CIPPE Module 10 - Accountability

Question 1

What does TOM for protection personal data mean in practical terms?

Answer 1

1. Data protection by design and default
2. Data protection impact assessment
3. Data processing records
4. Data Protection Officer.

Although most of this applies to DC, DPs also have a role. They must support the DCs and help them demonstrate compliance.

Question 2

What does data protection by design and default mean?

Answer 2

DPbyDesign: Orgs have to think about data protection beginning in the design phase of their services and extending throughout the lifecycle. (e.g. designing for use of pseudonymization, data minimization). These practices must continue into the operations phase (i.e. once data processing begins).

DPbyDefault: Most protective setting must apply by default. For example, collect only minimal data as default, and limits its accessibility - like what IAM does (user has no access to anything unless explicitly permitted).

Question 3

What is a DPIA?

Answer 3

• Data Protection Impact Assessment or Privacy Impact Assessment.
• DPIAs help organization incorporate data protection into org planning
  -DPIAs function as tools to manage risks to data subjects.
• Demonstrate compliance to a supervisory authority.

Question 4

When is a DPIA required?

Answer 4

• If there is a high risk to rights and freedoms of natural persons.
• Must also consider nature, scope, purpose, context and new technologies involved in processing.
• If automated processing and profiling based decision with legal effects are in play
• Large scale processing of special category of data or criminal data
• Systematic monitoring of public areas on a large scale.
• SAs must publish lists of activities that require DPIA and those that dont.

Question 5

How do you conduct a DPIA?

Answer 5

1. Initial risk assessment to identify data risks
2. Measures to address identified risks

Question 6

What should the DPIA include?

Answer 6

1. Description of the processing;
2. Legitimate interest being pursued
3. Necessity, proportionality to the purpose
4. Risks of processing
5. Mitigating measures

Essentially the DPbyDesign and DPbyDef controls.

Question 7

When must the DPA/SA be contacted?

Answer 7

• If the DPIA indicates high risk without the mitigating measures.

The information must also supply a) Responsibilities of DC and DP b) purpose and means of processing c) Measures and safeguards and d) DPO contact details e) DPIA

DPA/SA will assess if mitigating measures are sufficient; may block processing (if deemed insufficient).

Question 8

What is the role of a Data Protection Policy?

Answer 8

1. Part of the TOM to protect data; set the organizational tone
2. Part of a larger data protection program
3. Explain to employees what they can and cannot do.
4. Employee training and awareness

Such policies should be clear, concise and accessible to employees.

Question 9

What is a ROPA?

Answer 9

ROPA = Record of Processing Activity
Controllers and processors have to maintain it.
It contains names and contact details of processors
Categories of processing activities
Transfer of personal data to a third country
Description of TOMs.

Question 10

What is purpose of the ROPA?

Answer 10

1. Demonstrating compliance - it is about accountability.

Question 11

Who needs to maintain ROPAs?

Answer 11

1. DC and DPs
2. Any organization with more than 250 employees
3. Any org that processes data frequently
4. Sensitive data or criminal data
5. If the processing can cause risk to the DS.

Question 12

What is the role of the DPO?

Answer 12

The role of the DPO is to ensure and demonstrate compliance with the GDPR. However, they are not personally responsible. Compliance is still the responsibility of the DC & DP.

Both controller and processor may have to designate a DPO in select cases per Article 37:
a) if the controller is a public authority
b) if the DC’s core activity is regularly and systematically monitoring DS on a large scale
c) if the data processing is on a large scale and involve sensitive data

Question 13

What are the tasks & responsibilities of the DPO?

Answer 13

1. Ensure compliance with the regulation
2. Advise Controllers and Processors
3. Manage Risk
4. Be a point of contact
5. Communicate with DS
6. Monitor DPIA
7. Exercise professional secrecy.

Question 14

What are the responsibilities of DC & DPs with respect to the DPO?

Answer 14

Per article 38
1. Ensure DPO is involved properly and in a timely manner on data protection issues
2. Provide resources; access to personal data; resource to maintain expert knowledge
3. DPO reports to highest management
4. No conflict of interest; not penalized for doing their job

Question 15

What does article 27 say about an EU representative?

Answer 15

DCs and DPs must designate a representative in the EU Member states
i.e. IF they are consistently processing personal data.
The Rep will be the point of contact for SAs and DSs.