Services: Mystery audit
Many organizations are concerned with how they are perceived by their customers and how well they or their processors meet the demands set out by GDPR. We offer this service within a controlled environment of your organization (with a very limited number of people being informed).
After inserting a specific set of personal data about a number of real-life data subjects, we let these data subjects exercise their rights in various manners and through various channels.
Our Mystery Audit scenarios cover the following requests:
- Existing customer (preferably with a different customer status for multiple brands/products/services) performs a SAR (subject access request).
- Employee (who holds or held other roles in the past, such as customer, 3rd party, contact person, …) requests his/her data.
- Request to be forgotten, followed by a request to obtain the data (again).
- Request for rectification and restriction of processing until rectification has been proved.
- Request for full transparency on purpose, services/products, retention periods, channel and date/time of the consent.
Additionally, audits (internal and external) can be offered for:
- Data Breach/incident management handling (data breach reported by an employee or reported by an external data subject or other organization).
- Consent management of an existing customer (including consent migration and frequent changes to consent).
This exercise is often an effective indicator of your organisation’s readiness to manage certain aspects of your GDPR capabilities.
This can range from the ability to adhere to the rights of the data subject, to the ability to handle a data breach, or deal with frequently changing consents and transparency requests of data subjects.