
Obstacles in meeting GDPR Requirements Part 1 of 2

by: Mitchell H. Levine, CISA - Audit Serve, Inc.     


Organizations that have identified themselves as in scope for GDPR should by now have progressed through the analysis phase of the project, in which the key GDPR Articles are interpreted to determine how the organization needs to implement solutions that meet the “spirit” of the GDPR requirements. Specific guidance on interpreting all of the implementation requirements has been promised by the EDPB (i.e., issuing guidance, recommendations and best practices) but has not been delivered so far, so organizations are left setting the bar high enough that they do not get “burned” later on when the guidance is provided. Refer to the web page that was established to provide this guidance, which has not been updated since March 2016.

Organizations may want to consider dividing the GDPR Articles that translate into actual organizational mandates into three groups in order to establish the design of their GDPR project initiatives:

(1) those Articles within GDPR that require a request system to be established so that data subjects can initiate requests

Right to Access – Article 15
Right to Rectification – Article 16
Right to Erasure – Article 17
Right to Restrict Processing – Article 18
Right to Object to Processing – Article 21
Right to Object to Automated Decision-Making/Profiling – Article 22
Data Portability – Article 20


(2) those Articles that are not subject to data subject visibility (i.e., through requests) but require significant project initiatives, such as Security of Processing – Article 32, Data Protection by Design & Default – Article 25 and Data Protection Impact Assessment – Article 35

(3) those Articles that require organizations that are controllers to contact customers directly

Information Controllers must provide to Data Subjects at the time when personal data is obtained – Article 13
Expressed Consent – Article 7
Data Breach Notification – Articles 33 & 34

As part of the analysis, organizations are determining the Articles for which they have “wiggle room” and those that are definitive and for which solutions have to be established. Where “wiggle room” is relied upon, a permanent document needs to be established that details the reasons the technology is not available or the costs are prohibitive.

Conversely, there are some Articles where there is no “wiggle room”, such as Expressed Consent.

This article will continue in the next edition of Audit Vision.


_______________________________________________________________________________

Mitchell Levine, CISA, Founder and President of Audit Serve Inc., and his consulting team conduct GDPR Impact Analysis & Assessment consulting services. Contact Mitchell Levine at Levinemh@auditserve.com for additional information.


Copyright © 2015. All Rights Reserved.