Do you understand what data flows through your business and have recorded:
what personal data you hold;
where it came from;
who you share it with; and
what you do with it?
Have you recorded at least one of the six legal reasons for processing the data?
If you use consent:
it is good consent;
you record how it has been given; and
you record and manage ongoing consent.
If you are relying on legitimate interests:
you have done the three-part test; and
you can demonstrate that you have fully considered and protected individuals’ rights and interests.
Are you currently registered with the Information Commissioner’s Office?
Do you provide privacy information to individuals, e.g. clients, customers, employees and suppliers?
Can you deal with a Subject Access Request, i.e. a request from an individual to access their personal data, within one month?
Do you make sure that the personal data you hold remains accurate and up to date?
Do you securely dispose of personal data that is no longer required or where an individual has asked you to erase it?
Do you know what to do when someone asks you to restrict the processing of their personal data?
Can someone move, copy or transfer their personal data from your system to another safely?
Can you deal with an individual’s objection to the processing of their personal data?
Do you know if you carry out automated decision making and if so, do you have procedures in place to deal with the requirements?
Do you have a data protection policy, and demonstrate your compliance with it?
Do you regularly review the effectiveness of your data handling and security controls?
Do you provide data protection awareness training for all staff?
If you engage third parties to process your business’s personal data on your behalf (e.g. email marketing companies, database providers, cloud-based service providers), do you have a written contract with them which meets the legal requirements, and do you carry out suitable and sufficient due diligence on them?
Do you know the information risks you have and their business impact so that you can manage them in a structured way?
Have you implemented technical measures and policies to integrate data protection into your data processing?
Do you understand when you must conduct a Data Protection Impact Assessment?
Have you nominated a data protection lead, or a Data Protection Officer (DPO) if required or preferred (note this role can be outsourced)?
If you have a DPO have you notified the ICO?
Do you champion a positive culture of data protection compliance in your business?
Do you have an information security policy supported by suitable security measures?
Do you record all personal data breaches no matter how trivial?
Can you manage and resolve them?
Do you know which must be reported to the ICO?
Do you know which must be reported to the data subject?
Do you know what must be done if any personal data processed by others on your behalf is transferred outside the European Economic Area?
If you don’t know an answer you had better find out fast!