This document can help you understand the current level of GDPR compliance, find pain points and plan improvements.

GDPR Short Assessment v.1.0, 2019-08-08
By Andrey Prozorov

Company:
Website:
Date:

Self-Assessment options:
SA00 Hard to comment, no information
SA0 No compliance (0%)
SA1 More No than Yes (30%)
SA2 More Yes than No (70%)
SA5 Full compliance (100%). All required documents, procedures and records are available.
N/A Not applicable

Each topic below lists the assessment criteria, the relevant GDPR articles and a Self-Assessment field to fill in.

Understanding the organisation and its context

1. Legislation
• The organisation is under the scope of GDPR.
• The specifics of local legislation have been identified (including ePrivacy, Privacy in Working Life, Labour Legislation); a list of requirements is documented.
• The role or roles of the organisation in personal data processing are defined (Controller, Joint Controller or Processor).
GDPR: Art. 1, 2, 3, 24, 26, 28
Self-Assessment: ____

2. Special requirements
• The special requirements and conditions of personal data processing are defined and understood (if applicable):
  ☐ Processing on a large scale
  ☐ Processing of special categories of personal data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation)
  ☐ Processing of personal data of children
  ☐ Processing of personal data relating to criminal convictions and offences
  ☐ Transfer of personal data to third countries or international organisations
  ☐ Processing by micro, small and medium-sized enterprises (fewer than 250 employees, SME)
  Or / and using:
  ☐ Video devices (CCTV and other)
  ☐ Cookie identifiers
  ☐ Automated individual decision-making, including profiling
  ☐ IoT / Wearable devices
GDPR: Art. 35, 37, 8, 9, 10, 44, 45, 46, 21, 22, 30
Self-Assessment: ____

3. Data Protection Authority (DPA, SA)
• The local DPA has been identified and its recommendations studied.
• Examples of fines for the country and the industry have been studied.
• Prior consultation with the DPA has been conducted (if applicable).
GDPR: Art. 51, 31, 35, 36, 39
Self-Assessment: ____

4. Gap Assessment
• A GDPR Gap Assessment has been conducted and an improvement plan is prepared.
GDPR: -
Self-Assessment: ____

Leadership and Management Support

5. Leadership
• Top management demonstrates leadership and commitment with respect to Data Protection.
• Top management ensures the resources needed for Data Protection are available.
GDPR: Art. 38, 12
Self-Assessment: ____

6. Roles and Responsibilities
• Roles, responsibilities and powers related to data protection are defined, documented, assigned and communicated.
• A Privacy Committee is established (if applicable).
• A representative in the Union is appointed (if applicable).
GDPR: Art. 38, 39, 27
Self-Assessment: ____

7. Data Protection Officer (DPO)
• The DPO is appointed (if applicable) and has no conflict of interest.
• The contact details of the DPO are published and communicated to the supervisory authority (DPA) (if applicable).
• The DPO reports directly to the highest management level in a regular manner.
GDPR: Art. 37, 38, 39
Self-Assessment: ____

8. Data Protection Policy
• A Data Protection Policy (or Privacy Policy) is defined and published.
• A Data Protection Framework and/or Data Protection Programme is prepared.
GDPR: Art. 12, 24
Self-Assessment: ____

Processing and Rights of the data subjects

9. Information Systems and Storages
• All personal data stores and information systems are identified and their owners assigned (information asset register).
GDPR: Art. 5, 25
Self-Assessment: ____

10. Purpose Limitation
• The purposes and lawfulness of all personal data processing activities are defined and documented.
• Storage periods of all personal data are defined and documented.
• All personal data is processed according to the Data Minimisation, Storage Limitation and Purpose Limitation principles.
GDPR: Art. 5, 6, 25
Self-Assessment: ____

11. Records of Processing Activities
• Records of processing activities are maintained and available to the supervisory authority upon request (if applicable), including:
  - the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
  - the purposes of the processing;
  - a description of the categories of data subjects and of the categories of personal data;
  - the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
  - where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  - where possible, the envisaged time limits for erasure of the different categories of data;
  - where possible, a general description of the technical and organisational security measures.
GDPR: Art. 30
Self-Assessment: ____

12. Notification and Consent
• All the necessary notifications about data processing are provided to the data subjects in a timely manner. Relevant notification templates are prepared.
• All cases where consent is requested are identified. Relevant consent templates are prepared.
• All completed consent forms are collected and stored responsibly.
• Data processing is transparent to the data subjects.
GDPR: Art. 7, 12, 13, 14
Self-Assessment: ____

13. Third parties
• The list of third parties (suppliers) and their roles in data processing (Controller, Joint Controller or Processor) are identified and documented.
• All applicable NDAs and other additional contractual agreements are signed.
• All relevant information security requirements are established and coordinated with each supplier.
• Contact details of the suppliers’ DPOs have been obtained.
• The organisation monitors, reviews and audits supplier service delivery in a regular manner.
GDPR: Art. 24, 26, 28
Self-Assessment: ____

14. Data Subject Response Procedure
• A Data Subject Response Procedure is defined and documented; relevant templates are prepared.
• The right of access by the data subject is available upon request, covering:
  - the purposes of the processing;
  - the categories of personal data concerned;
  - the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  - where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  - the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  - the right to lodge a complaint with a supervisory authority;
  - where the personal data are not collected from the data subject, any available information as to their source;
  - the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
  - additionally, the appropriate safeguards relating to the transfer to a third country or to an international organisation (if applicable).
GDPR: Art. 15
Self-Assessment: ____

15. Right to erasure and Right to data portability
• The right to erasure and the right to data portability can be technically fulfilled upon the data subject’s request.
GDPR: Art. 17, 20
Self-Assessment: ____

Risk Management and Data Protection

16. Risk Assessment and data protection impact assessment (DPIA)
• A risk assessment for data processing has been conducted.
• A data protection impact assessment has been conducted (if applicable).
GDPR: Art. 24, 25, 32, 35, 36
Self-Assessment: ____

17. Security of processing
• Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the organisation implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
  - the pseudonymisation and encryption of personal data;
  - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  - the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  - a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
• Data protection by design and by default is applied.
GDPR: Art. 5, 25, 32
Self-Assessment: ____

18. Incident management and notification
• An Incident Management Procedure is defined and documented.
• Relevant templates for notifying a personal data breach to the supervisory authority and to the data subjects are prepared.
GDPR: Art. 33, 34
Self-Assessment: ____

19. Awareness, Education and Training
• Individuals tasked with data protection matters have the necessary skills to discharge their duties. The data protection officer (DPO) and staff demonstrate appropriate levels of qualification and knowledge.
• All employees of the organisation involved in processing operations receive appropriate awareness education and training, and regular updates on organisational policies and procedures, as relevant for their job function.
• Awareness education and training stimulate corporate privacy behaviour.
GDPR: Art. 38, 39
Self-Assessment: ____

20. Compliance and Accountability
• Roles and responsibilities for data protection reviews and continual improvement are defined and documented.
• Independent information security (data protection) audits are conducted in a regular manner.
• All audit records (programme, plans, reports, minutes of meetings) are stored responsibly.
• The organisation is able to demonstrate compliance with GDPR (accountability).
• An information security / data protection certificate is obtained (if applicable).
GDPR: Art. 5, 39, 42
Self-Assessment: ____