Top 12 Questions EU GDPR Assessment for Compliance Preparation

Try the top 12 questions EU GDPR assessment for preparing for compliance using the form below. The assessment is based on guidance provided by the UK ICO and has been adapted for online use. At the end of the assessment, your score out of 12, as well as your percentage achievement against these questions, will be displayed.

EU GDPR Assessment Top 12 Questions

  • Detailed Advice: You should make sure that decision makers and key people in your organisation are aware that the law is changing to the EU GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the EU GDPR. It would be useful to start by looking at your organisation’s risk register, if you have one. Implementing the GDPR could have significant resource implications, especially for larger and more complex organisations. You should particularly use the first part of the GDPR’s two-year lead-in period to raise awareness of the changes that are coming. You may find compliance difficult if you leave your preparations until the last minute.
  • IACT-Africa Comments: 1. Arrange an EU GDPR briefing for your policy makers. 2. Initiate the development of a business case for the EU GDPR.
  • Detailed Advice: You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit, across the organisation, or within particular business areas. The EU GDPR updates rights for a networked world. For example, if you have inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation about the inaccuracy so it can correct its own records. You won’t be able to do this unless you know what personal data you hold, where it came from and who you share it with. You should document this. Doing this will also help you to comply with the EU GDPR’s accountability principle, which requires organisations to be able to show how they comply with the data protection principles, for example by having effective policies and procedures in place.
  • IACT-Africa Comments: 1. Use the IACT-Africa Personal Information Diagnostic Tool for an audit of personal information you hold.

  • Detailed Advice: You should review your current privacy notices and put a plan in place for making any necessary changes in time for EU GDPR implementation. When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your legal basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data. Note that the GDPR requires the information to be provided in concise, easy to understand and clear language. The ICO Privacy notices code of practice reflects the new requirements of the GDPR.
  • IACT-Africa Comments: Review your Privacy Notices using the checklist for EU GDPR privacy notices provided by IACT-Africa, based on the ICO guidance "Privacy notices, transparency and control", ICO, October 2016. This is covered in more detail on the tab "EU GDPR Privacy Notices" in this tool.

  • Detailed Advice: You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. The main rights for individuals under the EU GDPR will be: subject access, to have inaccuracies corrected, to have information erased, to prevent direct marketing, to prevent automated decision-making and profiling, and data portability. On the whole, the rights individuals will enjoy under the EU GDPR are the same as those under the DPA but with some significant enhancements. If you are geared up to give individuals their rights now, then the transition to the EU GDPR should be relatively easy. This is a good time to check your procedures and to work out how you would react if someone asks to have their personal data deleted, for example. Would your systems help you to locate and delete the data? Who will make the decisions about deletion? The right to data portability is new. This is an enhanced form of subject access where you have to provide the data electronically and in a commonly used format. Many organisations will already provide the data in this way, but if you use paper print-outs or an unusual electronic format, now is a good time to revise your procedures and make any necessary changes.
  • IACT-Africa Comments: 1. Review your existing Records Management processes. 2. Use the IACT-Africa Records Management Assessment Tool and Records Management Policy to support this area.

  • Detailed Advice: You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information. The rules for dealing with subject access requests will change under the EU GDPR. In most cases you will not be able to charge for complying with a request and normally you will have just a month to comply, rather than the current 40 days. There will be different grounds for refusing to comply with a subject access request – manifestly unfounded or excessive requests can be charged for or refused. If you want to refuse a request, you will need to have policies and procedures in place to demonstrate why the request meets these criteria. You will also need to provide some additional information to people making requests, such as your data retention periods and the right to have inaccurate data corrected. If your organisation handles a large number of access requests, the impact of the changes could be considerable, so the logistical implications of having to deal with requests more quickly and provide additional information will need thinking through carefully. It could ultimately save your organisation a great deal of administrative cost if you can develop systems that allow people to access their information easily online. Organisations should consider conducting a cost/benefit analysis of providing online access.
  • IACT-Africa Comments: 1. Ensure your PAIA Manual and supporting processes are up-to-date for this requirement. 2. Use the IACT-Africa PAIA Manual template as your starting point. 3. Use the IACT-Africa Data Subject Request Log to track requests.

  • Detailed Advice: You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it. Many organisations will not have thought about their legal basis for processing personal data. Under the current law this does not have many practical implications. However, this will be different under the EU GDPR because some individuals’ rights will be modified depending on your legal basis for processing their personal data. The most obvious example is that people will have a stronger right to have their data deleted where you use consent as your legal basis for processing. You will also have to explain your legal basis for processing personal data in your privacy notice and when you answer a subject access request. The legal bases in the EU GDPR are broadly the same as those in the DPA, so it should be possible to look at the various types of data processing you carry out and to identify your legal basis for doing so. Again, you should document this in order to help you comply with the EU GDPR’s ‘accountability’ requirements.
  • IACT-Africa Comments: 1. Use the IACT-Africa Personal Information Diagnostic Tool for an audit of personal information you hold, including the legal basis for processing.

  • Detailed Advice: You should review how you are seeking, obtaining and recording consent and whether you need to make any changes. Like the DPA, the EU GDPR has references to both ‘consent’ and ‘explicit consent’. The difference between the two is not clear given that both forms of consent have to be freely given, specific, informed and unambiguous. Consent also has to be a positive indication of agreement to personal data being processed – it cannot be inferred from silence, pre-ticked boxes or inactivity. If you rely on individuals’ consent to process their data, make sure it will meet the standards required by the EU GDPR. If not, alter your consent mechanisms or find an alternative to consent. Note that consent has to be verifiable and that individuals generally have stronger rights where you rely on consent to process their data. The EU GDPR is clear that controllers must be able to demonstrate that consent was given. You should therefore review the systems you have for recording consent to ensure you have an effective audit trail.
  • IACT-Africa Comments: 1. Use the IACT-Africa Personal Information Diagnostic Tool for an audit of personal information you hold, including the confirmation of consent. 2. Use the IACT-Africa contract templates as the basis for obtaining consent from your data subjects.

  • Detailed Advice: You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity. For the first time, the EU GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. In short, if your organisation collects information about children – in the UK this will probably be defined as anyone under 13 – then you will need a parent or guardian’s consent in order to process their personal data lawfully. This could have significant implications if your organisation aims services at children and collects their personal data. Remember that consent has to be verifiable and that when collecting children’s data your privacy notice must be written in language that children will understand.
  • IACT-Africa Comments: 1. Use the IACT-Africa Personal Information Diagnostic Tool for an audit of personal information you hold, including the processing of information on children. 2. Use the IACT-Africa contract templates as the basis for obtaining consent from parents or guardians.

  • Detailed Advice: You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. Some organisations are already required to notify the ICO (and possibly some other bodies) when they suffer a personal data breach. However, the EU GDPR will bring in a breach notification duty across the board. This will be new to many organisations. Not all breaches will have to be notified to the ICO – only ones where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach. You should start now to make sure you have the right procedures in place to detect, report and investigate a personal data breach. This could involve assessing the types of data you hold and documenting which ones would fall within the notification requirement if there was a breach. In some cases you will have to notify the individuals whose data has been subject to the breach directly, for example where the breach might leave them open to financial loss. Larger organisations will need to develop policies and procedures for managing data breaches – whether at a central or local level. Note that a failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
  • IACT-Africa Comments: 1. Use the IACT-Africa POPI NIST Incident Response Recommendations Tool to assess your readiness for a data breach. 2. Use the IACT-Africa POPI Security Compromise Management Guidelines when managing a data breach. 3. See supporting documents in the folder Security Compromise Management guidance in the IACT-Africa POPI Compliance Toolkit.

  • Detailed Advice: You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments (PIAs) and work out how to implement them in your organisation. This guidance shows how PIAs can link to other organisational processes such as risk management and project management. You should start to assess the situations where it will be necessary to conduct a DPIA. Who will do it? Who else needs to be involved? Will the process be run centrally or locally? It has always been good practice to adopt a privacy by design approach and to carry out a privacy impact assessment as part of this. A privacy by design and data minimisation approach has always been an implicit requirement of the data protection principles. However, the EU GDPR will make this an express legal requirement. Note that you do not always have to carry out a PIA – a PIA is required in high-risk situations, for example where a new technology is being deployed or where a profiling operation is likely to significantly affect individuals. Note that where a PIA (or DPIA as the GDPR terms it) indicates high risk data processing, you will be required to consult the ICO to seek its opinion as to whether the processing operation complies with the EU GDPR.
  • IACT-Africa Comments: 1. Use the IACT-Africa POPI Privacy Impact Assessment Key Questions document. 2. Review the Privacy By Design videos in the toolkit. 3. Read the ICO Privacy impact assessment code of practice in the toolkit. 4. Use the POPI Privacy Impact Assessment template in the IACT-Africa toolkit.

  • Detailed Advice: You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance, and assess where this role will sit within your organisation’s structure and governance arrangements. The EU GDPR will require some organisations to designate a Data Protection Officer (DPO), for example public authorities or ones whose activities involve the regular and systematic monitoring of data subjects on a large scale. The important thing is to make sure that someone in your organisation, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively. Therefore you should consider now whether you will be required to designate a DPO and, if so, assess whether your current approach to data protection compliance will meet the GDPR’s requirements.
  • IACT-Africa Comments: 1. Appoint your Information Officer with the dual title of Data Protection Officer using the IACT-Africa appointment letter template. 2. Ensure your DPO is adequately skilled by using training available from IACT-Africa.

  • Detailed Advice: If your organisation operates internationally, you should determine which data protection supervisory authority you come under. The EU GDPR contains quite complex arrangements for working out which data protection supervisory authority takes the lead when investigating a complaint with an international aspect, for example where a data processing operation affects people in a number of Member States. Put simply, the lead authority is determined according to where your organisation has its main administration or where decisions about data processing are made. In a traditional headquarters (branches) model, this is easy to determine. It is more difficult for complex, multi-site companies where decisions about different processing activities are taken in different places. In case of uncertainty over which supervisory authority is the lead for your organisation, it would be helpful for you to map out where your organisation makes its most significant decisions about data processing. This will help to determine your ‘main establishment’ and therefore your lead supervisory authority.
  • IACT-Africa Comments: 1. Confirm the registered office location of your holding company or operating company. 2. Ensure you are registered with the Information Regulator for the POPI Act if you are based in South Africa. 3. Consult IACT-Africa for headquarters in other countries.

  • Please provide your name and email address below so that your results can be sent to you. We reserve the right to send related news and updates to you. Your email address will not be shared with any other party and will be protected in line with our Privacy Policy.

The content for the EU GDPR assessment has been provided by the Information Commissioner’s Office, Data Protection Self Assessment Toolkit, licensed under the Open Government Licence.

SCORE INTERPRETATION

0-3: DANGER ALERT: This indicates you fail to reach compliance to a very large extent. Recommendation: Act now by completing a full assessment and implement a remedial action plan

4-6: HEALTH-CHECK ALERT: You have made some progress but there are still a lot of areas that are non-compliant. Recommendation: Act now by completing a full assessment and implement a remedial action plan

7-9: YOU ARE GETTING THERE: Well done, you are on the road to achieving compliance. Recommendation: Focus on those areas which scored zero

10-12: WELL DONE: You are in good shape but still have some work to do. Recommendation: Make sure you have all the proof to justify your score and focus on achieving the same performance level in the remaining areas. And remember, achieving and maintaining compliance is a journey, not a destination.