ICT organizational GDPR roles - DPIA



The scope of this section is to introduce the reader to the organisation roles that are necessary and in some cases mandatory, for the proper implementation of the GDPR within a stakeholder’s activities, be it a data controller or a data processor. Since most ICT scientists and practitioners are accustomed to Information Security, the similarities and differences between Information Security and Data Protection is explained.

At the end of the study, the reader is expected to:

  • Understand the qualifications, the obligations, the role and functioning of the DPO within any organization that processes personal data.
  • Be able to distinguish the role of the DPO from the role of the CISO.
  • Be able to understand the different approach of data protection in Risk Analysis, in comparison to “traditional”Information Security Risk Analysis.
  • Be able to identify Data Protection Risks and mitigating measures.
  • Understand the significance of the DPIA and what such an assessment should contain.


Data Protection Officer (DPO) - CISO - Privacy Team


Key Messages

  • The GDPR establishes the position of the data protection officer (DPO).
    • The role of a DPO is to ensure that the organisation processes personal data of any individuals (data subjects) in compliance with the applicable data protection rules.
    • Appointment of a DPO is mandatory in some cases.
    • The DPO acts as an internal consultant and auditor and reports to the top management.
  • The Chief Information Security Officer (CISO) is part of an organization’s management team and is responsible for the actual implementation and functioning of security measures, taking decisions and representing the organisation in relation to Information Security.
  • It is highly likely that the role of CISO is incompatible with the role of the DPO, unless the organization can prove that the role of the CISO is purely advisory.
  • An organization should not rely only on the DPO for any privacy related issue. The establishment of a privacy team, comprising of employees with the necessary skills and expertise is crucial.

See relevant slides


Relationship between Personal Data Protection and Information Security


Key Messages

  • Information security is an integral part of the GDPR, but constitutes only one of the data protection legislation principles.
  • The GDPR adopts a risk based approach for data protection and information security.
  • The notion definition of “Risk” in Data Protection is different from Information Security.
    • The GDPR risk is in respect to any rights and freedoms of individuals that may result from personal data processing.
  • In Data Protection Unlinkability, Transparency and Intervenability are added to the well known CIA triad (confidentiality, integrity and availability).
See relevant slides


The DPIA as an accountability tool


Key Messages

  • The Data Protection Impact Assessment (DPIA) is a method to identify and mitigate any data protection related risks arising from a new project.
    • Conducting a proper DPIA is, probably, the most complete accountability tool.
    • Through the DPIA process a data controller can mitigate risks throughout the lifecycle of a product.
  • The DPO provides advice to the team conducting the DPIA but should not be the person responsible for that assessment.
See relevant slides


General References



Λογότυπο byDesign toolkit & Europe

This online toolkit was funded by the European Union’s Rights, Equality and Citizenship Programme (2014-2020).

Disclaimer: The content of this online toolkit represents the views of the authors only and is their sole responsibility. The European Commission does not accept any responsibility for use that may be made of the information it contains.