The Data Protection Officer, an ubiquitous role nobody really knows

arXiv:2212.07712v1 [cs.CR] 15 Dec 2022

Authors:
Francesco Ciclosi, University of Trento (IT), on leave from the Italian Ministry of Economic Development (IT)
Fabio Massacci, University of Trento (IT), Vrije Universiteit Amsterdam (NL)

This paper was written within the H2020 CyberSec4Europe project that received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 830929. This paper reflects only the author’s view and the Commission is not responsible for any use that may be made of the information contained therein.

Cyber Security for Europe (CyberSec4Europe)

As a research project, CyberSec4Europe is working towards harmonising the journey from the development of software components that fit the requirements identified by a set of short- and long-term roadmaps, leading to a series of consequent recommendations. These are tied to the project’s real-world demonstration use cases that address cybersecurity challenges within the vertical sectors of digital infrastructure, finance, government and smart cities, healthcare and transportation. CyberSec4Europe’s long-term goal and vision are of a European Union that has all the capabilities required to secure and maintain a healthy democratic society, living according to European constitutional values, with regard to, for example, privacy and data sharing, and being a world-leading digital economy. CyberSec4Europe’s main objective is to pilot the consolidation and future projection of the cybersecurity capabilities required to secure and maintain European democracy and the integrity of the Digital Single Market. CyberSec4Europe has translated this broad objective into measurable, concrete steps: three policy objectives, three technical objectives and two innovation objectives. CyberSec4Europe: Cyber Security for Europe. More information at https://cybersec4europe.eu/.

Francesco Ciclosi is a Ph.D. student in information engineering and computer science at the University of Trento, Italy. He has been a DPO for an Italian city for the past five years and is currently on leave from the Italian Ministry of Economic Development. He works on methodologies for privacy in socio-technical systems. Previously, he was an adjunct professor of computer science at the University of Macerata. Contact him at francesco.ciclosi@unitn.it.

Fabio Massacci (Phd 1997) is a professor at the University of Trento, Italy, and Vrije Universiteit Amsterdam, The Netherlands. He received the Ten Years Most Influential Paper award by the IEEE Requirements Engineering Conference in 2015. He is the Leader of Education and Skill WP of the CyberSec4Europe project. Contact him at fabio.massacci@ieee.org.

How to cite this paper:
•   Ciclosi F. and Massacci F., The Data Protection Officer, an ubiquitous role nobody really knows. IEEE Security & Privacy, Special Issue on Usable Security for Security Workers. IEEE Press. 2023, doi: 10.1109/MSEC.2022.3222115. Full arXiv version with supplemental material.

License:
•   This article is made available with a perpetual, non-exclusive, non-commercial license to distribute.
ACCEPTED FOR IEEE SECURITY AND PRIVACY MAGAZINE                                                                                                    3

The Data Protection Officer, an ubiquitous role nobody really knows

Francesco Ciclosi, Fabio Massacci, Member, IEEE

Abstract—Among all cybersecurity and privacy workers, the Data Protection Officer (DPO) stands between those auditing a company’s compliance and those acting as management advisors: a person who must be somewhat versed in legal, management, and cybersecurity technical skills. We describe how this role tackles socio-technical risks in everyday scenarios.

Index Terms—GDPR, data protection officer (DPO), socio-technical system, qualitative studies, case studies
1   INTRODUCTION

The recent application of Regulation (EU) 2016/679, best known to the world as the General Data Protection Regulation or GDPR, introduced the role of the data protection officer (DPO). While DPOs have been a key enabler of the GDPR [1], the role of this privacy worker is not a new concept: in several EU Member States, its appointment was already good practice for some years. Yet, the GDPR does not formally describe the DPO job profile, and most papers discuss how to support a DPO with algorithms without providing practical examples of what the DPO does.

For example, Diamantopoulou et al. [2] identify which ISO 27001/2 controls need to be extended to meet GDPR requirements and in which of them the DPO is involved - but why in some and not in others? Ryan et al. [3] explain how their framework RegTech can be helpful to a DPO for checking GDPR compliance - but when and for what concretely? Chatzipolidis et al. [4] describe a readiness assessment tool for GDPR compliance - but for solving social or technical issues? Other articles discuss GDPR compliance topics as if DPOs did not exist, from software engineering [5] to socio-technical management processes [6], from the GDPR’s cost among cybersecurity investments [7], to algorithms for checking GDPR compliance itself [8].

Our purpose is to introduce this legally required organizational role — this ubiquitous privacy worker — to the engineering community represented by Security & Privacy readers through concrete examples of what problems DPOs face, what they do, and what they may or must know. While the literature is surprisingly silent about this, we think that knowledge of the everyday challenges that DPOs have is the starting point for all subsequent research activities. For example, if a researcher has no reference to the daily activities of the key privacy worker in charge of GDPR compliance, how can one design logic or a tool for checking this privacy compliance or any privacy-by-design technology with a practical impact? In summary, our key research question is:
•   Can we enucleate in a few representative scenarios the concrete activities of a DPO?

•   F. Ciclosi (corresponding author) is with the University of Trento, Italy, and on leave from the Italian Ministry of Economic Development. E-mail: francesco.ciclosi@unitn.it
•   F. Massacci is with the University of Trento, Italy and Vrije Universiteit Amsterdam, The Netherlands.
Manuscript accepted 02/11/2022

The article focuses on the role of the DPO introduced by the GDPR, but the insights are valuable for readers outside the EU countries. The GDPR can apply to organizations that carry out their activities in the EU and to organizations outside the EU that process the personal data of EU data subjects. Further, in many countries worldwide, there is data protection legislation in which a DPO role exists at some level. The International Association of Privacy Professionals (IAPP) lists the different roles in many countries worldwide that share some characteristics with the DPO legally defined in the EU [9].

2   OUR METHODOLOGY

The insights described in this article are grounded in case studies along Yin’s case study methodology [10, Ch.4] and the suggestions [11] by Glaser, the founder of grounded theory, to build core categories across field observations derived from lived experience.

First, we analyzed data protection laws and recommendations of relevant authorities. Secondly, we analyzed the seven functions of the DPO that the European Data Protection Supervisor (EDPS) identified in its paper on the role of DPO in compliance with Regulation (EC) 45/2001. Then, we looked at the summary of opinions of some supervisory authorities (i.e., Bulgaria, Croatia, Italy, Poland, and Spain) on the DPO’s activities involved with these functions (e.g., [12]) to have a perspective that was not restricted to a single country.

To make this paper concrete as a use-case reference, we selected only sources of information for which there was evidence that the activities carried out by the DPO involve at least one of these seven functions. The starting point for the case study selection was the personal experience of the first author, who has been a DPO in the Italian public administration for the past five years and is a member of the Italian Association of DPOs.

To make the results of our study accessible, we looked for some publicly available information (for example, court
decisions, supervisory authorities’ decisions, and newspaper articles) on case studies similar to the ones on which the first author had first-hand experience. This approach allows us to go beyond the individual experience and provide shareable evidence. Out of over 90 public case studies, we finally distilled 12 scenarios with at least one analyzable practical example for each of the DPO’s primary functions. In this paper’s main text, we made the scenarios general by renaming the actors involved (but without altering their nature) to be resilient to potential requests on the “right to be forgotten” and to be of general interest to the readers.

The scenarios we propose map well into the general literature. For example, the site GDPR Enforcement Tracker fines database [13] reports 1475 occurrences of GDPR fines related to DPOs across 31 different EU Member or EEA States. Our scenarios cover more than 1400 cases.

The concrete references are listed in the supplemental material available in Appendix A.

3   HOW THIS ROLE IS BORN

In Europe, the concept of DPO comes from the German data protection law of 1977, the Bundesdatenschutzgesetz (BDSG), which introduced a precursor of the role (Figure 1).

The DPO role over time became widely adopted by the other European States until, in 1995, the European Community issued Directive 95/46/EC on the protection of individuals concerning the processing of personal data and on the free movement of such data. A patchwork of approaches followed: many Member States introduced the DPO role in their national law, as in Austria (where the appointment was mandatory) or in France (where the appointment was optional), but only some of them did (in Italy, the DPO role was absent in national law). Moreover, the DPO duties were limited to independently ensuring an organization’s internal application of the national provisions taken according to the Directive and keeping a register of processing operations carried out by the controller.

For EU institutions, only the appointment of at least one DPO was mandated by Regulation (EC) 45/2001. These rules were very similar to the ones that would be introduced in later years. 2016 was a pivotal year for data protection as the European Parliament and the Council issued the Directive (EU) 2016/680 on criminal offenses or criminal penalties and the GDPR on personal data protection.

To provide an interpretation of the EU’s data protection legislation, the Article 29 Working Party Committee issued the Guidelines on DPOs (WP243) [14], which were initially adopted on December 13, 2016, and later revised on April 5, 2017. After the GDPR adoption, the new European Data Protection Board (EDPB), an independent European body tasked with ensuring the consistent application of data protection rules throughout the European Union, endorsed these guidelines in its first plenary meeting on May 25, 2018.

Not all organizations are required to appoint a DPO, although doing so is a good practice. There are three specific cases in which a controller or a processor must appoint a DPO (GDPR article 37). In the first case, if the organization is a public institution, it must appoint a DPO. Otherwise, an organization must appoint a DPO if it requires regular and systematic monitoring of data subjects on a large scale (second case) or processes, on a large scale, personal data belonging to special categories or related to criminal offenses (third case).

Article 39 of the GDPR entrusts the DPO with different tasks:
a) to inform and advise one’s employer about its obligations under the law when carrying out processing;
b) to monitor compliance with the law;
c) to provide advice regarding the data protection impact assessment (DPIA) and to monitor its execution;
d) to cooperate with the supervisory authority (SA), acting as a contact point between the SA and the organization.

Table 1 summarizes the seven functions of the DPO, identified by the EDPS in its position paper on this role. Appendix B provides further information and examples about these seven functions of the DPO.

In summary, DPOs must be fully cognizant of the controller’s working environment to carry out their tasks. This awareness implies that a DPO must know the internal distribution and allocation of responsibilities and tasks related to every personal data processing. A DPO must also be familiar with any external links (between the controller and other organizations) and with the legal frameworks in which these links take place. According to many supervisory authorities’ opinions [12], a preliminary task in which a DPO scopes the controller’s environment fulfills this requirement.

4   WHAT PROBLEMS DOES A DPO FACE?

To understand the daily problems a DPO faces, we have illustrated several real-life scenarios in Table 2. We edited them to obfuscate the original entity responsible for the privacy issues faced by the DPO. The supplemental material reports the sources of these scenarios.

Empirical research on the problems of the DPO [15] has shown that sometimes these could be very basic and relate to a lack of sufficient resources (time, finances, and humans) to carry out one’s duties and to some issues in the operational interpretation of the law. Below, in Table 2, we analyze the challenges that DPOs face even when adequately supported.

A first example: although maintaining a record of processing activities is formally a controller’s duty, the DPO will most likely be in charge of this work or closely involved in its oversight. In quite a few job adverts for DPO appointments, it is formally stated that the DPO is in charge of maintaining the record of processing activities. Without a regulatory constraint, the DPO may also be appointed to carry out some activities that are formally a duty of the controller. It is a free choice of the controller who pays the DPO. The involvement of the DPO is only sometimes an indicator that things are working well. A data controller could use a non-GDPR-compliant service because of a DPO’s mistake (Tab. 2, WRONG-ADVICE). Unfortunately, the controller is solely responsible for the choice made, and even a DPO’s evaluation errors expose it to administrative fines or penalties. The accountability principle constrains the controller to demonstrate having complied with the regulatory requirement.

In an opposite scenario, a controller operating a catering service implements a new data processing to control the EU Digital Covid Certificate of staff but neglects the DPO’s
TABLE 1
High-Level View of the Functions of the DPOs

This table describes the tasks of the DPO grouped according to the seven functions of the DPO that the European Data Protection Supervisor (EDPS) identified in its position paper on the role of DPO in compliance with Regulation (EC) 45/2001.

DPO’s Function: Summary Description
•   Organizational function: Review or even directly organize a processing operations register on behalf of the controller, help assess the related risks, and support the processing activities with high-risk value.
•   Monitoring of compliance: Investigate (on autonomous initiative) matters and occurrences directly relating to the GDPR and report back to the controller.
•   Advisory function: Make recommendations for the practical improvement of data protection to the controller and advise it on matters concerning the related provisions.
•   Cooperative function: Facilitate cooperation (between the Supervisory Authority and the controller), especially in the frame of investigations, complaint handling, or prior checks.
•   Handle queries or complaints: The authorization to handle queries or complaints originates from the very possibility of autonomous investigations.
•   Information and raising awareness function: Prepare staff information notes, training sessions, privacy statements, and learning material.
•   Enforcement: Powers of enforcement are limited.

TABLE 2
Scenarios and Privacy Issues daily faced by a DPO

Each entry gives the scenario’s short name, the scenario description, and what went wrong.

•   WRONG-ADVICE
    Scenario description: A controller wants to process data using a processor service and asks the DPO’s advice to understand if the proposed contract complies with GDPR.
    What went wrong: The advice of the DPO turned out to be wrong, but the controller uncritically trusted the DPO’s advice.
•   IGNORED-DPO-ADVICE
    Scenario description: A controller implements a new data processing. The DPO advises that a prior execution of a DPIA is required.
    What went wrong: The controller chooses to neglect the DPO’s advice without justifying in writing why it did not take that advice into account.
•   DPO-ADVICE-NOT-SOUGHT
    Scenario description: A controller implements a registration procedure for a service without first asking for the DPO’s advice about compliance with GDPR principles.
    What went wrong: The registration procedure does not carry out a check on the identity of the person who enrolls, so it is unknown who saw the data.
•   WEBSITE-FORCES-CHOICES
    Scenario description: In a controller procedure, data processing for marketing purposes asks for the consent of the data subject.
    What went wrong: The procedure forces a data subject to release consent, imposing on him or her to select a box and otherwise preventing him or her from continuing.
•   ADMIN-ASKS-FOR-EVERYTHING
    Scenario description: A controller’s staff member satisfies the law on access to data (e.g., FOIA) by publishing some documents about a data subject.
    What went wrong: A controller processes personal data by asking the data subject and publishing all data without correctly applying the data minimization principle.
•   NEGLECTED-SUBJECT-RIGHT
    Scenario description: A data subject files a complaint with the competent supervisory authority because s/he has not received a response within the time frame set by law.
    What went wrong: The controller did not designate the DPO, or it did, but the designated DPO did not monitor the official address.
•   SUBJECT-RIGHT-REQUEST
    Scenario description: A data subject exercises one’s right of access according to article 15 of the GDPR, sending a formal request to the DPO’s address.
    What went wrong: When the controller drew up the record of processing activities, it did not correctly identify the actual processing activities, so the DPO could not answer the query.
•   NO-DATA-PROTECTION-PRINCIPLES
    Scenario description: A controller implements a configuration in company equipment.
    What went wrong: There is an incorrect configuration that allows unfettered access to personal data.
•   UNCHECKED-REMOTE-MONITORING
    Scenario description: A controller implements remote assistance software tools on company workstations.
    What went wrong: The technicians use a remote assistance software solution that does not notify the user when remote access is performed.
•   WRONG-PUBLIC-PROCUREMENT
    Scenario description: A controller issues a public tender for procuring products or services.
    What went wrong: In the tender evaluation grid, there is no explicit checkpoint for applicants to “demonstrate” that their products or services fully comply with the GDPR.
•   SOFTWARE-END-OF-LIFE
    Scenario description: The DPO of a company noticed some results about the software used for processing activities.
    What went wrong: The software used in the company’s workstations is obsolete, and the support provided by the vendor software house is expired or close to expiring.
•   SUBCONTRACTOR-VIOLATES-PRIVACY
    Scenario description: A controller appoints its DPO to test a software procedure of a tender’s winner.
    What went wrong: The tender winner has violated the terms on GDPR compliance of the contract for the supply of IT programs and services.
Fig. 1. The evolution of the European role of Data Protection Officer (DPO)

advice without justifying in writing why that advice has not been taken into account (IGNORED-DPO-ADVICE). This action is to blame because it is reasonable that the DPO gave his or her advice to ensure that the processing complied with the GDPR. Again, not documenting the reasons behind choosing to neglect this advice results in violating the accountability principle, exposing data subjects to risks and the controller itself to administrative fines or penalties.

The DPIA execution is a controller’s responsibility, while the DPO task is limited to providing the advice requested. The WP29 [14] highlights that a controller should justify in black and white in the DPIA’s documentation why it has not considered the DPO’s advice. For properly handling the execution of a DPIA, a controller could define, in an internal regulation, the procedures for consulting the DPO about this topic. By way of example, this regulation may specify whether or not to carry out a DPIA, what methodology to follow, and whether to use internal resources or outsource it. Other helpful information to include in the regulation is what safeguards to apply to mitigate any risks to the rights and freedoms of the data subjects.

The scenario DPO-ADVICE-NOT-SOUGHT describes a case in which a controller is exposed to mistakes in the processing’s design because it did not ask the DPO’s advice. The scenario WEBSITE-FORCES-CHOICES exemplifies the vulnerability stemming from a wrong implementation of a seat reservation software procedure of a transport company. The software forced the data subject to consent to other forms of processing.

The ADMIN-ASKS-FOR-EVERYTHING scenario is related to a failed application of the minimization principle. In it, the human resources office of a public institution (which must satisfy the law on publication obligations) publishes in the “Transparent Administration” section of the institution’s website the unredacted CV of the winner of a public selection, thus exposing the data subject’s personal data (e.g., home address, personal phone number, and others).

The relationship between the DPO and the supervisory authority (SA) is significant. The WP29 [14] highlights that the DPO must act as a “facilitator” by cooperating with the SA. Furthermore, the obligation of secrecy or confidentiality cannot prohibit the DPO from contacting and seeking advice from the SA. The controller who acts to weaken this relationship could be sanctioned. If the data controller does not appoint the DPO, problems will likely arise in scenarios NEGLECTED-SUBJECT-RIGHT and SUBJECT-RIGHT-REQUEST. In NEGLECTED-SUBJECT-RIGHT, another violation is the missing communication to the SA of the DPO’s contact details because, in that case, the SA does not know how to contact the DPO to handle the complaint. In SUBJECT-RIGHT-REQUEST, an aggravating factor would occur if, when the controller draws up the record of processing activities, it does not correctly identify them. In such a case, even if appointed, the DPO may find it challenging to identify the processing details and promptly respond to the data subject’s requests.

5   RISK MANAGEMENT

DPOs face many challenges that we can classify into two categories: technical risks and socio-organizational risks. The first challenges stem from faulty technical or technological solutions which do not fully guarantee the protection of the subjects whose personal data is processed. The second type of challenge is due to incorrect organizational procedures or incorrect human behavior.

We can subdivide technical risks into two subgroups. The first type relates to design problems when the DPO supports and advises the controller on technical choices. For example, the DPO may be asked to choose between configurations that comply with the data protection by default principle and configurations that only seem to do so (Tab. 2, NO-DATA-PROTECTION-PRINCIPLES and UNCHECKED-REMOTE-MONITORING). S/he might find (or fail to find)
insecure technical solutions in a call for tenders (WRONG-PUBLIC-PROCUREMENT) that can kick-start litigation between contractors. The second type of risk involves misconfigurations or errors which appear during the implementation (SUBCONTRACTOR-VIOLATES-PRIVACY and SOFTWARE-END-OF-LIFE).

Socio-organizational risks can appear daily while the DPO supports the controller in processing activities. We can divide them into four additional categories, namely auditing (Tab. 2, IGNORED-DPO-ADVICE and SUBCONTRACTOR-VIOLATES-PRIVACY), communication (NO-DATA-PROTECTION-PRINCIPLES and UNCHECKED-REMOTE-MONITORING), processing design (SOFTWARE-END-OF-LIFE) and relationship (NEGLECTED-SUBJECT-RIGHT). Conflicting requirements are a particular instance of these risks.

No matter how sophisticated the technical protection measures are, DPOs may experience side-channel attacks from the most unexpected human behavior. A well-designed processing activity may become unlawful because a staff member operates differently from what is prescribed by the procedure and from the instructions received by the controller. For example, an operator recorded the screen of the closed-circuit video surveillance cameras, only accessible to the local police control station, with a smartphone and

the monitoring of compliance. However, in the response part, there is a combination of the advisory, organizational, and cooperative functions, performed secondarily, as well as the enforcement one.

The case WEBSITE-FORCES-CHOICES corresponds to two different scenarios. The first is a detection scenario in which the DPO exercises the monitoring of compliance function (D1 and D2), while the second is a response one where the Enforcement function is applied (R5).

In the scenario ADMIN-ASKS-FOR-EVERYTHING, the DPO carries out his or her activities in a response scenario. Some (R3 and R9) combine the enforcement and handling queries or complaints functions. At the same time, another (R11) involves primarily the handling queries or complaints function and secondarily the monitoring of compliance one.

The importance of the DPO’s cooperation function comes to light from the scenarios NEGLECTED-SUBJECT-RIGHT and SUBJECT-RIGHT-REQUEST. These cases are linked to two response scenarios. The first primarily involves the DPO’s handling queries or complaints function, followed by the monitoring of compliance function (R11). The second relates to the handling queries or complaints and monitoring of compliance functions (R4 and R12). Moreover, related to NEGLECTED-SUBJECT-RIGHT, there is an additional response scenario in which the DPO’s
disseminated a video of a traffic accident on social channels.    cooperative function is the primary involved, which fol-
Appendix C provides further information about technical           lows up handling queries or complaints function (R6 and
and socio-organizational risks.                                   R8). The cases N O -D ATA -P ROTECTION -P RINCIPLES and
    Table 3 shows some of the possible consequences of            U NCHECKED -R EMOTE -M ONITORING highlight the impor-
damaging the freedom and rights of natural persons. It            tance of the DPO’s organizational function (P3), primarily
is difficult to determine the impact grade without an in-         in a prevention scenario. The advisory function follows up
depth analysis of the processing and the technical and            as second in the same.
organizational means used to mitigate their risks. In some            In W RONG -P UBLIC -P ROCUREMENT, there is an exam-
circumstances, the case study’s high-level description (e.g.,     ple of a prevention scenario in which the DPOs exercise
in the case of the GDPR accountability principle’s violation)     their advisory function (P5). While in S OFTWARE -E ND - OF -
is sufficient to conclude that the consequences are actual and    L IFE, there is a prevention scenario where DPOs exercise a
potentially disastrous for an organization. Because personal      combination of their organizational and advisory functions
data breach is a broad concept, we split this class into three    (P6). The S UBCONTRACTOR -V IOLATES -P RIVACY shows the
classes representing the specific breach. Finally, Table 3 in-    DPO’s monitoring of compliance use in an investigative
cludes some more specific classes (e.g., ”GDPR non-compliant      scenario (I1). Then, in a combination of response and in-
processing” is a particular case of ”unlawful processing”).       vestigative scenarios, the DPO exercises the monitoring of
    Some DPO mistakes (such as W RONG -A DVICE) may also          compliance function, followed by a mix of the advisory,
cause a controller’s wrong assessment, which subsequently         organizational and cooperative functions performed secon-
induces wrong organizational choices.                             darily (R2, R7, R10, and I2).
    If a threat exploits even one vulnerability, it will deter-       Regarding the DPO’s advisory function, when DPOs
mine a GDPR’s principles violation, exposing the controller       are involved in new data processing, they can consult the
to fines or penalties. Of course, this might depend on some-      SA if necessary (P8). In W EBSITE -F ORCES -C HOICES, when
body tipping the supervisory authority or the SA coming to        the DPO becomes aware of a process that is not entirely
investigate its initiative or after a data breach.                compliant with data protection policies (D2), he or she ad-
                                                                  vises the controller, making recommendations for practically
                                                                  improving it (D1 and then R3 or R5).
6   W HAT DOES A DPO ACTUALLY DO ?                                    Finally, the DPO should perform the investigative ac-
The boundary between the DPO’s functions sometimes is             tivity even if the controller does not involve him or her.
fuzzy, especially in complex scenarios where more of them         For example, in S UBCONTRACTOR -V IOLATES -P RIVACY, the
are involved. In Table 4, we summarized some examples,            DPO can independently carry out this activity (I1). If he or
presenting the role of DPO in mitigating risks (namely:           she finds a violation of data protection by design and default
prevention, detection, response, and investigation) for each      principles, the DPO acts accordingly (I2).
scenario from Table 2.
   In DPO-A DVICE -N OT-S OUGHT, the DPO’s activities             7   W HAT DOES A DPO NEED TO KNOW ?
correspond to a detection (D1 and D2) and a response              GDPR does not specify the professional qualities required
scenario (R2, R5, R7, and R10). The DPO primarily exercises       at a DPO, but only that the needed expert knowledge must
ACCEPTED FOR IEEE SECURITY AND PRIVACY MAGAZINE                                                                                                          8

TABLE 3
Some possible consequences of risks that a DPO may have to deal with

This table summarizes some examples of the consequences of technical or socio-technical risks that a DPO may face while carrying out his or her duties. These consequences are grouped into classes and associated with a possible reference scenario. Any such infringement exposes the controller to administrative fines of up to 20 000 000 EUR, or up to 4% of the total worldwide annual turnover, whichever is higher.

Impact class | Impact example | Scenario example
Attack on customers | Identity theft of the data subject could happen (e.g., an attacker steals a data subject’s personal data from a misconfigured database and later uses them, pretending to be the data subject). | NO-DATA-PROTECTION-PRINCIPLES, DPO-ADVICE-NOT-SOUGHT, IGNORED-DPO-ADVICE
Attack on employees | Unauthorized persons could capture the private data of employees. | UNCHECKED-REMOTE-MONITORING
Contract termination | The tender may be subject to litigation due to a violation of the terms indicated in the contract for the supply of IT programs and services. | SUBCONTRACTOR-VIOLATES-PRIVACY
Data breach (access or disclosure) | A personal data breach may happen because of unauthorized access to (or disclosure of) personal data transmitted, stored, or otherwise processed (e.g., a software misconfiguration allows technicians to stealthily connect to a workstation without the user’s consent). | UNCHECKED-REMOTE-MONITORING, SUBCONTRACTOR-VIOLATES-PRIVACY, NO-DATA-PROTECTION-PRINCIPLES
Data breach (destruction or loss) | There is unlawful destruction or an accidental loss of personal data held by the controller (e.g., ransomware has encrypted all the office’s files stored on a file server). | SOFTWARE-END-OF-LIFE
Data breach (alteration) | There is an unlawful alteration of stored personal data (e.g., exploiting a system’s vulnerability, a cracker modified some personal data stored in a database). | SOFTWARE-END-OF-LIFE, NO-DATA-PROTECTION-PRINCIPLES
Data disclosure | Excess and irrelevant personal data are disseminated over the Internet by the controller. | ADMIN-ASKS-FOR-EVERYTHING, NEGLECTED-SUBJECT-RIGHT
Inadequate identification | Anyone could pretend to be another data subject and access his or her personal data. | DPO-ADVICE-NOT-SOUGHT
GDPR non-compliant processing | A controller processes personal data without providing information to the data subject (e.g., a controller issues a loyalty card to a customer without providing the customer with a privacy policy). | WRONG-ADVICE, IGNORED-DPO-ADVICE
Risky processing | The processing could be risky for the rights and freedoms of natural persons. | IGNORED-DPO-ADVICE
Unlawful processing | There is no legal basis for the processing. For example, the procedure forces the data subject to give consent for an unnecessary activity. In another example, a controller acquires personal data for one purpose and uses them for another purpose without obtaining the data subject’s consent. | WEBSITE-FORCES-CHOICES
Unlawful procurement | A contractor that offers products or services that are not GDPR-compliant can win a bid. The call for tender may be subject to litigation. | WRONG-PUBLIC-PROCUREMENT

be adequate for the data processing operations and their protection rank. The WP29 [14] suggests that it must be commensurate with the sensitivity, complexity, and amount of data the organization processes. Table 5 summarizes the expertise and skills that a DPO should have. They consist of qualities, expertise in law and practices, ability, and educational qualification.

In the absence of specific guidance from the relevant bodies, from a legal perspective it is challenging to define DPO selection criteria that can truly measure the adequacy of their level of knowledge. While technical and management skills are essential, there is no consensus on “specific” certifications that guarantee an adequate level of expert knowledge in the DPO. As a result, it is complex to establish the absolute value of specific qualifications (e.g., a university master’s), professional certifications (e.g., UNI 11697:2017 certification), and authorship of books, articles, papers, or research products. Courts overturned, as unfair requirements, several attempts to mandate this or that certification (e.g., BS 7799 or ISO 27001).

In our experience, a DPO can achieve a good knowledge of data protection practices by studying documents prepared by the EDPB, the EDPS, ENISA, and the supervisory authorities of EU member states.

Another critical point is finding appropriate training for the professional profile of the DPO, from both a technical and a legal point of view: while knowledge of data protection law is a crucial requirement, a DPO may not have a law degree. A DPO may have a cybersecurity degree, but a European study [16] found that European master of science (M.Sc.) programs in cybersecurity practically do not cover the knowledge units on component procurement. Knowing this unit is critical to guarantee compliance with the privacy-by-design principle, because third-party components and contracts with IT providers are the norm for any administration, as administrations rarely have in-house developers.

Some training support can also come from internal and external information sources. An example of an internal source is the information that a SOC (Security Operations Center) or the IT staff provides to the DPO about security events and incidents. The national CSIRT (Computer Security Incident Response Team) is an external source that provides pre-alerts, alerts, bulletins, and information regarding risks and incidents. For instance, in case of a data breach, a DPO should collaborate with the internal IT department (if available) and later refer to the national CSIRT. As a further example, considering the interaction between a DPO and a SOC, the DPO will not have direct access to a security information and event management (SIEM) system for an independent analysis of the inputs collected from the connected security devices and sensors [17]. Instead, the DPO will rely on summary reports prepared by security analysts. When a data breach is uncovered, direct contact with security analysts could help obtain more information about the incident and better determine its impact and extent. Unfortunately, in many places (e.g., small public administrations), the “IT security department” is just one IT person who, among other duties, knows something about security. The DPO may end up being the security expert.

The currently available technology can help DPOs carry out their tasks more easily. For example, using requirement analysis tools in software development or procurement could improve compliance with the data protection by design principle.

Additional support comes from research. Research findings can provide DPOs with insights into where to focus their efforts. According to this vision, the DPO’s advising task is “driven by research.” For example, Tang et al. [18] find that users have difficulty understanding the technical terms used in privacy policies because they misunderstand and misconstrue them. As a result, the privacy policies themselves are also misunderstood and misinterpreted. Considering the results of this and other similar studies helps the DPO understand the training gaps in the firm’s workforce.

TABLE 4
Some examples of activities that a DPO carries out to mitigate consequences of realized risks

ID | Illustrative mitigation by the DPO | Applicable scenarios (or DPO’s function)

Prevention - Controller initiated
P1 | A group of joint controllers (two or more controllers who jointly determine the purposes and means of processing) asks their DPOs for advice on the technical and organizational aspects of periodic or new processing. For example, processing will build on an integrated territorial video surveillance system using OCR cameras. | Advisory function, Cooperative function, Organizational function and Monitoring of compliance
P2 | The DPO helps the controller to do a DPIA before starting new high-risk processing (e.g., one relating to a Covid-19 screening data acquisition and management system). | Organizational function
P3 | The DPO supports the controller in choosing the configuration of a company’s telecommunication equipment or a software tool that guarantees the protection of personal data by default. | NO-DATA-PROTECTION-PRINCIPLES, UNCHECKED-REMOTE-MONITORING

Prevention - DPO initiated
P4 | A DPO monitors changes in data protection laws and the indications of the bodies in charge, and then prepares short information pills or notes for an SME’s staff. | Information and raising awareness function
P5 | The DPO advises the controller that, in issuing public tenders, it should expressly call for applicants that can “demonstrate” that their product or service fully complies with GDPR. | WRONG-PUBLIC-PROCUREMENT
P6 | The DPO advises the controller to launch a census of all the PCs in the organization that have a Microsoft operating system version 7 or older. The DPO interacts with the ICT Department to develop an operating system update plan. | SOFTWARE-END-OF-LIFE
P7 | The DPO of a national central bank illustrates to some banks’ DPOs the controller’s obligations. | Advisory function
P8 | The DPO consults the competent SA about implementing a new data processing. | Cooperative function

Investigate - DPO initiated
I1 | The DPO initiates an investigative activity to verify compliance with contract terms. | SUBCONTRACTOR-VIOLATES-PRIVACY
I2 | The DPO immediately advises the controller about the existence of a violation of the contract terms. The controller, in turn, immediately formally warns the processor about this violation, ordering it to stop the infringement at once (e.g., by returning the data encryption key). | SUBCONTRACTOR-VIOLATES-PRIVACY

Investigate - Data subject initiated
I3 | A DPO receives a piece of informal information and initiates an investigative activity (e.g., to verify the control procedure of the EU Digital COVID Certificate held by the staff). | Monitoring of compliance and Handle queries or complaints

Detection - DPO initiated
D1 | Examining the output of an audit, the DPO finds that the processing is not compliant with the GDPR principles or is unlawful. | DPO-ADVICE-NOT-SOUGHT, WEBSITE-FORCES-CHOICES
D2 | The DPO conducts periodic audits of processing compliance with GDPR principles. | IGNORED-DPO-ADVICE, DPO-ADVICE-NOT-SOUGHT, WEBSITE-FORCES-CHOICES

Response - Controller initiated
R1 | The DPO could refuse to sign off the GDPR compliance of a new or modified processing. | Enforcement
R2 | The DPO assists the controller in investigating whether a personal data breach has occurred. | DPO-ADVICE-NOT-SOUGHT, SUBCONTRACTOR-VIOLATES-PRIVACY

Response - DPO initiated
R3 | The DPO invites the controller to immediately remove irrelevant and excess personal data and apply the data minimization principle. | ADMIN-ASKS-FOR-EVERYTHING, WEBSITE-FORCES-CHOICES
R4 | The DPO interacts with the controller’s structure to follow up on the data subject’s request. | NEGLECTED-SUBJECT-RIGHT, SUBJECT-RIGHT-REQUEST
R5 | The DPO advises the controller to immediately stop the processing by temporarily suspending the service to modify the software procedure. | DPO-ADVICE-NOT-SOUGHT, WEBSITE-FORCES-CHOICES
R6 | After the controller follows up on the data subject’s request, the DPO reports it to the SA. | NEGLECTED-SUBJECT-RIGHT
R7 | The DPO notifies a personal data breach to the SA, acting on behalf of the controller. | DPO-ADVICE-NOT-SOUGHT, SUBCONTRACTOR-VIOLATES-PRIVACY
R9 | After the controller deletes irrelevant and excess personal data, the DPO notifies the data subject that the complaint has been upheld. | ADMIN-ASKS-FOR-EVERYTHING
R10 | The DPO communicates a data breach to the data subjects, acting on behalf of the controller. | DPO-ADVICE-NOT-SOUGHT, SUBCONTRACTOR-VIOLATES-PRIVACY

Response - Supervisory Authority initiated
R8 | The DPO interacts with the SA, giving it the best collaboration in handling complaints lodged against the controller and facilitating access to the documents and information. | NEGLECTED-SUBJECT-RIGHT

Response - Data subject initiated
R11 | The DPO checks if the complaint or request received from the data subject is well-founded. | ADMIN-ASKS-FOR-EVERYTHING, NEGLECTED-SUBJECT-RIGHT, SUBJECT-RIGHT-REQUEST
R12 | The DPO responds to a data subject who applied for information about personal data processing, promptly providing all requested information. | NEGLECTED-SUBJECT-RIGHT, SUBJECT-RIGHT-REQUEST

TABLE 5
Expertise and skills of the DPO

This table describes the expertise and skills a DPO should have to carry out his or her tasks well.

Criteria | Description | Examples
Qualities | DPOs must possess specific professional qualities | Supervisory authorities provide continuous training courses reserved for DPOs (e.g., the T4Data international project and the SME Data project). A controller required in the call for the DPO’s appointment that the candidates have in-depth knowledge of the organizational structure, the information systems present, and the specific sector of activity of the controller, as well as being familiar with the data processing operations it carries out. The EDPS asserts that it is better to recruit the DPOs of EU institutions/bodies/agencies (EUI) from within the EUI, since these people usually have a better knowledge of the organization, structure, and functioning of the EUI itself.
Expert in law | DPOs must have expert knowledge of data protection law | The EDPS asserts that expert knowledge of data protection law is a prerequisite for the EUI DPO function. A controller required in the call for the DPO’s appointment that the candidates know the legislation and practices on data protection from both a legal and an IT point of view, including in-depth knowledge of the GDPR.
Expert in IT practice | DPOs must have expert knowledge of IT, security, and organization | According to the EDPS, for EUI DPOs one of the professional qualities is knowledge of IT, including security aspects, and organizational and communication skills. The Network of Data Protection Officers of the EU institutions and bodies recommends that EUI DPOs have at least three years of relevant experience/maturity to serve as DPO in a body where data protection is not related to the core business; otherwise, this period grows to at least seven years. The same applies if the DPO will serve in an EU institution or in a body that has a significant volume of processing operations.
Ability | DPOs must have the ability to fulfill the tasks listed in GDPR, Article 39 | A controller explicitly required in the call for the DPO’s appointment that the candidates have personal qualities, including integrity and high professional ethics. According to the EDPS, for EUI DPOs the ability to fulfill their tasks should be judged from their personal qualities and knowledge and their position within the organization.
Educational qualification | DPOs could have a variety of qualifications in law and computer science, security and privacy | However, they cannot be uniquely determined. An Italian court ruling asserts that holding ISO 27001 certification cannot be a binding prerequisite in the selection procedure for a DPO’s appointment.

8 CONCLUSIONS

The goal of compliance with the GDPR makes the DPO’s role dual. This data protection specialist is both the person who controls the processing activities in the organization and the person who acts as a wise advisor to the management. This tension could be problematic, as the DPO needs information to carry out his or her duties. At the same time, the manager wants support in determining the purposes and means of processing personal data without giving the DPO too much information.

The duties assigned to the DPO role can quickly put this person in conflict within the organization for which she or he works. This can happen especially in organizations with a negative attitude toward data protection. For example, Hadar et al. [19] reported a qualitative study where 17 developers out of 27 declared that the climate of the organization they worked for was averse to data protection. Developers reported that they had to comply with organizational norms that went against data protection laws and contradicted the company’s formally stated policies. In these circumstances, DPOs who carry out their duties will likely experience conflicts with the management. Casutt et al. [15] found a similar outcome. They showed that DPOs experienced an inherent conflict between complying with the law and realizing the organization’s project whenever there is a gap between privacy requirements and those of the organization for which the DPO works.

A potential limitation of our research is that we based our scenarios on a detailed analysis of 90 specific cases, mostly of Italian origin, and court decisions may differ across EU Member States. Several factors mitigate this issue. First, the relevant legislation (the GDPR) is a single regulation for all EU Member States and is directly applicable to them, regardless of the national legislation, and the European Data Protection Board is tasked to facilitate the consistent application of data protection rules throughout the European Union and to promote cooperation among the supervisory authorities of individual EU Member States. Second, we reviewed supervisory decisions of several countries [12], including over 1400 cases from [13]. So we are reasonably confident that our scenarios will stand the test of cross-border analysis.

While we do not have an engineering solution for the

DPO’s problems, at least being aware of the concrete problems is the first step toward a solution.

ACKNOWLEDGMENTS

The European Union has partly supported this work under the H2020 Leadership in Enabling and Industrial Technologies (LEIT) program under grant agreement 830929 (CyberSec4Europe).

CRediT statements

Conceptualization: FC, FM; Methodology: FM, FC; Validation: FM; Investigation: FC; Data Curation: FC; Writing - Original Draft: FC; Writing - Review & Editing: FC, FM; Visualization: FC; Supervision: FM; Project administration: FM; Funding acquisition: FM.

REFERENCES
[17] S. Bhatt, P. K. Manadhata, and L. Zomlot, “The operational role of security information and event management systems,” IEEE Security and Privacy, vol. 12, no. 5, pp. 35–41, 2014.
[18] J. Tang, H. Shoemaker, A. Lerner, and E. Birrell, “Defining privacy: How users interpret technical terms in privacy policies,” Proc. Priv. Enhancing Technol., vol. 2021, no. 3, pp. 70–94, 2021.
[19] I. Hadar, T. Hasson, O. Ayalon, E. Toch, M. Birnhack, S. Sherman, and A. Balissa, “Privacy by designers: software developers’ privacy mindset,” Empirical Software Engineering, vol. 23, no. 1, pp. 259–289, 2018.
[20] Article 29 Data Protection Working Party, “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679,” pp. 1–22, 2017.
[21] Il Manifesto, “Marche, il buco dello screening: dati accessibili a chiunque,” 2021. [Online]. Available: https://ilmanifesto.it/marche-il-buco-dello-screening-dati-accessibili-a-chiunque/
[1]    G. Almeida Teixeira, M. Mira da Silva, and R. Pereira, “The critical
       success factors of GDPR implementation: a systematic literature
       review,” Digital Policy, Regulation and Governance, vol. 21, no. 4,
       pp. 402–418, 2019.
[2]    V. Diamantopoulou, A. Tsohou, and M. Karyda, “From
       ISO/IEC27001:2013 and ISO/IEC27002:2013 to GDPR compliance
       controls,” Information and Computer Security, vol. 28, no. 4, pp.
       645–662, 2020.
[3]    P. Ryan, M. Crane, and R. Brennan, “Design challenges for GDPR
       RegTech,” in Proceedings of the 22nd International Conference
       on Enterprise Information Systems. SCITEPRESS - Science and
       Technology Publications, 2020.
[4]    A. Chatzipoulidis, T. Tsiakis, and T. Kargidis, “A readiness assess-
       ment tool for GDPR compliance certification,” Computer Fraud &
       Security, vol. 2019, no. 8, pp. 14–19, 2019.
[5]    Y.-S. Martin and A. Kung, “Methods and tools for GDPR compli-
       ance through privacy and data protection engineering,” in 2018
       IEEE European Symposium on Security and Privacy Workshops
       (EuroS&PW), 2018, pp. 108–111.
[6]    M. Malatji, A. Marnewick, and S. von Solms, “Validation of a
       socio-technical management process for optimising cybersecurity
       practices,” Computers & Security, vol. 95, p. 101846, 2020.
[7]    R. Layton and S. Elaluf-Calderwood, “A social economic analysis
       of the impact of GDPR on security and privacy practices,” in 2019
       12th CMI Conference on Cybersecurity and Privacy (CMI), 2019,
       pp. 1–6.
[8]    D. Basin, S. Debois, and T. Hildebrandt, “On purpose and by ne-
       cessity: Compliance under the GDPR,” in Financial Cryptography
       and Data Security, S. Meiklejohn and K. Sako, Eds.           Berlin,
       Heidelberg: Springer Berlin Heidelberg, 2018, pp. 20–37.
[9]    W. R. Center), “Data protection officer requirements by country,”
       pp. 1–12, 2021. [Online]. Available: https://iapp.org/resources/
       article/data-protection-officer-requirements-by-country/
[10]   R. K. Yin, Case study research and applications. Sage, 2018.
[11]   B. G. Glaser, J. Holton et al., “Remodeling grounded theory,”
       in Forum qualitative sozialforschung/forum: qualitative social
       research, vol. 5, 2004. [Online]. Available: https://doi.org/10.
       17169/fqs-5.2.607
[12]   D. Korff and M. Georges, “The DPO Handbook Guidance for
       data protection officers in the public and quasi-public sectors on
       how to ensure compliance with the European Union General Data
       Protection Regulation,” pp. 1–247, 2019.
[13]   C. L. S. EEIG). GDPR Enforcement Tracker - list of GDPR fines.
       [Online]. Available: https://www.enforcementtracker.com/
[14]   Article 29 Data Protection Working Party, “Guidelines on Data
       Protection Officers (‘DPOs’) - WP 243 rev. 01,” Brussels, 2017.
[15]   N. Casutt and N. Ebert, “Data protection officers: Figureheads of
       privacy or merely decoration,” in 16th European Conference on
       Management, Leadership and Governance. Academic Confer-
       ences International limited, 2020, p. 39.
[16]   N. Dragoni, A. Lluch Lafuente, F. Massacci, and A. Schlichtkrull,
       “Are we preparing students to build security in? A survey of euro-
       pean cybersecurity in higher education programs,” IEEE Security
       and Privacy, vol. 19, no. 1, pp. 81–88, Jan 2021.
APPENDIX A
CASE STUDIES' REFERENCES
A.1   Description of Supplementary Tables
In distilling our reference scenarios, we followed the
case study methodology suggested by Yin in [10]. In this
view, multiple (at least six) sources of evidence can exist
for building a case study. Because better case studies rely
on various sources, usually used for triangulation, we
employed multiple sources of evidence (for example, court
decisions, supervisory authorities' decisions, job advertise-
ments, and newspaper articles). The distilled scenarios mask
the persons or organizations involved in the original
case study to make it more general and less vulnerable to
retraction based on the right to be forgotten.
    Table 6 shows how each scenario from Table 2 covers a
DPO function as described in Table 1. Table 7 links the
reference scenarios described in Table 2 with examples of
possible impacts (consequences of the vulnerabilities) that
help describe these scenarios better.
    Tables 9 and 10 list the sources of the case studies used to
distill the scenarios presented in Table 2 (in Sections 4 and
C.1, respectively). Table 11 lists the sources of the other case
study examples cited in the article that do not belong to the
twelve scenarios.
    The source of the example cited in Section 7 as a case of
a court that reverted an attempt to mandate qualifications is
the first one listed in Table 11. For the years of professional
experience in data protection that a DPO should have, one
can refer to the second row of Table 11: that document
specifies that the head of the investigation expects the DPO
to have at least three years of professional experience in data
protection. From the third row onward, the same table lists
the related documents (such as job descriptions and
advertisements for hiring DPOs, and internal regulations
describing the DPO's requirements) that we examined in
Section 7.
    Table 12 lists the sources of evidence used to build the
case related to an integrated video surveillance system using
an OCR camera (P1, Table 4).
    Finally, we analyzed the types of GDPR fine cases in the
sites listed in [13] and counted the number of cases for each
type. Moreover, we related these types to our twelve
scenarios (see Table 14 for this classification).
TABLE 6
Scenarios' correlations to DPO functions

Table 6 shows how each scenario from Table 2 covers a DPO function as described in Table 1.

WRONG-ADVICE
  Primary function(s): Advisory function
  Ancillary function(s): Organizational function
IGNORED-DPO-ADVICE
  Primary function(s): Organizational function, Advisory function
  Ancillary function(s): (lack of) Enforcement
DPO-ADVICE-NOT-SOUGHT
  Primary function(s): Monitoring of compliance
  Ancillary function(s): Advisory function, Organizational function, Cooperative function, (lack of) Enforcement
WEBSITE-FORCES-CHOICES
  Primary function(s): Monitoring of compliance
  Ancillary function(s): Enforcement, Advisory function
ADMIN-ASKS-FOR-EVERYTHING
  Primary function(s): Handle queries or complaints (or) Monitoring of compliance
  Ancillary function(s): Monitoring of compliance (or) Handle queries or complaints, Enforcement, Information and raising awareness function
NEGLECTED-SUBJECT-RIGHT
  Primary function(s): Cooperative function, Handle queries or complaints
  Ancillary function(s): (lack of) Monitoring of compliance, (lack of) Organizational function
SUBJECT-RIGHT-REQUEST
  Primary function(s): Handle queries or complaints
  Ancillary function(s): Monitoring of compliance, Organizational function
NO-DATA-PROTECTION-PRINCIPLES
  Primary function(s): Organizational function
  Ancillary function(s): Advisory function
UNCHECKED-REMOTE-MONITORING
  Primary function(s): Organizational function
  Ancillary function(s): Advisory function
WRONG-PUBLIC-PROCUREMENT
  Primary function(s): Advisory function
  Ancillary function(s): Information and raising awareness function
SOFTWARE-END-OF-LIFE
  Primary function(s): Advisory function
  Ancillary function(s): Organizational function
SUBCONTRACTOR-VIOLATES-PRIVACY
  Primary function(s): Investigation, Monitoring of compliance
  Ancillary function(s): Advisory function, Organizational function, Enforcement, Cooperative function

TABLE 7
Scenarios' possible consequences

Table 7 links the reference scenarios described in Table 2 with examples of possible impacts (consequences of the vulnerabilities) that help describe these scenarios better.

WRONG-ADVICE
  Examples of consequences: The controller's evaluation of the risk that the processing poses to the rights and freedoms of individuals could be wrong.
IGNORED-DPO-ADVICE
  Examples of consequences: The processing could be risky for the rights and freedoms of natural persons.
DPO-ADVICE-NOT-SOUGHT
  Examples of consequences: Anyone could pretend to be another data subject and access his or her personal data.
WEBSITE-FORCES-CHOICES
  Examples of consequences: The legal basis of the processing is lost.
ADMIN-ASKS-FOR-EVERYTHING
  Examples of consequences: Excessive and irrelevant personal data are disseminated over the Internet by the controller, making them accessible to an indefinite number of unauthorized subjects.
NEGLECTED-SUBJECT-RIGHT
  Examples of consequences: The infringement of the data subjects' rights provisions exposes the controller to administrative fines of up to 20000000 EUR, or up to 4% of the total worldwide annual turnover.
SUBJECT-RIGHT-REQUEST
  Examples of consequences: The controller may not be able to respond to the data subject's request, exposing it to complaints and administrative fines.
NO-DATA-PROTECTION-PRINCIPLES
  Examples of consequences: A personal data breach may happen because of unauthorized disclosure of personal data.
UNCHECKED-REMOTE-MONITORING
  Examples of consequences: The technicians can connect to a workstation independently, without notifying the user of their access request and acquiring the user's prior consent. Moreover, they can connect to a workstation and stealthily monitor all activities the user logged into the computer is doing.
WRONG-PUBLIC-PROCUREMENT
  Examples of consequences: A contractor that offers products or services that are not GDPR-compliant can win a bid, and the call for tender may be subject to litigation.
SOFTWARE-END-OF-LIFE
  Examples of consequences: It is impossible to guarantee adequate security and functionality of the equipment.
SUBCONTRACTOR-VIOLATES-PRIVACY
  Examples of consequences: The tender may be subject to litigation.