• responsible medical departments, like radiology and surgery
• main datacenter
• back-up data center
• the companies servicing the data centers
• hospital pharmacy
• staff, like financial administration and human resources
• patients at home and in retirement centers etcetera
2. Set up a high-level mapping of the flows of personal data processed between the above-mentioned parties in the newly merged hospital organization.
3. Describe the possible risks to personal data due to the merger, and the responsibilities and challenges you face as a DPO during the merger.
Recommended time
2 hours
Expected results
A presentation for the two Boards (approximately 10 minutes) about the following topics in the future situation after the merger:
• a short analysis of the roles and responsibilities of the controllers and processors (see the list of stakeholders above);
• a high-level mapping of the data flows between these controllers and processors and the data subjects;
• the DPO’s role and responsibilities towards the various stakeholders (the controllers or processors mentioned earlier);
• an analysis of three data protection risks that might arise from the merger and the recommended mitigating actions.
Assessment criteria for the exercise
The individual candidate can:
• analyze which role each stakeholder has according to the GDPR and how the stakeholders interrelate;
• make and provide a data mapping of the different roles;
• apply the tasks of the DPO in the given specific context;
• demonstrate how to act in compliance with the GDPR in the event of a hospital merger.
Assignment 2 Checklist
The trainer can assess each candidate on each exam specification.
4. Assignment 3: Executing a DPIA: Outsourcing of personal data processing
Background
A company named Alpha Manufacturing Inc. (Alpha) outsources the payroll processing operation of the company’s employees to a company called Beta Cloud Services S.A. (Beta).
Company Alpha has the role of controller, company Beta has the role of processor.
Company Beta is certified according to the latest ISO 27001 (Information Security) standard and has been selected through the procurement process of company Alpha.
The board of directors of company Alpha has requested that a Data Protection Impact Assessment (DPIA) be performed. The DPIA should address the outsourcing of the processing of personal data (by a newly developed payroll application) to this external service provider, in full compliance with the EU GDPR. The results have to be reported directly to the board.
A DPIA is required because:
• it concerns the application of a new technological solution in a changed organizational set-up;
• the processing of this specific personal data by the external party could have a significant impact on the daily lives and privacy of company Alpha’s employees.
The first two steps of the DPIA have already been executed.
A description of the envisaged processing operations and the purposes of the processing is available. The purpose of the processing has been defined by the board.
The inventory of the payroll personal data and the data flows are available, as well as an overview of the responsibilities for and ownership of these personal data. This inventory was set up by a privacy analyst working at the legal department.
Your Assignment
You are a group of three employees of the privacy department of company Alpha. You divide among yourselves the roles of the data protection officer (DPO) and two employees in charge of privacy tasks.
The board assigns the three of you as the DPIA project group and asks you to perform the following steps of the DPIA. Since this is a heavy workload, you divide the steps among the three of you: each role takes responsibility for preparing two of the steps of the DPIA.
1. make a list of data subjects and stakeholders (internal and external) that you need to consult;
2. assess the necessity and proportionality of the processing;
3. make a list of measures envisaged to demonstrate compliance with the EU GDPR Regulation;
4. assess the risks to the rights and freedoms of data subjects;
5. present the measures envisaged to address the risks;
6. make an overview of the necessary documentation and products.
Recommended time
3 to 4 hours
Expected Results
A presentation of approximately 15 minutes in which you present your set-up of the remaining DPIA steps and the outline for documentation detailing:
• consultation with the internal and external stakeholders;
• assessment of the necessity and proportionality of the processing;
• measures envisaged to demonstrate compliance with this Regulation;
• assessment of the risks to the rights and freedoms of data subjects;
• measures envisaged to address the risks;
• an overview of the necessary documentation and products.
Assessment criteria for the assignment
• The presentation must contain all of the above-mentioned topics;
• Per candidate, two of the DPIA steps must be prepared and presented;
• The steps must be prepared in accordance with the literature requirements (Literature A and E) and common best practices;
• The candidate must be able to provide insight and adequate solutions within the timeframe of the assignment.
Assignment 3 Checklist
The trainer can assess each candidate on each exam specification.
5. Evaluation
The trainer can fill out the final evaluation below for each individual candidate. When a minimum of 9 out of 14 (65%) of the criteria have been observed, the candidate has successfully performed the practical assignments.
Please note that some of the exam specifications are assessed in more than one assignment. If the requirement has