EU GDPR - DPO, DPIA & other questions
I was wondering if you could help me with some GDPR related questions:
1. How does an organization establish whether it needs a DPO or not?
2. Does the DPO need to be an employee, or can it be outsourced as well?
3. What would be the position of the DPO in the company organizational chart?
4. What would be the job description applicable to the DPO?
5. Is there any easy way to establish the duration of a GDPR compliance project?
6. What is the difference between a DPIA and a PIA?
7. When does one need to perform a DPIA?
8. Are there any specific requirements in terms of encryption?
1. How does an organization establish whether it needs a DPO or not?
Appointing a DPO is mandatory if (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; or (b) the core activities of the legal entity consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the legal entity consist of processing on a large scale of special categories of data pursuant to Article 9 of the EU GDPR and personal data relating to criminal convictions and offenses referred to in Article 10 of the EU GDPR.
2. Does the DPO need to be an employee, or can it be outsourced as well?
Both options work. The DPO can be an employee or it can be outsourced. The most important thing is that the DPO is independent and given adequate resources.
3. What would be the position of the DPO in the company organizational chart?
According to art. 37 of the GDPR, the DPO should report directly to the highest management level of the controller or the processor. If you want to find out more about the tasks of the DPO, check out this free webinar: Role of the DPO according to EU GDPR (https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/).
4. What would be the job description applicable to the DPO?
Article 39 of the GDPR describes the main tasks of the DPO. However, you can find a more detailed task description in our EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-premium-documentation-toolkit/).
5. Is there any easy way to establish the duration of a GDPR compliance project?
The duration is closely linked to the size of the company as well as to its processing activities. We have developed a duration calculator that might give you an idea of the time needed. You can find it at https://advisera.com/eugdpracademy/eu-gdpr-compliance-duration-calculator/
6. What is the difference between a DPIA and a PIA?
They are basically the same thing. Before the GDPR it used to be called a Privacy Impact Assessment, and after the GDPR it is called a Data Protection Impact Assessment. If you want to find out more about DPIAs, check out this webinar: Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR (https://advisera.com/eugdpracademy/webinar/seven-steps-of-data-protection-impact-assessment-dpia-according-to-eu-gdpr-free-webinar-on-demand/).
7. When does one need to perform a DPIA?
A DPIA needs to be performed whenever a specific processing activity is considered to be a high risk to the rights and freedoms of the individuals.
8. Are there any specific requirements in terms of encryption?
Encryption is just a method to protect personal data, and the GDPR does not impose a specific type of encryption; however, it does mention that it needs to be state of the art.
Jan 14, 2020