
Audit model: 20 key questions when choosing your DPO

Tags: DPO, GDPR

What questions should be asked when choosing a DPO? Version 1.0

1. DPO designation

1.1. Is my organisation an authority or a public body?
1.2. As a public body, I am obliged to designate a DPO. Has a DPO been appointed?
1.3. Does my organisation's core activity involve processing personal data that enables regular and systematic monitoring of people on a large scale?
1.4. In the event of a positive response, I must designate a DPO. Has a DPO been appointed?
1.5. Does my organisation's core activity involve large-scale processing of sensitive data or of data relating to criminal convictions and offences?
1.6. In the event of a positive response, I must designate a DPO. Has a DPO been appointed?

2. DPO choice

2.1. Has a GDPR governance structure been defined (GDPR committee, establishment of relays or referents, formalisation of the tasks of these relays, etc.)?
2.2. Has all the documentation needed to justify the choice of DPO been kept (e.g. resume, skills certification, etc.)?
2.3. Has there been any internal communication about the appointment of the DPO?

3. DPO skills

3.1. Is DPO training planned?
3.2. Does the person chosen have the necessary level of knowledge (legal and technical expertise in data protection, sector of activity, etc.) and skills (communication skills, etc.)?

For example, through DPO skills certification approved by the data protection authority.

4. Independence

4.1. Can the DPO easily report directly to the highest level of the organisation's hierarchy?

For example, access to the company's board committee.

4.2. Are there any guarantees to ensure the independence of the DPO?

In particular: not to be penalised in the context of his/her duties as DPO, not to receive instructions in the context of his/her duties as DPO.

5. Conflicts of interest

5.1. Is the position or function of the person chosen free of any conflict of interest with the duties of a DPO?

6. Means

6.1. Does the DPO have access to the relevant procedures and information governing the processing of personal data?
6.2. Does the DPO have easy access to personal data and data processing?
6.3. Has an assessment been made of the DPO's workload and material requirements (infrastructure, additional staff, etc.)?

7. Mission

7.1. Are the DPO's duties and the conditions under which they are to be carried out formalised in an engagement letter or service provision contract?
7.2. Has the scope of the DPO's duties been defined?

For example, keeping the record of data processing activities (ROPA), regular audits of processing operations, verification of PIAs, etc.

7.3. Is the DPO involved upstream of any project involving the processing of personal data?

For example, through a project management procedure that follows the privacy by design and by default principles.

Created: 11/27/2023

Updated: 07/29/2024

License: Creative Commons CC-BY-NC (Attribution / Non-commercial use)

Author: Paul-Emmanuel Bidault

