How to Demonstrate Compliance With GDPR Article 38

Position of the Data Protection Officer

Book a demo

group,of,happy,coworkers,discussing,in,conference,room

Following on from Article 37 that deals with the appointment of a DPO, GDPR Article 38 outlines the scope of their duties, their position with the organisation, and some specific tasks and duties.

GDPR Article 38 Legal Text

EU GDPR Version

Position of the Data Protection Officer

  1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
  2. The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
  3. The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
  4. Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
  5. The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
  6. The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

UK GDPR Version

Position of the Data Protection Officer

  1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
  2. The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
  3. The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
  4. Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
  5. The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with domestic law.
  6. The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

We’re cost-effective and quick

Discover how that will boost your ROI
Get your quote

Technical Commentary

GDPR Article 38 deals with three main areas of operation that concern the scope of a Data Protection Officers duties within the organisation:

  1. The specific role of the DPO within the organisation, and how they are involved in the protection of an individual’s data.
  2. The importance of maintaining impartiality and confidentiality, when carrying out their duties, free from undue scrutiny or interference by organisational management.
  3. The need to avoid any conflicts of interest, if the DPO carries out any other role within the organisation, either connected or not connected to their obligations as a DPO.

ISO 27701 Clause 6.3.1.1 (Information Security Roles and Responsibilities) and EU GDPR Article 38

In this section we talk about GDPR Articles 38 (1), 38 (2), 38 (3), 38 (4), 38 (5), 38 (6)

Organisations should define roles and responsibilities that are specific to individual functions contained within their privacy protection policy – both their general policy and topic-specific policies.

Individuals with specific responsibilities should be skilled enough to carry out privacy-related tasks, and should be offered continual support that maintains an acceptable level of competency.

Areas of responsibility should include:

  • The protection of PII and any privacy-related assets.
  • Executing privacy protection procedures.
  • PII-related risk management activities, including remedial actions.
  • Anyone who uses the organisations information and data, including the use of ICT assets.
  • Individuals with top-level responsibility for privacy protection delegating tasks to others.

ISO acknowledges that each organisation is unique in the way that they process information. The above areas of responsibility should be accompanied by site and facility-specific guidelines that take into account real world factors affecting an organisations PII-processing operation.

All of the above responsibilities and security areas should be clearly documented and made available to all relevant staff members.

Organisations should nominate an individual that customers (and external authorities) can use as a dedicated point of contact for all PII-related matters (see ISO 27701 Clause 7.3.2).

In addition, organisations should delegate responsibility to one or more individuals for building an organisational privacy governance program that bolsters adherence to localised and national PII laws and regulations.

Supporting ISO 27701 Clauses

  • ISO 27701 7.3.2

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

ISO 27701 Clause 6.10.2.4 (Confidentiality or Non-disclosure Agreements) and EU GDPR Article 38 (5)

When drafting, implementing and maintaining NDAs, organisations should:

  • Offer a definition for the information that is to be protected.
  • Clearly outline the expected duration of the agreement.
  • Clearly state any required actions, once an agreement has been terminated.
  • Any responsibilities that are agreed by confirmed signatories.
  • Ownership of information (including IP and trade secrets).
  • How signatories are allowed to use the information.
  • Clearly outline the organisation’s right to monitor confidential information.
  • Any repercussions that will arise from non-compliance.
  • Regularly reviews their confidentiality needs, and adjust any future agreements accordingly.

Confidentiality laws vary from jurisdiction to jurisdiction, and organisations should consider their own legal and regulatory obligations when drafting NDAs and confidentiality agreements (see ISO 27002 controls 5.31, 5.32, 5.33 and 5.34).

Supporting ISO 27002 Controls

  • ISO 27002 5.31
  • ISO 27002 5.32
  • ISO 27002 5.33
  • ISO 27002 5.34

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR ArticleISO 27701 ClauseISO 27002 Controls
EU GDPR Articles 38 (1) to 38 (6)ISO 27701 6.3.1.1
ISO 27701 7.3.2
None
EU GDPR Article 38 (5)ISO 27701 6.10.2.4ISO 27002 5.31
ISO 27002 5.32
ISO 27002 5.33
ISO 27002 5.34

How ISMS.online Help

GDPR compliance with ISMS.online

Our ‘Adopt, Adapt, Add’ implementation approach on the ISMS.online platform makes it easy to demonstrate your GDPR compliance approach. In addition, you’ll benefit from powerful time-saving features.

In the event of the worst happening, you will be prepared. By documenting and learning from every incident, we make it easy for you to plan and communicate your breach workflow.

Find out more by booking a demo.

It helps drive our behaviour in a positive way that works for us
& our culture.

Emmie Cooney
Operations Manager, Amigo

Book your demo

Streamline your workflow with our new Jira integration! Learn more here.