In the early days of GDPR preparation, how the General Data Protection Regulation (GDPR) would be enforced and how strict Member States’ Data Protection Authorities (DPAs) would be was left to speculation. Germany, however, implemented GDPR directives before the May 25, 2018 deadline, clearly indicating to many organizations that the country would be a serious enforcer.
Six months after implementation, Germany’s DPAs for the Lower Saxony and Bavaria regions have begun conducting GDPR audits to determine organizations’ levels of compliance. Since May, organizations’ priorities have shifted (or should have) from GDPR readiness to GDPR operationalization, and audits are the primary way DPAs can evaluate whether organizations have taken compliance with the regulation seriously. In this post, we will focus on the German DPAs’ use of GDPR audits and why this new development is noteworthy.
The Purpose Behind the DPAs' GDPR Audits
DPAs monitor organizations’ application of the regulation for two key reasons: 1) to ensure the fundamental rights and freedoms of natural persons are protected when it comes to data processing and to facilitate the free (secure) flow of personal data across the EU. Article 58 1(a)-(f) of the GDPR gives DPAs the authority to investigate controllers and processors through data protection audits, obtaining documentation on the use of personal data and the equipment used to process and retain data.
DPAs are responsible for enforcing the regulation within their own regions. The Lower Saxony DPA kicked off the GDPR audit process in July when it sent 50 companies a questionnaire to determine their level of compliance, looking at how they use the different lawful bases of processing, how they respond to data subject requests, the role of their DPO, their breach notification procedures, and more. Now that questionnaires have been distributed, Lower Saxony stated that it will begin conducting onsite audits soon.
Bavaria’s DPA began onsite GDPR audits in September and stated that it will provide a notice to in-scope companies with a description of the audit 4 to 6 weeks in advance.
The goal of these GDPR audits is to identify where there may be gaps in compliance and how these two DPAs could assist and provide further guidance on how to implement the GDPR. Neither DPA has elaborated on the measures they will take if an organization fails to comply in a number of areas.
What is a GDPR Audit?
A GDPR audit assesses an organization’s ability to respond to data subject requests (i.e., deletion, portability, access) in a timely and effective manner; policies and procedures; the maturity of the DPO role; an organization’s data protection impact assessment (DPIA) program; breach response processes; and the effectiveness of the organization’s de-identification and encryption methods.
In order to conduct a proper audit, a DPA may ask an organization for specific documents, such as data processing agreements, consent templates, records of processing, retention policies, as well as access to data subject requests and the company’s response.
Performing Your Own GDPR Audits to Evaluate Your Organization's Compliance
In the same way that Germany’s DPAs are using audits to assess an organization’s compliance, organizations can be proactive and conduct their own GDPR audits to self-assess their compliance programs before the regulators do. GDPR enforcement is expected to become more stringent over time, and GDPR audits are a practical way of measuring whether the GDPR-related policies and processes an organization implemented are compliant and operating effectively.
Many regulators consider audits to be the most efficient way for EU Member States to validate organizations’ compliance with the GDPR. It is likely that the use of GDPR audits will rise across EU Member States over this inaugural year of GDPR implementation. Therefore, organizations should conduct their own GDPR audits regularly to monitor their compliance.
GDPR audits are not only a tool for DPAs, but also for organizations actively seeking to identify any issues or gaps before regulators decide to conduct an audit, which could result in greater consequences. To learn more about how to perform GDPR audits (and microaudits), check out our webinar on operationalizing your GDPR program.
Get more insights into the latest GDPR news.
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.