GDPR, General Data Protection Regulation, GDPR Audit, GDPR Implementation, GDPR Consulting, GDPR Impact Analysis, GDPE Assessment

Conducting a Pre-implementation Audit of the GDPR Project Part 3 of 4

by: Mitchell H. Levine, CISA

Audit Serve, Inc.     

The General Data Protection Regulation (GDPR) project as discussed in our previous two articles should necessitate the compliance and audit departments to conduct pre-implementation reviews to ensure that they are proceeding at the proper pace to ensure that the GDPR project will be completed by May 25, 2018.

The third portion of this article focuses on the regulations previously not discussed in which the pre-implementation should focus its attention to ensure that proper project initiatives have been established within the organization to meet the requirements of these regulations.  With the General Data Protection Regulation (GDPR) set to replace the Data Protection Directive 95/46/ec  (referred to as “former directive” hereafter) effective May 25, 2018, many of the regulations discussed in this article were included in the former directive but the “bar” was set much lower.  In addition the directive did not have any enforcement penalties that are part of the GDPR.

Expressed Consent

GDPR has much higher standard of explicit consent as compared to the former directive for the processing of special categories of personal data which relates to the fundamental rights and freedoms such as data which reveals ethnicity, religion or racial origin of the data subject.

As part of the expressed consent, controllers cannot request open-ended consent to cover future processing.  The controller is required to provide full disclosure of the data that will be processed, the purpose of the processing and the identity of all third parties that the controller shares data with which includes the output from the processing of the subject data.

GDPR also introduces additional protections for children by requiring parental authorization prior to collecting and processing the child’s data.

Data subjects are also given the right to withdraw consent and have their personal data erased which offers business and technical challenges as discussed in the first part of this article. 


If your organization has completed most of its GDPR initiatives, Audit Serve, Inc.  is scheduling GDPR Project Assessments to determine the degree in which your organization has completed these initiatives.  Contact me @ to discuss our proposal of services or visit our website 

Since the controller did not provide the proper mechanism to collect the expressed consent which meets the requirements set forth in the new GDPR, a project initiative will be required to collect these expressed consents.  Since the methods of processing of the data in question and the third parties in which the data is shared may change periodically in the future, a system needs to be in place which will tracks all of these events which is tied to each data subject.

The pre-implementation audit needs to ensure that the project initiatives have been established to track these expressed consents. 

Right To Access

Data subjects are provided the right of access to their data, and be provided the detailed specifications of how their data was processed.  Controllers will have to set up a mechanism to respond to these access requests.  In addition, a process will need to be established to validate the identity of the data subjects who request access to their data.

The pre-implementation audit needs to ensure that the project initiatives have been established to track these requests and the methods used to authenticate the requestor’s identity.

The fourth part of this article which covers data breaches and data portability will be covered in the next issue of Audit Vision.


AuditNet - The Global Resource for Auditors

Audit Vision

Since 1991
Join 3,500 other subscribers



Free Audit Serve Seminars Posted Online

25 minute extract from the seminar entitled "Alternate Control Design Approaches for z/OS" presented by Mitch Levine in London (at the Churchill War Rooms) March, 2018 which would be of interest to IT Audit, Security and GRC personnel

General Data Protection Regulation Seminar

Copyright © 2015. All Rights Reserved.