GDPR, General Data Protection Regulation, GDPR Audit, GDPR Implementation, GDPR Consulting, GDPR Impact Analysis, GDPE Assessment
by: Mitchell H. Levine, CISA - Audit Serve, Inc.
Those organizations that have self-identified themselves as being in-scope for GDPR should have progressed through the analysis phase of the project in which the key GDPR articles have been interpreted to determine how the organization needs to implement solutions to meet the “spirit” of the GDPR requirements. Since specific guidance to interpret all of the implementation requirements has been promised from EDPB (i.e., Issue guidance, recommendations and best practices) but has not been delivered so far, organizations are left with setting the bar at a high enough level where they do not get “burned” later on when the guidance is provided. Refer to the web page established which was supposed to provide guidance, which has not been updated since March, 2016.
Organizations may want to consider dividing the GDPR Articles which translate into actual organizational mandates into three parts in order to establish the design of their GDPR project initiatives;
(1) those Articles within GDPR that require a request system to be established to allow data subject to initiate requests
Right to Access – Article 15 Right to Recertification – Article 16 Right to Erasure - Article 17 Right to Restrict Processing – Article 18 Right to Object to Processing – Article 21 Right to Object Automated Decision/Profiling – Article 22 Data Portability – Article 20
*****************************************************************************
If your organization has completed most of its GDPR initiatives, Audit Serve, Inc. is scheduling GDPR Project Assessments to determine the degree in which your organization has completed these initiatives. Contact me @ Levinemh@auditserve.com to discuss our proposal of services or visit our website
(2) those articles that are not subject to data subject visibility (i.e., through requests) but require significant project initiatives such as Security of Processing – Article 32 and Data Protection by Design & Default - Article 25 and Data Protection Impact Assessment – Article 35
(3) those articles that require organizations who are controllers to directly contact customers Information Controllers must provide to Data Subjects at the time when personal data is obtained – Article 13 Expressed Consent – Article 7 Data Breach Notification – Articles 33 & 34
As part of the analysis organizations are determining which Articles they have “wiggle room” and those articles which are definitive and solutions have to be established. If the “wiggle room” is used, a permanent document needs to be established which details the explanation of the reason that technology is not available or if the costs are too prohibitive.
Alternatively, there are some articles where there is no “wiggle room” such as Expressed Consent.
This article will continue in the next edition of Audit Vision
_______________________________________________________________________________
Mitchell Levine, CISA, Founder and President of Audit Serve Inc. and his consulting team conducts GDPR Impact Analysis & Assessment consulting services. Contact Mitchell Levine Levinemh@auditserve.com for additional information.
Free Audit Vision Newsletter Since 1991 Join 3,500 other subscribers
Advertise with Us