The Bavarian Data Protection Authority (“Bavarian DPA”) has published an English-language version of a GDPR implementation audit questionnaire (“Questionnaire”). The Questionnaire is available here. The Questionnaire has been previously released in German.

Content of the Questionnaire

The Questionnaire includes questions on six topics:

  1. Structure and responsibility in the company
    • For example, is there awareness in the company that data protection is management’s responsibility?
  2. Overview of processing activities
    • For example, do you have records of your processing activities according to Article 30 GDPR?
  3. Involvement of third parties
    • For example, have you entered into the necessary agreements containing minimum content of Article 28 (3) GDPR with all your processors?
  4. Transparency, information duties, and assurance of data subject rights
    • For example, have you adapted your texts providing information regarding data protection for data subjects in the course of data collection, to the requirements of Article 13 and 14 GDPR?
  5. Accountability and risk management
    • For example, have you adapted your existing security review processes to the new requirements of Article 32 GDPR?
  6. Data breaches
    • For example, have you ensured that the notification of a personal data breach to the supervisory authority can be performed within 72 hours, according to Article 33 GDPR?

Comment

The Bavarian DPA has sent the Questionnaire to 150 randomly chosen organizations. It did not expect organizations to respond to the Questionnaire, but rather wanted to provide an opportunity for organizations to assess their progress in implementing the requirements under the GDPR.

We expect that the data protection authorities will be very active in the second half of 2018. Organizations had two years to prepare for the GDPR. The authorities will likely conduct audits of many organizations. The Questionnaire provides a good indication of what should be on top of every organization’s agenda, and what data protection authorities will particularly look for in the upcoming audits.