Press "Enter" to skip to content

5 hints to prepare for GDPR investigations

If one can read in the last activity reports of the state data protection commissioners, examinations are done more frequently, fines are imposed and a multitude of complaints have been received by the authorities. That is why we have to prepare ourselves for an inquiry and an examination:

5 tips for the preparation of examinations

I once put together 5 important hints for you.

  1. Solid DSGVO structures – Structure of a DPMS

In a first step of an effective and successful answer/defense against a violation committed by you is the establishment of a data protection management system (DPMS) that is always up to date.

For this, there are ready-made solutions from various providers, which you only have to fill with content. For example the Audatismanager or you can build your own Wiki. You can build this Wiki for example in a SharePoint Online Sitecollection with the Subsite (Wiki). It is important that you can assign editing and viewing rights.

The content of the DPMS should meet the following requirements:

  • Responsibilities of the departments, department heads, employees
  • operational functions
  • audit capabilities
  • Processes (e.g. information, emergency)
  • Data protection impact assessments, if required.
  • Procedural and processing inventories
  • Documentation of the IT systems (e.g. Which attributes are synced into the cloud by AAD Connect?)
  • Legal basis of processing
  • Contracts and risk management of IT solutions

The documentation should be kept in such a way that it contains as much information as possible and is a basis for effective defence.

2. GDPR – process-oriented documentation

In addition to the general documentation with regard to the GDPR under point 1, documentation should be prepared in the sense of accountability according to Art. 5 para. 2 GDPR . In concrete terms, this means that you can either supplement the documentation prepared under point 1 or provide additional documentation, which you can also publish or pass on to supervisory authorities in the event of enquiries. In this case, you must check together with the data protection officer and your legal advisor and create this variant and update it quarterly.

3. risk management for compensation of immaterial damages

With regard to the GDPR and a possible liability you have to take a closer look at art. 82 GDPR . In this article, those affected are granted the right to sue for compensation for immaterial damages. Specifically, in this point we are talking about the compensation of moral damages or emotional suffering that the person concerned can claim. Some law firms have already specialised in this point and are actively approaching potential clients. Here it is also important to be extremely careful in the area of internal and external communication in order not only to fertilize future claims for damages.

4. identification of gaps/weaknesses and execution

You can’t work off all “construction sites” right now. Therefore it is important to list all gaps and weak points and to prioritize them according to the GDPR. Processing must be assigned to the appropriate persons and provided with deadlines. A person from the data protection team should keep the overview and, if necessary, ask for it.

5. reputation effects

It depends on the company, the industry and its position in the market. For example, a credit card company is already accused of losing its personal data extremely critically. However, merchants could also suffer losses in terms of turnover and immediate profit. Here, processes should be created and played through together with the press and marketing department. In this case, the public communication should ultimately also be coordinated with the responsible data protection authority.