GDPR, General Data Protection Regulation, GDPR Audit, GDPR Implementation, GDPR Consulting, GDPR Impact Analysis, GDPE Assessment
By: Mitchell H. Levine, Audit Serve, Inc.
With the May 25th GDPR compliance date only a few months away many organizations are facing the realities that they will not be able to complete all of the required project initiatives required to meet all of the Articles within GDPR. Knowing that many organizations especially in the US have only completed their impact analysis in the last six months (i.e., to identify the project initiatives that need to be completed), this three- part article is intended to provide a roadmap for GDPR compliance for those areas of GDPR that present the most risk to an organization if these initiatives are not completed.
One of the key items that have contributed to the uncertainty of how far organizations need to take these project initiatives is the minimal guidance that has been provided by the Working Party 29, and for those guidance documents issued (e.g., guidelines on personal breach notification) there is a lack of overall detail on how far these initiatives need to be taken.
The basis for determining areas of GDPR compliance which are the highest importance is based on areas of GDPR in which non-compliance would result in fines issued by the Supervisory Authority or the basis of a lawsuit by a data subject (i.e., could be a class-action lawsuit) as specified in Article 82 (Right to Compensation & Liability) in which the data subject has suffered damages based on a Controller’s or Processor’s non-compliance with GDPR.
Upcoming Audit Serve GDPR Seminar entitled Assessment, Implementation and Auditing Approaches
June 13 - 14 Phoenix ISACA Chapter Tempe AZ (near Phoenix)
June 25th Virginia ISACA Chapter Norfolk, VA
Since it is stated nowhere within GDPR that the Supervisory Authority will initiate random reviews of an organization to assess their GDPR compliance, unlike OCR audits by HHS to determine a Covered Entity’s or Business Associates compliance with HIPAA regulations, it is most likely that inquiries by the Supervisory Authority of an organization’s GDPR compliance will be based on complaints registered by the data subject. The following list represents the most likely types of complaints that will be registered by data subjects to the Supervisory Authority which are also fall under areas where data subjects have specific GDPR granted rights:
This list of complaint types will also be used as the basis for lawsuits by data subjects as specified in Article 82.
The two remaining parts of this article will discuss in detail each of these complaint types. The two remaining parts of this article will also discuss the GDPR Articles which will less likely result in fines by the Supervisory Authority or lawsuits from data subjects.
Mitchell Levine, CISA, Founder and President of Audit Serve Inc. and his consulting team conducts GDPR Impact Analysis and Implementation Services and Project Assessments of organizations and IT Audit ConsultingServices. Contact Mr. Levine Levinemh@auditserve.com for additional information.
Join 3,500 other subscribers
Advertise with Us