General Data Protection Regulation Questionnaire for Businesses

Transcription

1 General Data Protection Regulation Questionnaire for Businesses

2

3 This short questionnaire is a useful tool to help begin the process of identifying how your organisation collects, processes, and stores personal data. We hope that it may help you identify certain short-falls in your data processing activities and narrow down key areas of focus on. GENERAL MANAGEMENT Please circle the most appropriate choice 1. Do you have a policy that covers data protection matters? 1A. If the answer to the above question is Yes, how do you judge that policy? e.g.) 1 = Clear, useful, up to date 5 = Unclear, useless, out of date 1B. If Yes, when was your policy last reviewed? e.g.) 1 = Less than one year ago 5 = More than four years ago 2. Is your data protection policy adequately resourced, and supported by a management infrastructure that can sustain, monitor and review your policy and generate reports on its effectiveness? 2A. If the answer to the above question Yes, then how well do you think your policy is promoted and supported by management? e.g). 1 = Actively supported 5 = Unsupported 3. Is there an identifiable person responsible for data protection matters?

4 3A. If the answer to the previous question is Yes then how well do you think that person is supported by management? e.g.) 1 = Actively supported 5 = Unsupported 4. Do all individuals who are authorised to process personal data receive appropriate training, instruction or guidance on data protection matters? 4A. If the answer to the above question is Yes, how do you judge the training given? e.g.) 1 = All individuals receive appropriate training/instruction/guidance 5 = Individuals do not receive any training/instruction/guidance 4B. Are you confident that all individuals who process personal data understand their data protection obligations associated with that processing? e.g.) 1 = Very confident 5 = Very unsure 5. If there are contracts, associated with the processing of personal data, which allow contractors and other third parties access to personal data, do these contracts specify adequate data protection requirements? 5A. If the answer to the above question is Yes, then how well do you judge the effectiveness of the monitoring and/or auditing of contractual controls? e.g.) 1 = Compliance with contracts is audited/monitored regularly 5 = No auditing/monitoring is undertaken

5 6. Is there a folder of documents, or other documentation, which will help to manage and demonstrate compliance with your data protection obligations? 6A. If the answer to the above question is Yes, then what is your view on the quality of the information in the folder or in other documentation? e.g.) 1 = Clear, complete, up to date 5 = Unclear, incomplete, out of date LAWFULNESS OF PROCESSING 7. Has the full extent of processing, which is authorised by law or regulation, been identified? 8. Has proof of lawful processing been retained? 9. Are data subjects made aware, before they provide personal data, of why personal data is being collected and which organisations will use their data? 10. Are there significant practical or technical difficulties in providing the details identified in the above question? 11. Are there reasons (e.g. public interest) for not providing such information? 12. When personal data about a data subject are provided to you by other organisations or individuals, are these data subjects made aware of why personal data is collected and which organisations will use that data? Always Sometimes Never Don t Know

6 13. Is there a significant practical or technical difficulty in providing the details identified in the previous question? 14. Are there reasons (e.g. public interest) for not providing such information? QUALITY OF PERSONAL DATA 15. Is personal data assessed as to whether it is adequate, relevant and not excessive in the context of each particular purpose? Always Sometimes Never Don t Know 16. Are there significant practical or technical difficulties in meeting the above criteria in all circumstances? 17. Are there reasons (e.g. in the public interest) retaining the personal data since the data might become relevant in the future? 18. Is personal data assessed for accuracy and checked whether it is up to date? At appropriate intervals Sometimes Never Don t Know 19. Are there significant practical or technical difficulties in carrying out such assessments? 20. Before action is taken against a data subject, is the accuracy of the personal data checked? Always Sometimes Never Don t Know 21. Are there practical or technical difficulties in carrying out such checks?

7 22. Do formal criteria/procedures for the deletion of personal data exist? 23. Are there significant practical or technical difficulties in deleting personal data? 24. Are there reasons (e.g. in the public interest) for not deleting some or all of the personal data? SECURITY 25. Is there a security policy that covers all aspects of the processing and collecting of personal data? 25A. If the answer to the above question is Yes, how do you judge the security policy? e.g.) 1 = Clear, concise, useful 2 = Unclear, verbose, useless 25B. If the answer to the above question is Yes, how well is the security policy promoted and supported by management? e.g.) 1 = Actively supported 5 = Wholly unsupported 26. Do security controls or procedures include measures to ensure the integrity of the personal data and of its processing?

8 26A. How effective do you consider these controls/procedures to be? e.g.) 1 = Very effective 2 = Wholly ineffective 27. Do security controls or procedures include measures to permit user identification and authorisation for processing? 27A. How effective do you consider the controls/procedures to be? e.g.) 1 = Very effective 5 = Wholly ineffective 28. Do security controls or procedures include measures to safeguard operating procedures? 28A. How effective do you consider the controls/procedures to be? e.g.) 1 = Very effective 5 = Wholly ineffective 29. Do security controls or procedures include measures that include encryption? 30. Do security controls or procedures include measures to invoke a business continuity/ disaster recovery plan? 30A. Are there significant practical or technical difficulties in forming such a plan?

9 31. Do security controls or procedures include measures to establish adequate audit and monitoring arrangements? 31A. How effective do you consider these arrangements to be? e.g.) 1 = Very effective 5 = Wholly ineffective 32. Do security controls or procedures include measures to safeguard the physical security of the processing environment? 32A. How physically secure do you consider your processing of personal data to be? e.g.) 1 = Very secure 5 = Wholly insecure 33. Are staff trained in the necessary security controls and procedures? 33A. If the answer to the above question is Yes, then how do you judge the training given? e.g.) 1 = Staff receive appropriate security training 5 = Staff wholly untrained 33B. When did you last receive training/instruction on IT security requirements? e.g.) 1 = Less than one year ago 5 = More than four years ago

10 DATA SUBJECTS RIGHTS Data Protection Seminar 34. Do procedures allow for data subjects to be informed of the nature of the processing of personal data, and to receive confirmation as to whether or not personal data about them is processed? Yes Sometimes No Don t Know 35. Are there significant practical or technical difficulties in providing such information? 36. Are there reasons (e.g. in the public interest) for not providing such information? 37. Do procedures allow data subjects to exercise their right of access to personal data which relate to them? Yes Sometimes No Don t Know 38. Are there significant practical or technical difficulties in providing such data to the data subject? 39. Are there reasons (e.g. in the public interest) for not providing such data? 40. Do procedures allow for data subjects to be informed of the logic underpinning any automated decision-making processing which significantly impacts on them and to challenge such decision? Yes Sometimes No Don t Know 41. Are there significant practical or technical difficulties in providing such information? 42. Are there reasons (e.g. in the public interest) for not providing such information?

11 43. Do procedures have the capability to correct, block or erase personal data (e.g. in compliance with requests from data subjects and/or from data protection authorities or courts) and to notify third parties who have received data subject s personal data? Yes Sometimes No Don t Know 44. Are there significant practical or technical difficulties in providing such information? 45. Do procedures allow data subjects to object to the processing of personal data? 46. Are there reasons (e.g. in the public interest) for not allowing such objection? 47. Has a comprehensive census of the processing of personal data been carried out? 47A. When was the last census carried out? e.g.) 1 = Less than one year ago 5 = More than four years ago 48. Do procedures anticipate the need to notify details of the processing to a data protection authority (e.g. the Information Commissioner s Office)? SYSTEM DESIGN 49. Are data protection considerations taken into account during the development, purchase or acquisition of hardware and software?

12 50. Are changes to the software or processing environment considered in the context of data protection obligations? Interpreting the results of the Questionnaire Each question is based on one or more of the statutory obligations in the Data Protection Act 1998 which the data controller has towards the protection of personal data of a data subject. It is important to double check that you are not overlooking something which could make your processing of personal data unlawful. Although this questionnaire uses the Data Protection Act 1998 as the basis for its questions, it is important to understand that if you identify deficiencies in your organisation based on this questionnaire then it is highly unlikely that you will be compliant with the General Data Protection Regulation because the upcoming legislation incorporates and further develops the existing legal framework. Each No answer, or a Yes answer which scores 4 or 5, identifies a potential exposure in your data protection procedures. Although lower scores cannot be ignored and should also be investigated, it would be advisable to focus on the highest scoring aspects of the questionnaire first because these are likely the source of the greatest deficiencies in your current data handling procedures. An answer that indicates a significant practical or technical problem in meeting an obligation needs further consideration. If an obligation cannot be satisfied because it is impossible or involves disproportionate effort, then in some cases the legislation permits the derogation from the obligation. That said, it is likely that the test of what is or what isn t disproportionate will more than likely increase under the General Data Protection Regulation with the addition of the Accountability Principle and the higher standard of consent that must be obtained prior to undertaking the processing of personal data, particularly in light of the increased fines regime. Any Sometimes answer, or any matter associated with the processing of personal data in the public interest, needs careful attention before you decide whether or not an exemption from a data protection obligation applies. It is crucial to understand that the exemptions are very narrow in scope and will only apply to a very small sub-set of organisations, for example, GCHQ or MI5. It cannot, and should not, be used as an excuse to try and avoid your legal obligations, particularly in light of the upcoming General Data Protection Regulation. We would be grateful if you could provide us a copy/scan of your answers by ing either Graham Millar (gmillar@) or John Kielski (jkielski@).

13 Your Contacts Derek Hamill Partner Head of Corporate T +44 (0) M +44 (0) E dhamill@ Graham Millar Partner Head of Employment T +44 (0) M +44 (0) E gmillar@ John Kielski Solicitor Corporate T +44 (0) M +44 (0) E jkielski@

14