Law firm Hedman has compiled this personal data protection self-assessment questionnaire to help organizations identify activities that are not yet covered. The purpose of the checklist is not to provide a complete solution for the protection of personal data, but to draw attention to the processes and activities that should be focused on if assurance is sought that this topic is properly managed.
If the answer to any of these questions is NO, we suggest contacting our Specialist Data Privacy Counsel Andres Ojaver.
Personal data processing is mapped
NO: Carry out an overall data mapping exercise to identify which personal data is processed in which data flow (sources, retention, storage, transfer, deletion, access, etc.). You can use service providers like GDPR Register to do this.
A records of processing activities document has been created
NO: The records of processing activities is a GDPR requirement for basically all entities, and it must contain information about the processing activities (not a detailed log file). These records are compiled as a result of data mapping and must be demonstrable to the supervisory authority on request. It is a written overview that mirrors everything relating to the activities involving personal data in the entity (data source, legal ground, purpose, data categories, related individuals, retention times, sub-processors, etc.). You can use service providers like GDPR Register to do this.
The legal grounds of personal data processing are set
NO: The entity must understand and declare under which legal grounds personal data processing is carried out, and how the processing is divided between those legal grounds (legal obligation, contractual obligation, legitimate interest, the individual's consent, public interest, the individual's vital interest). This division between legal grounds should also be reflected in the privacy notice and in the records of processing activities.
The purposes of personal data processing are set
GDPR compliant consents are collected from individuals
NO: First, you should be convinced that consent is the appropriate legal ground in the particular case. Do not tie the possibility of signing a contract or receiving a service to consenting to personal data processing; in that case the consent is not voluntary and is not GDPR compliant. If the data processing is unavoidable in order to sign the contract or provide the service, consent is not the correct legal ground: the correct legal ground is contractual obligation, and asking for the individual's consent is not needed.
The consent text should be clear and communicate the entire activity that follows from consenting. Consent must be withdrawable. Note that the burden of proving that consent was given lies with the entity, not with the individual.
Privacy Notice is published
GDPR related rights are granted to individuals
NO: By law, individuals have the right to request information on whether their personal data is processed, and to receive a copy of their personal data along with the purposes, retention times, etc. High-quality data mapping and a well-thought-through individual request process are the foundation for handling such requests in a GDPR-compliant way. Note that GDPR also grants individuals other rights that can be exercised against the entity (data portability, deletion, objection, etc.).
Internal documentation/policies exist to demonstrate personal data protection implementation
NO: GDPR not only requires processing personal data according to the applicable principles, but also requires entities to be able to demonstrate this. This means that you should draft and implement internal policies, employee rules of procedure, a data protection and information security policy, etc.
Data protection impact assessments (DPIA) are conducted if and where necessary
NO: An impact assessment needs to be conducted if you are planning high-risk data processing. What counts as high risk in this context is described in the law and in the relevant guidelines. Depending on the planned activity, this can be a rather complicated and cumbersome task, as the requirements for a correct assessment are quite detailed in GDPR.
Employees are trained regarding GDPR requirements and data processing activities
NO: The majority of data breaches are caused by the human factor, often accidentally or through a low level of awareness. Raising and maintaining employee awareness through training is a key factor in creating a secure and compliant data processing environment.
Data processing agreements are signed with service providers/sub-processors and, if needed, clauses for personal data transfers outside the EU/EEA are in place
NO: When an entity uses service providers for personal data processing, the entity remains responsible for data protection requirements towards its clients and employees. If service agreements do not include proper data processing clauses, the entity carries the whole risk of service provider breaches/incidents involving the data it provided, and claims against the service provider can be very difficult. Under GDPR, the entity is obliged to require GDPR compliance from its personal data related service providers through contractual terms.
Data protection is integrated with risk management
NO: Risk management, whether at a systematic level or at a more informal level in small businesses, should also cover personal data protection. Since a personal data breach can cause financial, regulatory and reputational damage, and those risks can be successfully mitigated, risk management and data protection should not be treated as parallel worlds.
Data protection officer (DPO) is designated if required
NO: It is mandatory to designate an internal data protection officer, or to buy in an external DPO service, if the entity is a public sector body or a private entity with high-risk data processing activities. It is important to remember that the DPO, whether internal or external, should be an expert in the data protection field, and that sufficient guarantees are implemented in the organization's processes and structure for the DPO to be able to fulfil the tasks prescribed in GDPR.
Appropriate information security measures are implemented
NO: Information security is of fundamental importance to personal data protection. You may write policies, but if doors are not locked and systems have no access management, the policy is useless. The higher the risk related to the data, the higher the level of information security that should be implemented. A systematic approach is important: it starts from decisions about how much data needs to be collected and whether some of the purposes could be achieved with anonymized data, and covers who can access the data and how prepared the entity is to cope with malicious attacks on the data.
You should also consider creating and implementing an internal information security policy for employees.
An incident/data breach management process and a supervisory authority notification process are implemented
NO: It is very important to identify information security and personal data breaches as quickly as possible and to address them by containing the impact and fixing the root cause. In more serious cases, mandatory notification to the data protection authority and to the affected persons also applies under GDPR. The keys to successfully resolving a data breach/incident are a high level of awareness among employees, an internal policy on how to act when an incident has happened (a process), and a quick response with relevant measures. Every entity must also keep a personal data breach record.