Professional Documents
Culture Documents
Accountability Roadmap For Demonstrable GDPR Compliance
Accountability Roadmap For Demonstrable GDPR Compliance
for Demonstrable
GDPR Compliance
A mapping of the NT's Privacy Management Accountability
Framework™ to GDPR Compliance Obligations
Accountability Roadmap for Demonstrable GDPR Compliance
Overview
The new accountability principle in Article 5(2) of the GDPR requires organisations to demonstrate compliance with the principles of the GDPR.
Article 24 sets out how organisations can do this by requiring the implementation of appropriate technical and organisational measures to
ensure that organisations can demonstrate that the processing of personal data is performed in accordance with the GDPR. NT's Research has
identified 39 Articles under the GDPR that require evidence of a technical or organisational measure to demonstrate compliance and has
mapped these to the NT's Privacy Management Accountability Framework™. The result is the identification of 55 “mandatory” privacy
management activities that, if implemented, may produce documentation that will help demonstrate ongoing compliance with your GDPR
compliance obligations (some activities may not apply to your organisation). The document also identifies additional privacy management
activities that, while not considered mandatory for demonstrating compliance with the GDPR, if implemented, may produce additional
documentation to help demonstrate compliance.
1. Begin by reviewing Part 1,”Overview of NT's Privacy Management Framework mapped to the Articles in the GDPR that Require
Evidence to Demonstrate Compliance. “This will provide you with an outline of the 55 “mandatory” privacy management activities that
map to the 39 Articles in the GDPR that require evidence to demonstrate compliance.
2. In Part 2, review all mandatory privacy management activities listed in Column 2.
3. For each mandatory privacy management activity, refer to the relevant Article listed in Column 3 and then read the GDPR Article
description in Column 4 to determine if the activity applies to your organisation.
4. If the privacy management activity applies to your organisation, refer to Column 5 to read how this activity may help your organisation
comply with the obligation set out in the Article and see a list of sample evidence to demonstrate compliance.
5. After determining your organisation’s “mandatory” privacy management activities and creating your initial “Roadmap” for compliance,
refer to the additional privacy management activities identified that if implemented may produce additional documentation to help
demonstrate compliance.
Page | 2
Accountability Roadmap for Demonstrable GDPR Compliance
Part 1: Overview of NT's Privacy Management Framework mapped to the Articles in the GDPR that
Require Evidence To Demonstrate Compliance
Privacy
Management Privacy Management Activities GDPR Article Reference
Categories
1. Maintain Assign responsibility for data privacy to an individual (e.g. Privacy Officer, Privacy Counsel, CPO,) 27
Governance Representative
Structure Engage senior management in data privacy (e.g. at the Board of Directors, Executive Committee)
Appoint a Data Protection Officer/Official (DPO) in an independent oversight role 37, 38
Assign responsibility for data privacy throughout the organization (e.g. Privacy Network)
Maintain roles and responsibilities for individuals responsible for data privacy (e.g. Job descriptions) 39
Conduct regular communication between the privacy office, privacy network and others 38
responsible/accountable for data privacy
Engage stakeholders throughout the organization on data privacy matters (e.g., information security,
marketing, etc.)
Report to internal stakeholders on the status of privacy management (e.g. board of directors,
management)
Report to external stakeholders on the status of privacy management (e.g., regulators, third–parties,
clients)
Conduct an Enterprise Privacy Risk Assessment 24, 39
Integrate data privacy into business risk assessments/reporting
Maintain a privacy strategy
Maintain a privacy program charter/mission statement
Require employees to acknowledge and agree to adhere to the data privacy policies
2. Maintain Maintain an inventory of personal data holdings (what personal data is held and where) 30
Personal Data Classify personal data holdings by type (e.g. sensitive, confidential, public)
Inventory and Obtain regulator approval for data processing (where prior approval is required)
Data Transfer Register databases with regulators (where registration is required)
Mechanisms
Maintain flow charts for data flows (e.g. between systems, between processes, between countries)
Page | 3
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy
Management Privacy Management Activities GDPR Article Reference
Categories
Maintain records of the transfer mechanism used for cross–border data flows (e.g., standard 45, 46, 49
contractual clauses, binding corporate rules, approvals from regulators)
Use Binding Corporate Rules as a data transfer mechanism 46, 47
Use contracts as a data transfer mechanism (e.g., Standard Contractual Clauses) 46
Use APEC Cross Border Privacy Rules as a data transfer mechanism
Use regulator approval as a data transfer mechanism 46
Use adequacy or one of the derogations from adequacy (e.g. consent, performance of a contract, public 45, 49, 48
interest) as a data transfer mechanism
Use the EU–US Privacy Shield as a data transfer mechanism 46
3. Maintain Maintain a data privacy policy 5, 24, 91
Internal Data Maintain an employee data privacy policy
Privacy Policy Document legal basis for processing personal data 6, 9, 10
Integrate ethics into data processing (Codes of Conduct, policies and other measures)
Maintain an organizational code of conduct that includes privacy
4. Embed Maintain policies/procedures for collection and use of sensitive personal data (including biometric data) 9
Data Privacy Maintain policies/procedures for collection and use of children and minors’ personal data 8, 12
Into Maintain policies/procedures for maintaining data quality 5
Operations Maintain policies/procedures for the de–identification of personal data 89
Maintain policies/procedures to review processing conducted wholly or partially by automated means 12, 22
Maintain policies/procedures for secondary uses of personal data 6, 13, 14
Maintain policies/procedures for obtaining valid consent 6, 7, 8
Maintain policies/procedures for secure destruction of personal data
Integrate data privacy into use of cookies and tracking mechanisms
Integrate data privacy into records retention practices 5
Integrate data privacy into direct marketing practices 21
Integrate data privacy into e–mail marketing practices
Integrate data privacy into telemarketing practices
Integrate data privacy into digital advertising practices (e.g., online, mobile)
Integrate data privacy into hiring practices
Page | 4
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy
Management Privacy Management Activities GDPR Article Reference
Categories
Integrate data privacy into the organization’s use of social media practices 8
Integrate data privacy into Bring Your Own Device (BYOD) policies/procedures
Integrate data privacy into health & safety practices
Integrate data privacy into interactions with works councils
Integrate data privacy into practices for monitoring employees
Integrate data privacy into use of CCTV/video surveillance
Integrate data privacy into use of geo–location (tracking and or location) devices
Integrate data privacy into delegate access to employees' company e–mail accounts (e.g. vacation, LOA,
termination)
Integrate data privacy into e–discovery practices
Integrate data privacy into conducting internal investigations
Integrate data privacy into practices for disclosure to and for law enforcement purposes
Integrate data privacy into research practices (e.g., scientific and historical research) 21, 89
5. Maintain Conduct privacy training 39
Training and Conduct privacy training reflecting job specific content
Awareness Conduct regular refresher training
Program Incorporate data privacy into operational training, such as HR, security, call centre
Deliver training/awareness in response to timely issues/topics
Deliver a privacy newsletter, or incorporate privacy into existing corporate communications
Provide a repository of privacy information, e.g., an internal data privacy intranet
Maintain privacy awareness material (e.g. posters and videos)
Conduct privacy awareness events (e.g., an annual data privacy day/week)
Measure participation in data privacy training activities (e.g. numbers of participants, scoring)
Enforce the Requirement to Complete Privacy Training
Provide ongoing education and training for the Privacy Office and/or DPOs
Maintain certification for individuals responsible for data privacy, including continuing professional
education
Integrate data privacy risk into security risk assessments 32
Page | 5
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy
Management Privacy Management Activities GDPR Article Reference
Categories
Privacy
Management Privacy Management Activities GDPR Article Reference
Categories
Complaints Maintain procedures to respond to requests and/or provide a mechanism for individuals to update or 16, 19
from correct their personal data
Individuals Maintain procedures to respond to requests to opt–out of, restrict or object to processing 7, 18, 21
Maintain procedures to respond to requests for information
Maintain procedures to respond to requests for data portability 20
Maintain procedures to respond to requests to be forgotten or for erasure of data 17, 19
Maintain Frequently Asked Questions to respond to queries from individuals
Investigate root causes of data protection complaints
Monitor and report metrics for data privacy complaints (e.g. number, root cause)
10. Monitor Integrate Privacy by Design into system and product development 25
for New Maintain PIA/DPIA guidelines and templates 35
Operational Conduct PIAs/DPIAs for new programs, systems, processes 5, 6, 25, 35
Practices Conduct PIAs or DPIAs for changes to existing programs, systems, or processes 5, 6, 25, 35
Engage external stakeholders (e.g., individuals, privacy advocates) as part of the PIA/DPIA process 35
Track and address data protection issues identified during PIAs/DPIAs 35
Report PIA/DPIA analysis and results to regulators (where required) and external stakeholders (if 36
appropriate)
11. Maintain Maintain a data privacy incident/breach response plan 33, 34
Data Privacy Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law 12, 33, 34
Breach enforcement) protocol
Management Maintain a log to track data privacy incidents/breaches 33
Program Monitor and Report data privacy incident/breach metrics (e.g. nature of breach, risk, root cause)
Conduct periodic testing of data privacy incident/breach plan
Engage a breach response remediation provider
Engage a forensic investigation team
Obtain data privacy breach insurance coverage
12. Monitor Conduct self–assessments of privacy management 25, 39
Data Handling Conduct Internal Audits of the privacy program (i.e., operational audit of the Privacy Office)
Practices Conduct ad–hoc walk-throughs
Page | 7
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy
Management Privacy Management Activities GDPR Article Reference
Categories
Page | 8
Accountability Roadmap for Demonstrable GDPR Compliance
Part 2 – Accountability Roadmap for Demonstrable GDPR Compliance – Detailed Mapping of Nymity’s Privacy Management
Framework mapped to the Articles in the GDPR that Require Evidence to Demonstrate Compliance
Explanation of the Accountability Roadmap Table:
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
Identifies the A list of privacy A list of GDPR A brief annotation explaining the A description of how the privacy management
Privacy management activities in Article(s) that meaning and impact of the Article. activity may help organisations demonstrate
Management the NT Privacy require compliance with the obligations set out in the
Category in Management Accountability evidence to related Article(s) and a list of sample evidence to
the NT Framework. “Mandatory” demonstrate demonstrate compliance.
Framework privacy management compliance,
e.g. Maintain activities are highlighted mapped to the
Governance and represent those specific privacy
Structure activities that that once management
implemented may help: activity.
1. Achieve ongoing
compliance with the
GDPR
2. Produce
documentation that
will help demonstrate
compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
1. Maintain Assign Responsibility for 27 Article 27 – Representatives of This privacy management activity addresses how
Governance data privacy to an controllers or processors not organisations assign responsibility for the
Structure individual (e.g. Privacy established in the Union operational aspects of a privacy programme to
Officer, Privacy Counsel, an individual.
CPO, Representative) This Article states that in cases Example evidence to demonstrate compliance:
where a non–EU data controller or
data processor is offering goods or 1. Written mandate for the Representative
services (paid or free) to EU data to act on behalf of the controller or
subjects, or is monitoring the processor; or
behaviour of data subjects within the 2. Evidence of communication of the
EU, the data controller or Representative, e.g. within a privacy
processor must designate in notice or via a website.
writing a representative in the
EU. Exceptions apply.
Engage senior management While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
in data privacy (e.g. at the management activity may produce additional documentation to help demonstrate compliance with:
Board of Directors, Article 5 – Principles relating to processing of personal data.
Executive Committee)
Appoint a Data Protection 37, 38 Article 37 – Designation of the data This privacy management activity addresses the
Officer/Official (DPO) in an protection officer appointment of a Data Protection Officer,
independent oversight role including assignment of tasks. In order to
This Article provides that the data achieve GDPR compliance, the assignment of
controller or the data processor shall responsibility for privacy includes the broader
designate a data protection officer organisation, guaranteeing the independence of
("DPO") in three circumstances. If the office, funding and resourcing the office,
they: addressing the resolution of conflicts of interest,
and stressing the DPO’s responsibility for
1. Are a public sector body; oversight of all processing activities.
Page | 10
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
2. Are a body which processes
large amounts of special
data (Articles 9 & 10); or
3. Undertake large scale,
regular & systematic.
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
Maintain roles and 39 Article 39 – Tasks of the data This privacy management activity addresses
responsibilities for protection officer defining the privacy roles in an organisation
individuals responsible for through job descriptions, by contract or other
data privacy (e.g. Job This Article sets out the tasks of the methods.
descriptions) DPO: advise the Controller or
Processor and its employees of data A job description or mandate for the DPO role
protection obligations; monitor addressing the specific tasks set out by Article
compliance, including assigning 39.
responsibilities, training and audits;
advising on & monitoring DP impact
assessments; cooperating and
contacting the supervisory authority
as required; and reviewing
processing risk.
Conduct regular 38 Article 38 – Position of the data This privacy management activity addresses how
communication between protection officer individuals who are accountable and responsible
the privacy office, privacy for data privacy regularly communicate with
network and others Article 38 positions the DPO within each other. This communication is essential for
responsible/accountable the organisation, requiring the DPO to be involved in all issues relating to
for data privacy involvement in all issues relating to the processing of personal data.
processing personal data, with
sufficient resources, acting in an Example evidence to demonstrate compliance:
independent manner, and with
direct reporting to the highest 1. Provide evidence of regular communication
management level. They shall between the DPO and stakeholders in the
also be available to be contacted by privacy office and throughout the
data subjects. organisation;
2. Meeting agendas and minutes;
3. Membership on committees, boards or
working groups; or
4. Workflows or procedures indicating the
requirement for DPO involvement in certain
Page | 12
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
processing activities (e.g. DPIAs, vendor
selection, complaints).
Engage stakeholders While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
throughout the management activity may produce additional documentation to help demonstrate compliance with:
organisation on data Article 5 – Principles relating to processing of personal data
privacy matters (e.g., Article 24 – Responsibility of the controller
information security,
marketing, etc.)
Report to internal While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
stakeholders on the status management activity may produce additional documentation to help demonstrate compliance with:
of privacy management Article 5 – Principles relating to processing of personal data
(e.g. board of directors, Article 24 – Responsibility of the controller
management)
Report to external While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
stakeholders on the status management activity may produce additional documentation to help demonstrate compliance with:
of privacy management Article 5 – Principles relating to processing of personal data
(e.g., regulators, third- Article 24 – Responsibility of the controller
parties, clients)
Conduct an Enterprise 24, 39 Article 24 – Responsibility of the This privacy management activity enables the
Privacy Risk Assessment controller privacy office to identify issues and risks and
determine, based on the likelihood and impact,
This Article requires the data where to prioritise resources to mitigate the
controller to implement appropriate risks.
technical and organisational
measures to ensure and be able to Note that this privacy management activity
demonstrate compliance with the refers to high level risk assessments, not project
GDPR. or initiative based risk assessments which are
addressed in privacy management category 10.
The appropriateness of these Monitor for New Operational Practices.
measures is based on a risk
assessment that takes into account Example evidence to demonstrate compliance:
the nature, scope, context, and
Page | 13
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
purposes of the processing as well as
the risks of varying likelihood and 1. Enterprise Risk Assessment which
severity for the rights and freedoms includes data privacy; or
of individuals. There is a specific 2. Privacy Risk Assessment and mitigation
reference that, where proportionate plan.
in relation to the processing
activities, data protection policies
shall be implemented.
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
adhere to the data privacy Article 24 – Responsibility of the controller
policies
2.Maintain Maintain an inventory of 30 The obligation applies to both This privacy management activity will help the
Personal Data personal data holdings controllers and processors. privacy office develop an inventory of processing
Inventory and (what personal data is held activities that addresses the information
Data Transfer and where) Article 30 – Records of processing required to be maintained.
Mechanisms activities
1. A listing of categories of data and data
This Article sets out a detailed list of subjects, the purposes for which the
information that must be maintained data was collected, categories of
as records of processing activities recipients and the country they are
carried out by and on behalf of the located in, retention periods, and other
controller, as well as the details set out in Article 30.
requirement to make the records
available to data subjects and
Supervisory Authorities upon
request.
Exceptions apply.
Classify personal data While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
holdings by type (e.g. management activity may produce additional documentation to help demonstrate compliance with:
sensitive, confidential, Article 9 – Processing of special categories of personal data
public)
Obtain regulator approval
for data processing (where
prior approval is required)
Register databases with
regulators (where
registration is required)
Maintain flow charts for While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
data flows (e.g. between management activity may produce additional documentation to help demonstrate compliance with:
systems, between Article 46 – Transfers subject to appropriate safeguards
Page | 15
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
processes, between
countries)
Maintain records of the 45, 46, 49 Article 45 – Transfers on the basis of This privacy management activity supports the
transfer mechanism used an adequacy decision privacy office managing international data flows
for cross-border data flows and tracking their use of cross–border transfer
(e.g., standard contractual This Article provides that personal mechanisms.
clauses, binding corporate data may not be transferred to a
rules, approvals from third country or international Example evidence to demonstrate compliance:
regulators) organisation without a specific
authorization where the Commission 1. A personal data inventory which
has decided the country or identifies international data transfers
organisation ensures an adequate and indicates the basis for each
level of protection. transfer; or
2. Evidence of the assessment of non–
Exceptions apply. adequate third countries prior to a
transfer.
Article 46 – Transfers subject to
appropriate safeguards.
Page | 16
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
Article 49 – Derogations for specific
situations
Page | 17
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
Use Binding Corporate 46, 47 Article 46 – Transfers subject to This privacy management activity addresses the
Rules as a data transfer appropriate safeguards implementation, approval and monitoring of
mechanism binding corporate rules, which govern data
This Article states that in cases transfers among members of a corporate group
where a third country has not been and can be used as a legal mechanism for
assessed as providing an adequate international data transfers.
level of data protection by the
European Commission, the data Example evidence to demonstrate compliance:
controller or processor may transfer
personal data to a third country 1. Approved binding corporate rules;
provided there are in place 2. Results of BCR monitoring activities (e.g.
appropriate safeguards including Data Privacy Accountability Scorecard,
binding corporate rules. Audits); or
3. Up to date listing of the scope and
coverage of the BCR.
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
provided there are appropriate
safeguards in place such as standard
data protection clauses.
Use APEC Cross Border
Privacy Rules as a data
transfer mechanism
Use regulator approval as a 46 Article 46 – Transfers subject to This privacy management activity addresses the
data transfer mechanism appropriate safeguards. use of regulator approval to facilitate the
transfer of personal data to a third country.
This Article states that in cases
where a third country has not been Example evidence to demonstrate compliance:
assessed as providing an adequate
level of data protection by the 1. Decisions of the supervisory authority
European Commission, the data approving the transfer (e.g. approving
controller or processor may transfer contractual safeguards in contracts with
personal data to a third country data importers/ exporters).
provided there are appropriate
safeguards in place such as
authorisation by a Member State or
supervisory authority.
Use adequacy or one of the 45, 48, 49 Article 45 – Transfers on the basis of This privacy management activity addresses
derogations from adequacy an adequacy decision relying on derogations to the requirement to
(e.g. consent, performance send personal data to third countries which
of a contract, public This Article provides that personal provide an “adequate” level of protection for
interest) as a data transfer data may not be transferred to a personal data.
mechanism third country or international
organisation without a specific Example evidence to demonstrate compliance:
authorization where the Commission
has decided the country or 1. A personal data inventory which
organisation ensures an adequate identifies international data transfers
level of protection. and indicates the basis for each
transfer;
Page | 19
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
Exceptions apply. 2. Consent forms from data subjects,
including an explanation of the possible
Article 48 – Transfers or disclosures risk posed by a lack of appropriate
not authorised by Union law safeguards); and
3. An assessment balancing the legitimate
This Article addresses when data interests of the data controller against
controllers or processors may rely on the rights and freedoms of the data
a court judgment or tribunal decision subjects.
in order to transfer personal data to
a third country.
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
controllers or processor may transfer contains the relevant contact details
personal data to a third country and refer to an independent recourse
provided there are in place mechanism; or
appropriate safeguards, enforceable 2. Ensure annual renewal of the self–
data subject rights and legal certification to the Privacy Shield
remedies. principles.
3.Maintain Maintain a data privacy 5, 24, 91 Article 5 – Principles relating to This privacy management helps the organisation
Internal Data policy processing of personal data create and maintain an organisational–level
Privacy Policy This Article sets out the general privacy policy to provide guidance to employees
principles that all processing regarding the processing and protection of
activities must abide by, including: personal data to ensure that such processing
aligns with the obligations of the GDPR.
Lawfulness, fairness and
transparency; Where relevant (Article 91) it will also address
Purpose limitation; specific data processing obligations that apply to
Data minimisation; organisations such as churches and other
Accuracy; religious associations.
Storage or retention
limitation; Example evidence to demonstrate compliance:
Integrity and confidentiality;
and
Accountability. 1. Privacy policy setting out how the
organisation processes personal data;
and
The accountability principle states
2. Where applicable, a copy of the church
that data controllers are responsible
or religious association’s data
for and able to demonstrate
protection rules or policy.
compliance with the data processing
principles.
Page | 21
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
is the explicit requirement to make
organisations more accountable for
their data practices.
Page | 22
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
Page | 23
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
Article 10 – Processing of personal
data relating to criminal convictions
and offences
Page | 24
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
5. Details or proof that special categories
of personal data were obtained from a
publicly available source; or
6. Privacy policy language covering the
processing of special categories of
personal data.
Maintain 8, 12 Article 8 – Conditions applicable to This privacy management activity helps the
policies/procedures for child’s consent in relation to organisation put in place certain policies and
collection and use of information society services procedures to ensure that consent is given or
children and minors’ This article states that where the authorised by the holder of parental
personal data legal basis of consent is being relied responsibility over the child when information
on in relation to offering information services are offered directly to a child.
society services to minors under the
age of 16 (or to younger children not Example evidence to demonstrate compliance:
younger than 13, if the age threshold
is lowered by Member State law), 1. Policy for obtaining parental consent; or
verifiable parental consent must be 2. Evidence of technological method used
obtained. to obtain parental consent.
Article 12 – Transparent
information, communication and
modalities for the exercise of the
rights of the data subject
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
transparent, intelligible, and easily
accessible form, use clear and plain
language.
Maintain 5 Article 5 – Principles relating to This privacy management activity relates to
policies/procedures for processing of personal data putting in place policies and procedures to
maintaining data quality ensure data is accurate and, where necessary,
This Article sets out the general kept up–to–date, and for data that is inaccurate
principles that all processing in light of the purposes for which they are
activities must abide by, including: processed, the data is erased or rectified.
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
is subject to appropriate safeguards,
including data minimisation. Thus, 1. Policies and procedures around data
processing should use minimisation, pseudonymisation, or
pseudonymised or anonymised data anonymisation of data;
to the extent possible. 2. Research Ethics Board approvals that
address data minimisation and privacy
protections; and
3. Technical solutions that result in the
pseudonymisation or anonymisation of
personal data.
Maintain policies/ 12, 22 Article 22 – Automated individual This privacy management activity supports
procedures to review decision–making, including profiling determining whether processing activities are
processing conducted captured by the restriction on automated
wholly or partially by This Article addresses the right of decision–making and presents options for
automated means data subjects to not be subject to a achieving compliance. As part of this activity,
decision based solely on automated data controllers must implement measures to
processing, where such decision safeguard the data subject's rights and freedoms
would have a legal or significant and legitimate interests. These measures (e.g.,
effect concerning him or her. providing a right to express a point of view and
contest the decision) would need to adhere to
Article 12 – Transparent Article 12's requirements around clarity of
information, communication and communication, time frames and appropriate
modalities for the exercise of the responses.
rights of the data subject
Example evidence to demonstrate compliance:
This Article requires that when data
controllers are providing information 1. Policy or procedures related to
to data subjects, whether through automated decision–making;
privacy notices, in communications 2. Data inventory identifying automated
regarding access, rectification, processing and stating a legal basis for
correction, and objection rights, or such processing; and
as part of breach notifications, the
Page | 27
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
communication must be in a concise, 3. Evidence of a manual
transparent, intelligible and easily intervention/human check in decision
accessible form, use clear and plain making processes.
language.
Maintain 6, 13, 14 Article 6 – Lawfulness of processing This privacy management activity addresses
policies/procedures for having policies and procedures that define how
secondary uses of personal This Article provides for the legal to handle situations when the organisation
data grounds upon which personal data wishes to use personal data beyond the primary
can be processed, as well as how to purpose.
determine when further processing
is compatible with the original Secondary uses of data must be disclosed in
purposes for processing. information notices under Article 13 and 14.
Article 14 – Information to be
provided where personal data have
not been obtained from the data
subjects
Page | 28
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
This Article specifies what
information is required to be
provided to data subjects when that
information is not obtained by the
controller.
Maintain 6, 7, 8 Article 6 – Lawfulness of processing This privacy management activity addresses the
policies/procedures for different components that makes consent valid
obtaining valid consent This Article provides legal grounds (e.g., freely given, specific and unambiguous)
on which personal data can be and how to update consent forms and
processed including the data subject mechanisms to ensure GDPR compliance.
has given consent to the processing
of his or her personal data for one or Example evidence to demonstrate compliance:
more specific purposes.
1. Evidence that web forms used opt–in
Article 7 – Conditions for Consent consent check boxes or buttons;
2. Copies of signed consent forms (written or
This Article sets out the standard for electronic); or
consent when relying on consent as 3. Call–centre recordings.
a legal basis for processing personal
data (demonstrable consent) and
sensitive personal data (explicit
consent).
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
younger than 13, if the age threshold
is lowered by Member State law),
verifiable parental consent must be
obtained.
Maintain While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
policies/procedures for management activity may produce additional documentation to help demonstrate compliance with:
secure destruction of Article 32 – Security of processing
personal data
Integrate data privacy into While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
use of cookies and tracking management activity may produce additional documentation to help demonstrate compliance with:
mechanisms Article 21– Right to object
Integrate data privacy into 5 Article 5 – Principles relating to This privacy management activity helps the
records retention practices processing of personal data organisation embed data privacy into the
records retention policy and procedure to ensure
This Article sets out the general proper storage of personal data. It helps
principles that all processing organisations put in place policies and
activities must abide by, including: procedures to ensure data is not kept in a form
that permits identification of data subjects for
Lawfulness, fairness and longer than is necessary for the purposes for
transparency; which it was processed unless the data is being
Purpose limitation; archived for public interest, scientific, statistical,
Data minimisation; or historical purposes.
Accuracy; Example evidence to demonstrate compliance:
Storage or retention
limitation; 1. Records retention policy.
Integrity and confidentiality;
and
Accountability.
Integrate data privacy into Article 21 – Right to object This privacy management activity addresses the
direct marketing practices policies/ procedures that organisations put in
place to ensure that the right of the data subject
Page | 30
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
This Article addresses the right of to object to direct marketing are honoured in an
data subjects to object to the organisation’s practices respecting direct
processing of his or her personal marketing.
data. The grounds for objecting must
relate to the particular situation of Example evidence to demonstrate compliance:
the data subject and the right to
object only applies to processing, 1. Internal guidance for analysing and
including profiling, that is for: responding to data subject objections to
processing.
Performance of a task
carried out in the public
interest or in the exercise of
official authority vested in
the data controller;
Purposes of the legitimate
interests pursued by the
data controller or a third
party;
Direct marketing purposes;
or
Scientific or historical
research or
statistical purposes.
Integrate data privacy into While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
e-mail marketing practices management activity may produce additional documentation to help demonstrate compliance with:
Article 21 – Right to object
Integrate data privacy into While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
telemarketing practices management activity may produce additional documentation to help demonstrate compliance with:
Article 21 – Right to object
Page | 31
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
Integrate data privacy into While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
digital advertising practices management activity may produce additional documentation to help demonstrate compliance with:
(e.g., online, mobile) Article 21 – Right to object
Integrate data privacy into While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
hiring practices management activity may produce additional documentation to help demonstrate compliance with:
Article 9 – Processing of special categories of personal data
Article 10 – Processing of personal data relating to criminal convictions and offences
Integrate data privacy into 8 Article 8 – Conditions applicable to This privacy management activity addresses how
the organization’s use of child's consent in relation to the organisation uses social media to collect and
social media practices information society services disseminate information. Policies around social
network use may address the collection and
This Article provides that where the processing of personal data for children and
legal basis of consent is being relied minors to ensure such collection and processing
on in relation to offering information adheres to the GDPR requirement that such
society services to minors under the consent be obtained by the holder of parental
age of 16 (or to younger children not responsibility over the child.
younger than 13, if the age threshold
is lowered by Member State law), Example evidence to demonstrate compliance:
consent must be obtained by the
holder of parental responsibility over 1. Online Privacy and Data Use Policy;
the child. 2. Policy for obtaining and documenting
parental consent;
3. Social Media Privacy and Confidentiality
Policy; or
4. Guidelines for authorized social media
users.
Integrate data privacy into While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
Bring Your Own Device management activity may produce additional documentation to help demonstrate compliance with:
(BYOD) policies/procedures Article 5 – Principles relating to processing of personal data
Article 21 – Right to object
Article 32 – Security of processing
Page | 32
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
Integrate data privacy into While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
health & safety practices management activity may produce additional documentation to help demonstrate compliance with:
Article 5 – Principles relating to processing of personal data
Integrate data privacy into While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
practices for monitoring management activity may produce additional documentation to help demonstrate compliance with:
employees Article 6 – Lawfulness of processing
Article 21 – Right to object
Integrate data privacy into While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
use of CCTV/video management activity may produce additional documentation to help demonstrate compliance with:
surveillance Article 6 – Lawfulness of processing
Article 21 – Right to object
Integrate data privacy into While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
use of geo-location management activity may produce additional documentation to help demonstrate compliance with:
(tracking and or location) Article 6 – Lawfulness of processing
devices Article 21 – Right to object
Integrate data privacy into While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
delegated access to management activity may produce additional documentation to help demonstrate compliance with:
employees' company e-mail Article 6 – Lawfulness of processing
accounts (e.g. vacation, Article 21 – Right to object
LOA, termination)
Integrate data privacy into While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
e-discovery practices management activity may produce additional documentation to help demonstrate compliance with:
Article 6 – Lawfulness of processing
Article 21 – Right to object
Integrate data privacy into While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
conducting internal management activity may produce additional documentation to help demonstrate compliance with:
investigations Article 6 – Lawfulness of processing
Article 21 – Right to object
Integrate data privacy into While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
practices for disclosure to management activity may produce additional documentation to help demonstrate compliance with:
Article 6 – Lawfulness of processing
Page | 33
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
and for law enforcement Article 21 – Right to object
purposes
Integrate data privacy into 21, 89 Article 21 – Right to object This privacy management activity generally deals
research practices (e.g., with how an organization maintains procedures
scientific and historical This Article addresses the right of for research practices including processes to
research) data subjects to object to the obtain personal data for research purposes,
processing of his or her personal ensuring valid consents are obtained, de–
data. The grounds for objecting must identifying data where possible, and taking
relate to the particular situation of measures to ensure that research data
the data subject and the right to maintained for scientific, historical or statistical
object only applies to processing, research is safeguarded against improper use.
including profiling that is for
scientific or historical research or
statistical purposes.
Page | 34
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
5. Maintain Conduct privacy training 39 Article 39 –Tasks of the data This privacy management addresses the need for
Training and protection officer the DPO to provide awareness–raising and
Awareness training of staff involved in processing
Program This Article sets out the tasks of the operations and implementing such activities
DPO which include the obligation to would produce documentation that could serve
provide awareness–raising and as evidence of compliance with this
training of staff involved in requirement.
processing operations.
Example evidence to demonstrate compliance:
Page | 35
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
privacy into existing Article 39 – Tasks of the data protection officer (requiring the DPO to raise awareness and to staff
corporate communications involved in processing operations)
Provide a repository of While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
privacy information, e.g., an management activity may produce additional documentation to help demonstrate compliance with:
internal data privacy Article 39 – Tasks of the data protection officer (requiring the DPO to raise awareness and to staff
intranet involved in processing operations)
Maintain privacy awareness While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
material (e.g. posters and management activity may produce additional documentation to help demonstrate compliance with:
videos) Article 39 – Tasks of the data protection officer (requiring the DPO to raise awareness and to staff
involved in processing operations)
Measure participation in While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
data privacy training management activity may produce additional documentation to help demonstrate compliance with:
activities (e.g. numbers of Article 39 – Tasks of the data protection officer (requiring the DPO to raise awareness and to staff
participants, scoring) involved in processing operations)
Enforce the Requirement to While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
Complete Privacy Training management activity may produce additional documentation to help demonstrate compliance with:
Article 39 – Tasks of the data protection officer (requiring the DPO to raise awareness and to staff
involved in processing operations)
Provide ongoing education While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
and training for the Privacy management activity may produce additional documentation to help demonstrate compliance with:
Office and/or DPOs) Article 39 – Tasks of the data protection officer (requiring the DPO to raise awareness and to staff
involved in processing operations)
Maintain certification for While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
individuals responsible for management activity may produce additional documentation to help demonstrate compliance with:
data privacy, including Article 39 – Tasks of the data protection officer (requiring the DPO to raise awareness and to staff
continuing professional involved in processing operations)
education
6. Manage Integrate data privacy risk 32 Article 32 – Security of processing This privacy management activity addresses the
Information into security risk role of the privacy officer in ensuring privacy and
Security Risk assessments
Page | 36
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
This Article states that organisations data protection are taken into account as part of
must implement an “appropriate” security risk assessments.
level of security based on the state
of the art and costs of Example evidence to demonstrate compliance:
implementation, processing
activities, and risk of 1. DPIAs or other form or security risk
varying likelihood and severity to assessment that demonstrates
individuals' rights and freedoms. measures were based on an
assessment of risk.
Integrate data privacy into 5, 32 Article 5 – Principles relating to This privacy management activity helps the
an information security processing of personal data privacy office insert privacy and data protection
policy consideration into the information security
This Article sets out the general policy.
principles that all processing
activities must abide by, including:
Example evidence to demonstrate compliance:
Lawfulness, fairness and
transparency; 1. Information security programme
Purpose limitation; policies and procedures; or
Data minimisation; 2. Details of security measures that are in
Accuracy; place.
Storage or retention
limitation;
Integrity and confidentiality;
and
Accountability.
Page | 37
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
level of security based on the state
of the art and costs of
implementation, processing
activities, and risk of
varying likelihood and severity to
individuals' rights and freedoms.
Maintain technical security 32 Article 32 – Security of processing This privacy management activity helps the
measures (e.g. intrusion privacy office assess what technical security
detection, firewalls, The GDPR requires organisations to measures are in place to ensure an appropriate
monitoring) implement an “appropriate” level of level of security based on the considerations set
security based on the state of the art out in Article 32.
and costs of
implementation, processing Example evidence to demonstrate compliance:
activities, and risk of
varying likelihood and severity to 1. Details of security measures that are in
individuals' rights and freedoms. place; or
Examples are provided of measures 2. Policy on review and update of
that might be appropriate depending technical security measures.
on the level of risk including regular
tests of the effectiveness of security
measures.
Maintain measures to 32 Article 32 – Security of processing This privacy management activity helps the
encrypt personal data privacy office put in place encryption practices as
The GDPR requires organisations to an appropriate technical and organisational
implement an “appropriate” level of measure to ensure an appropriate level of
security based on the state of the art security.
and costs of
implementation, processing
activities, and risk of
varying likelihood and severity to
individuals' rights and freedoms.
Examples are provided of measures
Page | 38
.
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
that might be appropriate depending
on the level of risk including
encryption (32.1.a)
Maintain an acceptable use While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this
of information resources privacy management activity may produce additional documentation to help demonstrate compliance with:
policy Article 32 – Security of processing
Maintain procedures to 32 Article 32 – Security of processing This privacy management activity helps the
restrict access to personal organisation address how organisations restrict
data (e.g. role-based The GDPR requires organisations to access to personal data to those employees and
access, segregation of implement an “appropriate” level of users who have a legitimate business need to
duties) security based on the state of the art access the data.
and costs of
implementation, processing Example evidence to demonstrate compliance:
activities, and risk of
varying likelihood and severity to 1. Contracts with employees and
individuals' rights and freedoms. contractors limit the processing of
personal data;
2. Register of employees and contractors
detailing access rights to IT systems and
data; or
3. Audits of access to personal data to
determine if existing procedures are
appropriate based on the purpose for
which the data was collected and the
nature of the access.
Integrate data privacy into a While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
corporate security policy management activity may produce additional documentation to help demonstrate compliance with:
(protection of physical Article 32 – Security of processing
premises and hard assets)
Maintain human resource While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
security measures (e.g. pre- management activity may produce additional documentation to help demonstrate compliance with:
Article 32 – Security of processing
Page | 39
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
screening, performance
appraisals)
Maintain backup and While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
business continuity plans management activity may produce additional documentation to help demonstrate compliance with:
Article 32 – Security of processing
Maintain a data-loss While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
prevention strategy management activity may produce additional documentation to help demonstrate compliance with:
Article 32 – Security of processing
Conduct regular testing of 32 Article 32 – Security of processing This privacy management activity helps the
data security posture organisation address the requirement to put in
This Article requires an place a technical or organisational measure to
“appropriate” level of security ensure the security of the processing of personal
including a process for regularly data.
testing, assessing and evaluating the
effectiveness of technical
organisational measures for ensuring
the security of the processing
(32.1.d).
Maintain a security While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
certification (e.g., ISO) management activity may produce additional documentation to help demonstrate compliance with:
Article 32 – Security of processing
7. Manage Maintain data privacy 28, 32 Article 28 – Processor This privacy management activity helps the
Third–Party requirements for third organisation determine what data protection
Risk parties (e.g., clients, This Article creates an obligation on requirements are needed for contracts with
vendors, processors, data controllers to only outsource third–parties who receive and use the personal
affiliates) processing to those entities that data on behalf of the organisation.
have sufficient guarantees to
implement appropriate measures to Example evidence of compliance:
guarantee GDPR compliance and to
have a contract or binding act that 1. Screening questions for potential
governs the relationship. The vendors and other processors;
Page | 40
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
contents of such a contract are set 2. Privacy and security contractual clauses
out. (inserted data processing agreements);
3. Data protection questionnaire for
The Article also limits the ability of outsourcing personal data processing;
processors to subcontract without 4. Vendor data protection risk assessment
consent of the data controller, and scorecard;
what guarantees need to be in place 5. Contractor data protection
in this arrangement. requirements.
6. Adherence of the processor to an
Article 32 – Security of Processing approved code of conduct or
certification mechanism; or
This Article requires an 7. Agreements with contractors or
“appropriate” level of security vendors that include the standard
and also requires that any person contractual clauses.
with access to personal data only
processes such data in accordance
with instructions from the data
controller.
Maintain procedures to 28, 29 Article 28 – Processor This privacy management activity addresses
execute contracts or steps taken to ensure written or electronic
agreements with all This Article creates an obligation on contracts are in place with processors.
processors data controllers to only outsource
processing to those entities that Example evidence of compliance:
have sufficient guarantees to
implement appropriate measures to 1. Data processing agreements or
guarantee GDPR compliance and to contracts that show consistency with
have a contract or binding act that legal obligations and privacy risk
governs the relationship. The management activities;
contents of such a contract are set 2. Adherence of the processor to an
out. approved code of conduct or
certification mechanism; or
The Article also limits the ability of
Page | 41
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
processors to subcontract without 3. Standard contractual clauses between
consent of the data controller, and the controller and processor.
what guarantees need to be in place
in this arrangement.
Article 29 – Processor
This Article indicates that processors
and staff of controllers and
processors must only process
personal data in accordance with
either data controller instructions or
a requirement of Union or Member
State law.
Conduct due diligence 28 Article 28 – Processor This privacy management addresses that
around the data privacy requirement that due diligence is necessary as
and security posture of This Article creates an obligation on part of ensuring that processing is only done by
potential data controllers to only outsource entities with sufficient data protection
vendors/processors processing to those entities that guarantees.
have sufficient guarantees to
implement appropriate measures to Example evidence of compliance:
guarantee GDPR compliance.
1. Checklist of screening questions for
potential vendors and processors;
2. Vendor privacy questionnaire; or
3. Vendor privacy risk assessment
scorecard.
Conduct due diligence on While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
third party data sources management activity may produce additional documentation to help demonstrate compliance with:
Article 28 – Processor (requiring data controllers to use only processors providing sufficient
guarantees)
Page | 42
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
Maintain a vendor data While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
privacy risk assessment management activity may produce additional documentation to help demonstrate compliance with:
process Article 28 – Processor (requiring data controllers to use only processors providing sufficient
guarantees)
Maintain a policy governing While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
use of cloud providers management activity may produce additional documentation to help demonstrate compliance with:
Article 28 – Processor (requiring data controllers to use only processors providing sufficient
guarantees)
Maintain procedures to While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
address instances of non– management activity may produce additional documentation to help demonstrate compliance with:
compliance with contracts Article 28 – Processor (requiring data controllers to use only processors providing sufficient
and agreements guarantees)
Conduct ongoing due While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
diligence around the data management activity may produce additional documentation to help demonstrate compliance with:
privacy and security posture Article 28 – Processor (requiring data controllers to use only processors providing sufficient
of vendors/processors guarantees)
Review long–term contracts While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
for new or evolving data management activity may produce additional documentation to help demonstrate compliance with:
privacy risks Article 28 – Processor (requiring data controllers to use only processors providing sufficient
guarantees)
8. Maintain Maintain a data privacy 8, 13, 14 Article 8 provides that where the This privacy management activity ensures that
Notices notice that details the legal basis of consent is being relied controllers put in place policies and procedures
organisation’s personal on in relation to offering information to ensure that the required information is
data handling practices society services to minors under the provided to data subjects when their
age of 16 (or to younger children not information is collected.
younger than 13, if the age threshold
is lowered by Member State law), Example evidence to demonstrate compliance:
verifiable parental consent must be
obtained. 1. Copy of the information notice provided
to data subjects; or
Page | 43
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
Article 13 – Information to be 2. Documentation showing that privacy
provided where personal data are notice is aligned to legal requirements.
collected from the data subject
Page | 44
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
through an information notice. It
also sets out requirements for timing
of the notice and identifies when
exemptions may apply.
Page | 45
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
Article 13 – Information to be provided where personal data are collected from the data subject
Article 14 – Information to be provided where personal data have not been obtained from the
data subject
Maintain scripts for use by While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
employees to explain or management activity may produce additional documentation to help demonstrate compliance with:
provide the data privacy Article 13 – Information to be provided where personal data are collected from the data subject
notice Article 14 – Information to be provided where personal data have not been obtained from the
data subject
Maintain a privacy Seal or While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
Trustmark to increase management activity may produce additional documentation to help demonstrate compliance with:
customer trust Article 13 – Information to be provided where personal data are collected from the data subject
Article 14 – Information to be provided where personal data have not been obtained from the
data subject
Maintain procedures to While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
address complaints management activity may produce additional documentation to help demonstrate compliance with:
Article 15 – Right of access by the data subject
Article 16 – Right to rectification
Article 17 – Right to erasure (‘right to be forgotten’)
Article 18 – Right to restriction of processing
Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction
of processing
Article 20 – Right to data portability
9. Respond to Maintain procedures to 15 Article 15 – Right of access by the This privacy management activity addresses the
Requests and respond to requests for data subject primary process and procedures needed to
Complaints access to personal data ensure that an organisation can respond to
from This Article addresses the right of access requests in a timely and appropriate
Individuals data subjects to: obtain confirmation manner, providing the data held on the data
of whether their personal is being subject. If implanted this activity may
processed, where it is being demonstrate that the right to access is
processed and have access to the understood and provided for.
Page | 46
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
data. Additionally it lists further Example evidence to demonstrate compliance:
information that should be supplied: 1. Protocol or procedure for responding to
access requests in a timely manner;
Purpose of processing; 2. Form for the supply of additional data
Categories of data; required for access requests; or
Recipients of data; 3. Log of recording access requests.
Data storage period;
Rights to rectification &
complaint;
Source of data;
Existence of automated
processing, associated logic
and consequences; and
Safeguards for transfer to
third countries or
international organisations.
Page | 47
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
This Article creates an obligation to
notify each recipient to whom data
has been disclosed of any
rectification, erasure or restriction of
processing. There is also an
obligation to provide information to
the data subject about these
recipients upon request.
Page | 48
Inc.
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
Article 21 – Right to object
Page | 49
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
personal data or restriction of
processing
Page | 50
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
Monitor and report metrics While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
for data privacy complaints management activity may produce additional documentation to help demonstrate compliance with:
(e.g. number, root cause) Article 15 – Right of access by the data subject
Article 16 – Right to rectification
Article 17 – Right to erasure (‘right to be forgotten’)
Article 18 – Right to restriction of processing
Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction
of processing
Article 20 – Right to data portability
10. Monitor Integrate Privacy by Design 25 Article 25 – Data protection by This privacy management activity addresses
for New into system and product design and by default frameworks to help engineers and application
Operational development developers embed privacy–protective
Practices The GDPR introduces responsibilities mechanisms into the fundamental design of
for the controller and requires data processing activities.
protection by design and by
default. Data controllers must, at the Example evidence to demonstrate compliance:
time of determining the means of
processing as well as when actually 1. Policies and procedures demonstrating
processing, implement appropriate that privacy requirements shall be
technical and organisational included in the technical specifications
measures (e.g., pseudonymisation) of new IT tools
to implement the data protection 2. DPIAs demonstrating that the necessary
principles set out in Article 5 (such as safeguards were integrated into the
data minimisation) and integrate data processing;
necessary safeguards into the 3. Incorporating data protection by design
processing to meet the GDPR principles into: a) IT systems; b)
requirements. accountable business practices; and c)
physical design and networked
Data controllers must also infrastructure; or
implement data protection
by default, i.e. implement
appropriate technical and
Page | 51
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
organisational measures to ensure 4. Policies, procedures, methodologies,
that, by default, only personal data and other measures for anonymizing or
necessary for each specific purpose pseudonymizing data.
are processed. The concept of
"necessary" informs the amount of
data collected, extent of
processing, and retention and
accessibility of data.
Maintain PIA/DPIA 35 Article 35 – Data protection impact This privacy management activity addresses
guidelines and templates assessment guidelines on how to conduct a DPIA to analyse
the processing of personal data and determine
This Article requires data controllers risks to such personal data. It helps organisations
to assess the impact of processing ask questions during the development of their
operations on the protection of processing programs to take into account the
personal data where the processing available technology, cost of implementation,
is likely to result in a high risk for the nature, scope, context, and purposes of
rights and freedoms of data subjects. processing, and measures that could be applied
When carrying out the DPIA, the to protect the rights of data subjects (e.g.,
controller must seek the advice of pseudonymisation).
the Data Protection Officer (when
designated). DPIAs should contain:
Example evidence to demonstrate compliance:
A description of the
1. DPIA templates covering required
processing activities being
content;
assessed;
2. Guidelines, policies or assessments
An assessment of the risks around when DPIAs are required;
to data subjects; and 3. Officer’s opinion and advice was sought
A description of the as part of the DPIA process;
measures the controller will 4. Evidence that consultations were held
take to address these risks, with affected populations or their
including the safeguards, representatives where
security measures and
Page | 52
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
mechanisms that the appropriate (e.g., advocates,
controller will implement to community groups);
ensure compliance with the 5. Assessments/reviews of processing
GDPR. activities in light of new or changes to
risks; or
If the risks posed by the processing 6. Guidelines and policies on when to
change, a review must be conducted reach out to the data protection
to assess whether processing still authorities to assess risk mitigation.
complies with the DPIA
Conduct PIAs/DPIAs for 5, 6, 25, 35 Article 5 – Principles relating to This privacy management activity addresses
new programs, systems, processing of personal data guidelines on when a DPIA is required as part of
processes the development process for new processing.
This Article sets out the general
principles that all processing
activities must abide by including:
Example evidence to demonstrate compliance:
Lawfulness, fairness and
transparency; 1. DPIAs demonstrating that the necessary
Purpose limitation; safeguards were integrated into the
Data minimisation; data processing;
Accuracy; 2. Results from DPIAs showing how
Storage or retention determinations were made balancing
limitation; the legitimate interests of the data
Integrity and confidentiality; controller against the interests or
and fundamental rights and freedoms of
Accountability. data subjects;
3. Guidelines, policies or assessments
around when DPIAs are required;
Article 6 – Lawfulness of processing
4. Evidence that the Data Protection
Officer’s opinion and advice was sought
This Article provides legal grounds
as part of the DPIA process;
on which personal data can be
Page | 53
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
processed, as well as how to 5. Evidence that consultations were held
determine when further processing with affected populations or their
is compatible with the original representatives where
purposes for processing. appropriate (e.g., advocates,
community groups); or
Article 25 – Data protection by 6. Assessments/reviews of processing
design and by default activities in light of new or changes to
risks.
This Article introduces
responsibilities for the controller and
requires data protection by design
and by default.
Conduct PIAs or DPIAs for 5, 6, 25, 35 Article 5 – Principles relating to This privacy management activity addresses
changes to existing processing of personal data having policies and procedures to follow when
programs, systems, or This Article sets out the general there is a change to existing processes, programs
processes principles that all processing or systems to ensure that data protection risks
activities must abide by, including: are measured, analysed and mitigated.
Page | 54
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
Data minimisation; 1. Guidelines, policies or assessments
Accuracy; around when DPIAs are required;
Storage or retention 2. Evidence that the Data Protection
limitation; Officer’s opinion and advice was sought
Integrity and confidentiality; as part of the DPIA process;
and 3. Evidence that consultations were held
Accountability. with affected populations or their
representatives where appropriate
Article 6 – Lawfulness of processing (e.g., advocates, community groups);or
This Article provides legal grounds 4. Assessments/reviews of processing
on which personal data can be activities in light of new or changes to
processed, as well as how to risks. DPIAs demonstrating that the
determine when further processing necessary safeguards were integrated
is compatible with the original into the data processing.
purposes for processing.
Article 25 – Data protection by
design and by default
Engage external 35 Article 35.9 – states that, where This privacy management activity helps the
stakeholders (e.g., appropriate, the controller shall seek organisation develop guidance on how to consult
individuals, privacy the views of data subjects or their with external parties as part of the DPIA process.
advocates) as part of the representatives on the intended
PIA/DPIA process processing, without prejudice to the Example evidence to demonstrate compliance:
protection of commercial or public 1. Evidence that consultations were held
interests or the security of with affected populations or their
processing operations. representatives where
appropriate (e.g., advocates,
community groups).
Track and address data 35 Article 35 – Data protection impact This privacy management activity ensures the
protection issues identified assessment organisation treats similar data protection issues
during PIAs/DPIAs This Article requires data controllers consistently and allows for learning from one
to assess the impact of processing
Page | 55
.
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
operations on the protection of PIA/DPIA to be applied to subsequent
personal data where the processing PIAs/DPIAs.
is likely to result in a high risk for the
rights and freedoms of data subjects. Example evidence to demonstrate compliance:
Report PIA/DPIA analysis 36 Article 36 – Prior consultation This privacy management activity addresses
and results to regulators when and how to report PIAs/DPIAs to
(where required) and This Article requires data controllers supervisory authorities. Determinations around
external stakeholders (if to consult with the supervisory whether such reporting is required and
appropriate) authority when a PIA indicates that documentation that consultations were
processing would result in a high risk executed would demonstrate compliance with
to data subjects and lists the the GDPR.
minimum information the data
controller needs to provide to the Example evidence to demonstrate compliance:
supervisory authority.
1. DPIAs identifying high risk processing;
or
2. Correspondence with the supervisory
authority seeking advice regarding the
intended processing.
11. Maintain Maintain a data privacy 33, 34 Article 33 – Notification of a This privacy management activity helps
Data Privacy incident/breach response personal data breach to the organisations create a breach response
Breach plan supervisory authority infrastructure that will facilitate compliance with
Management the specific requirements under Article 33
Program This Article makes it mandatory to respecting timing requirements for notification
notify supervisory authorities in the and the content of a notification letter. It further
event of a data breach that poses a ensures that recordkeeping requirements are
"risk of harm". The notification is captured.
expected without undue delay and
Page | 56
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
where feasible within 72 hours. As Example evidence to demonstrate compliance:
well, detailed content requirements 1. Incident and breach response protocol;
are set out for the notification letter. 2. Contact list for breach response team;
The circumstances of the data 3. Breach notification letters;
breaches must also be documented. 4. Log for recording data protection
incidents and breaches;
Article 34 – Communication of a 5. Incident summary form; or
personal data breach to the data 6. Information loss report and
subject management form.
Page | 57
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
Article 33 – Notification of a
personal data breach to the
supervisory authority
Article 34 – Communication of a
personal data breach to the data
subject
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
supervisory authority to verify 3. Information loss report and
compliance with this Article. management form.
Conduct periodic testing of While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
data privacy management activity may produce additional documentation to help demonstrate compliance with:
incident/breach plan Article 33 – Notification of a personal data breach to the supervisory authority
Engage a breach response While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
remediation provider management activity may produce additional documentation to help demonstrate compliance with:
Article 33 – Notification of a personal data breach to the supervisory authority
Engage a forensic While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
investigation team management activity may produce additional documentation to help demonstrate compliance with:
Article 33 – Notification of a personal data breach to the supervisory authority
Obtain data privacy breach
insurance coverage
12. Monitor Conduct self–assessments 24, 39 Article 24 –Responsibility of the This privacy management activity helps the
Data Handling of privacy management controller privacy office establish a procedure to ensure
Practices This Article requires the data the ability to demonstrate that appropriate
controller to implement appropriate technical and organisational measures have
technical and organisational been put in place for compliance with the GDPR.
measures to ensure and be able to
demonstrate compliance with the Example evidence to demonstrate compliance:
GDPR.
1. Readiness Assessments; or
Article 39 – Tasks of the DPO 2. Data Privacy Accountability Scorecard.
This Article sets out the tasks of the
DPO including: advise the Controller
or Processor and its employees of
data protection obligations; monitor
compliance, including assigning
responsibilities, training and audits;
advising on & monitoring DP impact
assessments, cooperating and
contacting the supervisory authority
Page | 59
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
as required, and reviewing
processing risk.
Conduct Internal Audits of While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
the privacy program (i.e., management activity may produce additional documentation to help demonstrate compliance with:
operational audit of the Article 5 – Principles relating to processing of personal data
Privacy Office) Article 24 – Responsibility of the controller
Conduct ad–hoc walk- While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
throughs management activity may produce additional documentation to help demonstrate compliance with:
Article 5 – Principles relating to processing of personal data
Article 24 – Responsibility of the controller
Conduct ad–hoc While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
assessments based on management activity may produce additional documentation to help demonstrate compliance with:
external events, such as Article 5 – Principles relating to processing of personal data
complaints/breaches Article 24 – Responsibility of the controller
Engage a third–party to While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
conduct audits/assessments management activity may produce additional documentation to help demonstrate compliance with:
Article 5 – Principles relating to processing of personal data
Article 24 – Responsibility of the controller
Monitor and report privacy While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
management metrics management activity may produce additional documentation to help demonstrate compliance with:
Article 5 – Principles relating to processing of personal data
Article 24 – Responsibility of the controller
Maintain documentation as 5, 24 Article 5 – Principles relating to This privacy management activity supports the
evidence to demonstrate processing of personal data organisation creating a process for maintaining
compliance and/or documentation of the technical and
accountability This Article sets out the general organisational measures it has put in place in
principles that all processing order to demonstrate compliance with the
activities must abide by, including: GDPR.
Page | 60
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
Page | 61
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
demonstrating compliance
to regulators
13. Track Identify ongoing privacy 39 Article 39 –Tasks of the DPO This privacy management activity addresses how
External compliance requirements, the DPO conducts research regularly to maintain
Criteria e.g., law, case law, codes, This Article sets out the tasks of the expert knowledge with respect to privacy and
etc. DPO which include an obligation to data protection law and practices and to
monitor compliance with the GDPR determine what, if any, changes to the privacy
and with other Union or Member program need to be made as a result of any
State data protection provisions. legal or regulatory developments.
Maintain subscriptions to While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
compliance reporting management activity may produce additional documentation to help demonstrate compliance with:
service/law firm updates to Article 39 –Tasks of the DPO
stay informed of new
developments
Attend/participate in While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
privacy conferences, management activity may produce additional documentation to help demonstrate compliance with:
industry associations, or Article 39 –Tasks of the DPO
think–tank events
Record/report on the While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
tracking of new laws, management activity may produce additional documentation to help demonstrate compliance with:
regulations, amendments or Article 39 –Tasks of the DPO
other rule sources
Page | 62
Accountability Roadmap for Demonstrable GDPR Compliance
Privacy Privacy Management Relevant GDPR Article Description How the Mandatory Privacy Management
Management Activities (Mandatory Article(s) Activity may help achieve compliance with
Categories Privacy management GDPR obligations
Activities are highlighted)
Seek legal opinions While not considered mandatory for demonstrating compliance with the GDPR, if implemented, this privacy
regarding recent management activity may produce additional documentation to help demonstrate compliance with:
developments in law Article 39 –Tasks of the DPO
Document decisions around If implemented, this privacy management activity may produce additional documentation to help
new requirements, demonstrate compliance with the following Articles:
including their Article 39 –Tasks of the DPO
implementation or any Article 35 – Data protection impact assessment
rationale behind decisions Article 5 – Principles relating to processing of personal data
not to implement changes Article 24 – Responsibility of the controller
Identify and manage Article 39 –Tasks of the DPO
conflicts in law
Page | 63