Guidelines on the protection of personal data in IT governance and IT management

adopted from the European Data Protection Supervisor 2018-03-27 back
  1. These guidelines are to assist education institutions, schools, course provider and agencies ("institutions") especially in the EU in enhancing their internal control system for the management and governance of their IT systems in order to ensure that their processes and systems comply with their legal responsibilities regarding the processing of personal data throughout. These guidelines complement individual guidelines on specific IT related matters, such as those on mobile devices, web services, mobile apps and cloud computing.
  2. This guidelines are also compliant to the European Data Protection Supervisor (EDPS). The EDPS may among other tasks issue Guidelines on specific issues related to the processing of personal data.
  3. This is in order to ensure that personal data is processed in line with data protection principles, “data protection by design” and “data protection by default” constitute good practices in the management of IT systems.
  4. The establishment of an effective internal data management and control system is the responsibility of every institution. It is good practice for the management to demonstrate its “accountability” by taking full account of its obligations. Following the adoption of the General Data Protection Regulation (GDPR), the principles of accountability, data protection by design and data protection by default will become mandatory for EU companies as the EU legislator has embedded these principles as legal obligations in the GDPR.
  5. These guidelines do not provide all necessary guidance for the implementation of data protection by design in specific IT solutions, as concrete technical measures will need to be designed and implemented for each specific technical context of every company.
  6. However, introducing accountability for privacy and data protection also in IT management and IT governance processes is a necessary condition to meet these and other obligations in the future. The guidelines should be considered by Data Protection Officers (DPOs) and Data Protection Coordinators or Contacts (DPCs) within each company, as well as IT staff and other services concerned with the development and operation of IT systems, and to all persons carrying responsibility as controllers. They will also be useful to senior management in supporting a culture of data protection from the top of the organization.
  7. While the purpose of these guidelines is to make it easier for companies to fulfil their obligations, they do not take away any of the responsibility applying them. The measures recommended in these guidelines are not intended to be exhaustive or exclusive. They will be flexible enough to allow integration with expected process on accountability, and to be future oriented by considering expected legislative changes. Every company may choose alternative, equally effective, measures other than the ones presented in this document taking into account their specific needs. Their effectiveness will need to be justified in writing.
  8. IT governance IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.
  9. IT management Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
  10. IT governance structures and processes must be designed to ensure compliance with data protection principles and their effective implementation. They should also cover organisational and staff related aspects, such as clearly setting roles and responsibilities, raising awareness of all staff on existing data protection law and policies.
  11. Article 5 of the GDPR provides for accountability by stipulating that "the controller shall be responsible for, and be able to demonstrate compliance with the data protection principles of 'lawfulness, fairness and transparency', 'purpose limitation', 'data minimisation', 'accuracy', 'storage limitation' and security ('integrity and confidentiality')”.


  1. It is of utmost importance that data protection principles should be unambiguously supported at management level.
  2. Senior management, whether or not performing the role of the controller for specific data protection operations, has to be accountable for data protection. If not themselves performing the role of the controller, the senior management should still take specific responsibility to ensure compliance with Data Protection rules, e.g. by setting up appropriate organisational structures and procedures, so that operational management is provided with the means and powers to perform the role of controller and ensure compliance effectively.
  3. Senior management should designate a responsible20 for data protection (e.g. Data Protection Officer, Data Protection Coordinator) and provide the responsible with a mandate to implement data protection policies
  4. Existing policies and procedures on data protection should be well known by all staff. This can be ensured through e.g. mandatory induction training, provision of informative material or recurrent training.
  5. Policies, procedures as well as responsibilities and functions regarding data protection should be regularly monitored and maintained.
  6. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract,
  7. the data subject has unambiguously given his or her consent,
  8. processing is necessary in order to protect the vital interests of the data subject.
  9. Inception (Start): As a starting point, it should be determined whether data processed via the respective IT system is personal data or not, or whether it can become personal data as the result of such processing.
  10. Requirements collection: Data protection requirements should be collected from stakeholders and documented in the IT system's specification phase.
  11. Design: Additional safeguards should be used such as encryption and multi-level access controls to mitigate high risk processing if an IT system processes especially sensitive (personal) data e.g. physical/mental health, racial/ethnic origin, political opinion, religious belief, criminal verdicts.
  12. Construction and Development : The development team should be aware of data protection law and rules before the development phase starts. This can be guaranteed e.g. through training arranged with the DPO for the current and new development teams or equivalent measures.
  13. Operations and Maintenance: The maximum retention time for data on storage media should be determined to ensure that it is in line with contractual, legal and regulatory requirements. The retention time may differ for different storage purposes
  14. Formal change management procedures should be established and implemented to handle in a consistent way all requests for changes to an information system.
  15. Access to files containing personal data should be monitored on a permanent basis.
  16. Data exchange:Personal data should only be transferred via secure online channels. This can be achieved via trusted networks, using a channel where data is encrypted or equivalent means Institutions using email to transfer sensitive personal data should be aware of the inherent Data Protection issues of the technology which should be reflected in the Risk Assessment and ensure that this transmission is secured through e.g. encryption of a file, a secure email facility that encrypts the data including attachments or done only inside a trusted network.

Data protection by Design and by Default

Article 25 of the GDPR obliges controllers to "implement appropriate technical and organisational measures (…), which are designed to implement data protection principles, (…) and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects". "by default, only personal data which are necessary for each specific purpose of the processing are processed" (data protection by default). data protection by default is particularly relevant for systems which directly interact with users, inside or outside the EU Institutions. Where appropriate, any processing operations shall be limited to what is the absolutely necessary, as regards “the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility23” for persons or organisations. According to Article 2 of the Regulation, personal data shall mean any information relating to an identified or identifiable natural person

Three lines of defense

They are:
  1. Operational Management
  2. Risk Management Compliance Functions
  3. Internal Audit