Every new product and service must be checked against the GDPR for its processing of Personal Data. This check, a "DPIA light", should bring to light which Personal Data is used, for what purpose, for how long, by whom, where, and what happens when consent ends or is revoked.
For advice and management services, shared responsibility applies. This means that nothing extra needs to be arranged to do business: the client's agreement with PNO (in Dutch: Overeenkomst van Opdracht, or OvO), the General Terms & Conditions and the Privacy Statement together cover it all. For most financing mechanisms PNO NL works with, such as WBSO and MIT, a DPIA light is available.
Still, some clients want PNO to sign a Processing Agreement, for which a standard is available.
All PNO business processes around the Compliance service have been bundled in ffiqs. To become ISO 27001 certified, ffiqs prepared a 'Draaiboek' (playbook) and a DPIA. See the first link for details.
PNO offering SaaS services to clients: under construction.
When PNO acts as a Beneficiary in an EU consortium, it will in most cases become a Controller of Personal Data. More guidance is in the first link.