Accountability Roadmap For Demonstrable GDPR Compliance

Accountability Roadmap
for Demonstrable
GDPR Compliance
A mapping of the NT's Privacy Management Accountability
Framework™ to GDPR Compliance Obligations
Accountability Roadmap for Demonstrable GDPR Compliance
Overview
The new accountability principle in Article 5(2) of the GDPR requires organisations to demonstrate compliance with the principles of the GDPR.
Article 24 sets out how organisations can do this by requiring the implementation of appropriate technical and organisational measures to
ensure that organisations can demonstrate that the processing of personal data is performed in accordance with the GDPR. NT's Research has
identified 39 Articles under the GDPR that require evidence of a technical or organisational measure to demonstrate compliance and has
mapped these to the NT's Privacy Management Accountability Framework™. The result is the identification of 55 “mandatory” privacy
management activities that, if implemented, may produce documentation that will help demonstrate ongoing compliance with your GDPR
compliance obligations (some activities may not apply to your organisation). The document also identifies additional privacy management
activities that, while not considered mandatory for demonstrating compliance with the GDPR, if implemented, may produce additional
documentation to help demonstrate compliance.
To get started using this document:
1. Begin by reviewing Part 1,”Overview of NT's Privacy Management Framework mapped to the Articles in the GDPR that Require
Evidence to Demonstrate Compliance. “This will provide you with an outline of the 55 “mandatory” privacy management activities that
map to the 39 Articles in the GDPR that require evidence to demonstrate compliance.
2. In Part 2, review all mandatory privacy management activities listed in Column 2.
3. For each mandatory privacy management activity, refer to the relevant Article listed in Column 3 and then read the GDPR Article
description in Column 4 to determine if the activity applies to your organisation.
4. If the privacy management activity applies to your organisation, refer to Column 5 to read how this activity may help your organisation
comply with the obligation set out in the Article and see a list of sample evidence to demonstrate compliance.
5. After determining your organisation’s “mandatory” privacy management activities and creating your initial “Roadmap” for compliance,
refer to the additional privacy management activities identified that if implemented may produce additional documentation to help
demonstrate compliance.
Page | 2
Part 1: Overview of NT's Privacy Management Framework mapped to the Articles in the GDPR that
Require Evidence To Demonstrate Compliance
Privacy
Management Privacy Management Activities GDPR Article Reference
Categories
1. Maintain Assign responsibility for data privacy to an individual (e.g. Privacy Officer, Privacy Counsel, CPO,) 27
Governance Representative
Structure Engage senior management in data privacy (e.g. at the Board of Directors, Executive Committee)
Appoint a Data Protection Officer/Official (DPO) in an independent oversight role 37, 38
Assign responsibility for data privacy throughout the organization (e.g. Privacy Network)
Maintain roles and responsibilities for individuals responsible for data privacy (e.g. Job descriptions) 39
Conduct regular communication between the privacy office, privacy network and others 38
responsible/accountable for data privacy
Engage stakeholders throughout the organization on data privacy matters (e.g., information security,
marketing, etc.)
Report to internal stakeholders on the status of privacy management (e.g. board of directors,
management)
Report to external stakeholders on the status of privacy management (e.g., regulators, third–parties,
clients)
Conduct an Enterprise Privacy Risk Assessment 24, 39
Integrate data privacy into business risk assessments/reporting
Maintain a privacy strategy
Maintain a privacy program charter/mission statement
Require employees to acknowledge and agree to adhere to the data privacy policies
2. Maintain Maintain an inventory of personal data holdings (what personal data is held and where) 30
Personal Data Classify personal data holdings by type (e.g. sensitive, confidential, public)
Inventory and Obtain regulator approval for data processing (where prior approval is required)
Data Transfer Register databases with regulators (where registration is required)
Mechanisms
Maintain flow charts for data flows (e.g. between systems, between processes, between countries)
Page | 3
Privacy
Categories
Maintain records of the transfer mechanism used for cross–border data flows (e.g., standard 45, 46, 49
contractual clauses, binding corporate rules, approvals from regulators)
Use Binding Corporate Rules as a data transfer mechanism 46, 47
Use contracts as a data transfer mechanism (e.g., Standard Contractual Clauses) 46
Use APEC Cross Border Privacy Rules as a data transfer mechanism
Use regulator approval as a data transfer mechanism 46
Use adequacy or one of the derogations from adequacy (e.g. consent, performance of a contract, public 45, 49, 48
interest) as a data transfer mechanism
Use the EU–US Privacy Shield as a data transfer mechanism 46
3. Maintain Maintain a data privacy policy 5, 24, 91
Internal Data Maintain an employee data privacy policy
Privacy Policy Document legal basis for processing personal data 6, 9, 10
Integrate ethics into data processing (Codes of Conduct, policies and other measures)
Maintain an organizational code of conduct that includes privacy
4. Embed Maintain policies/procedures for collection and use of sensitive personal data (including biometric data) 9
Data Privacy Maintain policies/procedures for collection and use of children and minors’ personal data 8, 12
Into Maintain policies/procedures for maintaining data quality 5
Operations Maintain policies/procedures for the de–identification of personal data 89
Maintain policies/procedures to review processing conducted wholly or partially by automated means 12, 22
Maintain policies/procedures for secondary uses of personal data 6, 13, 14
Maintain policies/procedures for obtaining valid consent 6, 7, 8
Maintain policies/procedures for secure destruction of personal data
Integrate data privacy into use of cookies and tracking mechanisms
Integrate data privacy into records retention practices 5
Integrate data privacy into direct marketing practices 21
Integrate data privacy into e–mail marketing practices
Integrate data privacy into telemarketing practices
Integrate data privacy into digital advertising practices (e.g., online, mobile)
Integrate data privacy into hiring practices
Page | 4
Privacy
Categories
Integrate data privacy into the organization’s use of social media practices 8
Integrate data privacy into Bring Your Own Device (BYOD) policies/procedures
Integrate data privacy into health & safety practices
Integrate data privacy into interactions with works councils
Integrate data privacy into practices for monitoring employees
Integrate data privacy into use of CCTV/video surveillance
Integrate data privacy into use of geo–location (tracking and or location) devices
Integrate data privacy into delegate access to employees' company e–mail accounts (e.g. vacation, LOA,
termination)
Integrate data privacy into e–discovery practices
Integrate data privacy into conducting internal investigations
Integrate data privacy into practices for disclosure to and for law enforcement purposes
Integrate data privacy into research practices (e.g., scientific and historical research) 21, 89
5. Maintain Conduct privacy training 39
Training and Conduct privacy training reflecting job specific content
Awareness Conduct regular refresher training
Program Incorporate data privacy into operational training, such as HR, security, call centre
Deliver training/awareness in response to timely issues/topics
Deliver a privacy newsletter, or incorporate privacy into existing corporate communications
Provide a repository of privacy information, e.g., an internal data privacy intranet
Maintain privacy awareness material (e.g. posters and videos)
Conduct privacy awareness events (e.g., an annual data privacy day/week)
Measure participation in data privacy training activities (e.g. numbers of participants, scoring)
Enforce the Requirement to Complete Privacy Training
Provide ongoing education and training for the Privacy Office and/or DPOs
Maintain certification for individuals responsible for data privacy, including continuing professional
education
Integrate data privacy risk into security risk assessments 32
Page | 5
Privacy
Categories
Integrate data privacy into an information security policy 5, 32

Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring) 32
Maintain measures to encrypt personal data 32
Maintain an acceptable use of information resources policy
6. Manage Maintain procedures to restrict access to personal data (e.g. role–based access, segregation of duties) 32
Information Integrate data privacy into a corporate security policy (protection of physical premises and hard assets)
Security Risk Maintain human resource security measures (e.g. pre–screening, performance appraisals)
Maintain backup and business continuity plans
Maintain a data–loss prevention strategy
Conduct regular testing of data security posture 32
Maintain a security certification (e.g., ISO)
7. Manage Maintain data privacy requirements for third parties (e.g., clients, vendors, processors, affiliates) 28, 32
Third–Party Maintain procedures to execute contracts or agreements with all processors 28, 29
Risk Conduct due diligence around the data privacy and security posture of potential vendors/processors 28
Conduct due diligence on third party data sources
Maintain a vendor data privacy risk assessment process
Maintain a policy governing use of cloud providers
Maintain procedures to address instances of non–compliance with contracts and agreements
Conduct ongoing due diligence around the data privacy and security posture of vendors/processors
Review long–term contracts for new or evolving data privacy risks
8. Maintain Maintain a data privacy notice that details the organization’s personal data handling practices 8, 13, 14
Notices Provide data privacy notice at all points where personal data is collected 13, 14, 21
Provide notice by means of on–location signage, posters
Provide notice in marketing communications (e.g. emails, flyers, offers)
Provide notice in contracts and terms
Maintain scripts for use by employees to explain or provide the data privacy notice
Maintain a privacy Seal or Trustmark to increase customer trust
9. Respond to Maintain procedures to address complaints
Requests and Maintain procedures to respond to requests for access to personal data 15
Page | 6
Privacy
Categories
Complaints Maintain procedures to respond to requests and/or provide a mechanism for individuals to update or 16, 19
from correct their personal data
Individuals Maintain procedures to respond to requests to opt–out of, restrict or object to processing 7, 18, 21
Maintain procedures to respond to requests for information
Maintain procedures to respond to requests for data portability 20
Maintain procedures to respond to requests to be forgotten or for erasure of data 17, 19
Maintain Frequently Asked Questions to respond to queries from individuals
Investigate root causes of data protection complaints
Monitor and report metrics for data privacy complaints (e.g. number, root cause)
10. Monitor Integrate Privacy by Design into system and product development 25
for New Maintain PIA/DPIA guidelines and templates 35
Operational Conduct PIAs/DPIAs for new programs, systems, processes 5, 6, 25, 35
Practices Conduct PIAs or DPIAs for changes to existing programs, systems, or processes 5, 6, 25, 35
Engage external stakeholders (e.g., individuals, privacy advocates) as part of the PIA/DPIA process 35
Track and address data protection issues identified during PIAs/DPIAs 35
Report PIA/DPIA analysis and results to regulators (where required) and external stakeholders (if 36
appropriate)
11. Maintain Maintain a data privacy incident/breach response plan 33, 34
Data Privacy Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law 12, 33, 34
Breach enforcement) protocol
Management Maintain a log to track data privacy incidents/breaches 33
Program Monitor and Report data privacy incident/breach metrics (e.g. nature of breach, risk, root cause)
Conduct periodic testing of data privacy incident/breach plan
Engage a breach response remediation provider
Engage a forensic investigation team
Obtain data privacy breach insurance coverage
12. Monitor Conduct self–assessments of privacy management 25, 39
Data Handling Conduct Internal Audits of the privacy program (i.e., operational audit of the Privacy Office)
Practices Conduct ad–hoc walk-throughs
Page | 7
Privacy
Categories
Conduct ad–hoc assessments based on external events, such as complaints/breaches

Engage a third–party to conduct audits/assessments
Monitor and report privacy management metrics
Maintain documentation as evidence to demonstrate compliance and/or accountability 5, 24
Maintain certifications, accreditations, or data protection seals for demonstrating compliance to
regulators
13. Track Identify ongoing privacy compliance requirements, e.g., law, case law, codes, etc. 39
External Maintain subscriptions to compliance reporting service/law firm updates to stay informed of new
Criteria developments
Attend/participate in privacy conferences, industry associations, or think–tank events
Record/report on the tracking of new laws, regulations, amendments or other rule sources
Seek legal opinions regarding recent developments in law
Document decisions around new requirements, including their implementation or any rationale behind
decisions not to implement changes
Identify and manage conflicts in law
Page | 8
Part 2 – Accountability Roadmap for Demonstrable GDPR Compliance – Detailed Mapping of Nymity’s Privacy Management
Framework mapped to the Articles in the GDPR that Require Evidence to Demonstrate Compliance
Explanation of the Accountability Roadmap Table:
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
Identifies the A list of privacy A list of GDPR A brief annotation explaining the A description of how the privacy management
Privacy management activities in Article(s) that meaning and impact of the Article. activity may help organisations demonstrate
Management the NT Privacy require compliance with the obligations set out in the
Category in Management Accountability evidence to related Article(s) and a list of sample evidence to
the NT Framework. “Mandatory” demonstrate demonstrate compliance.
Framework privacy management compliance,
e.g. Maintain activities are highlighted mapped to the
Governance and represent those specific privacy
Structure activities that that once management
implemented may help: activity.
1. Achieve ongoing
compliance with the
GDPR
2. Produce
documentation that
will help demonstrate
compliance
In some cases the privacy

management activity may
not be applicable for your
organisation.
The merged columns are not shaded and identify privacy management activities that, while not considered
mandatory for demonstrating compliance with the GDPR, if implemented, may produce additional
documentation to help demonstrate compliance.
Page | 9
1. Maintain Assign Responsibility for 27 Article 27 – Representatives of This privacy management activity addresses how
Governance data privacy to an controllers or processors not organisations assign responsibility for the
Structure individual (e.g. Privacy established in the Union operational aspects of a privacy programme to
Officer, Privacy Counsel, an individual.
CPO, Representative) This Article states that in cases Example evidence to demonstrate compliance:
where a non–EU data controller or
data processor is offering goods or 1. Written mandate for the Representative
services (paid or free) to EU data to act on behalf of the controller or
subjects, or is monitoring the processor; or
behaviour of data subjects within the 2. Evidence of communication of the
EU, the data controller or Representative, e.g. within a privacy
processor must designate in notice or via a website.
writing a representative in the
EU. Exceptions apply.
Engage senior management While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
in data privacy (e.g. at the management activity may produce additional documentation to help demonstrate compliance with:
Board of Directors,  Article 5 – Principles relating to processing of personal data.
Executive Committee)
Appoint a Data Protection 37, 38 Article 37 – Designation of the data This privacy management activity addresses the
Officer/Official (DPO) in an protection officer appointment of a Data Protection Officer,
independent oversight role including assignment of tasks. In order to
This Article provides that the data achieve GDPR compliance, the assignment of
controller or the data processor shall responsibility for privacy includes the broader
designate a data protection officer organisation, guaranteeing the independence of
("DPO") in three circumstances. If the office, funding and resourcing the office,
they: addressing the resolution of conflicts of interest,
and stressing the DPO’s responsibility for
1. Are a public sector body; oversight of all processing activities.
Page | 10
2. Are a body which processes
large amounts of special
data (Articles 9 & 10); or
3. Undertake large scale,
regular & systematic.
Additionally the appointment may Example evidence to demonstrate compliance:

be required by specific Union or
Member State law. The DPO must 1. Privacy notice including the DPO’s
have expert knowledge of data contact details;
protection law. They may be an 2. Evidence that the DPO’s contact details
employee or third party under have been communicated to the
contract. Their contact details must Supervisory Authority;
be published and given to the 3. Evidence of DPO qualifications, e.g. CV,
Supervisory Authority. Certifications;
4.An organisational chart showing the
Article 38 – Position of the data DPO reports to the highest level of
protection officer management;
This Article positions the DPO within 5.A job description or mandate for the
the organisation, requiring DPO role; and
involvement in all issues relating to 6.Budget and resources allocated for the
processing personal data, with DPO role.
sufficient resources, acting in an
independent manner, and with
direct reporting to the highest
management level. They shall
also be available to be contacted by
data subjects.
Assign responsibility for While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
data privacy throughout the management activity may produce additional documentation to help demonstrate compliance with:
organisation (e.g. Privacy  Article 5 – Principles relating to processing of personal data.
Network)  Article 24 – Responsibility of the controller
Page | 11
Maintain roles and 39 Article 39 – Tasks of the data This privacy management activity addresses
responsibilities for protection officer defining the privacy roles in an organisation
individuals responsible for through job descriptions, by contract or other
data privacy (e.g. Job This Article sets out the tasks of the methods.
descriptions) DPO: advise the Controller or
Processor and its employees of data A job description or mandate for the DPO role
protection obligations; monitor addressing the specific tasks set out by Article
compliance, including assigning 39.
responsibilities, training and audits;
advising on & monitoring DP impact
assessments; cooperating and
contacting the supervisory authority
as required; and reviewing
processing risk.
Conduct regular 38 Article 38 – Position of the data This privacy management activity addresses how
communication between protection officer individuals who are accountable and responsible
the privacy office, privacy for data privacy regularly communicate with
network and others Article 38 positions the DPO within each other. This communication is essential for
responsible/accountable the organisation, requiring the DPO to be involved in all issues relating to
for data privacy involvement in all issues relating to the processing of personal data.
processing personal data, with
sufficient resources, acting in an Example evidence to demonstrate compliance:
independent manner, and with
direct reporting to the highest 1. Provide evidence of regular communication
management level. They shall between the DPO and stakeholders in the
also be available to be contacted by privacy office and throughout the
data subjects. organisation;
2. Meeting agendas and minutes;
3. Membership on committees, boards or
working groups; or
4. Workflows or procedures indicating the
requirement for DPO involvement in certain
Page | 12
processing activities (e.g. DPIAs, vendor
selection, complaints).
Engage stakeholders While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
throughout the management activity may produce additional documentation to help demonstrate compliance with:
organisation on data  Article 5 – Principles relating to processing of personal data
privacy matters (e.g.,  Article 24 – Responsibility of the controller
information security,
marketing, etc.)
Report to internal While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
stakeholders on the status management activity may produce additional documentation to help demonstrate compliance with:
of privacy management  Article 5 – Principles relating to processing of personal data
(e.g. board of directors,  Article 24 – Responsibility of the controller
management)
Report to external While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
stakeholders on the status management activity may produce additional documentation to help demonstrate compliance with:
of privacy management  Article 5 – Principles relating to processing of personal data
(e.g., regulators, third-  Article 24 – Responsibility of the controller
parties, clients)
Conduct an Enterprise 24, 39 Article 24 – Responsibility of the This privacy management activity enables the
Privacy Risk Assessment controller privacy office to identify issues and risks and
determine, based on the likelihood and impact,
This Article requires the data where to prioritise resources to mitigate the
controller to implement appropriate risks.
technical and organisational
measures to ensure and be able to Note that this privacy management activity
demonstrate compliance with the refers to high level risk assessments, not project
GDPR. or initiative based risk assessments which are
addressed in privacy management category 10.
The appropriateness of these Monitor for New Operational Practices.
measures is based on a risk
assessment that takes into account Example evidence to demonstrate compliance:
the nature, scope, context, and
Page | 13
purposes of the processing as well as
the risks of varying likelihood and 1. Enterprise Risk Assessment which
severity for the rights and freedoms includes data privacy; or
of individuals. There is a specific 2. Privacy Risk Assessment and mitigation
reference that, where proportionate plan.
in relation to the processing
activities, data protection policies
shall be implemented.
Article 39 – Tasks of the data

protection officer
This Article sets out the tasks of the

DPO including having due regard to
the risk associated with processing
operations, taking into account the
nature, scope, context, and purposes
of processing.
Integrate data privacy into While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
business risk management activity may produce additional documentation to help demonstrate compliance with:
assessments/reporting  Article 5 – Principles relating to processing of personal data
 Article 39 – Tasks of the data protection officer (requiring the DPO to take into consideration the
risks associated with processing operations in the performance of his or her tasks)
Maintain a privacy strategy While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
management activity may produce additional documentation to help demonstrate compliance with:
 Article 5 – Principles relating to processing of personal data
Maintain a privacy While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
charter/mission statement management activity may produce additional documentation to help demonstrate compliance with:
Require employees to While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
acknowledge and agree to management activity may produce additional documentation to help demonstrate compliance with:
Page | 14
adhere to the data privacy  Article 24 – Responsibility of the controller
policies
2.Maintain Maintain an inventory of 30 The obligation applies to both This privacy management activity will help the
Personal Data personal data holdings controllers and processors. privacy office develop an inventory of processing
Inventory and (what personal data is held activities that addresses the information
Data Transfer and where) Article 30 – Records of processing required to be maintained.
Mechanisms activities
1. A listing of categories of data and data
This Article sets out a detailed list of subjects, the purposes for which the
information that must be maintained data was collected, categories of
as records of processing activities recipients and the country they are
carried out by and on behalf of the located in, retention periods, and other
controller, as well as the details set out in Article 30.
requirement to make the records
available to data subjects and
Supervisory Authorities upon
request.
Exceptions apply.
Classify personal data While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
holdings by type (e.g. management activity may produce additional documentation to help demonstrate compliance with:
sensitive, confidential,  Article 9 – Processing of special categories of personal data
public)
Obtain regulator approval
for data processing (where
prior approval is required)
Register databases with
regulators (where
registration is required)
Maintain flow charts for While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
data flows (e.g. between management activity may produce additional documentation to help demonstrate compliance with:
systems, between  Article 46 – Transfers subject to appropriate safeguards
Page | 15
processes, between
countries)
Maintain records of the 45, 46, 49 Article 45 – Transfers on the basis of This privacy management activity supports the
transfer mechanism used an adequacy decision privacy office managing international data flows
for cross-border data flows and tracking their use of cross–border transfer
(e.g., standard contractual This Article provides that personal mechanisms.
clauses, binding corporate data may not be transferred to a
rules, approvals from third country or international Example evidence to demonstrate compliance:
regulators) organisation without a specific
authorization where the Commission 1. A personal data inventory which
has decided the country or identifies international data transfers
organisation ensures an adequate and indicates the basis for each
level of protection. transfer; or
2. Evidence of the assessment of non–
Exceptions apply. adequate third countries prior to a
transfer.
Article 46 – Transfers subject to
appropriate safeguards.
This Article states that in cases

where a third country has not been
assessed as providing an adequate
level of data protection by the
Commission, the data controller or
processor may transfer personal
data to a third country provided
there are appropriate safeguards in
place, enforceable data subject
rights and legal remedies.
Page | 16
Article 49 – Derogations for specific
situations
This Article outlines derogations for

specific situations and enumerates
circumstances in which personal
data may be transferred to a third
country even in the absence of an
adequacy decision or other
appropriate safeguards. Examples
include:
 With explicit consent of the

data subject;
 For performance of a
contract or implementation
of pre–contractual
measures;
 For important reasons of
public interest;
 For establishment, exercise
or defence of legal claims;
 In order to protect the vital
interests of a person;
 For transfers made from
public registers in certain
cases; or
 In the compelling legitimate
interests of the data
controller.
Page | 17
Use Binding Corporate 46, 47 Article 46 – Transfers subject to This privacy management activity addresses the
Rules as a data transfer appropriate safeguards implementation, approval and monitoring of
mechanism binding corporate rules, which govern data
This Article states that in cases transfers among members of a corporate group
where a third country has not been and can be used as a legal mechanism for
assessed as providing an adequate international data transfers.
level of data protection by the
European Commission, the data Example evidence to demonstrate compliance:
controller or processor may transfer
personal data to a third country 1. Approved binding corporate rules;
provided there are in place 2. Results of BCR monitoring activities (e.g.
appropriate safeguards including Data Privacy Accountability Scorecard,
binding corporate rules. Audits); or
3. Up to date listing of the scope and
coverage of the BCR.
Article 47 – Binding corporate rules
This Article provides the

requirements for approval of binding
corporate rules as a data transfer
mechanism.
Use contracts as a data 46 Article 46 – Transfers subject to This privacy management activity addresses the
transfer mechanism (e.g., appropriate safeguards. use of Standard Contractual Clauses to facilitate
Standard Contractual the transfer of personal data to a third country.
Clauses) This Article states that in cases
where a third country has not been Example evidence to demonstrate compliance:
level of data protection by the 1. Contracts with data importers/
European Commission, the data exporters that include the Standard
controller or processor may transfer Contractual Clauses.
personal data to a third country
Page | 18
provided there are appropriate
safeguards in place such as standard
data protection clauses.
Use APEC Cross Border
Privacy Rules as a data
transfer mechanism
Use regulator approval as a 46 Article 46 – Transfers subject to This privacy management activity addresses the
data transfer mechanism appropriate safeguards. use of regulator approval to facilitate the
transfer of personal data to a third country.
This Article states that in cases
where a third country has not been Example evidence to demonstrate compliance:
level of data protection by the 1. Decisions of the supervisory authority
European Commission, the data approving the transfer (e.g. approving
controller or processor may transfer contractual safeguards in contracts with
personal data to a third country data importers/ exporters).
provided there are appropriate
safeguards in place such as
authorisation by a Member State or
supervisory authority.
Use adequacy or one of the 45, 48, 49 Article 45 – Transfers on the basis of This privacy management activity addresses
derogations from adequacy an adequacy decision relying on derogations to the requirement to
(e.g. consent, performance send personal data to third countries which
of a contract, public This Article provides that personal provide an “adequate” level of protection for
interest) as a data transfer data may not be transferred to a personal data.
mechanism third country or international
organisation without a specific Example evidence to demonstrate compliance:
authorization where the Commission
has decided the country or 1. A personal data inventory which
organisation ensures an adequate identifies international data transfers
level of protection. and indicates the basis for each
transfer;
Page | 19
Exceptions apply. 2. Consent forms from data subjects,
including an explanation of the possible
Article 48 – Transfers or disclosures risk posed by a lack of appropriate
not authorised by Union law safeguards); and
3. An assessment balancing the legitimate
This Article addresses when data interests of the data controller against
controllers or processors may rely on the rights and freedoms of the data
a court judgment or tribunal decision subjects.
in order to transfer personal data to
a third country.
Article 49 – Derogations for specific

situations
This Article enumerates derogations

for specific situations that may
support the transfer of personal data
to a third country even in the
absence of an adequacy decision or
other appropriate safeguards.
Among others, examples of
derogations include explicit consent
of the data subject or for the
performance of a contract.
Use the EU-US Privacy 46 Article 46 – Transfers subject to This privacy management activity addresses the
Shield as a data transfer appropriate safeguards requirements for using the EU–US Privacy Shield
mechanism (if ratified) as a data transfer mechanism.
This article states that in cases
where a third country has not been Sample evidence to demonstrate compliance:
level of data protection by the 1. Maintain a privacy policy that
European Commission, the data explicitly refers to the Privacy Shield,
Page | 20
controllers or processor may transfer contains the relevant contact details
personal data to a third country and refer to an independent recourse
provided there are in place mechanism; or
appropriate safeguards, enforceable 2. Ensure annual renewal of the self–
data subject rights and legal certification to the Privacy Shield
remedies. principles.
3.Maintain Maintain a data privacy 5, 24, 91 Article 5 – Principles relating to This privacy management helps the organisation
Internal Data policy processing of personal data create and maintain an organisational–level
Privacy Policy This Article sets out the general privacy policy to provide guidance to employees
principles that all processing regarding the processing and protection of
activities must abide by, including: personal data to ensure that such processing
aligns with the obligations of the GDPR.
 Lawfulness, fairness and
transparency; Where relevant (Article 91) it will also address
 Purpose limitation; specific data processing obligations that apply to
 Data minimisation; organisations such as churches and other
 Accuracy; religious associations.
 Storage or retention
limitation; Example evidence to demonstrate compliance:
 Integrity and confidentiality;
and
 Accountability. 1. Privacy policy setting out how the
organisation processes personal data;
and
The accountability principle states
2. Where applicable, a copy of the church
that data controllers are responsible
or religious association’s data
for and able to demonstrate
protection rules or policy.
compliance with the data processing
principles.
One of the most notable changes

from obligations under the Directive
Page | 21
is the explicit requirement to make
organisations more accountable for
their data practices.
Article 24 – Responsibility of the

controller
This Article requires the data

controller to implement appropriate
measures to ensure and be able to
demonstrate compliance with the
GDPR.
The appropriateness of these

measures is based on a risk
assessment that takes into account
the nature, scope, context, and
purposes of the processing as well as
the risks of varying likelihood and
severity for the rights and freedoms
of individuals. There is a specific
reference that, where proportionate
in relation to the processing
activities, data protection policies
shall be implemented.
Article 91 – Existing data protection

rules of churches and religious
associations
Page | 22
This Article provides that churches

and religious associations and
communities that apply
comprehensive rules relating to
processing personal data may
continue to apply such rules,
provided the rules are brought in
line with the GDPR.
Maintain an employee data While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
privacy policy management activity may produce additional documentation to help demonstrate compliance with:
 Article 13 – Information to be provided where personal data are collected from the data subject
 Article 14 – Information to be provided where personal data have not been obtained from the
data subject
Document legal basis for 6, 9, 10 Article 6 – Lawfulness of processing This privacy management activity addresses how
processing personal data the organisation determines the legal basis on
This Article provides legal grounds which processing takes place and ensuring a
on which personal data can be record of this analysis.
processed, as well as how to
determine when further processing Example evidence to demonstrate compliance:
is compatible with the original
purposes for processing. 1. Log for recording the legal basis for
processing personal data, including where
Article 9 – Processing of special applicable a detailed log of the provided
categories of personal data unambiguous consent; or
2. Results from DPIAs showing how
This article sets out a general determinations were made balancing the
prohibition on the processing of legitimate interests of the data controller
sensitive data, followed by legal against the interests or fundamental rights
grounds on which sensitive personal and freedoms of data subjects.
data can be processed.
Page | 23
Article 10 – Processing of personal
data relating to criminal convictions
and offences
This Article provides the legal basis

upon which personal data relating to
criminal convictions and offences
may be processed.
Integrate ethics into data While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
processing (Codes of management activity may produce additional documentation to help demonstrate compliance with:
Conduct, policies and other  Article 6 – Lawfulness of processing
measures)
Maintain an organizational While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
code of conduct that management activity may produce additional documentation to help demonstrate compliance with:
includes privacy  Article 5 – Principles relating to processing of personal data
4.Embed Data Maintain 9 Article 9 – Processing of special This privacy management activity helps the
Privacy Into policies/procedures for categories of personal data organisation put in place in place policies and
Operations collection and use of procedures to ensure that that special categories
sensitive personal data This Article sets out a general of personal data are processed only in
(including biometric data) prohibition on the processing of accordance with the legal grounds set out in
special categories of data, followed Article 9.
by legal grounds on which this data
can be processed. Special categories Example evidence to demonstrate compliance:
of data include: racial or ethnic 1. Organisational policy on handling
origin; political opinions; religious or special categories of personal data;
philosophical beliefs; trade–union 2. Sample data classification guides;
membership; genetic data; biometric 3. Consent forms/evidence of explicit
data; data concerning health or sex consent;
life; and sexual orientation. 4. Collective agreements that set out
processing of sensitive data of
employees;
Page | 24
5. Details or proof that special categories
of personal data were obtained from a
publicly available source; or
6. Privacy policy language covering the
processing of special categories of
personal data.
Maintain 8, 12 Article 8 – Conditions applicable to This privacy management activity helps the
policies/procedures for child’s consent in relation to organisation put in place certain policies and
collection and use of information society services procedures to ensure that consent is given or
children and minors’ This article states that where the authorised by the holder of parental
personal data legal basis of consent is being relied responsibility over the child when information
on in relation to offering information services are offered directly to a child.
society services to minors under the
age of 16 (or to younger children not Example evidence to demonstrate compliance:
younger than 13, if the age threshold
is lowered by Member State law), 1. Policy for obtaining parental consent; or
verifiable parental consent must be 2. Evidence of technological method used
obtained. to obtain parental consent.
Article 12 – Transparent
information, communication and
modalities for the exercise of the
rights of the data subject
This Article requires that when data

controllers are providing information
to data subjects, whether through
privacy notices, in communications
regarding access, rectification,
correction, and objection rights, or
as part of breach notifications, the
communication must be in a concise,
Page | 25
transparent, intelligible, and easily
accessible form, use clear and plain
language.
Maintain 5 Article 5 – Principles relating to This privacy management activity relates to
policies/procedures for processing of personal data putting in place policies and procedures to
maintaining data quality ensure data is accurate and, where necessary,
This Article sets out the general kept up–to–date, and for data that is inaccurate
principles that all processing in light of the purposes for which they are
activities must abide by, including: processed, the data is erased or rectified.
 Lawfulness, fairness and Example evidence to demonstrate compliance:

transparency;
Refer to example evidence under the following
 Purpose limitation; Articles:
 Data minimisation;
 Accuracy;
 Lawfulness – see Articles 6, 9 and 10;
 Transparency – see Articles 13 and 14;
limitation; and
 Purpose limitation – see Article 6;
 Integrity and confidentiality.
 Integrity and confidentiality – see Article
32;
 Accountability – see Article 24.
Maintain policies/ 89 Article 89 – Safeguards and This privacy management activity addresses how
procedures for the de- derogations relating to processing organisations put in place a specific technical
identification of personal for archiving purposes in the public and organisational measure to ensure respect
data interest, scientific or historical for the principle of data minimisation.
research purposes or statistical
purposes
This Article provides that processing

for archiving purposes in the public Example evidence to demonstrate compliance:
interest, or for scientific or historical
research, or for statistical purposes
Page | 26
is subject to appropriate safeguards,
including data minimisation. Thus, 1. Policies and procedures around data
processing should use minimisation, pseudonymisation, or
pseudonymised or anonymised data anonymisation of data;
to the extent possible. 2. Research Ethics Board approvals that
address data minimisation and privacy
protections; and
3. Technical solutions that result in the
pseudonymisation or anonymisation of
personal data.
Maintain policies/ 12, 22 Article 22 – Automated individual This privacy management activity supports
procedures to review decision–making, including profiling determining whether processing activities are
processing conducted captured by the restriction on automated
wholly or partially by This Article addresses the right of decision–making and presents options for
automated means data subjects to not be subject to a achieving compliance. As part of this activity,
decision based solely on automated data controllers must implement measures to
processing, where such decision safeguard the data subject's rights and freedoms
would have a legal or significant and legitimate interests. These measures (e.g.,
effect concerning him or her. providing a right to express a point of view and
contest the decision) would need to adhere to
Article 12 – Transparent Article 12's requirements around clarity of
information, communication and communication, time frames and appropriate
modalities for the exercise of the responses.
rights of the data subject
Example evidence to demonstrate compliance:
This Article requires that when data
controllers are providing information 1. Policy or procedures related to
to data subjects, whether through automated decision–making;
privacy notices, in communications 2. Data inventory identifying automated
regarding access, rectification, processing and stating a legal basis for
correction, and objection rights, or such processing; and
as part of breach notifications, the
Page | 27
communication must be in a concise, 3. Evidence of a manual
transparent, intelligible and easily intervention/human check in decision
accessible form, use clear and plain making processes.
language.
Maintain 6, 13, 14 Article 6 – Lawfulness of processing This privacy management activity addresses
policies/procedures for having policies and procedures that define how
secondary uses of personal This Article provides for the legal to handle situations when the organisation
data grounds upon which personal data wishes to use personal data beyond the primary
can be processed, as well as how to purpose.
determine when further processing
is compatible with the original Secondary uses of data must be disclosed in
purposes for processing. information notices under Article 13 and 14.
Article 13 – Information to be Example evidence to demonstrate compliance:

provided where personal data are
collected from the data subject 1. Log for recording the legal basis for
processing personal data.
This Article provides that where
personal data relating to data
subjects are collected, controllers
must provide certain minimum
information to those data subjects
through an information notice. It
also sets out requirements for timing
of the notice and identifies when
exemptions may apply.
Article 14 – Information to be
provided where personal data have
not been obtained from the data
subjects
Page | 28
This Article specifies what
information is required to be
provided to data subjects when that
information is not obtained by the
controller.
Maintain 6, 7, 8 Article 6 – Lawfulness of processing This privacy management activity addresses the
policies/procedures for different components that makes consent valid
obtaining valid consent This Article provides legal grounds (e.g., freely given, specific and unambiguous)
on which personal data can be and how to update consent forms and
processed including the data subject mechanisms to ensure GDPR compliance.
has given consent to the processing
of his or her personal data for one or Example evidence to demonstrate compliance:
more specific purposes.
1. Evidence that web forms used opt–in
Article 7 – Conditions for Consent consent check boxes or buttons;
2. Copies of signed consent forms (written or
This Article sets out the standard for electronic); or
consent when relying on consent as 3. Call–centre recordings.
a legal basis for processing personal
data (demonstrable consent) and
sensitive personal data (explicit
consent).
Article 8 – Conditions applicable to

child's consent in relation to
information society services
This Article provides that where the

legal basis of consent is being relied
on in relation to offering information
society services to minors under the
age of 16 (or to younger children not
Page | 29
is lowered by Member State law),
verifiable parental consent must be
obtained.
Maintain While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
policies/procedures for management activity may produce additional documentation to help demonstrate compliance with:
secure destruction of  Article 32 – Security of processing
personal data
use of cookies and tracking management activity may produce additional documentation to help demonstrate compliance with:
mechanisms  Article 21– Right to object
Integrate data privacy into 5 Article 5 – Principles relating to This privacy management activity helps the
records retention practices processing of personal data organisation embed data privacy into the
records retention policy and procedure to ensure
This Article sets out the general proper storage of personal data. It helps
principles that all processing organisations put in place policies and
activities must abide by, including: procedures to ensure data is not kept in a form
that permits identification of data subjects for
 Lawfulness, fairness and longer than is necessary for the purposes for
transparency; which it was processed unless the data is being
 Purpose limitation; archived for public interest, scientific, statistical,
 Data minimisation; or historical purposes.
 Accuracy; Example evidence to demonstrate compliance:
limitation; 1. Records retention policy.
and
 Accountability.
Integrate data privacy into Article 21 – Right to object This privacy management activity addresses the
direct marketing practices policies/ procedures that organisations put in
place to ensure that the right of the data subject
Page | 30
This Article addresses the right of to object to direct marketing are honoured in an
data subjects to object to the organisation’s practices respecting direct
processing of his or her personal marketing.
data. The grounds for objecting must
relate to the particular situation of Example evidence to demonstrate compliance:
the data subject and the right to
object only applies to processing, 1. Internal guidance for analysing and
including profiling, that is for: responding to data subject objections to
processing.
 Performance of a task
carried out in the public
interest or in the exercise of
official authority vested in
the data controller;
 Purposes of the legitimate
interests pursued by the
data controller or a third
party;
 Direct marketing purposes;
or
 Scientific or historical
research or
statistical purposes.
e-mail marketing practices management activity may produce additional documentation to help demonstrate compliance with:
 Article 21 – Right to object
telemarketing practices management activity may produce additional documentation to help demonstrate compliance with:
Page | 31
digital advertising practices management activity may produce additional documentation to help demonstrate compliance with:
(e.g., online, mobile)  Article 21 – Right to object
hiring practices management activity may produce additional documentation to help demonstrate compliance with:
 Article 9 – Processing of special categories of personal data
 Article 10 – Processing of personal data relating to criminal convictions and offences
Integrate data privacy into 8 Article 8 – Conditions applicable to This privacy management activity addresses how
the organization’s use of child's consent in relation to the organisation uses social media to collect and
social media practices information society services disseminate information. Policies around social
network use may address the collection and
This Article provides that where the processing of personal data for children and
legal basis of consent is being relied minors to ensure such collection and processing
on in relation to offering information adheres to the GDPR requirement that such
society services to minors under the consent be obtained by the holder of parental
age of 16 (or to younger children not responsibility over the child.
is lowered by Member State law), Example evidence to demonstrate compliance:
consent must be obtained by the
holder of parental responsibility over 1. Online Privacy and Data Use Policy;
the child. 2. Policy for obtaining and documenting
parental consent;
3. Social Media Privacy and Confidentiality
Policy; or
4. Guidelines for authorized social media
users.
Bring Your Own Device management activity may produce additional documentation to help demonstrate compliance with:
(BYOD) policies/procedures  Article 5 – Principles relating to processing of personal data
 Article 32 – Security of processing
Page | 32
health & safety practices management activity may produce additional documentation to help demonstrate compliance with:
practices for monitoring management activity may produce additional documentation to help demonstrate compliance with:
employees  Article 6 – Lawfulness of processing
use of CCTV/video management activity may produce additional documentation to help demonstrate compliance with:
surveillance  Article 6 – Lawfulness of processing
use of geo-location management activity may produce additional documentation to help demonstrate compliance with:
(tracking and or location)  Article 6 – Lawfulness of processing
devices  Article 21 – Right to object
delegated access to management activity may produce additional documentation to help demonstrate compliance with:
employees' company e-mail  Article 6 – Lawfulness of processing
accounts (e.g. vacation,  Article 21 – Right to object
LOA, termination)
e-discovery practices management activity may produce additional documentation to help demonstrate compliance with:
 Article 6 – Lawfulness of processing
conducting internal management activity may produce additional documentation to help demonstrate compliance with:
investigations  Article 6 – Lawfulness of processing
practices for disclosure to management activity may produce additional documentation to help demonstrate compliance with:
 Article 6 – Lawfulness of processing
Page | 33
and for law enforcement  Article 21 – Right to object
purposes
Integrate data privacy into 21, 89 Article 21 – Right to object This privacy management activity generally deals
research practices (e.g., with how an organization maintains procedures
scientific and historical This Article addresses the right of for research practices including processes to
research) data subjects to object to the obtain personal data for research purposes,
processing of his or her personal ensuring valid consents are obtained, de–
data. The grounds for objecting must identifying data where possible, and taking
relate to the particular situation of measures to ensure that research data
the data subject and the right to maintained for scientific, historical or statistical
object only applies to processing, research is safeguarded against improper use.
including profiling that is for
scientific or historical research or
statistical purposes.
Article 89 – Safeguards and

derogations relating to processing
for archiving purposes in the public
interest, scientific or historical
research purposes or statistical
purposes
This Article provides that processing

for archiving purposes in the public
interest, or for scientific or historical
research, or for statistical purposes
is subject to appropriate safeguards,
including data minimisation. Thus,
processing should use
pseudonymised or anonymised data
to the extent possible.
Page | 34
5. Maintain Conduct privacy training 39 Article 39 –Tasks of the data This privacy management addresses the need for
Training and protection officer the DPO to provide awareness–raising and
Awareness training of staff involved in processing
Program This Article sets out the tasks of the operations and implementing such activities
DPO which include the obligation to would produce documentation that could serve
provide awareness–raising and as evidence of compliance with this
training of staff involved in requirement.
processing operations.
1. Documentation showing the content

and delivery of a training and
awareness programme.
Conduct privacy training While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
reflecting job specific management activity may produce additional documentation to help demonstrate compliance with:
content  Article 39 – Tasks of the data protection officer (requiring the DPO to raise awareness and provide
training to staff involved in processing operations)
Conduct regular refresher While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
training management activity may produce additional documentation to help demonstrate compliance with:
 Article 39 – Tasks of the data protection officer (requiring the DPO to raise awareness and provide
Incorporate data privacy While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
into operational training, management activity may produce additional documentation to help demonstrate compliance with:
such as HR, security, call  Article 39 – Tasks of the data protection officer (requiring the DPO to raise awareness and provide
centre training to staff involved in processing operations)
Deliver training/awareness While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
in response to timely management activity may produce additional documentation to help demonstrate compliance with:
issues/topics  Article 39 – Tasks of the data protection officer (requiring the DPO to raise awareness and provide
Deliver a privacy While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
newsletter, or incorporate management activity may produce additional documentation to help demonstrate compliance with:
Page | 35
privacy into existing  Article 39 – Tasks of the data protection officer (requiring the DPO to raise awareness and to staff
corporate communications involved in processing operations)
Provide a repository of While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
privacy information, e.g., an management activity may produce additional documentation to help demonstrate compliance with:
internal data privacy  Article 39 – Tasks of the data protection officer (requiring the DPO to raise awareness and to staff
intranet involved in processing operations)
Maintain privacy awareness While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
material (e.g. posters and management activity may produce additional documentation to help demonstrate compliance with:
videos)  Article 39 – Tasks of the data protection officer (requiring the DPO to raise awareness and to staff
involved in processing operations)
Measure participation in While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
data privacy training management activity may produce additional documentation to help demonstrate compliance with:
activities (e.g. numbers of  Article 39 – Tasks of the data protection officer (requiring the DPO to raise awareness and to staff
participants, scoring) involved in processing operations)
Enforce the Requirement to While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
Complete Privacy Training management activity may produce additional documentation to help demonstrate compliance with:
 Article 39 – Tasks of the data protection officer (requiring the DPO to raise awareness and to staff
Provide ongoing education While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
and training for the Privacy management activity may produce additional documentation to help demonstrate compliance with:
Office and/or DPOs)  Article 39 – Tasks of the data protection officer (requiring the DPO to raise awareness and to staff
Maintain certification for While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
individuals responsible for management activity may produce additional documentation to help demonstrate compliance with:
data privacy, including  Article 39 – Tasks of the data protection officer (requiring the DPO to raise awareness and to staff
continuing professional involved in processing operations)
education
6. Manage Integrate data privacy risk 32 Article 32 – Security of processing This privacy management activity addresses the
Information into security risk role of the privacy officer in ensuring privacy and
Security Risk assessments
Page | 36
This Article states that organisations data protection are taken into account as part of
must implement an “appropriate” security risk assessments.
level of security based on the state
of the art and costs of Example evidence to demonstrate compliance:
implementation, processing
activities, and risk of 1. DPIAs or other form or security risk
varying likelihood and severity to assessment that demonstrates
individuals' rights and freedoms. measures were based on an
assessment of risk.
Integrate data privacy into 5, 32 Article 5 – Principles relating to This privacy management activity helps the
an information security processing of personal data privacy office insert privacy and data protection
policy consideration into the information security
This Article sets out the general policy.
principles that all processing
activities must abide by, including:
transparency; 1. Information security programme
 Purpose limitation; policies and procedures; or
 Data minimisation; 2. Details of security measures that are in
 Accuracy; place.
limitation;
and
 Accountability.
Article 32 – Security of processing
This Article states that organisations

must implement an “appropriate”
Page | 37
level of security based on the state
of the art and costs of
activities, and risk of
varying likelihood and severity to
individuals' rights and freedoms.
Maintain technical security 32 Article 32 – Security of processing This privacy management activity helps the
measures (e.g. intrusion privacy office assess what technical security
detection, firewalls, The GDPR requires organisations to measures are in place to ensure an appropriate
monitoring) implement an “appropriate” level of level of security based on the considerations set
security based on the state of the art out in Article 32.
and costs of
implementation, processing Example evidence to demonstrate compliance:
varying likelihood and severity to 1. Details of security measures that are in
individuals' rights and freedoms. place; or
Examples are provided of measures 2. Policy on review and update of
that might be appropriate depending technical security measures.
on the level of risk including regular
tests of the effectiveness of security
measures.
Maintain measures to 32 Article 32 – Security of processing This privacy management activity helps the
encrypt personal data privacy office put in place encryption practices as
The GDPR requires organisations to an appropriate technical and organisational
implement an “appropriate” level of measure to ensure an appropriate level of
security based on the state of the art security.
and costs of
varying likelihood and severity to
individuals' rights and freedoms.
Examples are provided of measures
Page | 38
.
that might be appropriate depending
on the level of risk including
encryption (32.1.a)
Maintain an acceptable use While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this
of information resources privacy management activity may produce additional documentation to help demonstrate compliance with:
policy  Article 32 – Security of processing
Maintain procedures to 32 Article 32 – Security of processing This privacy management activity helps the
restrict access to personal organisation address how organisations restrict
data (e.g. role-based The GDPR requires organisations to access to personal data to those employees and
access, segregation of implement an “appropriate” level of users who have a legitimate business need to
duties) security based on the state of the art access the data.
and costs of
implementation, processing Example evidence to demonstrate compliance:
varying likelihood and severity to 1. Contracts with employees and
individuals' rights and freedoms. contractors limit the processing of
personal data;
2. Register of employees and contractors
detailing access rights to IT systems and
data; or
3. Audits of access to personal data to
determine if existing procedures are
appropriate based on the purpose for
which the data was collected and the
nature of the access.
Integrate data privacy into a While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
corporate security policy management activity may produce additional documentation to help demonstrate compliance with:
(protection of physical  Article 32 – Security of processing
premises and hard assets)
Maintain human resource While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
security measures (e.g. pre- management activity may produce additional documentation to help demonstrate compliance with:
Page | 39
screening, performance
appraisals)
Maintain backup and While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
business continuity plans management activity may produce additional documentation to help demonstrate compliance with:
Maintain a data-loss While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
prevention strategy management activity may produce additional documentation to help demonstrate compliance with:
Conduct regular testing of 32 Article 32 – Security of processing This privacy management activity helps the
data security posture organisation address the requirement to put in
This Article requires an place a technical or organisational measure to
“appropriate” level of security ensure the security of the processing of personal
including a process for regularly data.
testing, assessing and evaluating the
effectiveness of technical
organisational measures for ensuring
the security of the processing
(32.1.d).
Maintain a security While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
certification (e.g., ISO) management activity may produce additional documentation to help demonstrate compliance with:
7. Manage Maintain data privacy 28, 32 Article 28 – Processor This privacy management activity helps the
Third–Party requirements for third organisation determine what data protection
Risk parties (e.g., clients, This Article creates an obligation on requirements are needed for contracts with
vendors, processors, data controllers to only outsource third–parties who receive and use the personal
affiliates) processing to those entities that data on behalf of the organisation.
have sufficient guarantees to
implement appropriate measures to Example evidence of compliance:
guarantee GDPR compliance and to
have a contract or binding act that 1. Screening questions for potential
governs the relationship. The vendors and other processors;
Page | 40
contents of such a contract are set 2. Privacy and security contractual clauses
out. (inserted data processing agreements);
3. Data protection questionnaire for
The Article also limits the ability of outsourcing personal data processing;
processors to subcontract without 4. Vendor data protection risk assessment
consent of the data controller, and scorecard;
what guarantees need to be in place 5. Contractor data protection
in this arrangement. requirements.
6. Adherence of the processor to an
Article 32 – Security of Processing approved code of conduct or
certification mechanism; or
This Article requires an 7. Agreements with contractors or
“appropriate” level of security vendors that include the standard
and also requires that any person contractual clauses.
with access to personal data only
processes such data in accordance
with instructions from the data
controller.
Maintain procedures to 28, 29 Article 28 – Processor This privacy management activity addresses
execute contracts or steps taken to ensure written or electronic
agreements with all This Article creates an obligation on contracts are in place with processors.
processors data controllers to only outsource
processing to those entities that Example evidence of compliance:
implement appropriate measures to 1. Data processing agreements or
guarantee GDPR compliance and to contracts that show consistency with
have a contract or binding act that legal obligations and privacy risk
governs the relationship. The management activities;
contents of such a contract are set 2. Adherence of the processor to an
out. approved code of conduct or
certification mechanism; or
The Article also limits the ability of
Page | 41
processors to subcontract without 3. Standard contractual clauses between
consent of the data controller, and the controller and processor.
what guarantees need to be in place
in this arrangement.
Article 29 – Processor
This Article indicates that processors
and staff of controllers and
processors must only process
personal data in accordance with
either data controller instructions or
a requirement of Union or Member
State law.
Conduct due diligence 28 Article 28 – Processor This privacy management addresses that
around the data privacy requirement that due diligence is necessary as
and security posture of This Article creates an obligation on part of ensuring that processing is only done by
potential data controllers to only outsource entities with sufficient data protection
vendors/processors processing to those entities that guarantees.
implement appropriate measures to Example evidence of compliance:
guarantee GDPR compliance.
1. Checklist of screening questions for
potential vendors and processors;
2. Vendor privacy questionnaire; or
3. Vendor privacy risk assessment
scorecard.
Conduct due diligence on While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
third party data sources management activity may produce additional documentation to help demonstrate compliance with:
 Article 28 – Processor (requiring data controllers to use only processors providing sufficient
guarantees)
Page | 42
Maintain a vendor data While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
privacy risk assessment management activity may produce additional documentation to help demonstrate compliance with:
process  Article 28 – Processor (requiring data controllers to use only processors providing sufficient
guarantees)
Maintain a policy governing While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
use of cloud providers management activity may produce additional documentation to help demonstrate compliance with:
 Article 28 – Processor (requiring data controllers to use only processors providing sufficient
guarantees)
Maintain procedures to While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
address instances of non– management activity may produce additional documentation to help demonstrate compliance with:
compliance with contracts  Article 28 – Processor (requiring data controllers to use only processors providing sufficient
and agreements guarantees)
Conduct ongoing due While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
diligence around the data management activity may produce additional documentation to help demonstrate compliance with:
privacy and security posture  Article 28 – Processor (requiring data controllers to use only processors providing sufficient
of vendors/processors guarantees)
Review long–term contracts While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
for new or evolving data management activity may produce additional documentation to help demonstrate compliance with:
privacy risks  Article 28 – Processor (requiring data controllers to use only processors providing sufficient
guarantees)
8. Maintain Maintain a data privacy 8, 13, 14 Article 8 provides that where the This privacy management activity ensures that
Notices notice that details the legal basis of consent is being relied controllers put in place policies and procedures
organisation’s personal on in relation to offering information to ensure that the required information is
data handling practices society services to minors under the provided to data subjects when their
age of 16 (or to younger children not information is collected.
is lowered by Member State law), Example evidence to demonstrate compliance:
verifiable parental consent must be
obtained. 1. Copy of the information notice provided
to data subjects; or
Page | 43
Article 13 – Information to be 2. Documentation showing that privacy
provided where personal data are notice is aligned to legal requirements.
collected from the data subject

personal data relating to data
subjects are collected, controllers
must provide certain minimum
Article 14 – Controllers obligations

to provide notice where personal
data have not been obtained from
the data subject
Article 14 specifies what information
is required to be provided to data
subjects when that information is
not obtained by the controller.
Provide data privacy notice 13, 14, 21 Article 13 – Information to be This privacy management activity addresses how
at all points where provided where personal data are an organisation provides an opportunity for data
personal data is collected collected from the data subject subjects to review the organisations privacy
notice at the point of data collection.
personal data relating to data Example evidence to demonstrate compliance:
subjects are collected, controllers 1. Details on the placement and timing of
must provide certain minimum the notice.
Page | 44
Article 14 – Controllers obligations

to provide notice where personal
data have not been obtained from
the data subject
Article 14 specifies what information
is required to be provided to data
subjects when that information is
not obtained by the controller.
Article 21 – Right to object

This Article addresses the right of
data subjects to object to the
processing of his or her personal
data.
Provide notice by means of While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
on–location signage, management activity may produce additional documentation to help demonstrate compliance with:
posters  Article 13 – Information to be provided where personal data are collected from the data subject
data subject
Provide notice in marketing While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
communications (e.g. management activity may produce additional documentation to help demonstrate compliance with:
emails, flyers, offers)  Article 13 – Information to be provided where personal data are collected from the data subject
data subject
Provide notice in contracts While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
and terms management activity may produce additional documentation to help demonstrate compliance with:
Page | 45
 Article 13 – Information to be provided where personal data are collected from the data subject
data subject
Maintain scripts for use by While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
employees to explain or management activity may produce additional documentation to help demonstrate compliance with:
provide the data privacy  Article 13 – Information to be provided where personal data are collected from the data subject
notice  Article 14 – Information to be provided where personal data have not been obtained from the
data subject
Maintain a privacy Seal or While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
Trustmark to increase management activity may produce additional documentation to help demonstrate compliance with:
customer trust  Article 13 – Information to be provided where personal data are collected from the data subject
data subject
address complaints management activity may produce additional documentation to help demonstrate compliance with:
 Article 15 – Right of access by the data subject
 Article 16 – Right to rectification
 Article 17 – Right to erasure (‘right to be forgotten’)
 Article 18 – Right to restriction of processing
 Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction
of processing
 Article 20 – Right to data portability
9. Respond to Maintain procedures to 15 Article 15 – Right of access by the This privacy management activity addresses the
Requests and respond to requests for data subject primary process and procedures needed to
Complaints access to personal data ensure that an organisation can respond to
from This Article addresses the right of access requests in a timely and appropriate
Individuals data subjects to: obtain confirmation manner, providing the data held on the data
of whether their personal is being subject. If implanted this activity may
processed, where it is being demonstrate that the right to access is
processed and have access to the understood and provided for.
Page | 46
data. Additionally it lists further Example evidence to demonstrate compliance:
information that should be supplied: 1. Protocol or procedure for responding to
access requests in a timely manner;
 Purpose of processing; 2. Form for the supply of additional data
 Categories of data; required for access requests; or
 Recipients of data; 3. Log of recording access requests.
 Data storage period;
 Rights to rectification &
complaint;
 Source of data;
 Existence of automated
processing, associated logic
and consequences; and
 Safeguards for transfer to
third countries or
international organisations.
Exception may apply (Article 23)

Maintain procedures to 16, 19 Article 16 – Right to rectification This privacy management activity helps put in
respond to requests and/or place mechanisms to ensure that appropriate
provide a mechanism for This Article addresses the right of corrections to records of personal data are made
individuals to update or data subjects to obtain rectification in a timely and effective manner.
correct their personal data of inaccurate data or completion of
incomplete data. Example evidence to demonstrate compliance:
Article 19 – Notification obligation 1. Protocol or procedure for responding to

regarding rectification or erasure of rectification requests in a timely
personal data or restriction of manner.
processing
Page | 47
This Article creates an obligation to
notify each recipient to whom data
has been disclosed of any
rectification, erasure or restriction of
processing. There is also an
obligation to provide information to
the data subject about these
recipients upon request.

Maintain procedures to 7, 18, 21 Article 7 – Conditions for consent Implementing this privacy management activity
respond to requests to will help organisations put in place processes to
opt–out of, restrict or This Article sets out the standard for ensure that records of personal data are used in
object to processing consent when relying on consent as line with any restrictions as well as, including not
a legal basis for processing personal only uses by the data controller but also any
data (demonstrable consent) and restrictions on use by downstream recipients.
sensitive personal data (explicit
consent). Example evidence to demonstrate compliance:
Article 18 – Right to restriction of 1. Policy or procedure for responding to

processing requests to restrict processing of data in
a timely manner; or
This Article addresses the right of a 2. Guidance for analysing and responding
data subject to obtain a restriction to data subject objections to processing
(i.e., marking stored personal data (e.g. operating procedures or technical
for the purpose of limiting their processes).
processing in the future) on the
processing of personal data in cases
such as pending verification of a
legal ground to process or where
accuracy of the data is disputed.
Page | 48
Inc.
Article 21 – Right to object
This Article addresses the right of

data subjects to object to the
processing of his or her personal
data.

respond to requests for management activity may produce additional documentation to help demonstrate compliance with:
information  Article 24 – Responsibility of the controller
Maintain procedures to 20 Article 20 – Right to data portability This privacy management activity addresses the
respond to requests for concept of data portability and how to
data portability This Article provides data subjects operationalise that concept within the
with a right to, in certain organisation.
circumstances, receive personal data
concerning him or her, in a Example evidence to demonstrate compliance:
structured and commonly used and 1. Procedure or technical process for
machine–readable format, and to handling data portability requests.
transmit such data to another data
controller.
Maintain procedures to 17, 19 Article 17 – Right to erasure (‘right This privacy management activity outlines
respond to requests to be to be forgotten’) possible steps to take when assessing requests
forgotten or for erasure of for erasure, and the subsequent actions
data This Article addresses the right of necessary when a request is granted.
data subjects to obtain from the data
controller the erasure of personal Example evidence to demonstrate compliance:
data based on certain grounds 1. Protocol or procedure for responding to
right to be forgotten / erasure requests.
Article 19 – Notification obligation
regarding rectification or erasure of
Page | 49
personal data or restriction of
processing
This Article creates an obligation to

notify each recipient to whom data
has been disclosed of any
rectification, erasure or restriction of
processing. There is also an
obligation to provide information to
the data subject about these
recipients upon request.

Maintain Frequently Asked While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
Questions to respond to management activity may produce additional documentation to help demonstrate compliance with:
queries from individuals  Article 15 – Right of access by the data subject
of processing
Investigate root causes of While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
data protection complaints management activity may produce additional documentation to help demonstrate compliance with:
 Article 15 – Right of access by the data subject
of processing
Page | 50
Monitor and report metrics While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
for data privacy complaints management activity may produce additional documentation to help demonstrate compliance with:
(e.g. number, root cause)  Article 15 – Right of access by the data subject
of processing
10. Monitor Integrate Privacy by Design 25 Article 25 – Data protection by This privacy management activity addresses
for New into system and product design and by default frameworks to help engineers and application
Operational development developers embed privacy–protective
Practices The GDPR introduces responsibilities mechanisms into the fundamental design of
for the controller and requires data processing activities.
protection by design and by
default. Data controllers must, at the Example evidence to demonstrate compliance:
time of determining the means of
processing as well as when actually 1. Policies and procedures demonstrating
processing, implement appropriate that privacy requirements shall be
technical and organisational included in the technical specifications
measures (e.g., pseudonymisation) of new IT tools
to implement the data protection 2. DPIAs demonstrating that the necessary
principles set out in Article 5 (such as safeguards were integrated into the
data minimisation) and integrate data processing;
necessary safeguards into the 3. Incorporating data protection by design
processing to meet the GDPR principles into: a) IT systems; b)
requirements. accountable business practices; and c)
physical design and networked
Data controllers must also infrastructure; or
implement data protection
by default, i.e. implement
appropriate technical and
Page | 51
organisational measures to ensure 4. Policies, procedures, methodologies,
that, by default, only personal data and other measures for anonymizing or
necessary for each specific purpose pseudonymizing data.
are processed. The concept of
"necessary" informs the amount of
data collected, extent of
processing, and retention and
accessibility of data.
Maintain PIA/DPIA 35 Article 35 – Data protection impact This privacy management activity addresses
guidelines and templates assessment guidelines on how to conduct a DPIA to analyse
the processing of personal data and determine
This Article requires data controllers risks to such personal data. It helps organisations
to assess the impact of processing ask questions during the development of their
operations on the protection of processing programs to take into account the
personal data where the processing available technology, cost of implementation,
is likely to result in a high risk for the nature, scope, context, and purposes of
rights and freedoms of data subjects. processing, and measures that could be applied
When carrying out the DPIA, the to protect the rights of data subjects (e.g.,
controller must seek the advice of pseudonymisation).
the Data Protection Officer (when
designated). DPIAs should contain:
 A description of the
1. DPIA templates covering required
processing activities being
content;
assessed;
2. Guidelines, policies or assessments
 An assessment of the risks around when DPIAs are required;
to data subjects; and 3. Officer’s opinion and advice was sought
 A description of the as part of the DPIA process;
measures the controller will 4. Evidence that consultations were held
take to address these risks, with affected populations or their
including the safeguards, representatives where
security measures and
Page | 52
mechanisms that the appropriate (e.g., advocates,
controller will implement to community groups);
ensure compliance with the 5. Assessments/reviews of processing
GDPR. activities in light of new or changes to
risks; or
If the risks posed by the processing 6. Guidelines and policies on when to
change, a review must be conducted reach out to the data protection
to assess whether processing still authorities to assess risk mitigation.
complies with the DPIA
Conduct PIAs/DPIAs for 5, 6, 25, 35 Article 5 – Principles relating to This privacy management activity addresses
new programs, systems, processing of personal data guidelines on when a DPIA is required as part of
processes the development process for new processing.
This Article sets out the general
principles that all processing
activities must abide by including:
transparency; 1. DPIAs demonstrating that the necessary
 Purpose limitation; safeguards were integrated into the
 Data minimisation; data processing;
 Accuracy; 2. Results from DPIAs showing how
 Storage or retention determinations were made balancing
limitation; the legitimate interests of the data
 Integrity and confidentiality; controller against the interests or
and fundamental rights and freedoms of
 Accountability. data subjects;
3. Guidelines, policies or assessments
around when DPIAs are required;
Article 6 – Lawfulness of processing
4. Evidence that the Data Protection
Officer’s opinion and advice was sought
This Article provides legal grounds
as part of the DPIA process;
on which personal data can be
Page | 53
processed, as well as how to 5. Evidence that consultations were held
determine when further processing with affected populations or their
is compatible with the original representatives where
purposes for processing. appropriate (e.g., advocates,
community groups); or
Article 25 – Data protection by 6. Assessments/reviews of processing
design and by default activities in light of new or changes to
risks.
This Article introduces
responsibilities for the controller and
requires data protection by design
and by default.
Article 35 – Data protection impact

assessment
This Article requires data controllers
to assess the impact of processing
operations on the protection of
personal data where the processing
is likely to result in a high risk for the
rights and freedoms of data subjects.
Conduct PIAs or DPIAs for 5, 6, 25, 35 Article 5 – Principles relating to This privacy management activity addresses
changes to existing processing of personal data having policies and procedures to follow when
programs, systems, or This Article sets out the general there is a change to existing processes, programs
processes principles that all processing or systems to ensure that data protection risks
activities must abide by, including: are measured, analysed and mitigated.
 Lawfulness, fairness and Example evidence to demonstrate compliance:

transparency; DPIA templates covering required content;
 Purpose limitation;
Page | 54
 Data minimisation; 1. Guidelines, policies or assessments
 Accuracy; around when DPIAs are required;
 Storage or retention 2. Evidence that the Data Protection
limitation; Officer’s opinion and advice was sought
 Integrity and confidentiality; as part of the DPIA process;
and 3. Evidence that consultations were held
 Accountability. with affected populations or their
representatives where appropriate
Article 6 – Lawfulness of processing (e.g., advocates, community groups);or
This Article provides legal grounds 4. Assessments/reviews of processing
on which personal data can be activities in light of new or changes to
processed, as well as how to risks. DPIAs demonstrating that the
determine when further processing necessary safeguards were integrated
is compatible with the original into the data processing.
purposes for processing.
Article 25 – Data protection by
design and by default
Engage external 35 Article 35.9 – states that, where This privacy management activity helps the
stakeholders (e.g., appropriate, the controller shall seek organisation develop guidance on how to consult
individuals, privacy the views of data subjects or their with external parties as part of the DPIA process.
advocates) as part of the representatives on the intended
PIA/DPIA process processing, without prejudice to the Example evidence to demonstrate compliance:
protection of commercial or public 1. Evidence that consultations were held
interests or the security of with affected populations or their
processing operations. representatives where
appropriate (e.g., advocates,
community groups).
Track and address data 35 Article 35 – Data protection impact This privacy management activity ensures the
protection issues identified assessment organisation treats similar data protection issues
during PIAs/DPIAs This Article requires data controllers consistently and allows for learning from one
to assess the impact of processing
Page | 55
.
operations on the protection of PIA/DPIA to be applied to subsequent
personal data where the processing PIAs/DPIAs.
is likely to result in a high risk for the
rights and freedoms of data subjects. Example evidence to demonstrate compliance:
Report PIA/DPIA analysis 36 Article 36 – Prior consultation This privacy management activity addresses
and results to regulators when and how to report PIAs/DPIAs to
(where required) and This Article requires data controllers supervisory authorities. Determinations around
external stakeholders (if to consult with the supervisory whether such reporting is required and
appropriate) authority when a PIA indicates that documentation that consultations were
processing would result in a high risk executed would demonstrate compliance with
to data subjects and lists the the GDPR.
minimum information the data
controller needs to provide to the Example evidence to demonstrate compliance:
supervisory authority.
1. DPIAs identifying high risk processing;
or
2. Correspondence with the supervisory
authority seeking advice regarding the
intended processing.
Responses from the supervisory authority

providing advice regarding the processing.
11. Maintain Maintain a data privacy 33, 34 Article 33 – Notification of a This privacy management activity helps
Data Privacy incident/breach response personal data breach to the organisations create a breach response
Breach plan supervisory authority infrastructure that will facilitate compliance with
Management the specific requirements under Article 33
Program This Article makes it mandatory to respecting timing requirements for notification
notify supervisory authorities in the and the content of a notification letter. It further
event of a data breach that poses a ensures that recordkeeping requirements are
"risk of harm". The notification is captured.
expected without undue delay and
Page | 56
where feasible within 72 hours. As Example evidence to demonstrate compliance:
well, detailed content requirements 1. Incident and breach response protocol;
are set out for the notification letter. 2. Contact list for breach response team;
The circumstances of the data 3. Breach notification letters;
breaches must also be documented. 4. Log for recording data protection
incidents and breaches;
Article 34 – Communication of a 5. Incident summary form; or
personal data breach to the data 6. Information loss report and
subject management form.
This Article requires notification to

data subjects of breaches that result
in a "high risk" for the rights and
freedoms of individuals.
Maintain a breach 12, 33, 34 Article 12 – Transparent This privacy management activity helps the
notification (to affected information, communication and organisation identify items that need to be
individuals) and reporting modalities for the exercise of the addressed in determining timing and content of
(to regulators, credit rights of the data subject notifications to DPAs.
agencies, law enforcement) This Article requires that when data
protocol controllers are providing information Example evidence to demonstrate compliance:
to data subjects as part of breach
notifications, the communication 1. Contact list for breach response team;
must be in a concise, transparent, 2. Breach notification letters; or
intelligible, and easily accessible 3. Notification protocols that provide for
form, use clear and plain language. notification to DPAs and individuals in
Information may be provided in the event a high risk of harm is found to
writing, electronically (where exist.
appropriate), or orally (as long as
identity of the data subject is
verified).
Page | 57
Article 33 – Notification of a
personal data breach to the
supervisory authority
This Article makes it mandatory to

notify supervisory authorities in the
event of a data breach that poses a
"risk of harm". The notification is
expected without undue delay and
where feasible within 72 hours. As
well, detailed content requirements
are set out for the notification letter.
The circumstances of the data
breaches must also be documented.
Article 34 – Communication of a
personal data breach to the data
subject
This Article requires notification to

data subjects of breaches that result
in a “high risk” for the rights and
freedoms of individuals.
Template letters.
Maintain a log to track data 33 Article 33.5 – States that the This privacy management activity helps the
privacy incidents/breaches controller shall document any organisation address the specific requirement
personal data breaches, comprising under Article 33.5 requiring that a controller
the facts relating to the personal document personal data breaches.
data breach, its effects and the Example evidence to demonstrate compliance:
remedial action taken. That 1. Log for recording data protection
documentation shall enable the incidents and breaches;
2. Incident summary form; or
Page | 58
supervisory authority to verify 3. Information loss report and
compliance with this Article. management form.
Conduct periodic testing of While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
data privacy management activity may produce additional documentation to help demonstrate compliance with:
incident/breach plan  Article 33 – Notification of a personal data breach to the supervisory authority
Engage a breach response While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
remediation provider management activity may produce additional documentation to help demonstrate compliance with:
 Article 33 – Notification of a personal data breach to the supervisory authority
Engage a forensic While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
investigation team management activity may produce additional documentation to help demonstrate compliance with:
 Article 33 – Notification of a personal data breach to the supervisory authority
Obtain data privacy breach
insurance coverage
12. Monitor Conduct self–assessments 24, 39 Article 24 –Responsibility of the This privacy management activity helps the
Data Handling of privacy management controller privacy office establish a procedure to ensure
Practices This Article requires the data the ability to demonstrate that appropriate
controller to implement appropriate technical and organisational measures have
technical and organisational been put in place for compliance with the GDPR.
demonstrate compliance with the Example evidence to demonstrate compliance:
GDPR.
1. Readiness Assessments; or
Article 39 – Tasks of the DPO 2. Data Privacy Accountability Scorecard.
This Article sets out the tasks of the
DPO including: advise the Controller
or Processor and its employees of
data protection obligations; monitor
compliance, including assigning
responsibilities, training and audits;
advising on & monitoring DP impact
assessments, cooperating and
contacting the supervisory authority
Page | 59
as required, and reviewing
processing risk.
Conduct Internal Audits of While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
the privacy program (i.e., management activity may produce additional documentation to help demonstrate compliance with:
operational audit of the  Article 5 – Principles relating to processing of personal data
Privacy Office)  Article 24 – Responsibility of the controller
Conduct ad–hoc walk- While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
throughs management activity may produce additional documentation to help demonstrate compliance with:
 Article 24 – Responsibility of the controller
Conduct ad–hoc While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
assessments based on management activity may produce additional documentation to help demonstrate compliance with:
external events, such as  Article 5 – Principles relating to processing of personal data
complaints/breaches  Article 24 – Responsibility of the controller
Engage a third–party to While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
conduct audits/assessments management activity may produce additional documentation to help demonstrate compliance with:
Monitor and report privacy While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
management metrics management activity may produce additional documentation to help demonstrate compliance with:
Maintain documentation as 5, 24 Article 5 – Principles relating to This privacy management activity supports the
evidence to demonstrate processing of personal data organisation creating a process for maintaining
compliance and/or documentation of the technical and
accountability This Article sets out the general organisational measures it has put in place in
principles that all processing order to demonstrate compliance with the
activities must abide by, including: GDPR.
Page | 60
 Lawfulness, fairness and 1. Register of all data processing

transparency; operations within the organisation,
 Purpose limitation; including underlying decisions on
 Data minimisation; interpretation of the relevant legal
 Accuracy; provisions and grounds for processing.
limitation;
and
 Accountability.
The accountability principle states

that data controllers are responsible
for and able to demonstrate
compliance with the data processing
principles.
Article 24 – Responsibility of the

data controller
This Article requires the data

controller to implement appropriate
demonstrate compliance with the
GDPR.
Maintain certifications, While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
accreditations, or data management activity may produce additional documentation to help demonstrate compliance with:
protection seals for  Article 5 – Principles relating to processing of personal data
Page | 61
demonstrating compliance
to regulators
13. Track Identify ongoing privacy 39 Article 39 –Tasks of the DPO This privacy management activity addresses how
External compliance requirements, the DPO conducts research regularly to maintain
Criteria e.g., law, case law, codes, This Article sets out the tasks of the expert knowledge with respect to privacy and
etc. DPO which include an obligation to data protection law and practices and to
monitor compliance with the GDPR determine what, if any, changes to the privacy
and with other Union or Member program need to be made as a result of any
State data protection provisions. legal or regulatory developments.
1. Subscriptions (free or paid) to privacy

law research reporting services;
2. Certification of attendance at privacy
and data protection conferences; or
3. Evidence of consultations with law
firms.
Maintain subscriptions to While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
compliance reporting management activity may produce additional documentation to help demonstrate compliance with:
service/law firm updates to  Article 39 –Tasks of the DPO
stay informed of new
developments
Attend/participate in While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
privacy conferences, management activity may produce additional documentation to help demonstrate compliance with:
industry associations, or  Article 39 –Tasks of the DPO
think–tank events
Record/report on the While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
tracking of new laws, management activity may produce additional documentation to help demonstrate compliance with:
regulations, amendments or  Article 39 –Tasks of the DPO
other rule sources
Page | 62
Seek legal opinions While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
regarding recent management activity may produce additional documentation to help demonstrate compliance with:
developments in law  Article 39 –Tasks of the DPO
Document decisions around If implemented, this privacy management activity may produce additional documentation to help
new requirements, demonstrate compliance with the following Articles:
including their  Article 39 –Tasks of the DPO
implementation or any  Article 35 – Data protection impact assessment
rationale behind decisions  Article 5 – Principles relating to processing of personal data
not to implement changes  Article 24 – Responsibility of the controller
Identify and manage  Article 39 –Tasks of the DPO
conflicts in law
Page | 63

Accountability Roadmap For Demonstrable GDPR Compliance

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Accountability Roadmap For Demonstrable GDPR Compliance

Uploaded by

Copyright:

Available Formats

Accountability Roadmap

To get started using this document:

Integrate data privacy into an information security policy 5, 32

Conduct ad–hoc assessments based on external events, such as complaints/breaches

In some cases the privacy

Additionally the appointment may Example evidence to demonstrate compliance:

Article 39 – Tasks of the data

This Article sets out the tasks of the

This Article states that in cases

This Article outlines derogations for

 With explicit consent of the

Article 47 – Binding corporate rules

This Article provides the

Article 49 – Derogations for specific

This Article enumerates derogations

One of the most notable changes

Article 24 – Responsibility of the

This Article requires the data

The appropriateness of these

Article 91 – Existing data protection

This Article provides that churches

This Article provides the legal basis

This Article requires that when data

 Lawfulness, fairness and Example evidence to demonstrate compliance:

This Article provides that processing

Article 13 – Information to be Example evidence to demonstrate compliance:

Article 8 – Conditions applicable to

This Article provides that where the

Article 89 – Safeguards and

This Article provides that processing

1. Documentation showing the content

Article 32 – Security of processing

This Article states that organisations

This Article provides that where

Article 14 – Controllers obligations

Article 14 – Controllers obligations

Article 21 – Right to object

Exception may apply (Article 23)

Article 19 – Notification obligation 1. Protocol or procedure for responding to

Exception may apply (Article 23)

Article 18 – Right to restriction of 1. Policy or procedure for responding to

This Article addresses the right of

Exception may apply (Article 23)

This Article creates an obligation to

Exception may apply (Article 23)

Article 35 – Data protection impact

 Lawfulness, fairness and Example evidence to demonstrate compliance:

Responses from the supervisory authority

This Article requires notification to

This Article makes it mandatory to

This Article requires notification to

Example evidence to demonstrate compliance:

 Lawfulness, fairness and 1. Register of all data processing

The accountability principle states

Article 24 – Responsibility of the

This Article requires the data

Example evidence to demonstrate compliance:

1. Subscriptions (free or paid) to privacy

You might also like