With the GDPR in force for more than a year, most companies have spent a lot of time and money implementing the new requirements under data protection law. Now that the initial hectic pace of implementation has subsided, businesses should take the time to subject the results to a critical review. This helps avoid surprises when a data subject files a complaint or the supervisory authority initiates an audit.
In a highly useful move, the supervisory authorities have published the questions they are asking in connection with their initial audits. The Lower Saxony State Commissioner for Data Protection published the "2018/19 criteria catalogue for cross-sectional audits in business" (https://lfd.niedersachsen.de/startseite/datenschutzreform/ds_gvo/kriterien-querschnittspruefung-179455.html). It not only contains standard questions on the records of processing activities or on the rights of data subjects, but also in-depth information on about 200 individual criteria. Questions include, for example, the requirements for data erasure or the risk-based approach and the associated assessment process in the area of technical data protection.
The audit of the data protection impact assessment does not only cover the status quo. It starts one stage earlier and examines the decision process as to whether or not a data protection impact assessment must be carried out for a given processing operation. In addition, there are many other detailed questions.
The Bavarian State Office for Data Protection Supervision has also already started audits of the implementation of the GDPR in small and medium-sized enterprises. It has likewise published a relevant questionnaire (https://www.lda.bayern.de/media/pruefungen/201811_kmu_fragebogen.pdf).
Practical tip:
Make sure to review how the GDPR has been implemented in your company by using the published questionnaires. We will gladly support you with our expert analysis of your existing processes and documentation.