Obstacles in meeting GDPR Requirements Part 2 of 2
by: Mitchell H. Levine, CISA - Audit Serve, Inc.
The first part of this article discussed (1) those articles within the GDPR that require a request system to be established to allow data subjects to initiate requests, (2) those articles that are not subject to data subject visibility (i.e., through requests) but require significant project initiatives, and (3) those articles that require organizations that are controllers to directly contact customers.
The major project initiative, which relates to most of the information that data subjects must be provided at the inception of the relationship with the controller, is providing the data subject a data map of exactly what data is stored about them and how it is processed, so that the data subject can identify errors for which they can make correction requests, or identify a basis on which they may want to restrict processing partially or entirely.
The second major initiative is the data structure mapping (required by Article 30 – Records of Processing Activities) that needs to be provided to the data subject when the relationship is established. It ties the services used by the data subject to the processing and data movements through the controller, processors and third-party systems, including the location of processing. Most organizations do not realize that this is the largest project initiative required to meet Article 7 – Expressed Consent, under which the data subject must consent to all processing and data movements of the data subject's data. Since the level of information that needs to be provided to the data subject has increased significantly, former consents that data subjects provided are no longer valid, and therefore organizations need to obtain re-consent from the data subjects. The situation gets more complicated after the 25 May 2018 compliance date, because any changes made to the data structure will require subsequent expressed consents to be provided by the data subject. This will require organizations to track re-consents on an individual data subject basis in order to identify which data structure changes each data subject has given expressed consent to.
If your organization has completed most of its GDPR initiatives, Audit Serve, Inc. is scheduling GDPR Project Assessments to determine the degree to which your organization has completed these initiatives. Contact me at Levinemh@auditserve.com to discuss our proposal of services or visit our website.
This requirement to obtain all of these updated expressed consents is complicated by the fact that many controllers have no basis to force the data subject to re-consent, given the workflow of their systems, in which customers may not need to access the controller's system on a frequent basis. Controllers will need to decide whether to adjust their workflows to prevent the data subject from using the controller's services until they provide their expressed consent. Alternatively, the business process can take the passive route, under which the next time the data subject uses the controller's service they must go through the process of issuing their expressed consent. The complication is that this contact between the data subject and the controller might not occur for many years, at which time the controller needs to have an accurate compilation of all the structural changes that occurred since the last time the data subject provided their expressed consent. For those organizations that employ EU citizens, employees are also considered data subjects and are given the same rights as customers. Obviously, the business processes used by a customer and the background processing that controllers and processors perform for employee-type functions are different from customer-facing processes. This demonstrates the magnitude of the scope of the GDPR project, because the actual data used and the structure in which it is used for both customers and employees need a detailed structural mapping. In addition, employees who leave an organization will most certainly take advantage of the data subject requests to restrict processing and delete data.
The one scenario that will prevent compliance with Article 7 expressed consent is when the controller and processor are retaining data subject data and there is no mechanism to contact the data subject. Business decisions will need to be made as to whether processing will still occur in the future for these types of data subjects, which will translate into changes in business processes.
As the GDPR articles are analyzed for implementation, organizations in different industries are realizing that they have permanent obstacles that prevent them from achieving full GDPR compliance. Establishing a permanent project binder which documents these obstacles and details the reasons for non-compliance is the obvious approach for most organizations. For some articles there is "wiggle room" for meeting GDPR compliance, but for others there is none.
Based on the obstacles discussed in this article, it would be fair to say that no organization will be completely GDPR compliant, but every organization needs a documented trail to support all of the decisions that were made where GDPR compliance cannot be achieved. Court cases after the May 25, 2018 mandated compliance date will determine whether organizations have progressed far enough in their GDPR compliance efforts.
Mitchell Levine, CISA, Founder and President of Audit Serve Inc., and his consulting team conduct GDPR Impact Analysis & Assessment consulting services. Contact Mitchell Levine at Levinemh@auditserve.com for additional information.