ICT organizational GDPR roles - DPIA

The scope of this section is to introduce the reader to the organisation roles that are necessary and in some cases mandatory, for the proper implementation of the GDPR within a stakeholder’s activities, be it a data controller or a data processor. Since most ICT scientists and practitioners are accustomed to Information Security, the similarities and differences between Information Security and Data Protection is explained.

At the end of the study, the reader is expected to:

• Understand the qualifications, the obligations, the role and functioning of the DPO within any organization that processes personal data.
• Be able to distinguish the role of the DPO from the role of the CISO.
• Be able to understand the different approach of data protection in Risk Analysis, in comparison to “traditional”Information Security Risk Analysis.
• Be able to identify Data Protection Risks and mitigating measures.
• Understand the significance of the DPIA and what such an assessment should contain.

Key Messages

• The GDPR establishes the position of the data protection officer (DPO).

  • The role of a DPO is to ensure that the organisation processes personal data of any individuals (data subjects) in compliance with the applicable data protection rules.
  • Appointment of a DPO is mandatory in some cases.
  • The DPO acts as an internal consultant and auditor and reports to the top management.
• The Chief Information Security Officer (CISO) is part of an organization’s management team and is responsible for the actual implementation and functioning of security measures, taking decisions and representing the organisation in relation to Information Security.
• It is highly likely that the role of CISO is incompatible with the role of the DPO, unless the organization can prove that the role of the CISO is purely advisory.
• An organization should not rely only on the DPO for any privacy related issue. The establishment of a privacy team, comprising of employees with the necessary skills and expertise is crucial.

See relevant slides

Key Messages

• Information security is an integral part of the GDPR, but constitutes only one of the data protection legislation principles.
• The GDPR adopts a risk based approach for data protection and information security.
• The notion definition of “Risk” in Data Protection is different from Information Security.

  • The GDPR risk is in respect to any rights and freedoms of individuals that may result from personal data processing.
• In Data Protection Unlinkability, Transparency and Intervenability are added to the well known CIA triad (confidentiality, integrity and availability).

Key Messages

• The Data Protection Impact Assessment (DPIA) is a method to identify and mitigate any data protection related risks arising from a new project.

  • Conducting a proper DPIA is, probably, the most complete accountability tool.
  • Through the DPIA process a data controller can mitigate risks throughout the lifecycle of a product.
• The DPO provides advice to the team conducting the DPIA but should not be the person responsible for that assessment.

1. WP29 - Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01) - endorsed by the EDPB
2. Hellenic DPA - FAQ on the role of the DPO
3. Hellenic DPA - Announcement on the certification of DPOs
4. Hellenic DPA - Announcement on the representation of data controllers/processors before the HDPA
5. Belgian DPA - Decision 141/2021 -incompatibility of the roles of DPO and CISO
6. The DPO Handbook - T4DATA Project - Guidance for data protection officers in the public and quasi‐public sectors on how to ensure compliance with the European Union General Data Protection Regulation
7. WP29 - on Data Protection Impact Assessment (DPIA) (wp248rev.01) - endorsed by the EDPB
8. EDPS - Accountability on the ground: Guidance on documenting processing operations for EU institutions, bodies and agencies
9. Irish Data Protection Commissioner - Data Protection Impact Assessments