Audit for compliance with regulations regarding personal data protection

GDPR, California Consumer Privacy Act, UK GDPR, and the Personal Data Protection Act are the main acts that any CIS business that processes its users’ data may be faced.

You need to understand that if you have a website and use Google analytics, you are already a controller in the terms used in GDPR. Please keep in mind, that below we will focus on GDPR, but many requirements and concepts under Regulation are similar to other personal data protection acts, which apply in jurisdictions other than the EU.

Regardless of whether you operate in the market for several years or you have just started the online activities – you need to have a full GDPR compliance audit (if you work with EU citizens or your company is registered in the EU) or for compliance with other acts. This audit includes a comprehensive analysis of company’s processes for GDPR violations, with further recommendations that can be practically implemented without disrupting your business operations.

Legarithm team always strives for the best result, but never sacrifices the business processes that take place in the company. Often lawyers’ recommendations are a whole list of unworkable items, but not in our case. Understanding that nothing can be changed, we help to update the interactions with personal data what is taking place in your company.

The audit consists of checking the company’s mechanisms of interaction with personal data:

• Availability of legal bases for obtaining and processing PD in accordance with Art. 6 of GDPR.

Here we find what types of personal data and for what purpose you process. Determine whether or not there is data subject’s consent to process and, if not, check whether the other 5 points apply as a legal basis for obtaining and processing personal data. Legarithm provides guidance on extending to certain types of processing the requirement for consent and policy changes.

• The relevance and compliance with GDPR of the amount of PD that is processed by the company.

In this part, the GDPR prescribes “fuzzy” rules and only lawyers specialized in the implementation of its requirements are able to determine what is meant by “relevance” and “sufficient scope”. For this purpose lawyers use EDPB guidelines and understanding the industry in which you work.

• The length of time PDs are stored and removed after the appropriate deadline.

“Sufficient period” is different for each type of personal data processing, so based on the goals set forth in the policies, we determine what period would be relevant for GDPR purposes.

• Ensuring the data subjects’ rights on access, forget, clarify.
• The company’s ability to demonstrate compliance with privacy regulations.

What happens if authorities ask you to explain why you process, for example, the data subjects’ addresses or your business partners want you to demonstrate GDPR compliance, buying software from them? To make sure your answers are legally sound, we’ll do a full analysis of your company’s ability to demonstrate GDPR compliance.

• There is an effective personal data protection system in compliance with the best practices.
• This point covers not only the legal analysis, but also the technical analysis.
• Compliance with national laws and other legislative acts in the field of personal data protection.

Every EU country has its own particularities regarding the protection of personal data, especially in certain industries, e.g. in Malta licensed online operators are required to follow guidelines issued by the MGA. Most of the non-EU member states have also adopted personal data protection laws, which are very similar to GDPR, but have their own specificities and, as a rule, not so high level of enforcement.

As a result, after conducting an audit you will receive a full response on all identified violations. Moreover, we will grade them, allowing you to focus on the primary issues and minimize the negative impact in business processes.