DPO Self-Assessment Checklist
v.1.0, 10.05.2023
The purpose of this checklist is to help privacy professionals assess their readiness to become Data Protection Officers (DPO). It covers the areas to review when identifying strengths and weaknesses, the topics to examine when analyzing knowledge gaps, and examples of useful templates and checklists.
Name:
Date:
Current Position:
Years of experience: Privacy: ___ Cybersecurity: ___ Legal: ___

Certificates
  Privacy: ☐ CIPP/E ☐ CIPP/US ☐ CIPP/C ☐ CIPP/A ☐ CIPM ☐ CIPT ☐ CDPO ☐ CDPSE
  Cybersecurity: ☐ CISM ☐ CISSP ☐ CISA ☐ LA/LI 27001
  Project Management: ☐ PMP ☐ CompTIA Project+ ☐ PgPM ☐ PPM ☐ PRINCE2 Practitioner ☐ ACP ☐ CPM
  Other:

Membership: ☐ IAPP ☐ ISACA ☐ ISC2
  Other:

Education: ☐ Legal ☐ Cybersecurity / IT ☐ Other
  Degree:

Knowledge of legislation: ☐ EU (GDPR) ☐ US ☐ Canada ☐ Brazil (LGPD) ☐ China (PIPL) ☐ Singapore (PDPA) ☐ Saudi Arabia (PDPL) ☐ UAE (PDPL) ☐ Australia ☐ New Zealand ☐ Other:
  Local requirements (Country / State):

Expertise in industries:

Experience with standards and best practices
  Privacy: ☐ ISO 27701 ☐ ISO 27018 ☐ BS 10012 ☐ ISO 31700 ☐ EDPB/W29 guidelines ☐ CNIL’s DPO Guide ☐ NIST Privacy Framework ☐ ICO Accountability Framework / GDPR Guide ☐ TrustArc-Nymity Integrated Frameworks
  Cybersecurity: ☐ ISO 27001/27002 ☐ PCI DSS ☐ ISF SoGP ☐ NIST CSF ☐ NIST 800-53 / 800-53A ☐ COBIT ☐ NCSC Cyber Essentials ☐ HIPAA ☐ CIS Critical Controls ☐ ACSC ISM ☐ SOC2 ☐ CSA Cloud Controls Matrix (CCM) ☐ HITRUST CSF ☐ MITRE ATT&CK
  Other:

Experience with software and services
  Privacy Management (e.g., OneTrust, BigID, Securiti, TrustArc, WireWheel, Collibra):
  Regulatory research (e.g., DataGuidance, GDPR Enforcement Tracker):
  GRC (e.g., Workiva, OneTrust, ServiceNow, MetricStream, Camms, LogicManager, IBM):
by Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001
[Link]/AndreyProzorov
Columns: Topic | Knowledge (☹ ☐ 😐 ☐ ☺ ☐) | Templates and Checklists

Privacy Information Management System (PIMS)

1. Standards and best practices
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Mappings (e.g., GDPR to ISO 27701) (examples)
   ☐ Set of privacy controls (examples)
   ☐ Set of cybersecurity controls (examples)

2. Data Protection Scope
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Data protection scope (template)

3. Context
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Fines (by country, by industry)
   ☐ List of requirements (template)
   ☐ Needs and expectations of interested parties (template)
   ☐ Communication plan (template)

4. DPO role
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Mission statement (template)
   ☐ Job description (template)
   ☐ Notification / Declaration (template aligned with the Lead SA’s requirements)

5. Privacy Committee and Privacy Champions
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ General presentation / Statute of the Committee (example)
   ☐ MoM (template)

6. Data Protection Policy and Framework
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Data Protection Policy / PIMS Policy (examples)
   ☐ Privacy Framework / BCR (template)
   ☐ RACI Chart (template / example)

7. Privacy Program
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Privacy Program / Roadmap (example)

8. Documents
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ List of documents (example)

9. Awareness
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Set of awareness presentations (examples)
   ☐ Knowledge tests (example)
   ☐ Privacy promotional merchandise

10. Monitoring and Measurement
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Set of metrics / KPIs (template / example)

11. Audits and Assessments
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Audit plan (template)
   ☐ Audit / Gap analysis report (template)
   ☐ Questionnaires and checklists
   ☐ Accountability Checklist

12. Management Review
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Privacy management review report (template)

13. Nonconformity Management and Continual improvement
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Nonconformity report (template)
   ☐ Nonconformity register (template)
   ☐ Privacy issues register (template)
Columns: Topic | Knowledge (☹ ☐ 😐 ☐ ☺ ☐) | Templates and Checklists

Privacy / Data Protection

1. Privacy Principles
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   N/A

2. Lawfulness of processing
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Legitimate Interests Assessment (LIA) template

3. Rights of the data subject
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Privacy Request Register (template)
   ☐ Sample responses (examples)

4. Consent
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Consent (checklist)
   ☐ Consent (template)

5. Transparency and notification
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Privacy Notice (checklist)
   ☐ Privacy Notice (template)

6. Data Inventory / Records of Processing Activities
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ List of personal data (example)
   ☐ Records of processing activities (checklist)
   ☐ Records of processing activities (template)

7. Data Retention
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Data retention policy (template)

8. Third-party management
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Data processing agreement (checklist)
   ☐ Data processing agreement / Standard Contractual Clauses (template)
   ☐ Third-party register (template)
   ☐ Sample questionnaire for third parties

9. Data protection by design and by default
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ New process assessment / DPIA lite (template)

10. DPIA/PIA
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Data Protection Impact Assessment (template)
   ☐ DPIA Register (template)

11. Security
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   N/A

12. Breach Notification
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Data breach assessment (template)
   ☐ Data breach notification (template)
   ☐ Data Breach Register (template)

13. Codes of conduct and Certification
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   N/A

14. Data Transfer
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Data Transfer Impact Assessment (template)
   ☐ Binding corporate rules, BCR (examples)

15. Special cases: Employee monitoring
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ CCTV (checklist)
   ☐ CCTV warning sign (template)

16. Special cases: Cookies
   Knowledge: ☹ ☐ 😐 ☐ ☺ ☐
   ☐ Cookie Policy and Consent (checklist)
   ☐ Cookie Policy and Banners (examples)
See also: Privacy Implementation Toolkit - [Link]