GDPR AUDIT - data management operation review
We register on the website, take on the role of the customer, and examine how the organization operates from the stakeholders' perspective. You get a realistic picture of how your organization operates under the GDPR. As part of our GDPR consulting we prepare an action plan and a specific task list, which you can use to correct any errors found.
Many chose to prepare on their own, many used the help of a lawyer, and there are also those who still haven't started preparing. We believe that law, business process organization and IT are equal players in a preparation project. With more than 20 years of process organization and information security experience, we embarked on GDPR training.
During the preparation, many of our partners said that they only wanted to comply at the administrative level first, and we'll see what happens after that. The Authority has received its legal authorization; the results of its official investigations into the reported incidents will be published in the next 2-3 months. In Germany, the first penalty of 12,500 Euros has already been issued. In these cases the authority examines not only administrative compliance, but also the day-to-day operations of the organization.
Check whether your organization is able to comply with the provisions of the data protection regulations, and whether it meets the requirements of the GDPR during day-to-day operation.
Who do we recommend it to?
Organizations that have prepared themselves to meet the requirements of the regulation. Those whose IT review was missed during GDPR preparation. Those whose website does NOT communicate over https. Those who have created their regulations, but would rather get ahead of an official investigation with an internal audit.
Website GDPR review
- Website GDPR check
- Creating a data management information sheet, or commenting on an existing one
- Comparison of the data management and data processing register with the data indicated in the data management information sheet(s)
GDPR revision of regulations
- Review of the Data Management Regulations and related records
- Review of Article 32 of the GDPR and the Information Security regulations
GDPR check
- Website IT compliance check
- Website registration and trial purchase
- Optimization of the data management information
- Comparison of the data management and data processing records with the organization's data management processes
GDPR incident simulation
- Managing the notification of affected parties
- In the case of a retail store, we test the data management processes on site in the store (trial purchase)
- Testing the recruitment process by submitting a test CV
- Data protection incident simulation
Details of services
Website GDPR review
- Website verification
  - Web registration process check
  - Examination of the information obligations required by the GDPR
  - Logical examination: all communication channels must meet the same information and administration requirements
- Data management information review
  - Verification of compliance with Articles 12, 13 and 14 of the GDPR
  - Covering employees, customers, and wholesale and retail web store partners
  - Comparison of the data management and data processing register with the data indicated in the data management information sheet(s)
Deliverable:
- You receive an easy-to-follow action plan, based on which you can correct any errors. For example:
  - The pre-ticked check box on the registration page must be removed.
  - The link to the data management information sheet must be placed in the same place.
- When checking the data management information, we mark the points that must be supplemented in order to meet all the requirements of Articles 12, 13 and 14 of the GDPR.
GDPR revision of regulations
- Review of the Data Management Regulations
  - Definition of roles and responsibilities for the individual data management processes
  - Process-based task definitions
  - Risk analyses
  - Documentation of impact assessments
  - Review of the data management, data processing and incident records
  - Appointment of the data protection officer / official, and definition of the role
- Review of Article 32 of the GDPR and the Information Security regulations
  - Organization of information security
  - Human resources security
  - Asset management
  - Access control
  - Physical and environmental security
  - Operations security
  - Communications security
  - System acquisition, development and maintenance
  - Information security incident management
  - Information security aspects of business continuity management
Deliverable:
- We interpret the data management policy you prepared and compare it with the requirements of the GDPR and the Hungarian Information Act (Infotv.).
- We prepare an action plan for changing the regulation:
  - We list the unregulated areas
  - We indicate missing responsibilities
  - We make suggestions for improvement
- If the organization has an IT or information security policy, we examine the compliance of that policy with the requirements of Article 32.
- If the Data Management Policy also covers compliance with Article 32, we examine these documents from the point of view of information security regulation.
- Risk analysis and commenting on impact assessments
- Action plan for improvement, with concrete proposals
GDPR check
- Monitoring and optimization of GDPR operation
- Website IT compliance check
  - Checking the use of secure communication channels
  - Log file storage, handling, backup and access
- Website verification
  - Website or webshop registration, with a trial purchase if necessary
- Opinion on the data management information
  - Examination of legal bases: has your organization chosen an appropriate legal basis for each data management purpose?
  - Optimization suggestions
- Comparison of the data management and data processing records with the organization's data management processes
  - Through interviews, we check the currently registered data management processes, and whether the organization also processes data outside the registered data management processes.
GDPR incident simulation
- Managing the notification of affected parties
  - Communication
  - Technical implementation
- In the case of a retail store, we test the data management processes on site in the store (trial purchase)
- Testing the recruitment process by submitting a test CV
- Data protection incident simulation:
  - Adapting the content of the simulation to the Organization's data management processes and preparing a realistic scenario.
  - Running the data management and/or data processing incident in the framework of a workshop.
  - Based on the simulated case study, we test the operation of the organization as an exercise in a data protection incident management situation.
  - When testing the established alert chain, we check whether the actors specified in the chain are really reachable.
  - We test reaction times: how long it takes for the information to reach the decision-makers and the legal advisor after the incident is detected, and how quickly the organization is able to deliver the completed form to the authority and carry out the stakeholder notifications required by the GDPR.