Conducting a Pre-implementation Audit of the GDPR Project Part 2 of 4

by: Mitchell H. Levine, CISA
Audit Serve, Inc.

The General Data Protection Regulation (GDPR) project as discussed in our previous article should necessitate the compliance and audit departments to conduct pre-implementation reviews to ensure that they are proceeding at the proper pace to ensure that the GDPR project will be completed by May 25, 2018.

The previous part of article focused on the right to be forgotten and the extensive business process and IT changes which are required to remove all traces of individual identification from both the structured and unstructured data environment. This second and third part of this article will focus on the other key regulations on how they pre-implementation review should be approached to ensure that project initiatives are established to satisfactory address the requirements of the regulation. Understanding the project initiatives required for the GDPR project is based on thorough understanding each of the regulations and interpreting the minimum steps which need to be taken to achieve compliance with each of the regulations. These steps are included in the GDPR project assessment which will drive the implementation requirements. The outputs generated from the project assessment will include the functional design specifications to re-engineer the business process and the IT changes need to support the “overhaul” to the business which may be required to meet GDPR.

One of the issues with approaching the GDPR now 20 months (as of mid-September, 2016) is that many of the regulations are quite vague in terms of the scope of the project initiatives (e.g., non-defined criteria for the Data Protection Impact Assessment). It is understood that the EDBP (European Data Protection Board) is the central authority for issuing guidance but a large number of provisions allow the member states to set the rules for important contexts of individual regulations (e.g., member states broadly categorizing data as being used for national security purposes bypassing individual data protection rights). If the member states lower the bar as compared to other member states there will not be a consistent application of the protection of individual rights. Ultimately, the big unknown factor for the overall bar that needs to be set for the implementation of these regulations is the role of the courts when companies take the fines that they are levied to court.

Organizations unfortunately can’t wait till complete guidance is issued by EDBP and member states and must proceed with project initiatives based on their interpretation of the regulations.

The pre-implementation review should provide an opinion for the following areas:

  • Has an impact analysis been performed to identify whether the organization is in scope for some or all regulations set forth in the GDPR based on the manner in which conduct business with EU citizens (i.e., either directly or through business partnerships). As part of this analysis, has all third parties in which “in-scope” data is shared been identified and have management oversight initiatives been established to ensure these third parties will be compliant with GDPR prior to the required implementation date?
  • Has project assessment been performed to interpret the business process and IT changes that are need to support the minimum compliance to each regulation?
  • Is the project itself on track to meet the regulations within the required implementation dates? This would require periodic reports to be issued throughout the duration of the project.
  • Based on the audit or compliance group’s independent business and technical IT design walkthrough of initiatives established to meet the regulations set forth in GDPR, do they satisfactorily address the regulations?


If your organization has completed most of its GDPR initiatives, Audit Serve, Inc.  is scheduling GDPR Project Assessments to determine the degree in which your organization has completed these initiatives.  Contact me @ to discuss our proposal of services or visit our website   


One of the key initiatives that is a key input to establishing processes to meet the requirements of most of the regulations relate to understanding where data elements (i.e., which in combination are used to derive the identity of an individual and their associated activity which are governed by data protection laws) are stored, the manner in which they are stored (i.e., in a single data record or spread across a multitude of unlinked records) and who the data is shared with (i.e., need to track sharing of GDPR in-scope data to ensure these third parties implement measures to be GDPR compliant).

The pre-implementation review needs to focus on the inventory processes which are used to ensure all locations of where data relating to individual identification are identified. Using manual process such as relying on subject matter experts to identify the databases and tables which potential contain individual identifiable data elements is not sufficient to meet the regulation. Automated tools such as used to identify PII data needs to be considered for this critical project initiative. Knowing that GDPR provides “an out” for not complying with a regulation due to the difficulty of implementing a solution, it is critical that all a complete detailed design document is established which identifies all mechanisms used to store individual identifiable data elements which would then be tied to a business and technical justification of the reason a solution cannot be implemented.

The third portion of this article will be published in the October issue of Audit Vision.


Mitchell Levine, CISA, Founder and President of Audit Serve Inc. and his consulting team  conducts GDPR Impact Analysis and Project Assessments of organizations. Contact Mr. Levine for additional information.

AuditNet - The Global Resource for Auditors

Audit Vision

Since 1991
Join 3,500 other subscribers



Free Audit Serve Seminars Posted Online

25 minute extract from the seminar entitled "Alternate Control Design Approaches for z/OS" presented by Mitch Levine in London (at the Churchill War Rooms) March, 2018 which would be of interest to IT Audit, Security and GRC personnel

General Data Protection Regulation Seminar

Copyright © 2015. All Rights Reserved.