How should the DPO monitor GDPR compliance?

The EU guidance on GDPR states the following in relation to how the DPO should monitor compliance by data controllers (i.e. the Practice).

“As part of these duties to monitor compliance, DPOs may, in particular:

  • collect information to identify processing activities,
  • analyse and check the compliance of processing activities, and
  • inform, advise and issue recommendations to the controller or the processor.”

The ELR GP Fed Data Protection Officer service for practices achieves this through the following means:

  1. Practices fill out an initial self-assessment questionnaire
  2. The DPO reviews their self-assessment and provides initial advice on each area as to next steps
  3. The DPO periodically reviews outstanding actions and seeks clarification from the Practice on what is being done to achieve compliance