Conducting a Pre-implementation Audit of the GDPR Project Part 1 of 4

by: Mitchell H. Levine, CISA
Audit Serve, Inc.

The General Data Protection Regulation (GDPR)  project as discussed in our previous article, not only impacts companies operating in the EU which have a customers which are citizens of the EU but extends to companies and organizations around the world who have data on their systems comprised of EU citizens.   Also as stated in our previous article, this is no ordinary regulation which can be ignored based on the corporate view that it is not enforceable or they will not be exposed as not being GDPR compliant.

Having less than 21 months to meet all of the requirements set forth in the GDPR is a difficult task to perform for all organizations.  If organizations have not at least performed an impact analysis of the GDPR project as of this time the company is behind schedule which should be raised as an audit issue  

Auditors are required to escalate issues which impact the assets of their organization.  Due to the penalties that can be levied for non-compliance with GDPR, this project should be rated as the highest risk project that has confronted an organization since the Y2K project (i.e., risk of business failure due non-functional systems).  The best approach to escalate issues of non-GDPR compliance is through a pre-implementation audit of the entire GDPR project initiative. Unfortunately, most Audit groups no longer conduct pre-implementation audits due to the following reasons: 

1) Amount of resources which are required to be invested in this type of audit

2) The auditors inability to detect inadequacies of SDLC deliverable (e.g., missing component of functional requirements or user stories) or missing test conditions  which is attributed the auditor not approaching the pre-implementation review from an integrated audit standpoint and therefore not having the proper business knowledge to detect the missing component.  Without the commitment of including the integrated aspects of the audit, the quality of the pre-implementation review is impacted

Most pre-implementations audits have been reduced to ensuring all deliverable components were established as part of the SDLC and to ensure effective project management disciplines are being utilized After the determining whether an organization is inscope to be compliant with GDPR, the next step is to perform an impact analysis to determine the business impact to the organization’s business in order to be compliant with GDPR.  For some companies, GDPR bears a direct impact to the business model.  For example, if a business model is based on providing analytic data to companies in which the basis of the analytic data is the tracking of individuals, then the GDPR right to be forgotten project component would require the removal of these individuals from these tracking databases which is the basis of the company’s business.


If your organization has completed most of its GDPR initiatives, Audit Serve, Inc.  is scheduling GDPR Project Assessments to determine the degree in which your organization has completed these initiatives.  Contact me @ to discuss our proposal of services or visit our website


Another example would be the case in which an individual may be the key components of a business process such as a guarantor of a loan in which if their identity needs to be removed from the system which violates a key business rule.  These possible impacts to the business model must be identified in the early stages of the project since they will take longer to implement.  It should be noted that GDPR does have a provision which allows for non-compliance if the regulation proves too difficult to implement.

Once changes to the business processes are identified to meet GDPR requirements they need to be translated into a business and technical requirements which will drive the remaining part of the project.  The pre-implementation audit needs to focus on these critical stages of the project to ensure that they are proceeding at the proper pace to ensure that the GDPR project will be completed by May 25, 2018.  One of the most difficult aspects of the project is to identify all third parties that an organizations shares data with because these organizations also must achieve GDPR compliance.  Failure of these third party vendors to achieve compliance impacts the organization’s GDPR compliance and who will be held to the penalties set forth in GDPR.

The audit department as part of conducting this pre-implementation review should be issuing periodic reports throughout the next 21 months to provide management a view as to the progress of the project and whether they will achieve full GDPR compliance.  Compliance Departments should also be initiating a project to track the progress of the GDPR project.

The determination of whether an organization is required to meet GDPR must be determined immediately because the GDPR project initiatives may take more than the remaining 21 months available to complete the project.  The Audit Departments need to be at the forefront of spreading the awareness of the GDPR project because at this time there is a general lack of awareness in the industry especially with companies and organizations that are not based in the EU.

The next part of this article will go through each of the critical regulations of the GDPR and provide insights on how to approach the pre-implementation audit.       


Mitchell Levine, CISA, Founder and President of Audit Serve Inc. and his consulting team  conducts GDPR Impact Analysis and Project Assessments of organizations.   Contact Mr. Levine for additional information.


AuditNet - The Global Resource for Auditors

Audit Vision

Since 1991
Join 3,500 other subscribers



Free Audit Serve Seminars Posted Online

25 minute extract from the seminar entitled "Alternate Control Design Approaches for z/OS" presented by Mitch Levine in London (at the Churchill War Rooms) March, 2018 which would be of interest to IT Audit, Security and GRC personnel

General Data Protection Regulation Seminar

Copyright © 2015. All Rights Reserved.