Companies have invested a lot of time and money in implementing the GDPR. Now that the initial implementation rush has died down, companies should subject their status quo to a critical review. The supervisory authorities encourage such critical self-assessment.
For example, the State Commissioner for Data Protection of Lower Saxony has published the “Criteria Catalogue for Cross-Sectional Audits in Business 2018/19”.[1] It does not only ask how the company prepared for the GDPR. The supervisory authority also wants to know how the company ensures that all business processes involving the processing of personal data are included in a register of processing activities and that the register is kept up to date. It also asks how the rights of data subjects are guaranteed.
A total of about 200 individual criteria are surveyed in the questionnaire. More uncomfortable topics are also covered, such as the measures taken to delete data and so-called technical data protection. Here, the company must not only prove that technical and organizational measures exist to protect personal data. It must also document that the processing risk was determined beforehand and that the measures taken correspond to this risk. It must also explain how it determines whether or not so-called data protection impact assessments are necessary for certain processing operations. The supervisory authority wants to know how cases are identified which pose a high risk to the rights and freedoms of the data subjects. Experience shows that companies do not document everything when it comes to these topics. In addition, numerous questions are asked about contracts with processors.
The Bavarian State Office for Data Protection Supervision has also already begun examining the implementation of the GDPR in small and medium-sized enterprises. A corresponding list of questions was also published.[2] The severe fines that non-compliance with the GDPR may entail can be read in the recently published concept of the data protection supervisory authorities for the assessment of fines.[3]
Check the implementation of the GDPR in your company against the published questionnaires. We are happy to support you with the expert analysis of existing processes and documentation.
Published in Newsletter Confectionery Industry Special – 2020 edition.
[1] lfd.niedersachsen.de/startseite/datenschutzreform/ds_gvo/kriterienquerschnittspruefung-179455.html; last accessed: 01/11/2019.
[2] www.lda.bayern.de/media/pruefungen/201811_kmu_fragebogen.pdf; last accessed: 01/11/2019.
[3] www.datenschutzkonferenz-online.de/media/ah/20191016_bu%C3%9Fgeldkonzept.pdf; last accessed: 01/11/2019.