The controller shall implement appropriate measures (Plan, Do), review them (Check) and, where necessary, update the measures taken (Act).
In blogs two and three of this series we touched upon the Inspector and Policymaker roles. The Inspector’s initial task was mostly about getting to know the controller (as defined in Article 4(7) GDPR) and starting the process of identifying the processings. The Policymaker’s task was to set the GDPR parameters, i.e. to have the controller define an Article 5 GDPR-based privacy mission, draw up a set of FIP-based rules of conduct and create an initial GDPR plan based on the last sentence of Article 24(1) GDPR (measures shall be reviewed and updated where necessary).
In this blog the Planner role comes into play. It is the Planner’s job to put a privacy team in place, to allocate the execution of at least the mandatory GDPR privacy activities to the individual team members, and to provide the team with the necessary information on how to prove that the privacy activities allocated to them have been completed in a GDPR-compliant manner.
The privacy team
Selecting a privacy team is one of the most important tasks of the GDPR Compliance Officer. The team itself consists of:
- the board member responsible for the GDPR compliance portfolio and as such representing the CEO/Chairman of the Board;
- the GDPR Compliance Officer, an employee or a consultant responsible for implementing the GDPR within the controller’s organisation;
- the Data Protection Officer, an employee or consultant appointed in accordance with Article 37 GDPR (mandatory in the cases listed in Article 37(1), such as public authorities and controllers whose core activities involve large-scale regular and systematic monitoring or large-scale processing of special categories of data; optional otherwise);
- the privacy activity task owners, employees selected to execute specific privacy activities, including the delivery of the necessary means of proof.
Unlike the one-off meetings held during the Inspector and Policymaker phases, inviting privacy team members is the first moment at which the GDPR claims real FTE capacity on a continuous basis. Resistance from within the organisation, specifically from middle management, is therefore common. The second such moment comes when privacy team members are confronted with the task at hand and realise what kind of effort will be involved. The third comes when they have to deliver the proof demonstrating that the allocated tasks have been completed.
Privacy activity planning
Once the privacy team is operational, the next step is to allocate the GDPR privacy activities. In total, the GDPR entails 50+ mandatory tasks to be carried out. For each privacy activity the following decisions have to be made:
- which team member is the most appropriate one to perform the task;
- at what interval the task needs to be executed;
- when execution needs to start;
- which processings are involved; and
- what type of proof of execution needs to be supplied.
The final outcome is a detailed privacy activity plan. Executing this plan, although this may not be fully understood from the outset, is a management challenge: performing the privacy activities on time, documenting the means of proof supplied for each activity, and, most of all, creating and maintaining the mandatory registers (such as the Article 30 GDPR record of processing activities). It is a 24/7 accountability challenge that will quickly outgrow a spreadsheet solution, and not only where the processing of personal data is the controller’s core business. It applies to every organisation that wants to adhere to the spirit of the GDPR, i.e. to be able at any time to prove compliance with the GDPR in terms of the correct processing of the personal data it holds on data subjects.