The Data Protection Officer (DPO) is at the “heart” of the legal framework for many organisations, facilitating compliance with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR). The DPO monitors and reviews an organisation’s compliance with the applicable Personal Data Protection legislation, regulation and standards.
A DPO should be appointed based on professional qualities, expert knowledge of the GDPR legislation and the ability to fulfil his/her tasks. The DPO should learn and understand the organisation’s processing activities and the systems used in order to perform the DPO’s tasks effectively.
The DPO should be involved, properly and in a timely manner, in all issues that are relevant to the protection of personal data. The DPO should also have sufficient autonomy and resources to carry out his/her tasks effectively.
To perform his/her tasks effectively, it is good practice for the DPO to prepare a GDPR checklist with which to review and check the organisation’s processing activities. Here are eight essential points that a DPO should review and check:
The eight essential points of a DPO checklist:
1) Does the organisation comply with the GDPR provisions? The DPO should check if the organisation applies the necessary actions to comply with the GDPR provisions. In particular, the DPO should check if the organisation has valid purpose(s) to process personal data and if the purpose(s) are based on a lawful basis.
2) Does the organisation process personal data based on the correct legal basis? The DPO should review the purpose(s) for which the organisation processes personal data and ensure that a legal basis exists for each. The DPO should regularly review the organisation’s processing activities to check whether the legal basis has changed.
3) Are GDPR policies in place? The DPO should ensure that the organisation has developed GDPR policies relevant to its processing activities. Furthermore, the DPO should ensure that the necessary security measures for the protection of the personal data are included in the organisation’s GDPR policies.
4) Have the security measures been implemented and followed? The DPO should test all the security measures that the organisation has implemented to confirm that they function properly.
5) Does the organisation’s website include the necessary information regarding the processing of personal data? The DPO should check and ensure that a Personal Data Protection statement is published on the organisation’s website, informing visitors about the processing of their personal data. Furthermore, the DPO should ensure that information on the use of “Cookies” is displayed on the website.
6) Does the company keep a “Record of Processing Activities”? If the organisation is obliged to keep a “Record of Processing Activities”, the DPO should check and ensure that it has been prepared, is maintained, and includes at least the minimum information required by the GDPR. The DPO should also ensure that the information is up to date.
7) Does the company provide the necessary information to data subjects? The DPO should check and ensure that the organisation provides the necessary information, in accordance with the GDPR, to data subjects regarding the processing of their personal data by the organisation.
8) Does the organisation transfer personal data to a third country or international organisation? If the organisation transfers personal data to a third country or international organisation, the DPO should check that the relevant information is included in the organisation’s GDPR Policy and in the “Record of Processing Activities”, and that the data subjects have been informed accordingly. The DPO should also check whether the transfer is lawful in accordance with the provisions of the GDPR.
The preparation and implementation of a GDPR checklist is a helpful tool for the DPO to ensure that his/her organisation complies with the GDPR provisions. A GDPR checklist should be prepared in accordance with the organisation’s processing activities and the GDPR principles. Furthermore, the use of a GDPR checklist will help the DPO to assess the organisation’s processing activities and identify possible weaknesses in the organisation’s GDPR procedures.
Find your next course in GDPR from a variety of online pre-recorded GDPR courses on ICPTE. The courses can be accredited by regulators and other bodies for CPD Units that require CPD training in financial and other regulation.