 2010), § 25, p. 8.
[334]
In accordance with recital 51, personal data which are, by their nature, particularly sensitive in
relation to fundamental rights and freedoms merit specific protection, as the context of their processing
could create significant risks to the fundamental rights and freedoms. For a more detailed
analysis, see also Kadir, Romeo F., Business Companion Data Protection – Practical GDPR Guidance,
EIPACC (2021), www.dataprotectionbooks.com. For a comprehensive collection of official GDPR
resource documents, see also Kadir, Romeo F. (Ed.), GDPR Official Resources – A comprehensive
collection of the most important official sources for a better understanding of the GDPR, EIPACC
(2021), www.dataprotectionbooks.com. See also e-Dictionary Privacy & Data Protection,
https://privapedia.com/dictionary.php.
[335]
Under Article 30(5) of the GDPR, the obligation to keep such records does not apply to an enterprise or an
organisation employing fewer than 250 persons, unless the processing it carries out is likely to result in
a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing
includes special categories of data as referred to in Article 9(1) or personal data relating to criminal
convictions and offences referred to in Article 10.
[336]
For more detail, see chapter 3, paragraph 3.3 (risk orientation in the DPO work plan).
[337]
With regard to issue management in the case of integrity risks, see among others De
Nederlandsche Bank, ‘Integrity Risk Analysis: More where necessary, less where possible’ (17 August
2015) http://www.toezicht.dnb.nl/en/binaries/51-234068.PDF accessed 12 May 2019.
[338]
In this regard, the DPO can work together closely with the Chief Information Security Officer
(CISO).
[339]
Compare also the EDPS, which mentions in this context an ‘annual work programme and an
annual report’ that ‘may be submitted by the DPO on his/her activities. A work programme of the DPO
should define its priorities and show which results the DPO wants to achieve in terms of raising
awareness, inventory, notifications, prior checking and register, etc.’ See EDPS,
‘Implementing rules concerning the tasks, duties and powers of the Data Protection Officer (Article
24.8)’ (29 July 2010), § 3, p. 5 https://edps.europa.eu/sites/edp/files/publication/10-07-
29_guidelines_dpo_tasks_en.pdf accessed 15 May 2019.
[340]
See also the Ethics Advisory Group of the EDPS. According to the EDPS, ‘This Ethics Advisory
Group … will enable the realisation of the benefits of technology for society and the economy in ways
that reinforce the rights and freedoms of individuals.’ Press Release EDPS/2016/05 (Brussels, 28
January 2016) https://edps.europa.eu/sites/edp/files/edpsweb_press_releases/edps-2016-05-
edps_ethics_advisory_group_en.pdf accessed 15 May 2019.
[341]
Compare Network of Data Protection Officers of the EU institutions and bodies, ‘Professional
Standards for Data Protection Officers of the EU institutions and bodies working under Regulation
(EC) 45/2001’ (14 October 2010), § 4.1, p. 13 https://ec.europa.eu/anti-
fraud/sites/antifraud/files/docs/body/dpo_standards.pdf accessed 11 May 2019.
[342]
See Article 39(1) of the GDPR.
[343]
Network of Data Protection Officers of the EU institutions and bodies, ‘Professional Standards for
Data Protection Officers of the EU institutions and bodies working under Regulation (EC) 45/2001’ (14
October 2010), § 5.1, p. 14 https://ec.europa.eu/anti-
fraud/sites/antifraud/files/docs/body/dpo_standards.pdf accessed 11 May 2019.
[344]
Network of Data Protection Officers of the EU institutions and bodies, ‘Professional Standards for
Data Protection Officers of the EU institutions and bodies working under Regulation (EC) 45/2001’ (14
October 2010), § 5.3, p. 15 https://ec.europa.eu/anti-
fraud/sites/antifraud/files/docs/body/dpo_standards.pdf accessed 11 May 2019.