GDPR business requirements for each process

In the previous chapter we explained a framework that enables DPOs to work with GDPR based on KPIs. In this chapter we put meat on the bone: the pragmatic approach that the process owner can use. The work described in this section is aligned with the new EDPB guidelines on privacy by design and by default, and can be found here.

[Figure: Business needs]
  • Responsibility is the actual GDPR requirement that the process owner needs to describe. As the figure above shows, we have clustered some of the responsibilities because they share commonalities; there is no need to document just for the sake of documenting.

  • Ownership is the organisational and technical measures that the process owner has decided to implement in order to meet the responsibilities.

  • Evidence is the practical effort that the process owner and/or the compliance department has carried out to substantiate the ownership.

  • Baseline is the actual state of the responsibility and can be one of:

    • Implemented: Technical or organisational measures that are already in place and have sufficient resources to be maintained are categorized as “Implemented”.

    • In Progress: If the technical or organisational measure is resourced and is in the process of being implemented, or is scheduled to be implemented, it is categorized as “In Progress”.

    • Desired: Technical or organisational measures which are determined to be applicable or relevant for GDPR compliance but are not currently Implemented or resourced for implementation (In Progress) are categorized as “Desired”.

Nota bene: the items in the ownership may be central, for example a policy on privacy by default, and afterwards configured to fit the process owner's actual needs.

In the next chapter Casimir will describe a practical example of processes in which this framework can be used.