The following subsection describes how to identify appropriate technical and organizational measures when determining the means.
While determining the purposes of processing specifies what the processing shall achieve, determining the means specifies how this objective is achieved. In every step of determining this “how”, data protection principles and requirements must be taken into account.
Determining the means can be seen as producing an implementation plan for the processing activity. The plan entails resources, instructions, and technical and organizational measures; the latter are designed to implement the data protection principles. For a detailed discussion of measures that implement the various principles, see the “Main Principles” section in the general part of these Guidelines.
Managing the process of determining the means
Determining the means is often a substantial process that typically involves a multitude of persons, fields of expertise, organizational units or departments, and may even involve external consultants and experts.
The primary (meta-) organizational measure is therefore to set up the process of determining the means in a way that itself complies with data protection by design. This measure is referred to as a “meta-measure” since it is designed to identify those measures that actually implement the data protection principles. The meta-measure must assign clear responsibilities to the upper management:
- The upper management, which legally represents the controller, has to be in control of this process and mandate that data protection is appropriately taken into account in every step and decision.
- The upper management must be able to decide whether the determined means (i.e., the result of this process) actually comply adequately with the data protection requirements.
- At the end of this process, it is the responsibility of the upper management to sign off on the determined means and give a go-ahead for the actual processing operations (the processing itself).
There are various (meta-) organizational measures by which this can be achieved. Some examples are listed in the following:
- Every step or decision made as part of determining the means must describe the relevant data protection requirements and how they have been enforced or otherwise satisfied.
- If a staged approach is chosen, passing any stage gate must be subject to approval of the data protection aspects. [2]
- Persons responsible for determining whether data protection requirements have been met in the individual steps should be clearly designated.
- Where available, the data protection officer should be involved in the process. [3]
- (Continuous) documentation (i.e., demonstration) of how data protection has been considered and incorporated should be an integral part of the process. This serves both to satisfy the principle of accountability (see Art. 5(2) GDPR) and as the basis on which the upper management decides whether to formally approve the result for operational use (i.e., a go-ahead for the processing itself).
The process of determining the means inevitably needs to assess the effectiveness of various measures (see the discussion of effectiveness above). This typically requires performing
- risk assessments and
- surveys of the state of the art or market.
Note that the formal tool foreseen in the GDPR to assess the effectiveness of data protection measures is the data protection impact assessment (DPIA, see Art. 35 GDPR and the “DPIA” subsection in the “Main Tools and Actions” section in the general part of these Guidelines). Both a risk assessment and a description of the measures envisaged are among its mandatory contents (see Art. 35(7) GDPR). A DPIA is only formally required by the GDPR where the processing is likely to result in a high risk, but it can be used informally within the internal process. A DPIA is also a prime tool for documenting compliance with data protection by design.
Larger organizations with several distinct processing activities in particular can benefit from a more systematic approach to determining the means. This can include the following:
- The use of data protection policies that apply to multiple processing activities and can thus bring economies of scale (see Art. 24(2) GDPR).
- The identification and application of applicable industry-wide codes of conduct, which can save effort and improve the quality of implementation (see Art. 24(3) GDPR).
The final result of a successful process of determining the means is a clear and documented approval of the means and a go-ahead by the upper management that represents the controller. The go-ahead is necessary in order for the controller to assume full responsibility for the processing (see Art. 29 GDPR). As an additional basis for the go-ahead decision, controllers can seek formal certification according to Art. 42 GDPR (see Art. 24(3) GDPR). Certification represents a formal attestation of compliance with the GDPR; note, however, that it does not reduce the controller’s own responsibility for compliance (see Art. 42(4) GDPR). A documented go-ahead is a prerequisite for the start of the operational stage of processing (the processing itself).
Assessing the effectiveness of measures relative to the data protection principles
The above process should apply all data protection principles systematically to every decision about the means. In particular, each principle has to be enforced with technical and organizational measures. It has to be shown that these measures are effective, taking into account
- “the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing”,
- “the cost of implementation”,
- “the state of the art”, and
- “the nature, scope, context and purposes of processing”
(the four factors of Art. 25(1) GDPR; see the discussion of effectiveness above).
When the risk is assessed (see the first bullet point), one basic risk is that the principle is violated or insufficiently guaranteed. This could be the case for all data subjects or only for special groups or minorities. Any vulnerable data subjects identified while determining the purposes should be taken into account here (see section 1.4.1).
To evaluate the third aspect of effectiveness (the state of the art), it may be necessary to conduct surveys of the state of the art.
One way to evaluate the effectiveness of measures is to use an iterative approach very similar to the one used to determine the purposes (see Figure 2). Instead of a version of the purpose specification, a concrete implementation plan is evaluated. This plan entails resources, instructions, and the technical and organizational measures already foreseen (see the “Main Principles” section in the general part of these Guidelines). In every iteration, the effectiveness of the measures is assessed and the plan is improved according to the shortcomings identified. The iterative process terminates when an implementation plan with effective measures has been found.
To render this process systematic, each task that results in a decision about the means has to be evaluated against all principles. An overview of possible tasks was given above. The precise breakdown of the overall determination into tasks depends, however, on the nature, scope, context and purposes of the processing activity. It is therefore necessary to adapt the breakdown into tasks to the concrete situation.
[2] Note that stages are not restricted to “waterfall” management, but exist also in agile methods, such as the Agile Unified Process, see http://www.ambysoft.com/unifiedprocess/aup11/html/phases.html (last visited 13/7/2021).
[3] Note that the data protection officer does not bear direct responsibility for compliance but is the internal expert likely most familiar with the requirements of the GDPR (see also Art. 39(1)(a) through (c) GDPR).