The Lower Saxony Data Protection Authority (Lower Saxony DPA) has audited 50 large and medium-sized organizations over the last couple of months regarding their implementation of the requirements of the General Data Protection Regulation (GDPR), and is currently finalising the audits. On 7 August 2019, the Lower Saxony DPA released the checklist that it used in assessing the organisations’ GDPR readiness (Checklist; available in German here).

The Checklist

In total, the Checklist consists of 10 categories of questions and about 200 GDPR compliance criteria. These include, for example:

Category of questions Main GDPR compliance criteria include
GDPR readiness · How did your organisation prepare for GDPR?

· Which departments of your organisation have been involved in GDPR preparation?

Records of processing activities (ROPAs) · How did your organisation ensure that it created ROPAs for all necessary processing activities?
Legal bases for data processing · What are the legal bases for your organisation’s processing activities?
Data subject rights · What processes does your organisation have in place to ensure that data subjects can assert their rights under GDPR?

· Please explain, in particular, how your organisation complies with its information obligations.

Data security · How does your organisation ensure that it has implemented the technical and organisational measures (TOMs) necessary to ensure a level of security appropriate to the risk?

· How does your organisation ensure that the TOMs are state of the art?

· How does your organisation ensure that it has a documented authorisation concept for current and future IT applications?

· How does your organisation ensure that the concepts of privacy by design and privacy by default are implemented in the process of creating or changing goods or services?

Data protection impact assessment (DPIA) · How does your organisation ensure that it recognises that a processing activity requires a DPIA?

· For what processing activities did your organisation determine that a DPIA is necessary?

Data processing agreements · Did your organisation update existing agreements with data processors?
Data protection officer (DPO) · How is the DPO integrated within your organisation?

· Has your organisation documented that the DPO has sufficient data protection knowledge?

· Was the DPO notified to the supervisory authority?

Data breach notifications · What is your organisation’s process for ensuring notification of data breaches within the statutory deadline?
Accountability · How does your organisation demonstrate compliance with the requirements listed above?

Comment

According to the Lower Saxony DPA (see statement from last year here), the main objective of its audits was not issuing fines, but determining where organisations still have compliance gaps and raising awareness of GDPR requirements. These audits and the publication of the Checklist show that, one year after the GDPR entered into force, supervisory authorities are becoming more active (e.g., by conducting general audits of organisations’ GDPR readiness), and so organisations should be finally prepared.

The Checklist is a helpful tool for organisations to review their own GDPR readiness as it highlights the main topics that supervisory authorities might focus on.