DPO Toolkit

DPO Toolkit

Are you a data protection officer? Are you trying to staff your DPO position? You’ve come to the right place. This DPO Toolkit has a number of resources that should be instrumental in performing what will be a vital role at many organizations inside and outside of the European Union, come May 2018, when the General Data Protection Regulation comes into force. 

From a sample job description to research on how much training is required of a DPO to get a baseline of GDPR knowledge, the following set of resources is free for IAPP members and is constantly being updated by Emily Leach, IAPP Content Manager. Looking for something in particular? Email her directly. This toolset will continue to grow and expand.

You may also want to avail yourself of one of the more valuable IAPP member benefits: The IAPP Privacy List. This listserv may deliver a lot of email to your inbox, but that email will be filled with valuable advice from your peers in the privacy and data protection community. See what questions other DPOs are asking and tap into the vast knowledge base that exists amongst the IAPP membership around the globe. 


JUST RELEASED! DPO Handbook: Data Protection Officers Under the GDPR


DPO Handbook: Data Protection Officers Under the GDPR provides a comprehensive view of all aspects of the role of Data Protection Officers under the EU’s new General Data Protection Regulation, starting with a look at how organizations determine whether they need a DPO, defining the skills required for the role, and discussing how to source this skillset. The book then describes in detail the various tasks a DPO performs starting from their first day and month on the job and concludes with examples of DPOs performing their role in different types of organizations. 
Purchase Now

Who needs a DPO?

First, determine whether your organization is required to appoint a DPO under the GDPR.

DPO Decision Tree

Should you organization hire a data protection officer under the EU General Data Protection Regulation? DPO Network Europe offers this decision tree to help you decide. (Click to view pdf.)   ... Read More

What is a DPO?

Does the GDPR say you need a DPO? Do you appoint someone from within your organization? Hire a new employee or outsource the job? Find out what the role of the DPO looks like, and what skills and expertise they need so you can get the right fit for your organization.

The DPO role: A quick survey

In my recent Privacy Advisor articles on the essential job skills and the appropriate professions of Data Protection Officers (DPOs) under the General Data Protection Regulation (GDPR), I discussed the statutory language of the GDPR and my interpretation of it. I also wanted to understand how others are viewing the DPO role under the GDPR, especially those who are currently in the roles responsible for compliance with this upcoming law. To achieve this, I reached out to a national association o... Read More

DPO Job Description

Cobbling together information from the GDPR and Article 29 Working Party guidance, the IAPP has developed this sample DPO job description. This description is intended to be a jumping off point for you to create one that fits the needs of your organization. Read More

WP29 guidelines on the Data Protection Officer requirement in the GDPR

The aim of these guidelines from the Article 29 Working Party is to clarify the relevant provisions in the GDPR in order to help organizations comply with the the GDPR's requirement for certain controllers and processors to designate a DPO, but also to assist DPOs in their role. The guidelines also provide best practice recommendations, building on the experience gained in some EU member states. The WP29 will monitor the implementation of these guidelines and may complement them with further det... Read More

Outsourcing your DPO: Questions to ask

As the deadline for the implementation of the GDPR nears, many if not most companies outside those early starters have not yet filled their DPO role as required under the new regulation. There are essential job skills and appropriated profession to fill such roles, as discussed in earlier articles on the topic. With the limited quantities of qualified and experienced DPOs insufficient to meet the market demand, there will be a hurried rush to reserve any available resources for dedicated use. Fo... Read More

How to contract with your outsourced DPO

Organizations that find themselves in need of a data protection officer under the EU General Data Protection Regulation will need to decide on whether to staff it internally or outsource it, whether it is a full-time or part-time position, and whether the DPO will handle their responsibilities hands-on or by mentoring, overseeing, or training others. If an organization has decided on outsourcing the DPO role and selected its DPO based on their skills for the role, an agreement must be reached on... Read More

Outsourcing your DPO: real-life scenarios

If you're contracting with an outsourced DPO, there are plenty of boxes to check during the hiring process. But once completed, the DPO will have a list of their own to conquer. Here are some things to consider. Once the necessary data protection officer skills are identified, the specific DPO is chosen, and the DPO services contract agreed upon with the controller/processor, the DPO can begin to undertake the tasks specified under Article 39 of the GDPR. In performing the outsourced DPO role, ... Read More

Ask the DPO Web Conference Series

As most privacy professionals know by now, the GDPR will come into force in May of 2018. The list of data governance issues to be tackled is large, with many new requirements for anyone doing business with EU citizens. Many organizations, in fact, will have to appoint a data protection officer with specific tasks and responsibilities. Given these new demands, the IAPP has arranged for DPOs and privacy leaders who run some of the world’s leading privacy programs at organizations in the EU and aro... Read More

Two pros weigh in: Should the DPO be a lawyer? Perhaps an auditor?

In January, Thomas Shaw wrote an article for The Privacy Advisor on the essential job skills of data protection officers under the General Data Protection Regulation. Having read it, Emma Butler responded online with her views, and, after some back-and-forth, the two decided to write an article together highlighting the many areas they agreed upon and further analyzing where their perspectives and insights differed. To Shaw, the DPO must be a lawyer. Specifically, a privacy- and technology-focused lawyer. Butler strongly disagrees. She says, “there are many examples of successful DPOs and CPOs who are not lawyers.” In this point-counterpoint, the two square off. Read More

Announcing: DPO Confessional

In January 2017, Rita Heimes, CIPP/US, began serving as the IAPP’s new data protection officer. Like many IAPP members, she has been tasked with bringing her employer up to speed on the implementation of the European Union’s General Data Protection Regulation, now just one year away from coming into force. Over the next 12 months, this new blog — we’re calling it "DPO Confessional" — will reflect that journey. We hope you’ll learn from it, or at least enjoy knowing you’re not alone, and that you... Read More

Here's what it takes to be a certified DPO in Spain

The Spanish data protection authority is the first in Europe to set up regulations for data protection officer certification schemes. The rules explain in detail what someone will need to demonstrate and do in order to become a DPO in the country. The EU General Data Protection Regulation, which will come into effect in May next year, mandates that companies engaging in large-scale monitoring of people, or handling a significant amount of sensitive personal data, will need to appoint a DPO. The... Read More

Why should a data protection officer be global?

The General Data Protection Regulation introduces a general EU-wide obligation to appoint a formal data protection officers. This role is responsible for overseeing the data protection (or privacy) management programs within data controllers or data processors' companies in order to satisfy regulators and assure that organizations remain in compliance with GDPR over time. Even though varying jurisdictions around the world don't mandate a DPO, it can only play well for your companies' DPO role t... Read More

How do the DPO and EU representative interplay?

The GDPR applies to controllers and processors that process personal data of individuals in the EU, regardless of where the organization is established in the world. Those organizations that are not established inside the EU are required to appoint a representative who is established in the EU for purposes of GDPR compliance. The GDPR also requires a data protection officer under some circumstances, and makes the role voluntary otherwise, and the Article 29 Working Party recommends the DPO be lo... Read More

Data protection officers: ICO guidance

This document from the U.K. Information Commissioner's Office provides guidance on what a data protection officer is, what tasks they undertake and whether a company needs to appoint one.View PDF (209 KB)... Read More

Train to be a DPO

Get DPO Ready with IAPP training, certifications and conferences.

The CIPP/E encompasses pan-European and national data protection laws, key privacy terminology and practical concepts concerning the protection of personal data and trans-border data flows.

The CIPM is the world’s first and only certification in privacy program management. When you earn a CIPM, it shows that you don’t just know privacy regulations—you know how to make it work for your organization. In other words, you’re the go-to person for day-to-day operations when it comes to privacy. 

The GDPR Comprehensive 2016 – New York City
Recorded conference available for purchase

Now, bone up on the GDPR with these in-depth resources from the IAPP available in  web conference, e-book or article formats. 

Knowing and Implementing the GDPR Web Conference Series

Spanning hundreds of sections – and with vast territorial scope – the EU General Data Protection Regulation is clearly the most important privacy regulation the world has seen in decades. It asks a great deal of organizations all over the world who collect and process data about European individuals. It imposes hefty fines on those who fail to comply. What do you need to know to get started? What are the initial steps that every organization needs to take to implement the GDPR? In this three-pa... Read More

Top 10 operational impacts of the GDPR

The new General Data Protection Regulation (GDPR), put forth by the European Commission in 2012 and finally generally agreed upon by the European Parliament and Council in December 2016, is set to replace the Data Protection Directive 95/46/ec. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controller... Read More

Top 10 operational impacts of the GDPR – ebook

This ebook from the IAPP comprises the series Top 10 operational impacts of the GDPR from The Privacy Advisor. Written by IAPP Research Director Rita Heimes, CIPP/US, and Westin Fellows Gabriel Maldoff, CIPP/US, and Anna Myers, CIPP/US, the series outlines specific provisions of the regulation from consent to breach obligations to enforcement and more. Get ebook now ... Read More

Top 10 Operational Impacts of the GDPR - Web conference

The General Data Protection Regulation, set to come into force in May of 2018, is a massive, 200-page document that not only creates many new obligations, but also extends the jurisdiction of the European Union to anyone collecting the data of European citizens. Understanding how to comply can be daunting. That's why the IAPP has pulled out the top 10 largest operational impacts so that you can begin tackling the most important issues right now. Hear from an expert panel, featuring current and f... Read More

Ask the DPO Web Conference Series

As most privacy professionals know by now, the GDPR will come into force in May of 2018. The list of data governance issues to be tackled is large, with many new requirements for anyone doing business with EU citizens. Many organizations, in fact, will have to appoint a data protection officer with specific tasks and responsibilities. Given these new demands, the IAPP has arranged for DPOs and privacy leaders who run some of the world’s leading privacy programs at organizations in the EU and aro... Read More

Get Your Program Up-to-Speed

While the responsibility for compliance with the GDPR rests on the shoulders of the organization, some of the major responsibilities of the DPO involve assisting in the implementation of the principles of the GDPR. As such, assessing the current data handling practices against the GDPR and helping to build a framework for a consistent approach will be important to the role. 

IAPP GDPR Readiness Assessment

Powered by TRUSTe.

The IAPP and TRUSTe have partnered to provide a comprehensive online tool to help companies assess their readiness to meet the requirements of the GDPR. The assessment is available via a special single-user version of TRUSTe Assessment Manager created for IAPP members and consists of more than 60 questions mapped to key requirements of the GDPR. After you answer the questions, you will receive a report summarizing responses along with recommended remediation steps for any items that are not consistent with the regulation.

Read More

How To Build a Privacy Program

Like navigating your way through the plethora of privacy-related laws and regulations, creating or further developing a privacy program is no simple thing. Many people in your organization will not have encountered the concept of a privacy program before. Some may be curious, others dubious. So it’s not unusual for the work of a privacy program team to include extensive outreach, education and even beyond that, evangelism. An effective and successful privacy program is built not just on knowledg... Read More

Data Protection Impact Assessment Tools

The GDPR strongly emphasizes the importance of conducting DPIAs, and even sets up triggers for when companies are required to do one. The IAPP has got you covered with DPIA tools from AvePoint and OneTrust, plus plenty of guidance on how to do it.

AvePoint Privacy Impact Assessment System - Free Download

The AvePoint Privacy Impact Assessment (APIA) System can help you automate the process of evaluating, assessing and reporting on the privacy implications of your enterprise IT systems. Exclusively available through the IAPP, the APIA System allows you to select questions from the prepopulated bank of PIA questions or create your own, meaning you can build and save PIA templates to be reused and reported out.

Read More

IAPP-OneTrust PIA & DPIA Automation

The IAPP and OneTrust have partnered to help organizations across the globe simplify their privacy impact assessments. Through enterprise-grade automation, flexibility and customization, this tool provides a seamless experience to both the privacy office and business users throughout your organization.

Read More

PIAs and Data Mapping – Operationalizing GDPR and Privacy by Design

Sponsored by OneTrust Given the new and challenging requirements of the GDPR that will be enacted soon, companies and organizations doing business globally need to think hard about how to best implement efficient and effective data handling practices that are replicable and consistent. Beyond that, taking good care of your customers' data is simply a necessary business practice in a competitive world, and the right thing to do. As a privacy professional responsible for overseeing these operati... Read More

Privacy Impact Assessment

Privacy impact assessments (PIAs) are a valuable tool to gauge the ways projects, systems, programs, products or services impact the data an organization holds. Having a good understanding of what PIAs are, how to implement them and who needs to be involved can be the key to determining the true effect a new project will have on your organization. This practice guide from the IAPP Westin Research Center will help give you the basics and offers resources to gain more in-depth knowledge. Read More

Vendor Management

The GDPR clearly delineates responsibilities between controllers and processors and contains detailed requirements for controller-processor contracts. Made very clear is that the controllers are responsible for ensuring that any processing activities are performed in compliance with the Regulation, whether or not they carry them out. Among other responsibilities, controllers must:

  • Carry out DPIAs when the type of processing is “likely to result in a high risk to the rights and freedoms of natural persons” and implement appropriate technical safeguards;
  • Assure the protection of data subject rights, such as erasure, reporting and notice requirements, and maintaining records of processing activities;
  • Carry out duties to the supervisory authority, such as data breach notification and consultation prior to processing. 

Processors mainly have responsibilities to the controller. For example, they must:

  •  Process data only as instructed by controllers;
  • Use appropriate technical and organizational measures to comply with the GDPR;
  • Delete or return data to the controller once processing is complete; and
  • Submit to specific conditions for engaging other processors.

Check back soon for more on selecting the right processor for you.

Third-Party Vendor Management Means Managing Your Own Risk

This series presents nine elements of a successful vendor-management program and a checklist to help you, the privacy pro, to manage an effective program. Sometimes themes can help us remember information, so for that reason, we’ll use the solar system to guide us through this series: Picture your company as the star around which all vendors revolve—outer space was so much more appealing than an oceanic theme where sharks circle. 1. Mercury—Why Have a Vendor Management Program?As the messenger ... Read More


The GDPR sets out new rules for obtaining consent. This chart offers a high-level overview of what type of consent is need for what data or type of processing.

Data Transfer Mechanisms

Transferring EU personal data across borders has always come with strong protections, and the GDPR sticks with that tradition. 

IAPP-OneTrust EU Data Transfer Kit

The IAPP and OneTrust have partnered to provide a complimentary online platform to help organizations assess their readiness to meet the requirements of the GDPR, Privacy Shield, and Binding Corporate Rules for Processors and Controllers (BCR). Read More

EU-U.S. Privacy Shield

This press release from the European Commission offers an overview of the new data transfer agreement between the U.S. Department of Commerce and the European Commission, including links to the Annexes, a Q&A and a fact sheet.Read Now... Read More

EU-U.S. Privacy Shield - Full Text

This pdf comprises the full EU-U.S. Privacy Shield package, including two Arbitral Models (Annex 1 and 2) the EU-U.S. Privacy Shield Principles, the EU-U.S. Privacy Shield Ombudsperson Mechanism, the FTC’s Privacy & Data Security Update: 2015, and letters from Under Secretary for International Trade Stefan Selig; U.S. Secretary of State John Kerry; Federal Trade Commission Chairwoman Edith Ramirez, U.S. Secretary of Transportation Anthony Foxx; General Counsel Robert Litt, Office of the Dire... Read More

Binding Corporate Rules

Legally binding internal corporate privacy rules for transferring personal information within a corporate group. BCRs are typically used by corporations that operate in multiple jurisdictions, and they are alternatives to the EU-U.S. Privacy Shield and Model Contract Clauses. BCRs must be approved by the EU data protection authorities of the member states in which the corporation operates. Acronym(s): BCRs... Read More

Standard Model Clauses

With the understanding that not all countries and businesses will meet the stringent standards set forth by the European Data Protection Directive, Article 26 of the Directive provides European Data Controllers the ability to contract around the inadequacies of a third party’s data protection policy. Section 4 of Article 26 allows the European Commission to issue standard language contract clauses which can be inserted into contracts with third party controllers/processors who do not meet Europe... Read More

Breach Notification

Notifying the supervisory authority

In the event of a personal data breach, data controllers must notify the appropriate supervisory authority, most likely the supervisory authority of the member state where the controller has its main establishment, within 72 hours. The notification must: 

  1. Describe the nature of the personal data breach, including the number and categories of data subjects and personal data records affected;
  2. Provide the data protection officer’s contact information;
  3. “Describe the likely consequences of the personal data breach”; and
  4. Describe how the controller proposes to address the breach, including any mitigation efforts. If not all information is available at once, it may be provided in phases. The IAPP’s DPA directory will help you find the contact information and websites of DPAs from around the world.

Check back soon for tools to help you figure out which DPA to notify. 

Data Protection Authorities

This webpage includes interactive, color-coded maps indicating countries that have implemented an omnibus data protection law, are in the process of creating an omnibus law and those that have no law or sectoral coverage. The countries on the maps then link to information on their data protection authorities with, when possible, links to the applicable laws and summaries of the laws. There is also a map of the EU indicating the countries that have implemented the EU e-Privacy Directive. Read More

Notifying affected individuals

Under the GDPR, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”  If an organization determines a breach “is likely to result in a high risk to the rights and freedoms of individuals,” it must notify affected individuals of the breach. There are some exceptions to this, however, as follows: (1) the controller has “implemented appropriate technical and organizational protection measures” that “render the data unintelligible to any person who is not authorized to access it, such as encryption”; (2) the controller takes actions subsequent to the personal data breach to “ensure that the high risk for the rights and freedoms of data subjects” is unlikely to materialize; or (3) when notification to each data subject would “involve disproportionate effort,” in which case alternative communication measures may be used.