2021
European Institute for Privacy, Audit, Compliance & Certification (EIPACC)
Further inquiries can be addressed to:
publications@eipacc.eu
Recommended Citation:
Kadir, Romeo F., Handbook Certified Data Protection Officer (DPO) Practical Work Plan Guidance, EIPACC (2021), www.dataprotectionbooks.com
ISBN/EAN 9789083115450
NUR 820
BISAC LAW059000
2021
European Institute for Privacy, Audit, Compliance & Certification (EIPACC)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the publishers prior consent. Except for the quotation of short passages for the purposes of criticism and review, no part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the publisher or a license.
Without limiting the rights under copyright reserved above, no part of this book may be reproduced, stored in or introduced into a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without the written permission of both the copyright owner and the author of the book.
Every effort has been made to obtain permission to use all copyrighted illustrations reproduced in this book. Nonetheless, whosoever believes to have rights to this material is advised to contact the publisher.
Fictitious names of companies, products, people, characters and/or data that may be used herein (in case studies or in examples) are not intended to represent any real individual, company, product or event.
This publication is translated from Dutch into English. The European Institute for Privacy, Audit, Compliance & Certification (EIPACC) takes no responsibility for the quality of the translations into other languages. The views expressed in this handbook do not bind EIPACC. The handbook refers to a selection of commentaries, manuals and other primary sources. EIPACC takes no responsibility for their content, nor does their inclusion amount to any form of endorsement of these publications.
EIPACC has no responsibility for the persistence or accuracy of URLs for external or third-party internet websites referred to in this publication and does not guarantee that any content on such websites is, or will remain, accurate or appropriate .
FOREWORD
Providing for a practical guide for the Data Protection Officer (DPO) lies at the heart of this publication. As stated by the European Data Protection Board (EDPB) it is best practice for the DPO to have a work plan. What does such a work plan look like? Providing an answer to that question lies at the core of this publication. According to the EDPB, it is valued a good practice for the DPO (or the organisation) to compose a work plan, but the form or content of such a work plan is not discussed by the EDPB. In order to answer this central question, the two following (more concrete) lines of orientation for a DPO work plan are being applied.
Firstly, the text as enshrined in the General Data Protection Regulation (GDPR) itself codifies an important line of orientation in the embodiment of Articles 37 to 39 of the GDPR in which the designation, positions and tasks of the DPO are discussed.
Secondly, an orientation line is found in the typical role the DPO is playing in the daily data protection practice which can be inferred from, among others, an action plan (or work plan) from an enterprise (institution or organisation). In pursuit of compliance with the obligations pursuant to the GDPR, at least the following steps (in any form o r comparable language) can usually be distinguished.
1. Establish GDPR policies.
2. Make an inventory of personal data.
3. Perform a GDPR baseline.
4. Perform a GDPR gap-analysis.
5. Perform a GDPR implementation.
6. Perform GDPR review and update.
7. Perform GDPR assurance and audit.
8. Compose and communicate the GDPR accountability and reports.
The approach of two lines of orientation that is chosen for this practical guidance deliberately pursues to serve justice to the dichotomous practice of everyday life in which many DPOs operate. On the one hand, there is this continuous expectation that the DPO will just take care of all we need to do, while on the other hand, Articles 37 to 39 of the GDPR actually actively construct a certain distance between the DPO and the more operational GDPR activities. A special reason for this is to the benefit of preserving the independent functioning of the DPO which is emphasized among others in recital 97 of the GDPR.
Taking into account previous feedback on the legibility (and feedback on earlier manuscripts of this book), a deliberate choice is made to where appropriate just repeat (copy-paste) the content of certain previous paragraphs and/or parts of the book to promote the legibility and learning effects.
The mission, vision and strategy of the DPO work plan are taken as a starting point to compose general tables of reference for the DPO, which entail connecting factors for more depth of each of the subjects that are mentioned in the specific chapters. The lay-out of these tables are equal in every chapter and are primarily intended for orientation for more concrete elaboration by the DPO in his or her work plan in accordance with their own enterprise, institution or organisation.
The GDPR defines a number of important tasks for the DPO which are in some way positioned on a thin line of fragile checks and balances of various GDPR stakeholders. The specific positioning of the DPO is also relevant for the success of one of the most important goals of the GDPR, protecting the fundamental rights and freedoms of natural persons (data subjects in the GDPR) and in particular the right to protection of their personal data pursuant to Article 1(2) GDPR.
According to the European Data Protection Board (formerly operating as WP29), the DPO (or the organisation) should avail of a work plan which the organisation will use as a basis for providing, among others, necessary resources for the DPO. With the entry into force of the GDPR as of 25 May 2018, the need to work on professional maturity of the Data Protection Officer (DPO) became more and more urgent. Moreover, the Spanish supervisory authority (AEDP) was the first European privacy supervisory authority that (although not based on Article 42 GDPR) to publish a Certification Scheme of Data Protection Officers in which a number of concrete knowledge and competence areas are mentioned, followed by the CNIL Certification Scheme of DPO Skills and Knowledge in September 2018. This certification scheme of the French Data Protection Authority introduced certification criteria setting out, in particular, the conditions for admissibility of applications and the list of 17 DPO skills and knowledge required to be certified and also contained accreditation criteria setting out the requirements applicable to certification bodies wishing to be accredited by the CNIL to certify DPO skills and knowledge.
This publication is part of a larger series of publications for the professional DPO. Especially for junior and medior/advanced (and even some senior/expert) level DPOs the following two additional sources are considered to be an indispensable work of reference:
