German DPA Releases GDPR Audit Checklist - Clarip Privacy Blog

German DPA Releases GDPR Audit Checklist

The Lower Saxony Data Protection Authority (DPA) in Germany earlier this month released the General Data Protection Regulation (GDPR) checklist that it used in an audit of 50 organizations (large and medium-sized). The document is in German, but for organizations that wish to perform a self-audit, it may be worth translating.

Here is a brief overview of the ten areas that were the basis for the privacy audits:

1. GDPR Preparations – How did your organization get ready for GDPR?

2. Processing Activities – How did your organization create its list of the Records of Processing Activities (ROPA) and how does it get updated?

3. Lawful Basis for Processing – What are the lawful bases for your organization’s data processing?

4. Data Subject Rights – How does your organization ensure data subjects can exercise their rights?

5. Data Protection (Security) – How does your organization implement the technical and organizational measures necessary for a level of security appropriate to the data risks?

6. Data Protection Impact Assessments (DPIAs) – How does your organization ensure that DPIAs are carried out when appropriate?

7. Data Processing Agreements – Do you have contracts with data processors that meet the GDPR requirements?

8. Data Protection Officer – How does your DPO function within the organization?

9. Breach Notifications – What is the organization’s process for ensuring timely data breach notifications?

10. Accountability – Can your organization document compliance with the above requirements?
