Here are 23 questions that you really should know the answers to:
- Do you understand what data flows through your business, and do you record:
  - what personal data you hold,
  - where it came from,
  - who you share it with, and
  - what you do with it?
- Have you recorded at least one of the six legal reasons for processing the data?
- If you use consent:
  - Is it good consent?
  - Do you record how it has been given? And
  - Do you record and manage ongoing consent?
- If you are relying on legitimate interests:
  - Have you done the three-part test? And
  - Can you demonstrate that you have fully considered and protected individuals' rights and interests?
- Are you currently registered with the Information Commissioner's Office?
- Do you provide privacy information to individuals, e.g. clients, customers, employees and suppliers?
- Can you deal with a Subject Access Request, i.e. a request from an individual to access their personal data, within one month?
- Do you make sure that the personal data you hold remains accurate and up to date?
- Do you securely dispose of personal data that is no longer required or where an individual has asked you to erase it?
- Do you know what to do when someone asks you to restrict the processing of their personal data?
- Can someone move, copy or transfer their personal data from your system to another safely?
- Can you deal with an individual’s objection to the processing of their personal data?
- Do you know if you carry out automated decision making and if so, do you have procedures in place to deal with the requirements?
- Do you have a data protection policy, and demonstrate your compliance with it?
- Do you regularly review the effectiveness of your data handling and security controls?
- Do you provide data protection awareness training for all staff?
- If you have third parties that process your personal data, do you have a written contract with them which meets the legal requirements?
- Do you know the information risks you have and their business impact so that you can manage them in a structured way?
- Have you implemented technical measures and policies to integrate data protection into your data processing?
- Do you understand when you must conduct a Data Protection Impact Assessment?
- Have you nominated a data protection lead, or a Data Protection Officer if you are required to or prefer to (note that this role can be outsourced)?
- If you have a Data Protection Officer, have you notified the Information Commissioner's Office?
- Do you champion a positive culture of data protection compliance in your business?
- Do you have an information security policy supported by suitable security measures?
- Do you record all personal data breaches, no matter how trivial?
  - Can you manage and resolve them?
  - Do you know which must be reported to the Information Commissioner's Office?
  - Do you know which must be reported to the data subject?
- Do you know what must be done if any personal data processed by others on your behalf is transferred outside the European Economic Area?