This article provides a list of questions sent to companies by the German Data Protection Authority to get an overview of the status of GDPR preparation and compliance. It is a good starting point for audits of GDPR compliance.
By: Jessica Jacobi
On 29 June 2018, the local Data Protection Authority (DPA) of Niedersachsen announced that it had published a questionnaire, which had recently been sent to 20 large and 30 mid-sized companies from various industry sectors located in the German state of Niedersachsen. The local DPA pointed out that it does not plan to send the questionnaire to small businesses such as carpenters or bakeries.
The purpose of the questionnaire is to give the DPA an overview of the status of GDPR preparation and compliance across a range of companies. At this stage, the focus is not on finding mistakes or imposing fines; the plan is to support companies, raise their awareness of the GDPR and give advice. Serious breaches, however, will nevertheless be fined.
The list of questions covers the following topics:
1. Preparation for the GDPR
How have you as a company prepared for the GDPR? Briefly explain the approach, which departments were involved and what measures have been taken. If these measures are not completed yet, please explain the status of implementation.
2. Register of Processing Activities
Have you ensured that there is a register in place of all activities in which personal data are being processed? How do you ensure it is updated regularly? Please provide us with an overview of the registered activities and with a sample process description.
3. Legal Basis
On what legal basis do you process personal data? If you are using consent, please provide us with your template.
4. Data Subject Rights
How are you making sure that data subjects are informed about their data subject rights (e.g. information, answer to data subject access requests, deletion, restriction and portability)? Please describe the applicable processes and provide us with templates.
5. Technical Data Protection
a) How do you ensure that your own and your processors’ technical and organisational means of data protection provide a security level which is in line with the risk involved in the processing?
b) How do you ensure that your technical and organisational measures are kept updated?
c) Do you have a documented and compliant process in place to ensure that data access is and will continue to be appropriately restricted on the basis of job roles?
d) How do you ensure that the principles of Privacy by Design and Privacy by Default are being taken into account from the start when IT products or services are changed or developed?
6. Data Protection Impact Assessment
a) Do you perform a Data Protection Impact Assessment for processing with high risk to the rights and freedoms of data subjects?
b) Have you identified, within your company, any processing activities that may result in a high risk to the rights and freedoms of data subjects? Which?
7. Data Processing
Have you updated your contracts with data processors based on the requirements of the GDPR? If you are using a template, please provide us with this, along with your current processing contract with one of your processors.
8. Data Protection Officer
How is your Data Protection Officer involved in your organisation? What proof of competence does s/he have?
9. Data Breach Reporting Duty
How have you made sure that any data breaches will be reported to the DPA in due time? Describe the processes.
Regarding documentation relating to GDPR compliance, how are you able to demonstrate compliance with questions 2 to 9 above?
There have been previous questionnaires from other Data Protection Authorities, such as the one published by the Bavarian Data Protection Authority in September 2017 in German and in English, which was intended to help companies prepare for the GDPR. This new list of questions is somewhat shorter and better structured. It is a good starting point for any self-contained audit of GDPR compliance.