Big school of GDPR lesson 5: Harmonizing organizational structure and business processes, reporting

This is the time when you need to appoint a person responsible for the protection of personal information in the organization. Do not mix the function of a Personal Data Protection Officer, who your company has already appointed under the old Act with this function. The new function has almost no similarities with the old one.

Selection of DPO

The data protection officer (DPO) must be appointed in all organizations that collect or process larger amounts of personal data, regardless of whether the data is about employees, clients or a third category, if:

  • processing is carried out by a public authority or public body, except for courts acting within its jurisdiction,
  • the main activities of the processing manager or processing operator consist of processing procedures that, due to their nature, scope and/or purpose, require regular and systematic monitoring of the respondents to a large extent, or
  • the main activities of the processing manager or processing operator consist of extensive processing of special categories of data and personal data in connection with criminal convictions and punishable offenses.

All in all, if you collect and process your personal information, you are required to name a DPO regardless of whether you are a private company or a part of public authority.

Formally, the DPO's task is at minimum:

  • notifying and consulting the manager or the processing operator, and the employees who process personal data on their obligations under the Regulation,
  • monitoring the compliance with the Regulation and internal policies and other regulations related to the protection of personal data,
  • assigning responsibility for the protection of personal data to employees and third parties involved in the collection and processing of personal data,
  • raising awareness and education in the area of personal data protection,
  • incorporating privacy protection into auditing processes,
  • counseling in the implementation of impact assessment on data protection,
  • cooperation with supervisory bodies,
  • supervise risk management processes in the processing of personal data.

In reality, the DPO will be expected to propose an overall personal data management strategy, which includes the allocation of operational responsibilities from this area to business sectors, the design of identification and response procedures, incident reporting, the management of the harmonization process and the design of the control efficiency measurement system.

You will find it very difficult to find an ideal DPO, because this highly responsible position requires a wide range of knowledge and experience, and that is not enough. Keep in mind that DPO maintains the reputation of your organization and protects you from the enormously high penalties planned for offenders. You want the DPO to report directly to the management board. Instead of one person many will have the whole department because the characteristics your DPO should have are:

  • at least 10 years of experience that must at least include the following areas:
    • Understanding of the EU, global and local privacy protection legislation, including experience in designing privacy policies, NDA and SLA agreements, and other processes and documents that regulate privacy protection,
    • Management of information systems, and understanding of programming and system administration,
    • IT security management system and their certification according to security standards,
    • analysis and revision of information systems, assessment and risk management,
  • ability to manage projects and achieve goals with different types of coworkers (business, legal, IT ...),
  • negotiating abilities for effective communication with the regulator,
  • experience in managing outsourcing,
  • excellent communication skills,
  • proactivity in work and the ability to acquire the necessary knowledge independently,
  • proactivity in monitoring upcoming regulation and technologies,
  • experience in designing and implementing education and awareness raising programs,
  • experience in work and communication in multicultural and international environments (if you provide services on the international market).


In addition, the DPO must not be in conflict of interest. Therefore, the DPO cannot be operationally responsible for the implementation of personal data protection activities because his/her task is to monitor the effectiveness of these activities. The DPO cannot be an IT sector employee, nor CISO.

The likelihood of finding an ideal DPO within your organization is small. However, try to find or hire a person who best suits this description and intensively educate him/her in the areas where it is needed. Informal education in the form of exchange of experience within a community of experts can help you solve specific problems. Zagreb GDPR MeetUp ( ) is one of such places.

Accelerate, simplify, and make it cheaper

DPO must be appointed by name and surname, but he/she does not have to be your employee. This function can be outsourced. The wisely agreed outsourcing of the DPO function can solve initial errors, save you lots of time and money, and result in better implementation of GDPR.

If you are not sure that you are good enough in this area, find someone who has a lot of experience and is already working on numerous GDPR projects. Ideally, let it be a company that will dedicate an experienced DPO for you, but will also provide legal and IT support. As part of the outsourcing service, require the outsourced DPO to meet all of the above requirements and give special attention to the experience of other GDPR projects and information security management projects. Do not forget what GDPR means, DP - Data Protection!

Organizational structure

Head of the privacy accountability structures will be DPO or Personal Data Protection Officer as this function is formally called in the Croatian translation of the Regulation, while all other responsibilities will ideally be distributed through the organization in a way to integrate them with normal business responsibilities. For example, a person responsible for managing information security (CISO) is already responsible for the security of all data, including personal ones. Now CISO will also make sure that security policies are aligned with special requirements related to the security of personal data. The IT manager will ensure that incident management procedures in information systems are harmonized with the specifics of GDPR. Managers of business sectors will identify personal data within their business processes and define ways to handle this information in accordance with organizational policy of personal data management or GDPR, and so on.

What is a personal data management policy? That is a document where the management board expresses its attitude towards the protection of personal data and assigns responsibilities for their protection and compliance. Such a roof policy is the basis for building a personal data management system. Guidelines for creating a personal data management policy can be downloaded here.

When designing responsibilities, be guided by the rule that personal data management responsibilities must be integrated to the existing business processes to the fullest extent, and responsibility should, wherever possible, be assumed by persons who are already responsible for carrying out the process. For example, the responsibility for dealing with personal information in the sales department must be borne by the same person responsible for the results of that department.


By the old Act, you had to register your personal data base with the AZOP. This practice is recognized as ineffective and expensive. It is therefore necessary to abolish such comprehensive obligations of general notifications and to replace them with effective procedures and mechanisms that instead focus on those types of processing that are likely to cause high risks to individuals' rights and freedoms by virtue of their nature, scope, context and purpose.

You are expected to responsibly manage personal data based on risk assessment, i.e. the effect on data protection. You must make sure that the data is used responsibly and appropriately protected during processing. Only if this is not possible, you are obliged to report to the appropriate supervisory body and consult with it. Until now that body was AZOP, maybe it will stay, and maybe we will get a completely new agency. The Croatian law has not yet decided on this issue.

In addition to the supervisory body, you will also need to report to the owner of personal information about the changes made regarding his/her data as well as the reasons for not making a change to his/her application, which you must do within one month of submitting the application. In the event that the owner of the personal data has obtained a temporary ban on the use of the data in processing, prior to the expiration of this ban you must notify him/her about it.

If you process personal data that has been transferred to you by another organization, and access to data for example is requested by a judicial authority, you are obliged to notify the processing manager if the legal basis on which the access is sought does not prohibit it. A typical example of such a ban would be access to personal data for the purpose of protection against terrorism.

In the event of a breach of personal data security, you must notify the supervisory authority within 72 hours of the incident's discovery and, if necessary, the data owner as well. In this report, you must at least describe the nature of the personal data breach, provide DPO's contact details, describe the probable consequences of the incident, and the measures you have taken to prevent the incident and reduce the damage.

Also, a procedure for reporting to data owners on changes to security policies or regulations related to the protection of personal data should be established as well.

Finally, remember that there is also internal reporting. You must measure the effectiveness of the personal data management system. You must report to the Management Board about the results. You should equally keep records of completed education and awareness-raising programs, and include the results in a management report. The internal audit will have to include in its reports also a report on the audit results of the personal information management system.

In the next issue, we will deal with changes in IT systems. These changes are relatively small in number, but with their complexity and cost they are the biggest obstacle in compliance with GDPR requirements.

Large poster with a list of 137 GDPR requirements and recommendations

To download for free the large poster with a list of 137 GDPR requirements and recommendations, you must complete all fields in the form, after which the download of the document will be activated.

URL for news «Big school of GDPR lesson 5: Harmonizing organizational structure and business processes, reporting»   -
«»   -