Skip to content

4.0 - Technical Components

4.1 - Article 24: Responsibilities of the Controller

  • Outlines the 4 primary tasks a controller is responsible for
  • Implement Technical and Organization Measures
  • Demonstrate that data processing occurs properly e.g. via audit mechanisms
  • *Understand the Data being Processd**
  • Use data mapping to understand what the organisation has, why they have it, risks to having it, and appropriate protection measures.
  • Implement a Data Protection Policy
  • Policy should be proportionate to the processing activity
  • Develop and Approve a Code of Conduct
  • Demonstrate compliance with obligations
  • Must be a written policy
  • Must comply with

4.2 - Article 28: Data Processor Tasks

  • Data processors are responsible for four primary tasks:

  • Implementing security measures: Provide sufficient guarantees of technical and organisation measures

  • Use of subprocessors: can only be done with the controller's prior consent
  • Contracts with Controller - should detail the following:
  • Subject matter
  • Type of data / subjects considered
  • Nature and purpose of data usage
  • Obligations of each party

  • RACI Matrix is a useful tool in this context

  • Model Clauses: Contracts with technical addendums

  • Plenty of templates are available online.

  • Process only data in scope - the processor should have records of processing activity for evidence and review in the event of an audit.

  • Processors can be considered accountable like data controllers if any of the 4 tenants are violated.

4.3 - Runbooks and Processes

  • Key documents that define how an organisation should reacti in the event of a data breach
  • Process: a series of actions or steps taken in a specific order - can be automated/manual, technical/non-technical or a mixture
  • Processes should always be defined with a specific end goal in mind
  • Once standardised, runbooks can be created from the process(es)
  • Runbook: A compilation of routine procedures and operations that the system admin or operator carries out
  • May primarily be used for reference
  • Can be electronic or physical
  • Runbook components:
  • An overview of the system
  • Security and access control
  • System configuration
  • Monitoring and alerting
  • Operational tasks
  • Maintenance tasks
  • Failure and security procedures
  • OWners and contact details
  • Security of data processing:
  • Ensure information and processes on IT and security actions appropriate to the risk of the issue are included
  • I.e. ensure only the relevant information for the specific runbook are included

4.4 - PIAs and DPIAs

  • PIA = Privacy Impact ASsessment
  • Analyzes how an organisation handles personally identifiable information e.g. collection, use, sharing, etc
  • Usually completed whenever an organisation completes a new process or launches a new product
  • Any third party tooling used is also assessed
  • Considerations include:
  • What data will be collected (source and type)
  • Will the data ever be disclosed

  • How will the data be destroyed

  • DPIA = Data Protection Impact Assessment (DPIA)

  • Identifies any risks that may be present when processing data, and how to mitigate it
  • Conditions for Performing a DPIA usually depend on the outcome of a PIA
  • Security prerequisites
  • Vendor risk assessments
  • Self-certifications

  • Audit function (internal or external)

  • DPIAs are typically required when the data processing meets at least one of the below conditions:

  • Performed at a large scale
  • Involves transfers across borders
  • Evaluates and scores data
  • Data sets are matched or combined
  • Data subjects include children or vulnerable individuals
  • Involves automated decision-making

  • Includes systematic monitoring

  • DPIAs must consist of the following elements:

  • A systematic description of processing operations
  • Necessity of processing in relation to the purposes
  • Risk assessment
  • Risk mitigations and safeguards

  • Compliance measures

  • PIA is used to determine IF an organisation will collect personal data and if so, gathers information about the data lifecycle

  • DPIAs are used to assess potential threat areas and vulnerabilities that exist and outline mitigiations; they usually follow on from PIAs.

4.5 - Trust: A Competitive Advantage

  • By disclosing data collection processesm consumers can know what data companies collect about them
  • Similar trust can be built by outlining to conusmers what options are available regarding how their data is processed, as well as verifying the information is used in an ethical manner.
  • Transparency is the ultimate win - ensure it is easy to understand.
  • Trust can be built by encouraging benefits - customers may be willing to give information if it creates a better user experience.