By: Mitchell H. Levine, Audit Serve, Inc.
With the May 25th GDPR compliance date only a few months away, many organizations are facing the reality that they will not be able to complete all of the project initiatives required to meet every Article within GDPR. Knowing that many organizations, especially in the US, have only completed their impact analysis in the last six months (i.e., to identify the project initiatives that need to be completed), this three-part article is intended to provide a roadmap for GDPR compliance for those areas of GDPR that present the most risk to an organization if these initiatives are not completed.
One of the key factors contributing to the uncertainty about how far organizations need to take these project initiatives is the minimal guidance that has been provided by the Working Party 29, and for those guidance documents that have been issued (e.g., the guidelines on personal data breach notification), there is a lack of overall detail on how far these initiatives need to be taken.
The areas of GDPR compliance of highest importance are those in which non-compliance would result in fines issued by the Supervisory Authority or would form the basis of a lawsuit by a data subject (which could be a class-action lawsuit), as specified in Article 82 (Right to Compensation & Liability), where the data subject has suffered damages based on a Controller’s or Processor’s non-compliance with GDPR.
Upcoming Audit Serve GDPR Seminar entitled Assessment, Implementation and Auditing Approaches
April 11th Greater Hartford ISACA & IIA Southern NE Chapter Hartford, CT
April 16 – 17 Chicago ISACA Chapter Chicago
April 24th Detroit ISACA Chapter Novi MI (near Detroit)
April 26th Kansas City ISACA Chapter Overland Park, KS (Near KC)
May 1st NY Metro ISACA Chapter Manhattan
May 3rd Middle Tennessee ISACA Chapter Nashville
May 15th Vancouver ISACA & IIA Chapters Vancouver
May 17 - 18 Cincinnati ISACA Chapter Cincinnati registration to open April 15th
Since it is stated nowhere within GDPR that the Supervisory Authority will initiate random reviews of an organization to assess its GDPR compliance (unlike OCR audits by HHS to determine a Covered Entity’s or Business Associate’s compliance with HIPAA regulations), it is most likely that inquiries by the Supervisory Authority into an organization’s GDPR compliance will be based on complaints registered by data subjects. The following list represents the most likely types of complaints that will be registered by data subjects with the Supervisory Authority, which also fall under areas where data subjects have specific GDPR-granted rights:
- Not being provided a disclosure of the use of a data subject’s personal data by a Controller or Processor at the inception of the relationship (Article 13 & 14) which also ties to the Data Subject providing their Expressed Consent (Article 7 & 8)
- A controller not providing a mechanism to allow for the submission of a Subject Access Rights (SAR) Request
- A controller not providing all of the required components (i.e., tied to data subject rights) within their SAR request form
- A controller not processing a SAR request on a timely basis
- Instances in which a data subject’s data has been provided to a third party without the data subject’s expressed consent, or after the data subject has directed the controller to cease this action as part of a SAR request, which relates to the Right to Object (Article 21)
- A Controller or Processor not having a lawful basis for storing and processing the data subject’s data, which includes Controllers or Processors retaining data beyond what is required to support business processing requirements (as determined by Article 25)
- A data subject becoming aware that their personal data held by the Controller or Processor has become public based on a potential security breach
This list of complaint types will also be used as the basis for lawsuits by data subjects as specified in Article 82.
The two remaining parts of this article will discuss each of these complaint types in detail. They will also discuss the GDPR Articles which are less likely to result in fines by the Supervisory Authority or lawsuits from data subjects.
Mitchell Levine, CISA, Founder and President of Audit Serve Inc., and his consulting team conduct GDPR Impact Analysis and Implementation Services, Project Assessments of organizations, and IT Audit Consulting Services. Contact Mr. Levine at Levinemh@auditserve.com for additional information.