Following on from Article 37 that deals with the appointment of a DPO, GDPR Article 38 outlines the scope of their duties, their position with the organisation, and some specific tasks and duties.
Position of the Data Protection Officer
- The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
- The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
- The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
- Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
- The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
- The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
Position of the Data Protection Officer
- The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
- The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
- The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
- Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
- The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with domestic law.
- The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
GDPR Article 38 deals with three main areas of operation that concern the scope of a Data Protection Officer's duties within the organisation:
In this section we talk about GDPR Articles 38 (1), 38 (2), 38 (3), 38 (4), 38 (5), 38 (6)
Organisations should define roles and responsibilities that are specific to individual functions contained within their privacy protection policy – both their general policy and topic-specific policies.
Individuals with specific responsibilities should be skilled enough to carry out privacy-related tasks, and should be offered continual support that maintains an acceptable level of competency.
Areas of responsibility should include:
ISO acknowledges that each organisation is unique in the way that it processes information. The above areas of responsibility should be accompanied by site- and facility-specific guidelines that take into account real-world factors affecting an organisation's PII-processing operations.
All of the above responsibilities and security areas should be clearly documented and made available to all relevant staff members.
Organisations should nominate an individual whom customers (and external authorities) can use as a dedicated point of contact for all PII-related matters (see ISO 27701 Clause 7.3.2).
In addition, organisations should delegate responsibility to one or more individuals for building an organisational privacy governance program that bolsters adherence to localised and national PII laws and regulations.
When drafting, implementing and maintaining NDAs, organisations should:
Confidentiality laws vary from jurisdiction to jurisdiction, and organisations should consider their own legal and regulatory obligations when drafting NDAs and confidentiality agreements (see ISO 27002 controls 5.31, 5.32, 5.33 and 5.34).
GDPR Article | ISO 27701 Clause | ISO 27002 Controls
---|---|---
EU GDPR Articles 38 (1) to 38 (6) | ISO 27701 6.3.1.1, ISO 27701 7.3.2 | None
EU GDPR Article 38 (5) | ISO 27701 6.10.2.4 | ISO 27002 5.31, 5.32, 5.33, 5.34
GDPR compliance with ISMS.online
Our ‘Adopt, Adapt, Add’ implementation approach on the ISMS.online platform makes it easy to demonstrate your GDPR compliance approach. In addition, you’ll benefit from powerful time-saving features.
In the event of the worst happening, you will be prepared. By documenting and learning from every incident, we make it easy for you to plan and communicate your breach workflow.