FAQs

Can the DPO be an existing employee?

Yes as long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests, rather than you having to create a new post

Can we contract out the role of the DPO?

Yes you can contract out the role of DPO, based on a service contract with an individual or an organisation The externally-appointed DPO should have the same position, tasks and duties as an internal DPO

Consent – Article 6,7,8

Have you collected and stored the appropriate and necessary consent of the Data Subject?

For data processing

For data storage

To facilitate data-subject rights

To know if a breach has occurred

While ensuring that withdrawal of consent is as easy as giving it.

Control of private data is now clearly vested in the individual – with very few statutory exceptions

Corporations can only use it for purposes that are

pre-defined

explicit

with the full agreement of the individual in advance

Data Subject Rights Articles 13,14,15

Have you informed the Data Subject?

Why we need the data specified

All processing that will be enacted upon it

When we will destroy or re-consent the data

Where we sourced the data

Precisely with whom we will send or 'share' the data

About their rights of access and how to effect that

Do we know EXACTLY what and where all ‘Processing’ is / is taking place?

Even if we [the controller] controls the Processor, we probably need to ask: Article 28

Do we have a ‘written contract’ with the processing organization?

Does the Contract precisely state what the processing consists of?

Do we completely understand the Processors’ data storage arrangements?

Do we have a copy of the Processor’s approved code of conduct?

Do we permit the Processor to make any decisions at all in managing the data?

External Controller

Is the data Controller exercising control from outside EU? Article 26,27

In which country/ies is/are the EU Designated Controller(s)?

What is their relationship with the external Controller?

What is their relationship with the Data Subjects?

Privacy by design and default

Do we have processes, in place, to ensure that: Article 24,25

We can show how we protect the rights of data subjects

We can show that only personal data which are necessary for each specific purpose of the processing are processed

We can show how this applies to the amount of personal data collected, the extent of their processing

We can justify the period of their storage and the data accessibility

Profiling Article 21, 22, 23

Have you informed the Data Subject?

Of their different rights to “object” in various ways to, or to prevent, our different types of processing, and the automated or other methods available to them to exercise these rights

Of the right to be excluded from profiling and how

How to secure human attention to their concerns

If any limitations to their rights apply

Responsibility of the controller – Data protection by design and by default

Do we have processes, in place, to ensure that: Article 24,25

We can show that we have moved our processes in line with IT’s evolution

We can show we have dynamic processes in place to track the state-of-the-art and modify our processing accordingly

We can show that we implement data-protection principles, such as data minimisation, in an effective manner

We can show how we integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR

We can demonstrate an appropriate set of policies

[ok for now but need to revisit – also need to consider duplication with next sub-box?]

Frequently Asked Questions