
It GDPR RACI Chart

This tool helps allocate roles and responsibilities for GDPR and privacy efforts across organizational teams. It clearly defines each team's responsibilities using the RACI model where individuals are designated as Responsible, Accountable, Consulted, or Informed for various GDPR-related actions and requirements. The tool should be used in accordance with the provider's terms of use and is intended to provide general information only, not specific professional advice.

Uploaded by

Shivesh Ranjan

GDPR RACI Chart

Leverage this tool to identify and understand the owners of various GDPR requirements across the different work units. This RACI chart will help clearly define each organizational team's roles and accountabilities.

For acceptable use of this tool, refer to Info-Tech's Terms of Use. These documents are intended to supply general information only, not specific professional or personal advice, and are not intended to be used as a substitute for any kind of professional advice. Use this document either in whole or in part as a basis and guide for document creation. To customize this document with corporate marks and titles, simply replace the Info-Tech information in the Header and Footer fields of this document.
This tool will help you allocate ownership and responsibility for any new or existing GDPR and privacy efforts in your organization. Each action item has specific individuals allocate their time and effort to it; they are responsible and accountable for it. Individuals are also listed as consulted or informed.
• Responsible – The person(s) who does the work to accomplish the activity; they have been tasked with completing the activity or getting a decision made.
• Accountable – The person(s) who is accountable for the completion of the activity. Ideally, this is a single person and is often an executive or program sponsor.
• Consulted – The person(s) who provides information. This is usually several people, typically called subject-matter experts (SMEs).
• Informed – The person(s) who is updated on progress. These are resources that are affected by the outcome of the activities and need to be kept up to date.

Legend:
R – Responsible
A – Accountable
C – Consulted
I – Informed

| Related Regulation Article | Actions | RACI |
|---|---|---|
| | Document (and manage documentation for) each business unit's processing activities as related to personal data. | A R C C |
| Article 1(c) | Review existing data sets for opportunities to remove data that is no longer necessary or purposeful. | - A A - |
| Article 9 | Review current processing procedures to ensure that special/sensitive categories of personal data are not processed. | I I R A |
| Article 32 (1) | Conduct risk assessment(s) to understand level of risk to data subject. | - R R A |
| Article 32 (1) | Identify state-of-the-art technology that will adequately address risk. | |
| Article 33 | Assess existing incident response capabilities for 72-hour breach notification. | A A |
| Article 33 | Integrate GDPR requirements into incident response procedures. | |
| Article 7 | Where necessary, develop and manage a consent process. | - A A - |
| Article 6 | Ongoing review of data processing procedures. | - R R A |
| Article 14 | Management of data subject access requests. Include verification of identity. | - R R A |
| Article 16 | Develop and maintain a process for rectifying data when necessary. | I C C R |
| Article 17 | Develop and maintain a process that erases data subjects' personal data. Create a record of erasure for data subjects. | - - R R |
| Article 20 | Track data portability requests. Include investigation of validity in each data portability request. | - - R R |
| Article 30 | Document, retain, and maintain a record of processing for each processing activity. | - - R R |
| Article 21 | Collect, document, and act on data subjects' objections to automated decision making. | |
| Article 22 | Identify current and ongoing processes, business practices, marketing tactics, etc. that rely on automated decision making or profiling. Document the aligned business unit. | |
| Article 24(1) | Align any existing or upcoming projects that may constitute "technical and organizational measures" as means to protecting personal data. | - - C C |
| Article 24(2) | Creation, approval, and enforcement of data protection policies. | I - C C |
| | Provide an incident update to the board of directors. | - - C C |
| | Determine if any regulatory, legal, or compliance mandates are contradicted by implementing GDPR processes. Document exceptions. | - - - R |
| Article 35, 36 | Develop a process for creating (and when necessary) circulating Data Protection Impact Assessments. | |
| Article 25 | Integrate data privacy by design into all upcoming IT and business projects. | |
| Article 37 | Document your analysis and decision regarding appointing a data protection officer (DPO). | |

Work Units

C - - - -

C C R -

- - - - -

R -

R C C C

C C R -

R - -

R -

C I - - I -

R - - - - -

R - - - - -
- - - - I -

C R C - A -

- - A - - -

- C - C A -

- R I - R -
