The Data Protection Programme
The records and procedures that make compliance demonstrable.
Compliance with the GDPR is not a state reached once, but a programme that is maintained. The principle of accountability — Article 5(2) — requires the organisation not only to comply, but to demonstrate that it complies. The data protection programme is the machinery that makes that demonstration possible, and the DPO is the one who monitors it.
The following elements form the core of the programme. They are not bureaucracy: they are the records and procedures that, before the CNPD, a data subject or a court, prove the organisation takes data protection seriously.
Records of Processing Activities
The Article 30 register: purposes, categories of data and data subjects, recipients, transfers and retention periods — the backbone of accountability.
Lawful Bases
The identification and documentation of the lawful basis for each processing operation, under Articles 6 and 9, including consent management where applicable.
Impact Assessments (DPIA)
The assessment of high-risk processing and the management of residual risk, under Article 35.
Processor Agreements
The Article 28 contracts governing processors, with the required guarantees and instructions.
Security of Processing
The technical and organisational measures appropriate to the risk, under Article 32, coordinated with the organisation's cybersecurity function.
Breach Management
The procedure for personal data breaches: the 72-hour notification and the communication to data subjects, under Articles 33 and 34.
International Transfers
The lawful framework for transfers to third countries, under Chapter V — adequacy decisions, standard contractual clauses and supplementary measures.
Data Subject Rights
The procedures that guarantee the exercise of rights under Chapter III, within the legal time limits.