SENTINEL leverages a rule-based engine (the Recommendation Engine) to select and recommend Organisational and Technical Measures (OTMs), based on each participating organisation's individual setup (SME profiling).
The rule-based engine evaluates a number of conditions (rules) in each organisation's profile and, based on the results, specific measures are selected, as part of the recommended policy.
The vast majority of OTMs are selected based on the risk level established for the organisations and each of its Personal Data Processing Activities (PAs). Note that organisation data and PA data are all part of the organisation profile.
In the subsections below, we shall attempt to present these rules, in plain human language, for the sake of explainability and transparency.
Please note that SENTINEL recommends OTMs with a risk-based approach: OTMs appropriate to a low level of risk will be recommended to all organisations and/or PAs, while medium- and high-level risk OTMs will only be additionally recommended when the organisation and/or its PAs are assessed at the corresponding risk level.
You can browse a complete listing of the SENTINEL organisational and technical measures (OTMs), sorted by risk level.
Finally, a number of special conditional rules are implemented for edge cases, such as some GDPR compliance-related requirements.
The rules below are conditional and fire specific OTMs when specific conditions are met.
| No. | Condition (rule) | OTM triggered |
|---|---|---|
| 1 | IF lawful_basis IS ("consent" OR "contract") | O6.L.19 Data subjects shall be provided with the means to request the transfer of their personal data to themselves or another controller. Appropriate workflows shall be created to enforce data subjects' requests to obtain and reuse their personal data for their own purposes, or for their personal data to be made available to data subjects in a structured, commonly used and machine-readable format. |
| 2 | IF (PA_risk_level>low) | O6.M.7 Execute a DPIA (Data Protection Impact Assessment) for this Processing Activity before any actual processing takes place |
| 3 | IF [PA_privacy_risk_criteria INCLUDES ("data processed on a large scale")] THEN IF [PA_privacy_risk_criteria INCLUDES ("systematic monitoring")] OR [[data_subject_category IS ANY OF (patients, children)] OR [any special_data_categories SELECTED]] | O2.M.1 A Data Protection Officer (DPO) shall be nominated or appointed. The DPO is an independent role tasked with a) monitoring the organisation's GDPR compliance; b) advising the organisation on its data protection obligations; c) providing advice on DPIAs and monitoring their performance; and d) acting as a contact point between data subjects and the relevant supervisory authority (e.g. DPA). |
| 4 | IF all the criteria above (in rule 3) are true AND the PA risk is HIGH | O2.H.1 The organisation shall formally appoint a Data Protection Officer (DPO) for a) monitoring the organisation’s GDPR compliance; b) advising the organisation on its data protection obligations; c) providing advice on DPIAs and monitoring their performance; and d) acting as a contact point between data subjects and the relevant supervisory authority (e.g. DPA), as well as the establishment, implementation, maintenance and continual improvement of the information privacy management system |
| 5 | IF (org_size > small) (also auto-recommended for all PAs with a risk of MEDIUM or higher) | O6.M.8 A detailed digital Record of Processing Activities (ROPA) shall be created and maintained at all times, to include significant information about processing of personal data within this Processing Activity, including data categories, data subjects, the purpose of the processing, the data recipients, data transfers, processing risk criteria and other pertinent information. This ROPA must be made available in full to authorities upon request. |
| 6 | IF ((recipient_type == "recipient outside the EU") && (transfer_country INCLUDES ANY (non_eu_countries)) && (NO guarantees are provided)) | O6.M.6 Ensure that the GDPR rules and safeguards for transferring personal data outside the EU/EEA have been properly enforced (BCR, CCDT, SCCs, Commission adequacy decision, certification, etc.). If such guarantees don't accompany the transfer, personal data may still be transferred with a) a court judgement; b) explicit data subject consent; c) a transfer necessary to a contract with the data subject or regarding their interest; d) a transfer necessary to the public interest; e) a transfer necessary for the defence of legal claims; f) a transfer necessary to protect the vital interests of the data subject; or g) where the data is public and open for consultation. |
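To make the six rules above and the risk-tiered baseline concrete, here is an added illustration in Python. It is not SENTINEL's own Recommendation Engine code: it re-implements the table's conditions over a constructed SME profile. Field names follow the variable names used in the table (org_size, lawful_basis, PA_privacy_risk_criteria, and so on); the organisation-size scale, the non-EU country sample, the profile values and the `tier_applies` reading of the "Ox.T.n" code layout are assumptions made for the example.

```python
"""Added illustration of a rule-based OTM recommendation engine (not SENTINEL's code).

Re-implements the six conditional rules from the table and the risk-tiered
baseline ("L" measures for everyone, "M"/"H" only at that assessed risk) over
a constructed SME profile. Names and sample data are assumptions for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}
SIZE_ORDER = {"micro": 0, "small": 1, "medium": 2, "large": 3}   # assumed size scale
NON_EU_COUNTRIES = {"US", "IN", "BR"}                            # constructed sample, not a legal list


@dataclass
class ProcessingActivity:
    name: str
    risk_level: str                                   # "low" | "medium" | "high"
    lawful_basis: str                                 # e.g. "consent", "contract", "legal obligation"
    privacy_risk_criteria: set[str] = field(default_factory=set)
    data_subject_categories: set[str] = field(default_factory=set)
    special_data_categories: set[str] = field(default_factory=set)
    recipient_type: str = "internal recipient"
    transfer_countries: set[str] = field(default_factory=set)
    transfer_guarantees: bool = True                  # BCR / SCCs / adequacy decision in place


@dataclass
class OrgProfile:
    org_size: str
    risk_level: str
    activities: list[ProcessingActivity]


def tier_applies(otm_code: str, assessed_risk: str) -> bool:
    """Risk-based baseline: the tier letter in the 'Ox.T.n' code (assumption) decides
    whether a catalogue OTM applies at the assessed risk level."""
    tier = {"L": "low", "M": "medium", "H": "high"}[otm_code.split(".")[1]]
    return RISK_ORDER[tier] <= RISK_ORDER[assessed_risk]


def rule_otms(org: OrgProfile, pa: ProcessingActivity) -> set[str]:
    """Evaluate the six conditional rules for one PA and return the OTM codes fired."""
    fired: set[str] = set()
    # Rule 1: portability workflows when processing rests on consent or contract
    if pa.lawful_basis in ("consent", "contract"):
        fired.add("O6.L.19")
    # Rule 2: DPIA before processing for anything above low risk
    if RISK_ORDER[pa.risk_level] > RISK_ORDER["low"]:
        fired.add("O6.M.7")
    # Rule 3: DPO when large-scale processing meets an aggravating criterion
    large_scale = "data processed on a large scale" in pa.privacy_risk_criteria
    aggravating = (
        "systematic monitoring" in pa.privacy_risk_criteria
        or bool(pa.data_subject_categories & {"patients", "children"})
        or bool(pa.special_data_categories)
    )
    dpo_needed = large_scale and aggravating
    if dpo_needed:
        fired.add("O2.M.1")
    # Rule 4: formal DPO appointment when rule 3 holds and the PA risk is high
    if dpo_needed and pa.risk_level == "high":
        fired.add("O2.H.1")
    # Rule 5: ROPA for larger organisations, and for every PA at medium risk or above
    if SIZE_ORDER[org.org_size] > SIZE_ORDER["small"] or RISK_ORDER[pa.risk_level] >= RISK_ORDER["medium"]:
        fired.add("O6.M.8")
    # Rule 6: third-country transfer without guarantees
    if (pa.recipient_type == "recipient outside the EU"
            and pa.transfer_countries & NON_EU_COUNTRIES
            and not pa.transfer_guarantees):
        fired.add("O6.M.6")
    return fired


def recommend(org: OrgProfile) -> dict[str, set[str]]:
    """Per-PA map of OTM codes selected by the conditional rules."""
    return {pa.name: rule_otms(org, pa) for pa in org.activities}


# Constructed sample profile: a small clinic with one high-risk and one low-risk PA.
SAMPLE_ORG = OrgProfile(
    org_size="small",
    risk_level="high",
    activities=[
        ProcessingActivity(
            name="patient portal", risk_level="high", lawful_basis="consent",
            privacy_risk_criteria={"data processed on a large scale", "systematic monitoring"},
            data_subject_categories={"patients"}, special_data_categories={"health data"},
            recipient_type="recipient outside the EU", transfer_countries={"US"},
            transfer_guarantees=False,
        ),
        ProcessingActivity(name="payroll", risk_level="low", lawful_basis="legal obligation"),
    ],
)

if __name__ == "__main__":
    for pa_name, codes in recommend(SAMPLE_ORG).items():
        print(f"{pa_name}: {sorted(codes) or 'no conditional OTMs'}")
```

Running the sample shows the two ends of the scale: the high-risk patient portal fires all six rules, while the low-risk payroll PA of a small organisation fires none, which is exactly the risk-based behaviour described above (only the low-tier baseline applies to it). The `tier_applies` helper separates that baseline gating from the conditional rules, so a catalogue entry such as O6.M.7 is never offered to a PA assessed at low risk unless a rule explicitly selects it.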