2.1 Building a Privacy Management Program
One of the main objectives of TPOmap is to support an organisation’s Privacy Management Program.
Such a program is necessary to structure privacy compliance work efficiently and to ensure compliance with the accountability principle enshrined in Art. 24 GDPR.
Pursuant to that article, “taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with [the GDPR]”.
An organisation is thus responsible not only for complying with all data protection principles and material requirements relating to legitimacy and security of processing, transparency and data subject rights, but also for ensuring that it is able to demonstrate such compliance.
Based on relevant guidance from the data protection authorities and on our own data protection consulting experience since 2007, we consider that building an efficient Privacy Management Program requires the following basic steps:
GDPR project – Compliance over time

TPOmap has been designed to support each of these steps.