
Obstacles in meeting GDPR Requirements Part 1 of 2

by: Mitchell H. Levine, CISA - Audit Serve, Inc.     


Those organizations that have self-identified as being in scope for GDPR should have progressed through the analysis phase of the project, in which the key GDPR Articles have been interpreted to determine how the organization needs to implement solutions to meet the "spirit" of the GDPR requirements. Since specific guidance to interpret all of the implementation requirements has been promised by the EDPB (i.e., issuing guidance, recommendations and best practices) but has not been delivered so far, organizations are left with setting the bar at a high enough level that they do not get "burned" later on when the guidance is provided. Refer to the web page that was established to provide this guidance, which has not been updated since March 2016.

Organizations may want to consider dividing the GDPR Articles which translate into actual organizational mandates into three parts in order to establish the design of their GDPR project initiatives:

(1) those Articles within GDPR that require a request system to be established to allow data subjects to initiate requests:

Right to Access – Article 15
Right to Rectification – Article 16
Right to Erasure - Article 17
Right to Restrict Processing – Article 18
Right to Object to Processing – Article 21
Right to Object to Automated Decision-Making/Profiling – Article 22
Data Portability – Article 20






(2) those Articles that are not subject to data subject visibility (i.e., through requests) but require significant project initiatives, such as Security of Processing – Article 32, Data Protection by Design & Default – Article 25, and Data Protection Impact Assessment – Article 35

(3) those Articles that require organizations that are controllers to directly contact customers:

Information Controllers Must Provide to Data Subjects When Personal Data Is Obtained – Article 13
Expressed Consent – Article 7
Data Breach Notification – Articles 33 & 34

As part of the analysis, organizations are determining for which Articles they have "wiggle room" and which Articles are definitive, so that solutions have to be established. If the "wiggle room" is used, a permanent document needs to be established which details the reason that the technology is not available or that the costs are too prohibitive.

Conversely, there are some Articles where there is no "wiggle room", such as Expressed Consent.

This article will continue in the next edition of Audit Vision.



Mitchell Levine, CISA, Founder and President of Audit Serve Inc., and his consulting team conduct GDPR Impact Analysis & Assessment consulting services. Contact Mitchell Levine for additional information.

AuditNet - The Global Resource for Auditors

Audit Vision


Copyright © 2015. All Rights Reserved.