
DPO Toolkit


Are you a data protection officer? Are you trying to staff your DPO position? You’ve come to the right place. This DPO Toolkit has a number of resources that should be instrumental in performing this vital role, which the General Data Protection Regulation mandates for many organizations.

From a sample job description to research on how much training is required of a DPO to get baseline GDPR knowledge, the following set of resources is free for IAPP members and is constantly being updated by Emily Leach, IAPP Content Manager. Looking for something in particular? Email her directly. This toolset will continue to grow and expand.

You may also want to avail yourself of one of the more valuable IAPP member benefits: The IAPP Privacy List. This listserv may deliver a lot of email to your inbox, but that email will be filled with valuable advice from your peers in the privacy and data protection community. See what questions other DPOs are asking, and tap into the vast knowledge base that exists among the IAPP’s membership around the globe. 


DPO Handbook: Data Protection Officers Under the GDPR

DPO Handbook: Data Protection Officers Under the GDPR, by Thomas Shaw, CIPP/E, CIPP/US, provides a comprehensive view of all aspects of the role of Data Protection Officers under the EU’s new General Data Protection Regulation, starting with a look at how organizations determine whether they need a DPO, defining the skills required for the role, and discussing how to source this skillset. The book then describes in detail the various tasks a DPO performs starting from their first day and month on the job and concludes with examples of DPOs performing their role in different types of organizations.

Who needs a DPO?

First, determine whether your organization is required to appoint a DPO under the GDPR.

DPO Decision Tree

Should your organization appoint a data protection officer under the EU General Data Protection Regulation? DPO Network Europe offers this decision tree (PDF) to help you decide. ... Read More

What is a DPO?

Does the GDPR say you need a DPO? Do you appoint someone from within your organization? Hire a new employee or outsource the job? Find out what the role of the DPO looks like, and what skills and expertise they need so you can get the right fit for your organization.

The DPO role: A quick survey

In my recent Privacy Advisor articles on the essential job skills and the appropriate professions of Data Protection Officers (DPOs) under the General Data Protection Regulation (GDPR), I discussed the statutory language of the GDPR and my interpretation of it. I also wanted to understand how others are viewing the DPO role under the GDPR, especially those who are currently in the roles responsible for compliance with this upcoming law. To achieve this, I reached out to a national association o... Read More

DPO Job Description

Drawing on the text of the GDPR and Article 29 Working Party guidance, the IAPP has developed this sample DPO job description. It is intended as a jumping-off point for creating one that fits the needs of your organization. Read More

WP29 guidelines on the Data Protection Officer requirement in the GDPR

The aim of these guidelines from the Article 29 Working Party is to clarify the relevant provisions in the GDPR in order to help organizations comply with the GDPR's requirement for certain controllers and processors to designate a DPO, but also to assist DPOs in their role. The guidelines also provide best practice recommendations, building on the experience gained in some EU member states. The WP29 will monitor the implementation of these guidelines and may complement them with further det... Read More

Data protection officers: ICO guidance

This document from the U.K. Information Commissioner's Office provides guidance on what a data protection officer is, what tasks they undertake and whether a company needs to appoint one. View PDF (209 KB)... Read More

Ask the DPO Web Conference Series

As most privacy professionals know by now, the GDPR applies from 25 May 2018. The list of data governance issues to be tackled is large, with many new requirements for any organization that processes the personal data of individuals in the EU. Many organizations, in fact, will have to appoint a data protection officer with specific tasks and responsibilities. Given these new demands, the IAPP has arranged for DPOs and privacy leaders who run some of the world’s leading privacy programs at organizations in the EU and aro... Read More

Two pros weigh in: Should the DPO be a lawyer? Perhaps an auditor?

In January, Thomas Shaw wrote an article for The Privacy Advisor on the essential job skills of data protection officers under the General Data Protection Regulation. Having read it, Emma Butler responded online with her views, and, after some back-and-forth, the two decided to write an article together highlighting the many areas they agreed upon and further analyzing where their perspectives and insights differed. To Shaw, the DPO must be a lawyer. Specifically, a privacy- and technology-focused lawyer. Butler strongly disagrees. She says, “there are many examples of successful DPOs and CPOs who are not lawyers.” In this point-counterpoint, the two square off. Read More

DPOs: What's your liability?

The data protection officer role is a new feature for many organizations now subject to the EU General Data Protection Regulation. Critically, for many companies, designating a DPO is not optional. The Article 29 Working Party (now the European Data Protection Board) further suggests that it may be in the interest of companies not legally required to designate a DPO to do so anyway, whether “internal” or “external.” Considering that data protection officers — whether inside or outside of the org... Read More

Here's what it takes to be a certified DPO in Spain

The Spanish data protection authority is the first in Europe to set up regulations for data protection officer certification schemes. The rules explain in detail what someone will need to demonstrate and do in order to become a certified DPO in the country. The EU General Data Protection Regulation, which will apply from May of next year, mandates a DPO for public authorities and for organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of personal data. The... Read More

Why should a data protection officer be global?

The General Data Protection Regulation introduces an EU-wide obligation, in specified cases, to appoint a formal data protection officer. This role is responsible for overseeing the data protection (or privacy) management program within a data controller or data processor in order to satisfy regulators and to ensure that the organization remains in compliance with the GDPR over time. Even though other jurisdictions around the world don't mandate a DPO, it can only play well for your company's DPO role t... Read More

How do the DPO and EU representative interplay?

The GDPR applies to controllers and processors that process personal data of individuals in the EU, regardless of where the organization is established in the world. Those organizations that are not established inside the EU are required to appoint a representative who is established in the EU for purposes of GDPR compliance. The GDPR also requires a data protection officer under some circumstances, and makes the role voluntary otherwise, and the Article 29 Working Party recommends the DPO be lo... Read More


The legal risks for the DPO

While the role of data protection officer has come into the spotlight given the impending General Data Protection Regulation in the EU, with that prominence may come personal liability. As the titular head of the data protection and privacy program, the DPO may be interpreted as the final decision maker surrounding the use of personal data, and in some jurisdictions that role can come with personal civil and criminal liability. In this white paper overview, IAPP Legal Extern Carissa Hanratty, CI... Read More

Hiring a DPO

Here’s some information to help both organizations and potential DPOs know what to look for, what a DPO contract should include, and more. Plus, click on the IAPP Privacy Vendor List to find organizations that offer DPO services.

Sample DPO Service Agreement

Now that the GDPR is in effect, many organizations need data protection officers. However, not all organizations can or need to staff the DPO role in-house, and the regulation does not require them to do so: Article 37(6) allows the data protection officer role to be filled under a service contract. But what should a DPO service contract look like? The IAPP offers this sample document as a starting point for organizations considering the engagement of an external DPO. Read Sample Ag... Read More


DPO Contract Provisions

The following are a minimum set of provisions an outsourced DPO contract should have. It must be emphasized that no contract should be drafted without undergoing legal review, especially as it relates to provisions affected by local laws. There will also be a set of legal provisions common to any contract that are not shown below. Parties: The controller’s or processor’s legal entity is one party, and the DPO firm or individual is the other party. DPO’s services: At a minimum, this should list ... Read More

Series: Outsourcing your DPO

As the deadline for the implementation of the GDPR nears, many if not most companies outside the early starters have not yet filled their DPO role as required under the new regulation. There are essential job skills and appropriate professions for such roles, as discussed in earlier articles on the topic. With the supply of qualified and experienced DPOs insufficient to meet market demand, there will be a hurried rush to reserve any available resources for dedicated use. Fo... Read More

Personal Data: “Appointing a Privacy Officer Was the Right Decision for Us”

In this paper from the AFCDP, 10 leaders of French companies outline why they appointed a data protection officer. Representatives from insurance, education, government and health care, among others, offer insights into what the DPO role looks like at their organizations, why they feel it's important and what their experiences have been. Read Now (PDF 384K)... Read More

The IAPP Privacy Vendor List

Find a vendor to meet your needs based on services provided and location. An interactive map helps you determine the best vendor for your specific needs. The list includes IT services, consumer services, cyberinsurance providers, legal services, DPO as a service vendors, recruiters and more. Read More

Five questions every DPO should ask before being hired

With about 75,000 data protection officers needed worldwide because of the EU General Data Protection Regulation (and probably more), many organizations are still looking for one. Much is said about the tasks of the DPO and their position under the GDPR, but what should the DPO be looking for in a job? 1.) Why me? Probably the most important thing for a DPO to understand is why the organization wants him or her as a DPO. Why were you selected? Which strengths (or weaknesses) were attractive to t... Read More

Determining the reporting line of the DPO: One organization’s challenge

The role attributed to the data protection officer is one manifestation of the accountability principle of the EU General Data Protection Regulation. As such, the GDPR requires that the DPO exercise their functions independently and that they "shall directly report to the highest management level," according to Article 38(3). The regulation does not provide any guidance on the type of reporting line that needs to be established in order to satisfy this requirement, however. Nor have the Artic... Read More

Train to be a DPO

Get DPO Ready with IAPP training, certifications and conferences.

The CIPP/E encompasses pan-European and national data protection laws, key privacy terminology and practical concepts concerning the protection of personal data and trans-border data flows.

The CIPM is the world’s first and only certification in privacy program management. When you earn a CIPM, it shows that you don’t just know privacy regulations; you know how to make privacy work for your organization. In other words, you’re the go-to person for day-to-day privacy operations.

The GDPR Comprehensive 2016 – New York City
Recorded conference available for purchase

Now, bone up on the GDPR with these in-depth resources from the IAPP, available in web conference, e-book or article formats.

Knowing and Implementing the GDPR Web Conference Series

Spanning hundreds of sections, and with vast territorial scope, the EU General Data Protection Regulation is clearly the most important privacy regulation the world has seen in decades. It asks a great deal of organizations all over the world that collect and process data about individuals in the EU. It imposes hefty fines on those who fail to comply. What do you need to know to get started? What are the initial steps that every organization needs to take to implement the GDPR? In this three-pa... Read More

Top 10 operational responses to the GDPR

In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the EU General Data Protection Regulation. Now, with the May 25, 2018, GDPR-implementation deadline looming, the IAPP is releasing a companion series to present common practical organizational responses that our members report undertaking in anticipation of GDPR implementation. Find the e-book comprising the following posts here. Part 1: Data inventory and mapping. By ... Read More

Top 10 operational impacts of the GDPR

The new General Data Protection Regulation (GDPR), proposed by the European Commission in 2012 and finally agreed upon by the European Parliament and Council in December 2015, is set to replace the Data Protection Directive 95/46/EC. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controller... Read More

Top 10 operational impacts of the GDPR – ebook

This ebook from the IAPP comprises the series Top 10 operational impacts of the GDPR from The Privacy Advisor. Written by IAPP Research Director Rita Heimes, CIPP/US, and Westin Fellows Gabriel Maldoff, CIPP/US, and Anna Myers, CIPP/US, the series outlines specific provisions of the regulation from consent to breach obligations to enforcement and more. Get ebook now ... Read More

Top 10 Operational Impacts of the GDPR - Web conference

The General Data Protection Regulation, which applies from 25 May 2018, is a massive text of 99 articles and 173 recitals that not only creates many new obligations, but also extends the reach of EU data protection law to anyone processing the personal data of individuals in the EU. Understanding how to comply can be daunting. That's why the IAPP has pulled out the 10 largest operational impacts so that you can begin tackling the most important issues right now. Hear from an expert panel, featuring current and f... Read More


About the job

The GDPR sets out some clear rules about the reporting structure and independence of the role, but questions remain. Get some insight on the things potential DPOs and the organizations hiring them need to consider here.

DPO liability and potential insurance coverage

The data protection officer role is a new feature for many organizations now subject to the EU General Data Protection Regulation, which specifies the criteria for designating a DPO, describes the position, and enumerates its responsibilities. Critically, for many companies, designating a DPO is not optional. In any case, the Article 29 Working Party’s guidance makes it clear that, once chosen, both mandatorily and voluntarily designated DPOs have the same responsibilities. The Working Party (no... Read More

Determining the reporting line of the DPO

The role attributed to the data protection officer is one manifestation of the accountability principle of the General Data Protection Regulation. As such, the GDPR requires that the DPO exercise their functions independently and that they “shall directly report to the highest management level” (Art. 38(3)). The regulation does not provide any guidance on the type of reporting line that needs to be established in order to satisfy this requirement. Nor have the Article 29 Working Party or d... Read More

ICO releases guidance on hiring, supporting DPOs

The U.K. Information Commissioner’s Office released a resource organizations can follow on data protection officers ahead of the EU General Data Protection Regulation. The resource has a checklist on appointing a DPO, where the DPO is positioned within an organization, and the tasks DPOs may perform within an enterprise. The ICO also lists out the requirements for whether a company needs to appoint a DPO, the definition of a public authority, the professional qualifications a DPO should have, wh... Read More


Get Your Program Up-to-Speed

While the responsibility for compliance with the GDPR rests on the shoulders of the organization, some of the major responsibilities of the DPO involve assisting in the implementation of the principles of the GDPR. As such, assessing the current data handling practices against the GDPR and helping to build a framework for a consistent approach will be important to the role. 

How to Provide DPO Contact Information to Your DPA

Article 37(7) of the European Union’s new General Data Protection Regulation requires that “the controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.” But how does one go about communicating this information to the relevant authority? Is there a formal process, or can companies simply send an email with a DPO’s name, phone number and email address? As it turns out, different jurisdictions have settled on differ... Read More

IAPP GDPR Readiness Assessment

Powered by TrustArc.

The IAPP and TrustArc have partnered to provide a comprehensive online tool to help companies assess their readiness to meet the requirements of the GDPR. The assessment is available via a special single-user version of the TrustArc Assessment Manager created for IAPP members and consists of more than 60 questions mapped to key requirements of the GDPR. After you answer the questions, you will receive a report summarizing responses along with recommended remediation steps for any items that are not consistent with the regulation.

Read More

How To Build a Privacy Program

Like navigating your way through the plethora of privacy-related laws and regulations, creating or further developing a privacy program is no simple thing. Many people in your organization will not have encountered the concept of a privacy program before. Some may be curious, others dubious. So it’s not unusual for the work of a privacy program team to include extensive outreach, education and even beyond that, evangelism. An effective and successful privacy program is built not just on knowledg... Read More

Data Protection Impact Assessment Tools

The GDPR strongly emphasizes the importance of conducting DPIAs, and even sets up triggers for when companies are required to do one. The IAPP has got you covered with DPIA tools from AvePoint and OneTrust, plus plenty of guidance on how to do it.

AvePoint Privacy Impact Assessment System - Free Download

The AvePoint Privacy Impact Assessment (APIA) System can help you automate the process of evaluating, assessing and reporting on the privacy implications of your enterprise IT systems. Exclusively available through the IAPP, the APIA System allows you to select questions from the prepopulated bank of PIA questions or create your own, meaning you can build and save PIA templates to be reused and reported out.

Read More

IAPP-OneTrust PIA & DPIA Automation

The IAPP and OneTrust have partnered to help organizations across the globe simplify their privacy impact assessments. Through enterprise-grade automation, flexibility and customization, this tool provides a seamless experience to both the privacy office and business users throughout your organization.

Read More

PIAs and Data Mapping – Operationalizing GDPR and Privacy by Design

Sponsored by OneTrust. Given the new and challenging requirements of the GDPR, which will soon apply, companies and organizations doing business globally need to think hard about how best to implement efficient and effective data handling practices that are replicable and consistent. Beyond that, taking good care of your customers' data is simply a necessary business practice in a competitive world, and the right thing to do. As a privacy professional responsible for overseeing these operati... Read More

Privacy Impact Assessment

Privacy impact assessments (PIAs) are a valuable tool to gauge the ways projects, systems, programs, products or services impact the data an organization holds. Having a good understanding of what PIAs are, how to implement them and who needs to be involved can be the key to determining the true effect a new project will have on your organization. This practice guide from the IAPP Westin Research Center will help give you the basics and offers resources to gain more in-depth knowledge. Read More

Vendor Management

The GDPR clearly delineates responsibilities between controllers and processors and contains detailed requirements for controller-processor contracts. Made very clear is that the controllers are responsible for ensuring that any processing activities are performed in compliance with the Regulation, whether or not they carry them out. Among other responsibilities, controllers must:

  • Carry out DPIAs when the type of processing is “likely to result in a high risk to the rights and freedoms of natural persons” and implement appropriate technical safeguards;
  • Assure the protection of data subject rights, such as erasure, reporting and notice requirements, and maintaining records of processing activities;
  • Carry out duties to the supervisory authority, such as data breach notification and consultation prior to processing. 

Processors mainly have responsibilities to the controller. For example, they must:

  • Process data only as instructed by controllers;
  • Use appropriate technical and organizational measures to comply with the GDPR;
  • Delete or return data to the controller once processing is complete; and
  • Submit to specific conditions for engaging other processors.

Check back soon for more on selecting the right processor for you.

Third-Party Vendor Management Means Managing Your Own Risk

This series presents nine elements of a successful vendor-management program and a checklist to help you, the privacy pro, to manage an effective program. Sometimes themes can help us remember information, so for that reason, we’ll use the solar system to guide us through this series: Picture your company as the star around which all vendors revolve—outer space was so much more appealing than an oceanic theme where sharks circle. 1. Mercury—Why Have a Vendor Management Program? As the messenger ... Read More

Consent

The GDPR sets out new rules for obtaining consent. This chart offers a high-level overview of what type of consent is needed for what data or type of processing.

Data Transfer Mechanisms

Transferring EU personal data across borders has always come with strong protections, and the GDPR sticks with that tradition. 

IAPP-OneTrust EU Data Transfer Kit

The IAPP and OneTrust have partnered to provide a complimentary online platform to help organizations assess their readiness to meet the requirements of the GDPR, Privacy Shield, and Binding Corporate Rules for Processors and Controllers (BCR). Read More

EU-U.S. Privacy Shield

This press release from the European Commission offers an overview of the new data transfer agreement between the U.S. Department of Commerce and the European Commission, including links to the Annexes, a Q&A and a fact sheet. Read Now... Read More

EU-U.S. Privacy Shield - Full Text

This PDF comprises the full EU-U.S. Privacy Shield package, including two Arbitral Models (Annex 1 and 2), the EU-U.S. Privacy Shield Principles, the EU-U.S. Privacy Shield Ombudsperson Mechanism, the FTC’s Privacy & Data Security Update: 2015, and letters from Under Secretary for International Trade Stefan Selig; U.S. Secretary of State John Kerry; Federal Trade Commission Chairwoman Edith Ramirez; U.S. Secretary of Transportation Anthony Foxx; General Counsel Robert Litt, Office of the Dire... Read More

Binding Corporate Rules

Binding Corporate Rules (BCRs) are an appropriate safeguard allowed by the General Data Protection Regulation to facilitate cross-border transfers of personal data between the various entities of a corporate group worldwide. They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules. BCRs compel organizations to be able to demonstrate their compliance with all... Read More

Breach Notification

Notifying the supervisory authority

In the event of a personal data breach, data controllers must notify the competent supervisory authority, most likely the lead supervisory authority of the member state where the controller has its main establishment, without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Processors, for their part, must notify the controller without undue delay after becoming aware of a breach. The notification to the supervisory authority must:

  1. Describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and personal data records affected;
  2. Provide the name and contact details of the data protection officer or other contact point;
  3. “Describe the likely consequences of the personal data breach”; and
  4. Describe the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

If not all information is available at once, it may be provided in phases without undue further delay. The IAPP’s DPA directory will help you find the contact information and websites of DPAs from around the world.

Check back soon for tools to help you figure out which DPA to notify.

Data Protection Authorities

This interactive, color-coded map lists the data protection authorities of more than 150 countries worldwide. You'll also find legislative information on whether countries have implemented an omnibus data protection law, are in the process of creating an omnibus law and those that have sectoral coverage. Read More

Notifying affected individuals

Under the GDPR, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” If a breach “is likely to result in a high risk to the rights and freedoms of natural persons,” the controller must notify affected individuals without undue delay. There are three exceptions: (1) the controller had “implemented appropriate technical and organisational protection measures” that “render the personal data unintelligible to any person who is not authorised to access it, such as encryption” (which presupposes that the decryption keys were not themselves compromised); (2) the controller has taken subsequent measures that ensure the high risk to the rights and freedoms of data subjects is no longer likely to materialize; or (3) notifying each data subject would “involve disproportionate effort,” in which case a public communication or similar measure that informs data subjects in an equally effective manner must be used instead.

Quick Links

Here are some quick links to information you may find useful to fulfill your responsibilities as a DPO.


The GDPR in 20 Minutes

Looking for a slimmed-down version of the EU's General Data Protection Regulation? The GDPR in 20 Minutes might just be your thing. List-formatted, in outline, this is a way of looking at the GDPR text in truncated fashion, highlighting meaning while providing links to relevant text you can expand to find a fuller picture. The text has also been reorganized to group information by topic. ... Read More


All of the European Data Protection Board and Article 29 Working Party guidelines, opinions, and documents

Opinion 1/2018 Austrian SA's DPIA List (25 Sep 2018, pdf 135 KB)
Opinion 2/2018 Belgium SA's DPIA List (25 Sep 2018, pdf 134 KB)
Opinion 3/2018 Bulgaria SA's DPIA List (25 Sep 2018, pdf 134 KB)
Opinion 4/2018 Czech Republic SA's DPIA List (25 Sep 2018, pdf 137 KB)
Opinion 5/2018 Germany SA's DPIA List (25 Sep 2018, pdf 141 KB)
Opinion 6/2018 Estonia SA's DPIA List (25 Sep 2018, pdf 134 KB)
Opinion 7/2018 Greece SA's DPIA List (25 Sep 2018, pdf 134 KB)
Opinion 8/2018 Finland SA's DPIA List (25 Sep 2018, pdf 134 KB)
Opin... Read More

GDPR guidance documents

This page is a straightforward list of links to GDPR guidance documents, organized by topic, from the Article 29 Working Party, various data protection authorities, law firms, consultancies and more. Read More
