By: Mitchell H. Levine, Audit Serve, Inc.
This is the second article of a three-part series intended to provide a roadmap for GDPR compliance for those areas of GDPR that present the most risk to an organization if the related initiatives are not completed.
As discussed in the first article, the basis for fines issued by the Supervisory Authority will be complaints by data subjects. The most likely reason for a data subject's complaint is a Controller that does not provide the means for data subjects to issue a Subject Access Rights (SAR) Request.
SAR Requests are based on rights granted to data subjects: to access their personal data (Article 15), to correct inaccuracies in their personal data (Article 16), to erase their personal data (Article 17) and to object to certain ways in which organizations share their personal data with other organizations (Article 21). In order for an organization to reach the stage of its GDPR project at which it can process SAR Requests to meet these rights, a complete analysis of the organization's business processes needs to occur to identify those business processes that utilize a data subject's personal data. This mapping of personal data to business processes also forms the basis for meeting the data inventory requirements of Article 30. Once this step is completed, organizations need to go through the process of filtering what data they are making available to SAR Requests, understanding that any circumstance in which data is not made available, corrected or erased on request by the data subject has to be substantiated (e.g., cost). One additional project dependency is the cooperation of the Processors who store and process the data subject's personal data on behalf of the Controller. If a Processor refuses to correct or erase data as requested by the data subject, then the Controller will not be able to fulfil its obligations in processing the SAR Request.
Upcoming Audit Serve GDPR Seminar entitled Assessment, Implementation and Auditing Approaches
June 13-14, Phoenix ISACA Chapter, Tempe, AZ (near Phoenix)
June 25, Virginia ISACA Chapter, Norfolk, VA
The next step in processing SAR Requests is to establish all of the potential data extracts that will be needed, along with the processes for correcting and erasing data. For organizations that expect a small number of SAR Requests, manual processes will be used to extract, correct and erase data. However, for those organizations that are not so fortunate, automated processes will need to be established, including coordination with the Processors.
The next area in which data subjects will be sending complaints to the Supervisory Authority is the Controller's failure to provide a proper disclosure of its use of a data subject's personal data at the inception of the relationship, as required by Articles 13 and 14. Organizations need to evaluate all of their customer inception processes to ensure that these disclosures are provided. This is especially important since most organizations are tying their disclosure processes to gaining the data subject's Expressed Consent to store and process their data, as required by Articles 7 and 8. Without gaining the Expressed Consents, Controllers and Processors do not have a lawful basis for storing and processing the data subject's personal data.
One of the key remaining decisions that Controllers need to make is whether they have a proper data subject Expressed Consent prior to the May 25th GDPR compliance date. Knowing that most organizations did not have an Expressed Consent and Disclosure that met GDPR requirements, these Expressed Consents and Disclosures have been updated, and now the challenge is to have the data subjects provide their Expressed Consents. This is a challenge for many industries because, based on their business models, they do not have the leverage to compel the data subject to provide Expressed Consent, or may not even have a basis for contacting the data subjects. This will force Controllers and Processors to make hard decisions about whether they will delete data in instances where data subjects do not provide their Expressed Consents.
The third installment of this article will discuss the GDPR Articles which are less likely to result in fines by the Supervisory Authority or lawsuits from data subjects.
Mitchell Levine, CISA, Founder and President of Audit Serve Inc., and his consulting team conduct GDPR Impact Analysis and Implementation Services, Project Assessments of organizations, and IT Audit Consulting Services. Contact Mr. Levine at Levinemh@auditserve.com for additional information.