06/30/2022 11:00 PM
This is in practice an audit obligation, during which a company reviews its data management activities. There may be several reasons why a particular data management activity should be modified: managing new or discontinued data (which can have many causes); managing data related to a business branch or field of activity that has since been terminated, or managing new data related to a new field of activity; the introduction of remote work (home office); and so on.
What do I do?
The audit obligation primarily covers data management, so the bottom line is that the company must take stock of the data management activities it performs and examine them one by one to see whether each is (still) really necessary. The record of data management activities is one part of the GDPR documentation, and reviewing it will also be a requirement. During the review, however, it is advisable to review the entire Regulation as well and, where appropriate, amend it so that the practice of the past years is incorporated into the Regulations.
How many years do companies have to keep audit related documents?
The audit must be documented, and the legislation requires a 10-year retention commitment; the company must make the documentation available at the request of the National Authority for Data Protection and Freedom of Information (NAIH).
Who should review?
Legislation does not impose an obligation in this respect; however, just as companies typically use an outside expert to develop their GDPR regulations, it is recommended that the review also be conducted with the participation of an outside expert, with a joint assessment of the purpose of each data management activity, says Dr. Zsidi Roland, Senior Advocate at ICT LEGAL and Dr. Termel Law Office.
A fine may be imposed if the company does not perform the mandatory audit!
The audit becomes important when the company cannot provide audit documents at the request of the authority. In the absence of an audit, the chance increases that, during a potential authority inspection, data management is found not to comply with legal requirements and to be performed without an appropriate purpose and legal basis. In the event of a violation, the Authority is likely to assess the missing review as an aggravating circumstance, which will be taken into account when determining the amount of the fine.
In such a case, the authority would likely oblige the company in its decision to review its data management (the missed mandatory review procedure) and to bring its data management operations into line with legislation, and it may impose a fine for this. If no review has been carried out since the entry into force of the General Data Protection Regulation, that is, since May 25, 2018, it is recommended to make up for it as soon as possible, which not only makes it possible to identify changes in data management practice but also increases the likelihood of filtering out possible unlawful data management, Dr. Zsidi Roland, Senior Advocate at ICT LEGAL and Dr. Termel Law Office, points out.