Data protection audits by the BayLDA
Since 06.11.2018, 15 small (from 100 employees) and medium-sized (from 500 employees) companies have been audited by the BayLDA on the basis of Article 5(2) GDPR (DSGVO). This provision establishes the so-called "accountability" principle: the company must be able to demonstrate its compliance with the legal requirements to the supervisory authority (in this case, the BayLDA) during the inspection.
According to the BayLDA, on-site inspections of at least 5 of these 15 SMEs are also planned. Of the 15 companies, 8 were selected at random; for the other 7, a cluster of data protection complaints had been submitted to the BayLDA in the past.
Since 01.10.2018, 3 (large) corporations in Bavaria have also been audited, with the aim of determining whether compliance with the General Data Protection Regulation is anchored in the company's day-to-day operations and whether the following three core processes are effectively designed in the so-called process organization:
- Data protection-compliant processing
- Dealing with data subjects’ rights
- Dealing with personal data breaches
In addition, since 12.10.2018, medical practices of various specialties have been audited to check how they prevent and handle attacks with encryption Trojans (ransomware). In a medical practice, a ransomware infection can quickly make sensitive patient and treatment data inaccessible, which means that timely treatment can no longer be guaranteed.
At 15 other larger companies, the processing of personal data in application (recruitment) procedures is currently being investigated. The focus of this investigation is the correct implementation of the companies' duty to inform applicants about how their data is handled.
The BayLDA has also announced that a further 15 larger companies that use many service providers in an international environment will be reviewed on the following question: why, in the "data breach" notifications received so far, the source of the risk has lain almost exclusively with the responsible company (the controller) in Bavaria and hardly ever with its (international) service providers. Under the GDPR, security breaches at a service provider (including any further subcontractors!) also trigger the notification obligation of the responsible company.
In the spring, the BayLDA already conducted a review of patch management for the content management systems behind websites, with a focus on WordPress. In the process, 172 websites were checked.
The questions asked in these audits and the resulting findings are useful guidelines for preparing for possible inquiries from the supervisory authorities on the audited topics.
Source: BayLDA, report of the BayLDA on data protection audits