The Lower Saxony Data Protection Authority (Lower Saxony DPA) has audited 50 large and medium-sized organizations on their implementation of the requirements of the GDPR since June 2018. On November 5, 2019, the Lower Saxony DPA released a report summarizing its findings (Report; available in German here).

Summary of findings in the Report

We previously reported on our blog that the Lower Saxony DPA has released the checklist it used in assessing the GDPR readiness of the audited organizations (Checklist). This Checklist is a helpful tool for determining where organizations have GDPR compliance gaps.

The Lower Saxony DPA has now summarized the findings of its audits. It has grouped the audited organizations using a traffic light system:

  • Green (= mainly satisfactory): 9 organizations
  • Yellow (= some deficiencies): 32 organizations
  • Red (= major deficiencies): 8 organizations

The Report also highlights the GDPR compliance items that still raise the most and the fewest concerns:

  • Most deficiencies: IT security, data protection impact assessments (DPIA)
  • Medium deficiencies: records of processing activities (ROPA), consent, data subject rights
  • Low deficiencies: data processing agreements, data protection officers (DPO), notification of data breaches, accountability


The Lower Saxony Data Protection Authority (Lower Saxony DPA) has audited 50 large and medium-sized organizations over the last couple of months regarding their implementation of the requirements of the General Data Protection Regulation (GDPR), and is currently finalising the audits. On 7 August 2019, the Lower Saxony DPA released the

According to a press release of the Bavarian Data Protection Authority dated 3 November 2016 (“Press Release”), 10 German Data Protection Authorities (“DPAs”) have commenced a coordinated written audit and assessment of international data transfers, i.e., transfers to non-EU countries. Five hundred German companies will be asked to complete a comprehensive