KPI-based approach to Privacy

The main purpose of this topic is to discuss the state of affairs of GDPR compliance for a Data Protection Officer (DPO) in a typical mid-sized or large enterprise. Furthermore, we introduce a simple, pragmatic approach and framework that can be used in a typical business scenario.

The overall picture of the framework can be illustrated below:

[Figure: Overall Process]

The framework begins by defining the personal data registry (mandatory under Art. 30 GDPR), which sets out the detailed records of processing activities that the controller must maintain.

The next step is to define the business needs process by process (see the chapter on business needs for details). This is where each process owner defines how their process complies with GDPR, along four dimensions:

  • Responsibility: Which privacy requirements does the process address?

  • Ownership: How are the technical and organizational measures implemented?

  • Evidence: How is compliance demonstrated to the supervisory authority (the Data Inspection Authority)?

  • Baseline: What level of implementation has the process achieved (Implemented, In progress or Desired)?

Once each process owner has provided their definitions according to the business needs, the DPO can evaluate each process against a set of impact categories. They are defined as:

  • Violation of regulatory and legal requirements

  • Disruption of business activities

  • Reputational damage

  • Negative financial impact

Finally, the DPO can aggregate the results and evaluate how the organisation as a whole is doing for each of the impact categories, using the following typical rating levels:

  • Low: No impact is to be expected

  • Medium: Impact is limited and manageable

  • High: Impact can reach an existentially threatening, catastrophic scale

In the next chapter we will explain the details of the business needs that each process owner is responsible for.