How to Demonstrate Compliance With GDPR Article 39

Tasks of the Data Protection Officer

Book a demo

top,view,business,people,work,from,home,using,laptop,on

GDPR Article 39 outlines the minimum set of duties that a DPO must carry out in order to be considered effective, including their obligations towards the law and their interaction with governing authorities.

GDPR Article 39 Legal Text

EU GDPR Version

Tasks of the Data Protection Officer

  1. The data protection officer shall have at least the following tasks:
    • (a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
    • (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
    • (c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
    • (d) to cooperate with the supervisory authority;
    • (e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

  2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

UK GDPR Version

Tasks of the data protection officer

  1. The data protection officer shall have at least the following tasks:
    • (a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other domestic law relating to data protection;
    • (b) to monitor compliance with this Regulation, with other domestic law relating to data protection and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
    • (c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
    • (d) to cooperate with the the Commissioner;
    • (e) to act as the contact point for the Commissioner on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

  2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

Technical Commentary

DPOs should not only inform and advise organisations on processing activities, but also monitor compliance with any prevailing legislation.

An organisation’s designated DPO also has a central role to play whenever the need arises to carry out a the Data Protection Impact Assessment (DPIA).

It’s important to note that whilst the role of a DPO is tightly bound by confidentiality principles, they are still able to seek guidance and advice from regulatory and legal authorities.

ISO 27701 Clause 6.3.1.1 (Information Security Roles and Responsibilities) and EU GDPR Article 39

In this section we talk about GDPR Articles 39 (1)(a), 39 (1)(b), 39 (1)(c), 39 (1)(d), 39 (1)(e), 39 (2)

DPOs should be skilled enough to carry out privacy-related tasks, and should be offered continual support in order to maintain an acceptable level of competency.

ISO acknowledges that each organisation is unique in the way that they process information. The above areas of responsibility should be accompanied by site and facility-specific guidelines that take into account real world factors affecting an organisations PII-processing operation.

Organisations should nominate an individual that customers (and external authorities) can use as a dedicated point of contact for all PII-related matters (see ISO 27701 7.3.2), namely a DPO.

In addition, organisations should delegate responsibility to one or more individuals for building an organisational privacy governance program that bolsters adherence to localised and national PII laws and regulations.

Supporting ISO 27701 Clauses

  • ISO 27701 7.3.2

ISO 27701 Clause 6.4.2.2 (Information Security Awareness, Education and Training) and EU GDPR Article 39 (1)(b)

As a general approach, organisations should implement periodic training programs (including during the onboarding phase) that align specifically with their own general and topic-specific privacy protections policies, and PIMS-related requirements.

Training formats can include:

  • eLearning.
  • One-to-one consultancy.
  • Staff members shadowing one another.
  • Dedicated training seminars conducted by topic-specific or generalised privacy protection specialists.
  • Workplace mentoring.

Staff with a specialised role to play in privacy protection – e.g. ICT maintenance staff – should benefit from specialised training plans that takes into account the integral role they play in safeguarding PII.

Training plans/sessions should conclude with an assessment that provides the organisation with a top-down view of competency levels on an employee-by-employee basis.

To complement workplace training, organisations should also roll-out privacy protection awareness programs that provide staff with a range of materials that act as information points on the topic of PII and organisational privacy protection.

Awareness programs may include:

  • Leaflets.
  • Booklets.
  • Office posters.
  • Dedicated websites.
  • Team briefing sessions.

Awareness efforts should be focused on:

  • How management plans to maintain privacy protection adherence across the organisation, and who the main points of contact are for PII-related matters.
  • What the organisation’s compliance requirements are, taking into account laws, regulatory stipulations, contractual obligations and supplier agreements.
  • Emphasising the need for personal accountability when it comes to protecting PII, and what the consequences are for accidental or purposeful procedural breaches.
  • Fundamental ICT security principles, such as password security and incident reporting.
  • How personnel can inform themselves on the finer aspects of privacy protection (further reading, resource lists etc.).

PII should be treated as its own distinct topic within privacy protection training programmes.

Staff need to be made acutely aware of the specific legal, commercial, reputational and disciplinary consequences that result from the misappropriation and/or mishandling of PII.

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR ArticleISO 27701 ClauseISO 27701 Supporting Clauses
EU GDPR Articles 39 (1)(a) to 39 (2)ISO 27701 6.3.1.1ISO 27701 7.3.2
EU GDPR Article 39 (1)(b)ISO 27701 6.4.2.2None

How ISMS.online Help

Support wider business decisions. By having all your data in one place, designed for collaboration, you will be better equipped to make the right decisions.

Stay ahead of change. Risks are not static, so your tools need to be able to adapt. Effortlessly address threats and opportunities using an integrated and dynamic tool which simplifies identification, evaluation, and treatment of risk on a continual basis.

Find out more by scheduling a demo.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Explore ISMS.online's platform with a self-guided tour - Start Now