Finally, the GDPR highlights the situations of disorganization. We are witnessing the attempts to carry out what has not been done so far, especially from the point of view of operational concreteness.
In drafting the treatment register, emerges the problem of the assessment regarding the appointments of external data processor.
I have observed that some controllers ‘spam’ their suppliers, by filing a declaration of compliance of their products / services to GDPR, moving the responsibility towards external data processors.
In my opinion this approach is immature and husty: this is not accountability. Perhaps this is how it is still demonstrated not to attack the problem according to the risk assessment perspective, contravening the spirit of GDPR, because it starts from a solution without having previously analyzed the process risk.
How can possible a partnership and a cultural growth from these bases?