In a press release dated June 29, 2018, the State Commissioner for Data Protection of Lower Saxony (LfD Niedersachsen), Barbara Thiel, announced that she plans to audit 20 large and 30 medium-sized companies on the subject of the GDPR from the end of June as part of a cross-industry cross-sectional audit.
Specifically, it is simply a matter of asking companies how they have implemented the new General Data Protection Regulation in their organization.
The press release says:
Educate, sensitize, help
"First of all, I would like to get an overview of how companies have used the two-year transition period until the GDPR came into force," says Barbara Thiel. "My main concern here is to identify whether there is still catching up to do among the responsible bodies. I also want to use this audit to raise awareness of data protection in general and the provisions of the GDPR in particular. So at this stage, the priority is not to find as many errors as possible and impose fines. Instead, we want to educate, raise awareness and provide valuable advice. Nevertheless, there may of course be appropriate proceedings if we find violations of the GDPR during the audit."
The questionnaire "DS-GVO cross-sectional audit" contains 10 questions:
"1. Preparation for the GDPR
How did you as a company prepare for the GDPR? Describe (briefly) the procedure, which areas were involved and which measures were initiated. If not all measures have been fully implemented yet, please also explain the implementation status.
2. Register of processing activities
How have you ensured that all your business operations involving the processing of personal data are included in a register of processing activities? How do you ensure that it is up to date? Please attach an overview of your documented procedures and a sample procedure.
3. Lawfulness of processing
On what legal basis do you process personal data? If you also process personal data on the basis of consent, please enclose the samples you used.
4. Data subject rights
How do you ensure compliance with data subject rights (to information, access, rectification, erasure, restriction of processing, data portability)? Outline your processes in this regard and, in particular, go into detail about how you comply with your information obligations. Please attach any existing sample information.
5. Technical data protection
a) How do you ensure that your technical and organizational measures or those of your service providers guarantee a level of protection appropriate to the processing risk?
b) How do you ensure that your technical and organizational measures are adapted to the respective state of the art?
c) How do you ensure that you have a documented data protection-compliant roles and authorization concept for the IT applications you currently use or will use in the future?
d) How do you ensure that data protection requirements are taken into account from the outset when modifying or developing new products or services (privacy by design and by default)?
6. Data protection impact assessment
a) How do you ensure that processing operations likely to present a high risk to the rights and freedoms of data subjects are identified and that a data protection impact assessment is carried out for them?
b) Have you identified any processing operations in your company that are likely to present a high risk to the rights and freedoms of data subjects? Which ones? Please attach the respective documentation for the data protection impact assessment.
7. Processing on behalf of a controller (processors)
Have you adapted your existing contracts with processors to the new regulations of the GDPR? If you use model contracts, please attach them; in addition, please attach a current example contract with one of your processors.
8. Data protection officer
How is your data protection officer integrated into your organization? What professional qualifications does he or she have?
9. Reporting obligations
How do you ensure that your company reports data protection breaches to the supervisory authority in a timely manner? Outline your processes in this regard.
10. Documentation
How will you be able to demonstrate compliance with all of the obligations set out in sections 2 to 9 above?"
The results will be compiled in a final report in May 2019.
Important: The LfD has clarified that no small craft businesses or corner bakeries are to be audited. A complete audit of individual industries is also not planned.
This confirms our suspicion: the supervisory authorities initially do not want to punish, but to help. By now, it is clear to everyone that much is unclear. If the GDPR "project" is to be implemented properly, companies will also need all the help they can get.
