The Bavarian Data Protection Authority released a GDPR implementation questionnaire 12 months before the GDPR applies to businesses in Europe.
On 25 May 2017, 12 months before the General Data Protection Regulation (“GDPR”) applies to businesses throughout Europe, the Bavarian Data Protection Authority (Bayerisches Landesamt für Datenschutzaufsicht, “BayLDA”) released a questionnaire which it sent to 150 randomly selected companies in Bavaria. The questionnaire raises detailed issues about the current implementation status of GDPR procedures as well as responsibilities regarding security and accountability, record of processing operations, involvement of third parties, transparency, information requests and data subject rights, and treatment of data breaches.
The questionnaire covers all relevant areas of the GDPR and in most cases requires detailed answers. It is available in German from the BayLDA website at https://www.lda.bayern.de/media/dsgvo_fragebogen.pdf and in English, as prepared by CMS, at https://cms.law/en/content/download/306931/7742260/file/GDPR-BayLDA-Fragebogen-English.pdf. In its press release (in German, https://www.lda.bayern.de/media/pm2017_04.pdf) the BayLDA stated that the questionnaire is intended as a test to prepare for future enforcement and that it may be used for future audits. The BayLDA clarified that, at this point, companies are not required to reply to the questionnaire and that it is willing to provide guidance to companies regarding its assessment of the companies' GDPR compliance.
This questionnaire is one of the first official documents provided by a data protection authority regarding possible data protection audits and enforcement actions after May 2018. As many companies are still working to fully implement the GDPR requirements, the questionnaire may be a useful tool for assessing the status of their implementation.