
RECIPROCITY

Preparing for a
GDPR audit
A Step-by-Step Guide

www.reciprocitylabs.com
The European Union’s General Data Protection
Regulation (GDPR) is a lengthy, complex set of rules,
so auditing your organization’s compliance is certain
to be an arduous process. But there are steps you
can take now and later to make the process easier
on your business and auditors and avoid costly and
burdensome findings.

The GDPR mandates 99 rules aimed at protecting the privacy and security of European Union resident citizens’ data. All these rules can seem overwhelming, especially at audit time. As with cooking a complicated dish, however, a GDPR audit will be easier if you:

1. Gather all your “ingredients” in advance.
2. Break the regulation’s many elements into discrete categories.
3. Create a project plan to guide you through audit preparations step-by-step.

The Ingredients

Your auditor will need all your documents, which—ideally—you will have created and maintained over the preceding six months or year in anticipation of this audit. The documents should include:

• Data classification records
• Record of processing
• Data collection and retention policies
• Retention management documents, including emails and data tracking records
• Access management policies
• Risk management policies
• Business continuity and disaster recovery policies
• Third-party vendor contracts and policies
• Data security policies and protocols
• Breach management plan
• Privacy policies
• Register of Subject Access Requests

The Categories

The GDPR is essentially driven by two factors: DATA and RISK. It lays down data processing rules to ensure the privacy of data owners, rules for safeguarding data against breaches and unauthorized use (risk), and rules for responding to breaches and theft in a timely and effective manner.

To begin your project plan, comb through the rules and divide them into the following categories, as outlined in Article 5:

1. Lawfulness, fairness, and transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality

The Project Plan

With each of the GDPR’s rules duly categorized, you can now begin examining your documents to determine which of your collected data is regulated by which rule, and how. Your auditor will use this information as well as the documents you have gathered to determine your GDPR compliance.

CATEGORY 1: Lawfulness, Fairness, and Transparency

“Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”
—GDPR Article 5 (1)(a)

In the GDPR, the term “lawfulness” refers to your reasons or justifications for collecting and processing EU resident citizens’ data. Article 6 outlines the conditions necessary for lawful data collection:

• Consent: the data owner, or “data subject,” has given you permission to collect, use, and store their data
• Performance of a contract
• Compliance with a legal obligation
• Protection of vital interests of the data subject or someone else
• Performance of a public interest task, such as for public administration
• Pursuit of legitimate interests, including direct marketing

“Fairness” applies to the ethics, including honesty and good faith, under which the data has been processed.

“Transparency” means the data subject knows who has collected their data, how it is being processed, and what it is being used for.

You will need to provide the auditor with answers to the following questions:

• What specific data are you collecting?
• Why does your organization need it?
• What are you using it for?
• Have you received consent from the data subjects to collect, process, use, and store the data?
• Have you notified the data subjects about what you are collecting, and why?
• Have you given data subjects the ability to opt out of the collection, processing, and storage of their information?
• Is the data properly classified according to how it is being used (context), its level of sensitivity (content), and who can access it (user)? Under the GDPR, certain types of data are “restricted,” meaning they can be collected only when certain requirements are met, while others are “prohibited” from collection except under very specific circumstances.

• Is the data properly categorized? The International Association of Privacy Professionals divides data categorization into six areas: internal, external, historical, financial, social, and tracking. Categorizing data helps to ensure that your organization is handling it lawfully.

CATEGORY 2: Purpose Limitation

“1. Personal data shall be…collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes”
—GDPR Article 5 (1)(b)

Why are you collecting personal data, and what will you do with it? You will need to show the auditor that, from the moment of collection, you have identified your purposes and made them transparent to the people from whom you are collecting it—usually in a clear, concise privacy notice. You must review your data processing policies and practices regularly. And if your purposes or uses change, you must notify the data subjects again—unless the new use is compatible with the original one.

The new use is “compatible” if it is for:

• Archiving in the public interest
• Research, either scientific or historical
• Compiling or measuring statistics

Questions you should answer include:

• What are the stated purposes for collecting personal data? Does the enterprise actually use the data for these purposes?
• Does your privacy policy state these purposes clearly and concisely? Do data subjects see and consent to this policy before you collect their information? Do they have the opportunity to “opt out” of providing data for your stated uses?
• How often do you review your data processing policies and practices? How do you conduct this review? What are the results?
• What procedures do you follow if you decide to change the way you use your collected data?
• Have your data uses changed? Are the changes compatible with your original purposes for collecting the data? If not, have you notified the data subjects of the changes? How have you notified them? Has everyone consented to the changes? If not, have you erased or anonymized the disputed data, or ensured that it is not used in the manner to which its subjects have objected?

If you are unsure whether a new use is compatible with the original one, you should ask:

• Does a link exist between the new purpose and the original one?
• Is the data in question highly sensitive?
• How might the new use affect the data subjects?
• What is the context in which you originally collected the data? What were the data subjects told to expect?
• How secure is the data in its new use?

If your uses of data have changed since you began collecting it, you will need to provide documentation to your auditor showing when the change occurred, how it occurred, and why; whether the new purpose is compatible with the original use; and, if necessary, whether you have obtained the data subjects’ consent for the new use.

CATEGORY 3: Data Minimization

“Personal data shall be: (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’)”
—GDPR Article 5 (1)(c)

The GDPR allows organizations to collect only the personal data they need from EU resident citizens—not a single jot more—and to keep it only for the time needed.

When you collect personal data, your responsibilities have only just begun. Under the GDPR, data subjects are entitled to review, revise, and even withdraw the information that you have collected about them—the so-called “right to be forgotten.”

To show compliance with data minimization rules, you will need to provide the auditor with answers to these questions:

• Why are you collecting the data? What are the specific purposes for each item of information you possess?
• Are you collecting enough data to fulfill your stated purposes?
• Are you collecting more data than you need?
• For what length of time are you storing data? Why do you need to keep it for that length of time?
• How are you maintaining your records to ensure data minimization? How often do you review stored data, match it against your stated needs, and delete what is not necessary?
• How many requests to review, amend, or erase personal data have you received? Have those requests been met? If not, why?

CATEGORY 4: Accuracy

“1. Personal data shall be: (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)”
—GDPR Article 5 (1)(d)

It is not uncommon for a database to contain mistakes—perhaps caused by inputting errors, erroneous code, formatting problems, or something else. If an error comes to your organization’s attention, you must correct it.

For this requirement, you will need to show the auditor that your enterprise’s data records are as accurate as can be—that you have taken the necessary precautions to ensure that they are correct and up to date.

Questions you will need to answer for the auditor include:

• Is the personal data your organization possesses accurate and correct? How do you know?
• What do you do with Subject Access Requests (SARs)? Data subjects may use SARs to update or correct the data you have on file for them, exercising their right to rectification under the GDPR.
• Have you received any SARs? If so, when did you receive the requests, and for which information? What were the changes, and when and how were they made? Your record of processing should show how each SAR was handled. It should also include the data subject’s acknowledgment that they received the record of processing and are satisfied with the results.
• Who records data into your systems? How do you ensure that their work is error-free?
• What are your policies and procedures for notifying those with whom you have shared personal data of any changes or corrections in that data?
• What are your procedures for ensuring the accuracy and integrity of sensitive and restricted data and intellectual property?

CATEGORY 5: Storage Limitation

“Personal data shall be: (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”
—GDPR Article 5 (1)(e)

For this category, you will need to provide your auditor with your data storage and retention policies and procedures. The GDPR allows you to store personal data only for as long as you need it, and requires you to erase or anonymize it as soon as it is no longer useful to your organization or the public interest.

The duration of data storage will depend largely on its classification and purpose. As noted in Category 1 in this document, each record in your system should be assigned a tag (i.e., classification) such as “highly sensitive” or “restricted,” earmarking it for deletion within a certain timeframe. Although many organizations require this tagging and timely purging, they often fail to comply.

Questions regarding data storage and retention include:

• What are your organization’s policies regarding data storage?
• Where is your data stored? Has all data been assigned a classification?
• What are your reasons for keeping personal data in storage?
• Are your third-party vendors storing personal data on your behalf?
• Are your stored data records identifiable—do they enable any viewer to identify the associated data subjects? If so, why haven’t you masked that data?
• Which data have you disposed of, and when? What process did you use?
• Have you used third-party vendors to dispose of data? If so, what process did they use to destroy it? What contractual agreements do you have with vendors regarding data destruction?
• Have you anonymized your retained data? The GDPR defines anonymized data as “data rendered anonymous in such a way that the data subject is not or no longer identifiable.” This means stripping data records of identifying features, such as names, addresses, and Social Security numbers, so that not even the person who anonymized it can identify its subjects.
• Have you pseudonymized your retained data? Pseudonymizing differs from anonymizing; instead of deleting identifying data, pseudonymizing replaces one or more fields in the data record with false, or pseudonymous, data. For instance, the credit card number in a record might be linked with a false name or Social Security number. For the record’s subject to be identified, the pseudonymous information must be reunited with its true data.

Anonymization and pseudonymization have an extra potential benefit for your enterprise. The GDPR allows properly masked records to be treated as “out of scope,” meaning storage limitations may not apply. And Article 6(4)(e) allows your organization to use pseudonymized data for purposes beyond those for which you originally collected it—giving you the ability to have your proverbial cake and eat it, too.
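The tag-driven retention sweep described above, with the anonymize-versus-pseudonymize distinction, worked through in Python as an added example (not code from this guide or from Reciprocity). The retention periods, field names, key and sample records are all constructed; the HMAC token scheme is one common way to pseudonymize, not one the guide prescribes.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed retention schedule (days) per classification tag. The guide
# names tags such as "highly sensitive" and "restricted" but gives no periods.
RETENTION_DAYS = {"highly sensitive": 90, "restricted": 365, "internal": 730}

# Purposes that Article 5(1)(e) lets outlive the normal retention period,
# subject to the Article 89(1) safeguards (here: pseudonymization).
ARCHIVAL_PURPOSES = {"public-interest archiving", "scientific research",
                     "historical research", "statistics"}

# Fields that identify a data subject directly (assumed field names).
IDENTIFIERS = ("name", "email", "national_id")


def retention_status(record, today):
    """Return 'untagged', 'retain', 'archival' or 'expired' for one record."""
    tag = record.get("classification")
    if tag not in RETENTION_DAYS:
        return "untagged"  # an unclassified record is itself an audit finding
    deadline = record["collected"] + timedelta(days=RETENTION_DAYS[tag])
    if today <= deadline:
        return "retain"
    if record.get("purpose") in ARCHIVAL_PURPOSES:
        return "archival"
    return "expired"


def anonymize(record):
    """Irreversible: identifying fields are dropped; no key can relink them."""
    return {k: v for k, v in record.items() if k not in IDENTIFIERS}


def pseudonymize(record, key):
    """Reversible, but only with the key and the token->value mapping, which
    the controller stores apart from the data set. Returns (record, mapping)."""
    out, mapping = dict(record), {}
    for field in IDENTIFIERS:
        if field in out:
            msg = f"{field}:{out[field]}".encode()
            token = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
            mapping[token] = out[field]
            out[field] = token
    return out, mapping


def reidentify(pseudo_record, mapping):
    """Reunite the pseudonymous fields with their true data."""
    out = dict(pseudo_record)
    for field in IDENTIFIERS:
        if field in out and out[field] in mapping:
            out[field] = mapping[out[field]]
    return out


def retention_sweep(records, today, key):
    """Apply the storage-limitation rule to every record and bucket the results."""
    buckets = {"untagged": [], "retained": [], "anonymized": [], "pseudonymized": []}
    mapping = {}
    for rec in records:
        status = retention_status(rec, today)
        if status == "untagged":
            buckets["untagged"].append(rec)
        elif status == "retain":
            buckets["retained"].append(rec)
        elif status == "archival":
            pseudo, m = pseudonymize(rec, key)
            mapping.update(m)  # keep this mapping out of the archive itself
            buckets["pseudonymized"].append(pseudo)
        else:
            buckets["anonymized"].append(anonymize(rec))
    return buckets, mapping


# Constructed sample records; none describe a real person.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Ann Example", "email": "ann@example.test", "purpose": "marketing",
     "classification": "highly sensitive", "collected": date(2023, 1, 10)},
    {"id": 2, "name": "Bo Sample", "national_id": "000-00-0000", "purpose": "statistics",
     "classification": "restricted", "collected": date(2023, 1, 10)},
    {"id": 3, "name": "Cy Demo", "email": "cy@example.test", "purpose": "billing",
     "classification": "internal", "collected": date(2023, 1, 10)},
    {"id": 4, "name": "Di Untagged", "email": "di@example.test", "purpose": "billing",
     "collected": date(2023, 1, 10)},
]
KEY = b"constructed-demo-key"  # in production this lives in a key manager


def demo(today=date(2024, 6, 1)):
    """Run the sweep over the constructed records as of a fixed date."""
    return retention_sweep(SAMPLE_RECORDS, today, KEY)


if __name__ == "__main__":
    for name, recs in demo()[0].items():
        print(name, [r["id"] for r in recs])
```

Records 1 and 2 are both past their retention deadline on the chosen date, but only record 2 has an Article 89(1) purpose, so it is pseudonymized while record 1 is anonymized; record 4 lands in the "untagged" bucket, which is the finding the auditor's "Has all data been assigned a classification?" question is looking for.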

CATEGORY 6: Integrity and Confidentiality

“Personal data shall be: (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
—GDPR Article 5 (1)(f)

For the purposes of your GDPR audit project plan, this category is the most complex and broad, encompassing access controls, information security, disaster recovery, breach response, and more.

You will need to provide documentation showing how your organization protects the integrity and confidentiality of personal data in its possession across the following categories:

Access
• Who has access to personal data, and where is that data located?
• Is all personal data classified, and is access restricted to those who need the data to do their job?
• How does your system determine access—with an Identity Access Management (IAM) or Privilege Access Management (PAM) system, or in some other way?
• What are your policies and procedures regarding access to data? Are those rules being followed?
• When data needs to be edited or changed, who performs that task?
• How do you control access to special categories of personal data such as “restricted” and “highly sensitive”?

Under the GDPR, not all data is created equal. Certain types of data, including those that show subjects’ religious and political preferences, are “prohibited” and should not be in your enterprise’s system except in select circumstances, and even then, the data must be anonymized. Some data, such as that of minors, is “restricted” and has special requirements for processing, such as parental consent.

A robust classification system for the information you collect, process, share, and store will make it easier to ensure that you are adhering to GDPR rules for special categories of data. You will need to show the auditor your record of processing, which should indicate how different data records are classified and whether they can be shared throughout the organization and with external parties.

Third-party processors
• Which third-party data processors have access to your organization’s data? You will need to provide your vendor contracts, record of processing, vendor lists, and other relevant documents.
• What information are those processors capturing?
• What are they doing with the information? What are they using it for?
• How are they managing the data? Are they using a supply chain or customer relationship management system?
• How are they storing the data?
• Does the processor maintain a register of collected data? How often is it updated?
• Who has access to the data the vendor processes for you? How is access granted and revoked? What IAM or PAM system does the processor use?
• How does the vendor handle SARs and requests to update or delete the data?
• How do you audit, monitor, and assess the vendor’s handling of the data you provide? Having a contract is not enough; you must ensure that the vendor lives up to contractual agreements. The GDPR holds both the controller and processor responsible if a breach or other security incident occurs and EU resident citizen data is compromised.

• If a security incident should occur, what protocols have you established with the processor? Who notifies the authorities and the data subjects?
• What is the vendor’s GDPR policy? You will need to provide the auditor with the vendor’s:
  • Security policy
  • Records management policy
  • Business continuity and disaster recovery policy
  • Breach management process and plan
  • Privacy policies

Network perimeter security
• How do you protect sensitive stored data, such as your customers’ credit card information? Do you mask it? Are the servers behind a firewall? Are they segmented?
• What deletion policies and procedures do you have in place? How diligently are they followed?

Privacy by design
• Do your system and software developers build data privacy into every step of the process? When building new systems or upgrading existing ones, controllers and processors must incorporate privacy principles and adhere to them throughout software development and management.
• What are your risk management principles?
• How is risk management set up in your organization? Who is responsible for managing risk?
• How are risk management processes, governance, and policies established and monitored? When are they updated?
• Do you have a register of risk management processes and policies? Who maintains it?
• Which processes associated with the GDPR does that register contain?
• Who is responsible for ensuring that the items in the risk management register are properly ranked, closed, signed, or resolved?

Data security and breach management
• What are your processes associated with security configuration and any changes to it?
• How do you monitor asset and data changes? Do you conduct vulnerability management on a regular basis? What about penetration testing?
• What are your breach management policies and procedures?
• How many breaches has your organization experienced, and how did you handle them? What was your response time? What data was involved in each breach?
• Across your enterprise, have breach management responsibilities been assigned to the departments responsible for each breach?
• How quickly were notifications issued after each breach? Who was notified? Did you contact the appropriate local or European authorities as well as employees and affected data subjects? Did notification occur within the GDPR’s mandatory 72-hour window? What kind of follow-up occurred?
• What was the impact of each breach? How was it contained?
• What kind of investigation followed each breach?
• How does your enterprise log breaches and track recurrences and patterns?
• Does your organization provide a breach management form? Is it online and available for individuals to use to notify you if they suspect that their information has been breached or otherwise compromised?
• Have your breaches been classified?
• Does your organization train employees regarding breach management, data privacy, and the rules and requirements of the GDPR?

Well Worth the Effort

Compiling all this information may seem an onerous task—even overwhelming, at first.

Admittedly, the GDPR is a very complex regulation, with many parts. But with some advance planning and organizing, controllers can make the auditor’s job much easier, saving your enterprise time, effort, and money.

By following this checklist, you should have enough information to prepare for next year’s audit—as well as the peace of mind that your organization is in full compliance, avoiding the risk of hefty fines and penalties. Periodic self-audits can be invaluable as well, perhaps conducted by your internal auditor or with quality governance, risk, and compliance (GRC) software. Then, once you are confident that you are in compliance with the GDPR, your customers and clients can rest assured that you are effectively safeguarding their personal data and protecting their privacy and security. Now, that’s customer service.

The Checklist

The Ingredients
• Data classification records
• Record of processing
• Data collection and retention policies
• Retention management documents, including emails and data tracking records
• Access management policies
• Risk management policies
• Business continuity and disaster recovery policies
• Third-party vendor contracts and policies
• Data security policies and protocols
• Breach management plan
• Privacy policies
• Register of Subject Access Requests

CATEGORY 1: Lawfulness, Fairness, and Transparency
• What specific data are you collecting?
• Why does your organization need it?
• What are you using it for?
• Have you received consent from the data subjects to collect, process, use, and store the data?
• Have you notified the data subjects about what you are collecting, and why?
• Have you given data subjects the ability to opt out of the collection, processing, and storage of their information?
• Is the data properly classified according to how it is being used (context), its level of sensitivity (content), and who can access it (user)? Under the GDPR, certain types of data are “restricted,” meaning they can be collected only when certain requirements are met, while others are “prohibited” from collection except under very specific circumstances.
• Is the data properly categorized? The International Association of Privacy Professionals divides data categorization into six areas: internal, external, historical, financial, social, and tracking. Categorizing data helps to ensure that your organization is handling it lawfully.

CATEGORY 2: Purpose Limitation
• What are the stated purposes for collecting personal data? Does the enterprise actually use the data for these purposes?
• Does your privacy policy state these purposes clearly and concisely? Do data subjects see and consent to this policy before you collect their information? Do they have the opportunity to “opt out” of providing data for your stated uses?
• How often do you review your data processing policies and practices? How do you conduct this review? What are the results?
• What procedures do you follow if you decide to change the way you use your collected data?
• Have your data uses changed? Are the changes compatible with your original purposes for collecting the data? If not, have you notified the data subjects of the changes? How have you notified them? Has everyone consented to the changes? If not, have you erased or anonymized the disputed data, or ensured that it is not used in the manner to which its subjects have objected?

If you are unsure whether a new use is compatible with the original one, you should ask:
• Does a link exist between the new purpose and the original one?
• Is the data in question highly sensitive?
• How might the new use affect the data subjects?
• What is the context in which you originally collected the data? What were the data subjects told to expect?
• How secure is the data in its new use?

CATEGORY 3: Data Minimization
• Why are you collecting the data? What are the specific purposes for each item of information you possess?
• Are you collecting enough data to fulfill your stated purposes?
• Are you collecting more data than you need?
• For what length of time are you storing data? Why do you need to keep it for that length of time?
• How are you maintaining your records to ensure data minimization? How often do you review stored data, match it against your stated needs, and delete what is not necessary?
• How many requests to review, amend, or erase personal data have you received? Have those requests been met? If not, why?

CATEGORY 4: Accuracy
• Is the personal data your organization possesses accurate and correct? How do you know?
• What do you do with Subject Access Requests (SARs)? Data subjects may use SARs to update or correct the data you have on file for them, exercising their right to rectification under the GDPR.
• Have you received any SARs? If so, when did you receive the requests, and for which information? What were the changes, and when and how were they made? Your record of processing should show how each SAR was handled. It should also include the data subject’s acknowledgment that they received the record of processing and are satisfied with the results.
• Who records data into your systems? How do you ensure that their work is error-free?
• What are your policies and procedures for notifying those with whom you have shared personal data of any changes or corrections in that data?
• What are your procedures for ensuring the accuracy and integrity of sensitive and restricted data and intellectual property?

CATEGORY 5: Storage Limitation
• What are your organization’s policies regarding data storage?
• Where is your data stored? Has all data been assigned a classification?
• What are your reasons for keeping personal data in storage?
• Are your third-party vendors storing personal data on your behalf?
• Are your stored data records identifiable—do they enable any viewer to identify the associated data subjects? If so, why haven’t you masked that data?
• Which data have you disposed of, and when? What process did you use?
• Have you used third-party vendors to dispose of data? If so, what process did they use to destroy it? What contractual agreements do you have with vendors regarding data destruction?
• Have you anonymized your retained data? The GDPR defines anonymized data as “data rendered anonymous in such a way that the data subject is not or no longer identifiable.” This means stripping data records of identifying features, such as names, addresses, and Social Security numbers, so that not even the person who anonymized it can identify its subjects.
• Have you pseudonymized your retained data? Pseudonymizing differs from anonymizing; instead of deleting identifying data, pseudonymizing replaces one or more fields in the data record with false, or pseudonymous, data. For instance, the credit card number in a record might be linked with a false name or Social Security number. For the record’s subject to be identified, the pseudonymous information must be reunited with its true data.

CATEGORY 6: Integrity and Confidentiality

ACCESS
• Who has access to personal data, and where is that data located?
• Is all personal data classified, and is access restricted to those who need the data to do their job?
• How does your system determine access—with an Identity Access Management (IAM) or Privilege Access Management (PAM) system, or in some other way?
• What are your policies and procedures regarding access to data? Are those rules being followed?
• When data needs to be edited or changed, who performs that task?
• How do you control access to special categories of personal data such as “restricted” and “highly sensitive”?

THIRD-PARTY PROCESSORS
• Which third-party data processors have access to your organization’s data? You will need to provide your vendor contracts, record of processing, vendor lists, and other relevant documents.
• What information are those processors capturing?
• What are they doing with the information? What are they using it for?
• How are they managing the data? Are they using a supply chain or customer relationship management system?
• How are they storing the data?
• Does the processor maintain a register of collected data? How often is it updated?
• Who has access to the data the vendor processes for you? How is access granted and revoked? What IAM or PAM system does the processor use?
• How does the vendor handle SARs and requests to update or delete the data?
• How do you audit, monitor, and assess the vendor’s handling of the data you provide? Having a contract is not enough; you must ensure that the vendor lives up to contractual agreements. The GDPR holds both the controller and processor responsible if a breach or other security incident occurs and EU resident citizen data is compromised.
• If a security incident should occur, what protocols have you established with the processor? Who notifies the authorities and the data subjects?
• What is the vendor’s GDPR policy? You will need to provide the auditor with the vendor’s:
  • Security policy
  • Records management policy
  • Business continuity and disaster recovery policy
  • Breach management process and plan
  • Privacy policies

NETWORK PERIMETER SECURITY
• How do you protect sensitive stored data, such as your customers’ credit card information? Do you mask it? Are the servers behind a firewall? Are they segmented?
• What deletion policies and procedures do you have in place? How diligently are they followed?

PRIVACY BY DESIGN
• Do your system and software developers build data privacy into every step of the process? When building new systems or upgrading existing ones, controllers and processors must incorporate privacy principles and adhere to them throughout software development and management.
• What are your risk management principles?
• How is risk management set up in your organization? Who is responsible for managing risk?
• How are risk management processes, governance, and policies established and monitored? When are they updated?
• Do you have a register of risk management processes and policies? Who maintains it?
• Which processes associated with the GDPR does that register contain?
• Who is responsible for ensuring that the items in the risk management register are properly ranked, closed, signed, or resolved?

DATA SECURITY AND BREACH MANAGEMENT
• What are your processes associated with security configuration and any changes to it?
• How do you monitor asset and data changes? Do you conduct vulnerability management on a regular basis? What about penetration testing?
• What are your breach management policies and procedures?
• How many breaches has your organization experienced, and how did you handle them? What was your response time? What data was involved in each breach?
• Across your enterprise, have breach management responsibilities been assigned to the departments responsible for each breach?
• How quickly were notifications issued after each breach? Who was notified? Did you contact the appropriate local or European authorities as well as employees and affected data subjects? Did notification occur within the GDPR’s mandatory 72-hour window? What kind of follow-up occurred?
• What was the impact of each breach? How was it contained?
• What kind of investigation followed each breach?
• How does your enterprise log breaches and track recurrences and patterns?
• Does your organization provide a breach management form? Is it online and available for individuals to use to notify you if they suspect that their information has been breached or otherwise compromised?
• Have your breaches been classified?
• Does your organization train employees regarding breach management, data privacy, and the rules and requirements of the GDPR?

About Reciprocity

Reciprocity provides ZenGRC to the world’s leading companies. Our cloud-based solution with fast, easy deployment, unified controls management, and a centralized dashboard offers simple, streamlined compliance and risk management, including self-audits, without the hassle and confusion of spreadsheets. Contact a Reciprocity expert today to request your free demo, and embark on the worry-free path to regulatory compliance—the Zen way.

www.reciprocitylabs.com/resources
engage@reciprocitylabs.com
(877) 440-7971
