Complications arise in achieving GDPR compliance Part 1 of 3

by: Mitchell H. Levine, CISA - Audit Serve, Inc. 

Establishing the GDPR compliance is a term in which each organization represents that it meets all of the requirements of GDPR.   However, as part of Article 28 (Processors) the controller is only allowed to use processors which provide sufficient guarantees that they have established appropriate organizational and technical measures to meet GDPR.  This raises a prevailing question in the industry as to the level of due diligence which is required to ensure these critical processors are GDPR compliant.

In order to establish a roadmap on how to become GDPR compliant an organization needs to perform a walkthrough of all of its business processes to determine which ones are impacted by GDPR.  The impact analysis needs to include the identification of all the processes that use a data subject’s PI data which has had to be accounted for in the inventory that is included in the disclosure to the data subject at the time the relationship is established with the data subject as required in Article 13 & 14 and forms the basis of obtaining the data subject’s Expressed Consent (Article 7).  In addition, all the requirement for maintaining this record of processing is required as part of Article 30.  The other key output from identifying processing activities related to the handling of a data subject’s PI data is the ability to identify those processes which can be discontinued as part of the data subject’s rights to Object Processing (Article 21).

One of the key components is to understand the business processes that an organization is a controller and or processor.  Based on the structure of an organization, it is conceivable for two organizations can be joint processors based on the party who stores the data, who processes the business, and who has direct contact with the data subject.  This scenario is typical of US-based companies who have international operations in which the local EU decentralized components of the global organization has the closest relation with the data subject but the central organization based outside the EU also has communication with the data subjects.   The complication arises when the data subject makes a request to access data (Article 15 – Right to Access), in which separate responses need to come from both the local EU organization and the global central processor.  The complications become even further complex based on whether the global organization will take the initiative and provide one level of reporting which covers both the central and local reporting responsibilities or alternatively the central organization could just report on how they store and process data and refer the data subject to the decentralized organization to have them make a separate request.

If the alternative is performed in which the central organization will provide a single response to the data subject then the size of the analysis phase of the GDPR project will be expanded significantly because the central organization must obtain all of the information from the EU local organizations.

*****************************************************************************

If your organization has completed most of its GDPR initiatives, Audit Serve, Inc.  is scheduling GDPR Project Assessments to determine the degree in which your organization has completed these initiatives.  Contact me @ Levinemh@auditserve.com to discuss our proposal of services or visit our website

*****************************************************************************

Alternatively, if the central organization is classified strictly as a processor, the distributed EU organization needs to gather from the central organization components which are a huge undertaking.  In addition, project management “gates” must be established during the software development life cycle to ensure any changes to the business process which handle PI data are identified or if PI is used by business processes that were never included in the disclosure to the data subject (Article 13 & 14) and included in the Expressed Consent (Article 7).

Having worked on three separate GDPR projects establishing an Impact Analysis and detailed project plan which provides the roadmap for an organization to become GDPR compliant one of the key areas that these experience provide is to identify the areas which require business decisions as it relates to roles and responsibilities throughout the organization in order to meet all of the Articles set forth in GDPR.  In addition, based on a thorough understanding of the GDPR articles, GDPR provides compliance flexibility which needs to be taken advantage of by organizations in order to reduce the overall size of the GDPR project.

The next part of this article, in the next monthly edition of the Audit Vision newsletter, will continue to provide specific cases which impacts most organization’s ability to achieve GDPR compliance.

  _______________________________________________________________________________

Mitchell Levine, CISA, Founder and President of Audit Serve Inc. and his consulting team  conducts GDPR Impact Analysis and Project Assessments of organizations and IT Audit Consulting Services.   Contact Mr. Levine Levinemh@auditserve.com for additional information.