
Spoof audit gives Bavarian businesses taste of life under the GDPR

A data protection watchdog in Germany has asked 150 businesses to complete a "fictitious audit report" to detail how prepared they are for new EU data protection laws.

12 Jun 2017

The Bavarian State Office for Data Protection (BayLDA) said the exercise is aimed at giving businesses "a feeling" for how it will apply new powers which it will have under the General Data Protection Regulation (GDPR) from 25 May 2018. 

Data protection authorities will be able to "carry out investigations in the form of data protection audits" under the GDPR. 

The BayLDA said the 150 companies it has asked to complete its survey were "randomly selected". 

Thomas Kranig, president of the BayLDA, said that his office wants to ensure that businesses meet their legal obligations and that "as much transparency as possible" over the way data is collected and used is achieved. 

Kranig warned businesses that they face potential sanctions if they are found to be non-compliant with the GDPR after the new legislation begins to apply next year. Businesses that fail to comply with the new rules face fines of up to 4% of their annual global turnover or €20 million, whichever is higher.

Recent research by Varonis Systems found that many businesses do not view it "as a priority" to be compliant with the GDPR by 25 May 2018 – the date on which the legislation will begin to apply. Varonis Systems said that 42% of IT decision makers at large companies based in the UK, France, Germany and the US that it surveyed said they do not view compliance with the GDPR by then "as a priority". 

The UK's information commissioner, Elizabeth Denham, recently said that businesses that cannot show that "good data protection is a cornerstone" of their "business policy and practices" will leave themselves "open to enforcement action" under the GDPR.

Data protection law expert Laura Gillespie of Pinsent Masons, the law firm behind, said the GDPR will bring about major changes that businesses need to adapt to, from tougher rules on processing personal data and new duties to carry out data protection impact assessments, to maintaining records of the steps they take towards compliance and reporting major data breaches.

Gillespie said businesses should conduct a data protection audit as a first step towards preparing for the reforms. 

"An audit can help identify any weaknesses in the organisational or technical measures organisations currently deploy which relate to their handling of personal data, and align them towards the particular requirements of the GDPR," Gillespie said. 

"The audit can help organisations understand what data they hold and where it is held. Knowing what type of information is held, specifically whether it constitutes personal data, and if so, whether it is particularly sensitive personal information, can help businesses manage that data properly. Businesses that know where their personal data is stored around the world will also be better placed to comply with the GDPR's rules on the international transfer of such data. The process can also involve a review of existing data processing contracts with third parties to ensure they are fit for the GDPR-age," she said. 

Munich-based data protection law specialist Stephan Appt of Pinsent Masons recently explained that new data protection legislation being finalised in Germany looks set to expand on the provisions set out in the GDPR.

"The proposed new Federal Data Protection Act (FDPA) addresses issues such as when businesses will need to appoint a data protection officer, conditions for processing employee data, and restrictions on the rights enjoyed by data subjects," Appt said. "It is also set to introduce a new criminal offence related to the disclosure of personal data as part of an enhanced sanctions regime."