05 10 2018
With the changes that have occurred in recent months, today we will explain what the new GDPR audit consists of and, most importantly, whether your company is obliged to perform one.
The GDPR audit is an instrument through which the personal data processing managed by the company is evaluated: who the controllers are and for what purpose the data is collected.
Conducting an audit will facilitate your company's adaptation to the GDPR, since through it you will learn in depth the nature of the data you manage, how it should be processed, and the security measures you must implement.
The audit is performed to check the level of security of the personal data that is managed and to adjust that level where necessary.
Once the audit is conducted, the auditors will provide you with a report. In this document you will be informed of the security measures your company must adopt to comply with the regulation. Among these measures, it will explain which faults occur and which improvements can be implemented. You will also be informed about how to prepare your workers in the field of data protection and whether there is a requirement to appoint a data protection officer.
In short, the objectives of the audit are:
Performing a GDPR audit is not itself mandatory. Nonetheless, to have peace of mind and ensure that our organization complies with the new regulation, we must analyze what level of security our company presents and whether it is sufficient.
In Spain, there is currently an obligation for companies with a medium level of security to perform an audit at least every two years.
Sanctions may be imposed when data processing does not comply with the European Data Protection Regulation or when a personal data leak is detected, among other reasons.
One of the novelties with respect to the previous LOPD (Spanish Organic Law on personal data protection) is the monetary increase in the sanctions. Fines may reach up to 20,000,000 euros, ranging between 10 and 20 million euros or between 2 and 4% of the company's global turnover. However, we would like to clarify that not performing the audit is not in itself the reason for a sanction.