GDPR audits are performed to verify the actual level of personal data protection and to evaluate how well an organization is prepared for the changes that must be implemented under the General Data Protection Regulation (GDPR).
During the audit we will:
- determine the information to which GDPR regulations are applicable
- determine the position of personal data processing bodies (controller, joint controller, processor, sub-processor)
- verify that all processes the customer performs as part of its daily routine meet the lawfulness requirements for personal data processing set out in GDPR
- review the clauses of consent applied by customer
- review the mandatory informative clauses applied by customer
- analyze the contents of the personal data processing (entrustment) agreements used by the customer
- determine the procedures for handling third parties' exercise of their rights (e.g. data access rights)
- determine the procedures for fulfilling the controller's/processor's responsibilities (e.g. notification of infringements)
- analyze the technical (IT-related, physical) and organizational measures applied by the customer to keep data secure, in terms of compliance with GDPR regulations.
The final result of the audit is a pre-implementation report which identifies and describes inconsistencies (including law violations), provides evidence of the inconsistencies and recommends how to eliminate them.
In addition, the report indicates what actions need to be taken to achieve compliance with GDPR; in particular we will:
- propose risk assessment methodology and perform risk assessment
- evaluate whether data protection impact assessment is required and indicate how to handle this process, if needed
- determine the conditions of Data Protection Officer (DPO) designation, if necessary
- establish the customer's area of responsibility in accordance with GDPR regulations
- present our recommendations on how to adapt IT environment to GDPR requirements
- prepare implementation schedule proposal
GDPR implementation covers two steps:
- data processing process adjustment
- ICT environment adjustment
Within the data processing process adjustment the customer will receive documents making up a comprehensive security policy (the final scope depends on the audit results and risk assessment), including:
- risk assessment procedure
- personal data protection impact assessment
- risk handling plan
- procedure for cooperation with third parties, including a new draft of the personal data processing entrustment agreement and administrative measures that demonstrate the obligation to select processors properly was fulfilled
- record of personal data processing activities
- procedure of cooperation with supervisory authority and reporting infringements
- clauses dedicated to personal data collection and mandatory informative obligations
- position and responsibilities of Data Protection Officer (DPO)
- procedure for handling data subject requests directed to the Data Protection Officer (DPO)
- policy for IT systems development process that includes implementation of data protection solutions in design phase (privacy by design) and default data protection (privacy by default)
- prior consultation with President of Personal Data Protection Office, if required
- selection of applicable transfer mechanisms in the event of personal data transfers to third countries or international organizations.
For the IT environment adjustment, the applicable procedures will be developed and provided, in particular procedures for user management and authorization, backup management, and security issue handling.
The service may be extended with a proposal to implement IT tools that support compliance with GDPR requirements in terms of IT security, in particular:
- data classification system
- data leakage prevention system (DLP)
- security information and event management platform (SIEM)