There is an accompanying GUIDANCE NOTE which runs to 10 pages and is too large to include as part of a blog. Please contact Tracey Wakelam at TraceyWakelam@www.probertlegal.com to get your free copy.
| Awareness and Training | |
| Notification to the board of the GDPR and its implications | |
| Appointment of senior staff with DP responsibilities | |
| Do we need to appoint a DPO? | |
| Reporting structure for DP compliance | |
| Will any budget or further budget be allocated? | |
| Roll out general DP training for all staff | |
| Is any additional training required for staff with specific DP responsibilities | |
| Procedure in place for new starters/refresher courses | |
|
Identify what Personal Information is held |
|
| Can you Identify all systems where personal information is held? | |
| If you cannot identify what personal information you hold – carry out a data protection audit | |
|
How did you collect the personal information and what do you do with it? |
|
| How did you collect the personal information? Have you documented this? | |
| Under what condition in the GDPR will you be processing the personal information? Have you documented this? | |
| What do you do with the information? Have you documented this? | |
| Who do you share it with? Have you documented this? | |
| Do you need a data processing register for controllers? | |
| Do you need a data processing register for processors? | |
| Do you have a process for keeping the registers up to date? | |
|
What legal basis do you have for processing the personal information? |
|
| Work out the legal basis for processing and document it | |
| If consent is the basis for processing, does the existing consent comply with the requirements of GDPR? | |
| Do you process any information relating to under 16s? If so consider additional consent issues | |
|
Privacy Notices |
|
| Identify and review current privacy notices (website and paper forms, customer and employee) | |
| Amend existing privacy notices in line with ICO guidance | |
| Draft new privacy notices | |
| Do you require any “just-in-time” notices for consent? | |
| Will a script be required for telephone calls? | |
| Do you require notices on emails or letters? | |
| Will the notices be aimed at children or vulnerable individuals | |
| Process for reviewing the privacy notices | |
|
The rights of individuals |
|
| Are procedures in place to comply with the rights of individuals: | |
|
a.) Right of Subject Access |
|
| · Do you have procedure for identifying and retrieving personal information relating to an individual? | |
| · Can you comply within the new timescales? | |
| · Can you provide the additional information required by the GDPR? | |
|
b.) Right to Rectification |
|
| Do you have systems in place to identify and rectify inaccurate personal information when requested and without undue delay? | |
| Do you have a system to notify the individual when the rectification has been carried out? | |
|
c.) Right to Erasure |
|
| Do you have systems in place to identify and erase personal data when requested and without undue delay? | |
| Do you have a system to notify the individual when the erasure has been carried out? | |
|
d.) Right to Restrict Processing |
|
| Do you have systems in place to restrict the processing of personal information when requested? | |
| Do you have a system to notify the individual when the restriction has been put into place or lifted? | |
|
e.) Right to Data portability |
|
| Have you assessed whether data portability is likely to apply? | |
| If data portability is likely to apply, can you provide personal information in a “structured, commonly used and machine-readable format”? | |
| If data portability is likely to apply, can you transmit the personal information to another organisation where technically feasible? | |
| If data portability is likely to apply, are procedures in place to receive personal information from other organisations (eg where an individual elects to move services to you from another organisation)? | |
|
f.) Right to object |
|
| Do you have processes in place to identify personal information and prevent any further processing if requested? | |
|
g.) Right to prevent automated decision making and profiling |
|
| Do you have processes in place to identify personal information that is subject to automated decision making and prevent any further processing if requested? | |
|
Data Protection Impact Assessments |
|
| Do you have a process in place to identify area of high risk processing and to carry out a data protection impact assessment where appropriate? | |
| Do you have a process in place to ensure that the need for a data protection impact assessment is considered when there is a change in processing activities or when a new processing activity commences? | |
| Can you put into place the measures identified by the data protection impact assessment? | |
| Do you have a process in place for informing the ICO if the measures cannot mitigate the risk of processing? | |
|
Data Protection by Design and by Default |
|
| Do you have procedures in place to document the fact that data protection compliance has been taken into consideration and the necessary measures put into place when undertaking new processing activities or using a new process or technology? | |
| Do you have procedures in place to ensure that only personal information necessary for the specific purpose is processed? | |
|
Data Security Breaches |
|
| Do you have a process in place to ensure that a data security breach is reported by staff members to the DPO or other nominated staff member without delay? | |
| Can you assess any reported data security breach in line with the GDPR to decide whether it should be reported to the ICO? | |
| Do you have agreements with your data processors to ensure that they can provide any necessary information and take remedial action within the deadlines? | |
| If it is decided that a data security breach must be reported to the ICO, can gather the necessary information within 72 hours of becoming aware of it? | |
| Is a process in place to document the facts and remedial action? | |
|
Data Processors |
|
| If you have third party organisations processing personal information on your behalf, do you have contracts in place that comply with the requirements of the GDPR? | |
| If you are a data processor can you comply with the contractual requirements laid down by the GDPR? | |
| If you are a data processor, do you need to appoint a DPO? | |
| If you are a data processor, have you put into place appropriate technological and organisational measures to ensure the security of the personal information? | |
| If you are a data processor, do you have processes in place to report data security breaches to the controller within the time limits and provide the information required by the ICO? | |
|
OTHER ISSUES TO CONSIDER |
|
| Joint Data Controllers | |
| If one or more organisations jointly determine the purpose of processing, have you clearly defined the responsibilities of each controller in complying with the GDPR? | |
|
International aspects |
|
| If the organisation is established in more than one member state, consider which supervisory authority will enforce the GDPR | |
| If any processing of EU citizens data is carried out outside of the EU, has a representative been appointed? | |
|
Codes and certification |
|
| Has the organisation considered joining any industry codes or certification schemes which may fulfil some of the requirements of the GDPR? | |
|
Co-operation with ICO |
|
| Are staff aware of what to do if they are contacted by the ICO and is a procedure in place to promptly deal with any requests for information by the Information Commissioner? | |
|
Automated decision making |
|
| If any automated decision making is taken place then have you considered the addition requirements of the GDPR? |
Leave A Comment