Corinna Kulp
The EU General Data Protection Regulation (GDPR) and the new German Federal Data Protection Act (BDSG) present companies with the challenge of adapting their data-protection-relevant procedures and measures. These requirements not only contain a legal component; in many cases they are aimed at established processes and measures ("controls"), which must be implemented and documented in a verifiable way. The processing of personal data typically involves several departments or business units and is therefore a challenge for many companies. At the same time, there is a growing need to have these technical and organizational processes and measures audited by an independent auditor.
The IT & Controls Assurance department supports the data protection officer by auditing these procedures and measures. Our audits are based, among other standards, on the auditing standard IDW PS 860 combined with IDW PH 860.1. The IDW Auditing Practice Note "Auditing of the principles, procedures and measures according to the EU General Data Protection Regulation and the Federal Data Protection Act" (IDW PH 9.860.1) specifies how the principles of IDW PS 860 are applied to data-protection-specific audits and is intended to support the profession in carrying them out.
These audits relate not only to the data protection organization and the procedures and measures within your company, but also to service providers to whom you have outsourced (sub)processes (e.g. IT service providers, accounting or payroll). Here our interdisciplinary team supports you with assessments of the service-related internal control system (ICS), focusing on data protection requirements. Together with you, we also carry out a data protection impact assessment in accordance with Art. 35 EU-DSGVO, which is required before you start processing risky data or begin risky processing operations.
The requirements of the EU-DSGVO also include the "right to be forgotten" under Art. 17 EU-DSGVO. To comply with this requirement, you need a deletion concept for every application in which you process personal data; in addition, appropriate deletion functionality must be implemented in those applications. We help you evaluate and improve the conformity of your concepts, processes and measures.