One of the tasks of a Data Protection Officer (DPO) is to perform checks on how the organisation complies with the law and with its internal rules and procedures. Let us call these Data Protection Compliance Checks, or DPCCs. They differ from privacy impact assessments (PIAs) in that they are performed post factum (after the facts) rather than a priori (before implementation).
It always comes in handy to have some guidance and/or a template to perform such DPCCs, as there are quite a number of things to take into consideration. It also improves the self-discipline of the DPO performing the check and the coherence of the checks over time and across different scopes.
Today we published a template on outsourcing.
Outsourcing data processing operations entails specific risks and requirements under the law and under sound risk management.
Therefore, a set of three templates is developed to look at the outsourcing of data processing operations from three angles:
- the (internal) organisation of the controller including policies and procedures,
- the relationship between the controller and the processor, mainly via the agreement and
- the (internal) organisation of the processor.
The published template aims to give guidance for a check on a specific relationship between a controller and a processor, thus limiting the scope. This template addresses that relationship from the controller side, looking at several stages:
- in the selection,
- in the agreement and
- in (the follow-up of) the performance.
This template should be used in a risk-based fashion. Therefore, it is expected that critical, key and/or high-risk outsourced data processing operations of the controller are submitted to a check with priority.
The result of this check is hopefully a certain comfort in the application of the controller's procedures and rules with regard to outsourcing data processing operations. If such comfort is not found, it should be determined whether amends can be made, through an amendment to the agreement or to the follow-up mechanisms, or through better discipline in applying them. Also, lessons may be learnt with regard to the effectiveness of the controller's procedures and rules.