
Conducting a Pre-implementation Audit of the GDPR Project Part 3 of 4

by: Mitchell H. Levine, CISA

Audit Serve, Inc.     

The General Data Protection Regulation (GDPR) project, as discussed in our previous two articles, should lead the compliance and audit departments to conduct pre-implementation reviews to ensure that the project is proceeding at a pace that will allow it to be completed by May 25, 2018.

The third part of this article focuses on the regulations not previously discussed, on which the pre-implementation audit should focus its attention to ensure that proper project initiatives have been established within the organization to meet their requirements.  With the General Data Protection Regulation (GDPR) set to replace the Data Protection Directive 95/46/EC (referred to as the “former directive” hereafter) effective May 25, 2018, many of the requirements discussed in this article were already present in the former directive, but the “bar” was set much lower.  In addition, the former directive did not itself prescribe the administrative fines that the GDPR introduces.

Expressed Consent

GDPR sets a much higher standard of explicit consent than the former directive for the processing of special categories of personal data, which relate to fundamental rights and freedoms, such as data revealing the racial or ethnic origin or religious beliefs of the data subject.

As part of explicit consent, controllers cannot request open-ended consent to cover future processing.  The controller is required to disclose fully the data that will be processed, the purpose of the processing and the identity of all third parties with which the controller shares data, including the output of processing the subject’s data.

GDPR also introduces additional protections for children by requiring parental authorization before a child’s data is collected and processed where online services are offered directly to a child below the age of consent set by the Member State (16 by default, which Member States may lower to no less than 13).

Data subjects are also given the right to withdraw consent and to have their personal data erased, which raises the business and technical challenges discussed in the first part of this article.


Where a controller’s existing mechanism for collecting consent does not meet the requirements set forth in the GDPR, a project initiative will be required to collect consent again under the new standard.  Since the methods of processing the data in question, and the third parties with which the data is shared, may change periodically in the future, a system needs to be in place that tracks all of these events and ties them to each data subject.

The pre-implementation audit needs to ensure that project initiatives have been established to collect and track these consents.
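As an added illustration (this is not code from the article or from Audit Serve), the following Python sketch shows one way a consent-tracking system of the kind described above could enforce the rule against open-ended consent and keep a per-subject, append-only history of grants and withdrawals that an auditor can inspect. The class names, the list of purposes treated as open-ended, and the sample subject, purposes and recipients are assumptions made for the example; real systems would also record the consent artefact itself and the lawful basis for any processing that does not rely on consent.

```python
"""Hypothetical consent ledger (added example, not from the article).

Models the GDPR point that consent must be specific: each grant names the data
categories, one purpose, and the recipients. A processing operation is permitted
only if an active (not withdrawn) grant covers all three at the time in question.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional

# Assumed, illustrative list of "purposes" that would amount to open-ended consent.
OPEN_ENDED_PURPOSES = {"any", "all", "any purpose", "future processing"}


def _now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only ledger entry. kind is 'grant' or 'withdraw'."""
    at: datetime
    kind: str
    subject_id: str
    purpose: str
    data_categories: FrozenSet[str] = frozenset()
    recipients: FrozenSet[str] = frozenset()
    evidence: str = ""   # reference to the captured consent artefact (form id, recording, ...)


class ConsentLedger:
    """Per-subject consent history. Events are appended, never edited or deleted,
    so the ledger is also the audit trail tied to each data subject."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, subject_id: str, data_categories, purpose: str, recipients,
              evidence: str, at: Optional[datetime] = None) -> ConsentEvent:
        # Reject consent that is not tied to a specific purpose, data set and recipient list.
        if purpose.strip().lower() in OPEN_ENDED_PURPOSES:
            raise ValueError(f"open-ended purpose {purpose!r} is not specific consent")
        if not data_categories or not recipients:
            raise ValueError("data categories and recipients must be named explicitly")
        ev = ConsentEvent(at or _now(), "grant", subject_id, purpose,
                          frozenset(data_categories), frozenset(recipients), evidence)
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal is a new event, not a deletion: the original grant stays on record.
        ev = ConsentEvent(at or _now(), "withdraw", subject_id, purpose)
        self._events.append(ev)
        return ev

    def is_permitted(self, subject_id: str, data_categories, purpose: str, recipients,
                     at: Optional[datetime] = None) -> bool:
        """True if the most recent grant for this subject/purpose at time `at` is not
        withdrawn and covers every requested category and recipient."""
        at = at or _now()
        needed_cats, needed_rcpts = frozenset(data_categories), frozenset(recipients)
        active: Optional[ConsentEvent] = None
        for ev in sorted(self._events, key=lambda e: e.at):
            if ev.subject_id != subject_id or ev.purpose != purpose or ev.at > at:
                continue
            active = ev if ev.kind == "grant" else None
        if active is None:
            return False
        return needed_cats <= active.data_categories and needed_rcpts <= active.recipients

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Full event trail for one data subject, e.g. for an audit or an access request."""
        return [ev for ev in self._events if ev.subject_id == subject_id]


def demo_scenario() -> dict:
    """Constructed sample walk-through (not real data): one subject grants consent,
    later withdraws it, and a share with a recipient never consented to is attempted."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    t1 = t0 + timedelta(days=30)
    ledger = ConsentLedger()
    ledger.grant("subject-42", {"email", "ethnicity"}, "clinical research study",
                 {"controller", "lab-alpha"}, evidence="webform#7731", at=t0)
    ledger.withdraw("subject-42", "clinical research study", at=t1)
    try:
        ledger.grant("subject-42", {"email"}, "any", {"controller"}, evidence="webform#7732", at=t0)
        open_ended_rejected = False
    except ValueError:
        open_ended_rejected = True
    return {
        "covered_at_t0": ledger.is_permitted("subject-42", {"email"}, "clinical research study", {"lab-alpha"}, at=t0),
        "new_recipient_at_t0": ledger.is_permitted("subject-42", {"email"}, "clinical research study", {"lab-beta"}, at=t0),
        "other_purpose_at_t0": ledger.is_permitted("subject-42", {"email"}, "marketing", {"controller"}, at=t0),
        "covered_after_withdrawal": ledger.is_permitted("subject-42", {"email"}, "clinical research study", {"lab-alpha"}, at=t1),
        "open_ended_rejected": open_ended_rejected,
        "events_for_subject": len(ledger.history("subject-42")),
    }


if __name__ == "__main__":
    print(demo_scenario())
```

The point-in-time check matters for the audit: a historical processing run is judged against the consent that was active when it happened, while the withdrawal event shows from when further processing had to stop. Adding a new third party to an existing purpose fails the check until a fresh grant naming that recipient is recorded, which is the "tracks all of these events" requirement in the text.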

Right To Access

Data subjects are given the right of access to their data and to be provided with the details of how their data was processed; the controller must respond without undue delay and in any event within one month of the request unless an extension applies.  Controllers will have to set up a mechanism to respond to these access requests.  In addition, a process will need to be established to validate the identity of the data subjects who request access to their data, since disclosing a subject’s data to an impostor would itself be an unauthorized disclosure.

The pre-implementation audit needs to ensure that project initiatives have been established to track these requests, the response deadlines, and the methods used to authenticate the requester’s identity.

The fourth part of this article which covers data breaches and data portability will be covered in the next issue of Audit Vision.


Copyright © 2015. All Rights Reserved.