With the GDPR applicable for more than a year, most companies have spent a lot of time and money implementing the new requirements under data protection law.

Now that the initial hectic pace of implementation has subsided, businesses should take their time to subject the results to a critical review. This serves to avoid surprises when a data subject files a complaint or the supervisory authority initiates an audit.

In a highly useful move, the supervisory authorities have published the questions they are asking in connection with their initial audits. The Lower Saxony State Commissioner for Data Protection published the “2018/19 criteria catalogue for cross-sectional audits in business” (https://lfd.niedersachsen.de/startseite/datenschutzreform/ds_gvo/kriterien-querschnittspruefung-179455.html). It not only contains standard questions on the records of processing activities or on the rights of data subjects, but also in-depth information on about 200 individual criteria. Questions include, for example, the requirements for data erasure or the risk-based approach and the associated assessment process in the area of technical data protection.

The audit of the data protection impact assessment not only covers the status quo. In fact, it starts one stage earlier and examines the decision process as to whether or not a data protection impact assessment must be carried out for processing operations. In addition, there are many other detailed questions. The Bavarian State Office for Data Protection Supervision has also already started audits of the implementation of the GDPR in small and medium-sized enterprises. It has likewise published a relevant questionnaire (https://www.lda.bayern.de/media/pruefungen/201811_kmu_fragebogen.pdf).

Practical tip: Make sure to review how the GDPR has been implemented in your company by using the published questionnaires. We will gladly support you with our expert analysis of your existing processes and documentation.