In this issue of “Lexing Insights,” the members of the network focus on “GDPR Compliance Audits by DPAs.”
How to be prepared for a GDPR audit?
Since the GDPR started to apply on 25 May 2018, the powers of the European data protection authorities (DPAs) have been extended.
They may carry out audits that may take various forms (onsite audit, desk audit, hearing, online audit) on the processing carried out by controllers (private-law bodies, associations, local government authorities, public-law bodies) and processors to verify the proper application of the applicable laws and regulations on the protection of personal data.
If the audit reveals an infringement, or if a complaint is filed, DPAs may impose penalties on controllers and/or processors.
In particular, they may impose a financial penalty of up to €20 million or, in the case of an undertaking, up to 4% of the worldwide turnover, whichever is higher. The fine may be made public.