With a press release of 29 June 2018, the local Data Protection Authority (DPA) of Niedersachsen has published a questionnaire. The questionnaire has recently been sent to 20 large and 30 mid-sized companies of various industry sectors which are located in the German state of Niedersachsen. The local DPA has pointed out that they will not send the questionnaire to small companies such as carpenters or bakeries.
The intent is to get an overview of the status of GDPR preparation and compliance in the various companies. At this point in time, the focus is not to find as many mistakes as possible and to award fines. The plan is to support companies, make them more aware of the GDPR and give advice. In case of serious breaches, however, there will be fines awarded nevertheless.
In a convenience translation by the author, the list of questions includes the following subjects:
1. Preparation for the GDPR
How have you as a company prepared for the GDPR? Briefly explain the approach, which departments were involved and what measures have been taken. If these measures are not completed yet, please explain the status of implementation.
2. Register of Processing Activities
Have you ensured that there is a register in place of all activities where personal data are being processed? How do you ensure it is being updated on a regular basis? Please provide us with an overview of the registered activities and with one sample process description.
3. Legal Basis
On which legal basis do you process personal data? If you are using consent, please provide us with the template.
4. Data Subject Rights
How are you making sure that data subjects are being informed about their data subject rights (information, answer to data subject access requests, deletion, restriction, portability)? Please describe the applicable processes and provide us with templates.
5. Technical Data Protection
a) How do you ensure that your own and your processors’ technical and organizational means for data protection provide a security level which is in line with the risk involved in the processing?
b) How are you ensuring that your technical and organizational measures are updated on the applicable state of the art?
c) How do you ensure that you have a documented and compliant role concept and data access concept for your current or future IT applications?
d) How do you ensure that the principles of Privacy by Design and Privacy by Default are being taken into account from the start when IT products or IT services are being changed or newly developed?
6. Data Protection Impact Assessment
a) Do you perform a Data Protection Impact Assessment for any processing with a likely high risk for the rights and freedoms of data subjects?
b) Have you identified, within your company, any processing activities that result in a high risk for the rights and freedoms of data subjects? Which?
7. Data Processing
Have you updated the applicable contracts in place with any data processors based on the requirements of the GDPR? If you are using a template, please provide us with an example. Also please add your current processing contract in place with one of your processors.
8. Data Protection Officer
How is your Data Protection Officer involved in your organization? What proof of competence does he/she have?
9. Data Breach Reporting Duty
How have you made sure that any data breaches will be reported to the DPA in due time? Describe the applicable processes.
10. Documentation
Regarding the documentation of GDPR compliance, how are you able to demonstrate compliance with of the above questions No. 2 to No. 9?
There have been previous questionnaires by other Data Protection Authorities, such as the questionnaire published by the Bavarian Data Protection Authority in September 2017 in German and in English, which was, according to a press release, intended to help companies prepare for the GDPR. This new list of questions is somewhat shorter and well structured. It is good starting point for any small audit of GDPR compliance.