Key Requirements of GDPR Article 38: What Businesses Need to Know
Following on from Article 37, which deals with the appointment of a DPO, GDPR Article 38 outlines the scope of their duties, their position within the organisation, and some specific tasks and duties.
GDPR Article 38 Legal Text
EU GDPR Version
Position of the Data Protection Officer
- The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
- The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
- The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
- Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
- The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
- The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
UK GDPR Version
Position of the Data Protection Officer
- The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
- The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
- The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
- Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
- The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with domestic law.
- The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
Technical Commentary
GDPR Article 38 deals with three main areas of operation that concern the scope of a Data Protection Officer's duties within the organisation:
- The specific role of the DPO within the organisation, and how they are involved in the protection of individuals' personal data.
- The importance of maintaining impartiality and confidentiality when carrying out their duties, free from undue scrutiny or interference by organisational management.
- The need to avoid any conflict of interests if the DPO carries out any other role within the organisation, whether or not it is connected to their obligations as a DPO.
ISO 27701 Clause 6.3.1.1 (Information Security Roles and Responsibilities) and EU GDPR Article 38
In this section we discuss GDPR Article 38 (1), 38 (2), 38 (3), 38 (4), 38 (5) and 38 (6).
Organisations should define roles and responsibilities that are specific to individual functions contained within their privacy protection policy – both their general policy and topic-specific policies.
Individuals with specific responsibilities should be skilled enough to carry out privacy-related tasks, and should be offered continual support that maintains an acceptable level of competency.
Areas of responsibility should include:
- The protection of PII and any privacy-related assets.
- Executing privacy protection procedures.
- PII-related risk management activities, including remedial actions.
- The obligations of anyone who uses the organisation's information and data, including the use of ICT assets.
- The delegation of tasks by individuals with top-level responsibility for privacy protection to others.
ISO acknowledges that each organisation is unique in the way that it processes information. The above areas of responsibility should be accompanied by site- and facility-specific guidelines that take into account real-world factors affecting an organisation's PII-processing operation.
All of the above responsibilities and security areas should be clearly documented and made available to all relevant staff members.
Organisations should nominate an individual that customers (and external authorities) can use as a dedicated point of contact for all PII-related matters (see ISO 27701 Clause 7.3.2).
In addition, organisations should delegate responsibility to one or more individuals for building an organisational privacy governance program that bolsters adherence to localised and national PII laws and regulations.
Supporting ISO 27701 Clauses
- ISO 27701 7.3.2
ISO 27701 Clause 6.10.2.4 (Confidentiality or Non-disclosure Agreements) and EU GDPR Article 38 (5)
When drafting, implementing and maintaining NDAs, organisations should:
- Offer a definition of the information that is to be protected.
- Clearly outline the expected duration of the agreement.
- Clearly state any required actions once an agreement has been terminated.
- Set out the responsibilities agreed to by the confirmed signatories.
- State the ownership of information (including IP and trade secrets).
- Define how signatories are allowed to use the information.
- Clearly outline the organisation's right to monitor confidential information.
- State any repercussions that will arise from non-compliance.
- Regularly review their confidentiality needs, and adjust any future agreements accordingly.
Confidentiality laws vary from jurisdiction to jurisdiction, and organisations should consider their own legal and regulatory obligations when drafting NDAs and confidentiality agreements (see ISO 27002 controls 5.31, 5.32, 5.33 and 5.34).
Supporting ISO 27002 Controls
- ISO 27002 5.31
- ISO 27002 5.32
- ISO 27002 5.33
- ISO 27002 5.34
Index of Linked EU GDPR Articles, ISO 27701 Clauses and ISO 27002 Controls
GDPR Article | ISO 27701 Clause | ISO 27002 Controls
---|---|---
EU GDPR Articles 38 (1) to 38 (6) | ISO 27701 6.3.1.1, ISO 27701 7.3.2 | None
EU GDPR Article 38 (5) | ISO 27701 6.10.2.4 | ISO 27002 5.31, ISO 27002 5.32, ISO 27002 5.33, ISO 27002 5.34
How ISMS.online Helps
GDPR compliance with ISMS.online
Our ‘Adopt, Adapt, Add’ implementation approach on the ISMS.online platform makes it easy to demonstrate your GDPR compliance approach. In addition, you’ll benefit from powerful time-saving features.
In the event of the worst happening, you will be prepared. By documenting and learning from every incident, we make it easy for you to plan and communicate your breach workflow.
Find out more by booking a demo.