Title Page
-
This report is prepared to provide advice in relation to achieving, or maintaining, compliance with the Data Protection Act 2018 (DPA18) and the General Data Protection Regulation (GDPR). (Certain organisations might well be subject to FOI / FOISA too.) The advice is provided based upon our understanding of relevant laws and guidance as they stood on the date of audit and in reliance upon the information provided to us, by you, during the audit at that date. You are advised to review the relevant regulations on a regular basis.
-
Data Protection Compliance Audit for:
-
Audit undertaken and prepared by:
-
Contact Name(s) at Organisation:
-
When:
-
Describe core business functions / What does the organisation exist to do?
Preliminaries
-
Is your organisation registered with the ICO as a Data Controller?
-
Why not?
-
Have you done the test on the ICO website to ascertain whether, or not, you are liable to pay a data protection fee?
-
What is your Registration Number?
-
What is the expiry date?
-
Why?
-
Have you done the test on the ICO website to ascertain whether, or not, you are liable to pay a data protection fee?
-
Do you believe you require or need a Data Protection Officer (DPO)?
-
Why?
-
Why?
-
Why?
-
RECOMMENDATIONS: Describe any recommendations regarding registration with the ICO and/or the appointment of a DPO, or, DPO services etc.
Information Asset Audit / Data Mapping
-
The purpose of the audit is to establish an understanding of the personal data being controlled and processed. During the audit our discussions included the following:
What categories of personal data you hold?
What processing of personal data takes place?
What legal bases you are relying on when you process personal data.
Who processes data on your behalf (third party processors)?
Where your personal data is held.
How you secure your personal data.
How long you are retaining personal data.
This has allowed us to identify the data protection risks that your organisation is facing, establish data protection priorities and make recommendations on what is required for ongoing GDPR compliance. From this, you should be able to establish:
Your priorities to work towards GDPR compliance, and
The processes and work required to try and attain ongoing compliance.
-
Have you yet carried out a Personal Data Audit / Data Mapping exercise?
-
With regard to Personal Data, have you documented: What you hold? Where it came from? What you do with it? Who you share it with? When you delete it? etc.
-
If not, why?
-
Having done it, has anything raised any concerns with you?
-
Do you have a Record of Processing Activities (GDPR Article 30)?
-
What types of processing do you undertake / What is the purpose?
-
RECOMMENDATIONS: Describe recommendations for data audit / data mapping
Legal Basis for Processing
-
Organisations must identify the legal basis for processing personal data. Valid consent is very difficult to obtain under the GDPR, particularly if the organisation is in a position of power, i.e. an employer or public sector organisation. Therefore, consent should only be used for processing if no other legal basis is available. There is a requirement that, for all personal data, the processing is necessary, and you must identify at least one of the following conditions:
Consent. The data subject has given their consent to the processing for one or more purposes. (This will likely form the legal basis for marketing.)
Contract. Processing is necessary for the performance of, or to enter into, a contract.
Legal Obligation that the data controller is subject to.
Vital Interests of the data subject or another person.
Public Interest, or in the exercise of official authority.
Legitimate Interests. This can be used where the processing is necessary for the purposes of the legitimate interests pursued by an organisation, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subjects which require protection of personal data; a lawful and fair balance must be struck.
-
Have you identified your legal bases for processing?
-
Why not?
-
Are you happy the legal bases are correct and 'mirror' your data map and privacy notice(s)?
-
Do you rely upon 'consent' for any of your processing?
-
For what processing do you rely upon consent? Describe....
-
Subsequently, if a data subject withdrew their consent, what would you do?
-
Can you demonstrate how, where, why, when you obtained consent?
-
Are you sure? (Marketing / Surveys / Photographs on website / Promotional Articles...)
-
Do you rely upon 'legitimate interest' for any of your processing?
-
Have you completed Legitimate Interest Assessments?
-
Can you easily find the Legitimate Interest Assessments and refer to them?
-
RECOMMENDATIONS: Describe recommendations for legal bases of processing. If legitimate interest has been used, have legitimate interest assessments been undertaken?
Data Subjects
-
Under the overarching principle of Accountability, you will be required to demonstrate compliance with the following data protection principles:
Lawfulness, Fairness and Transparency - processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose Limitation - collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data Minimisation - adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy - accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are identified as inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Storage Limitation - kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and Confidentiality - processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
-
Staff / employees
-
Approx. how many?
-
Where based?
-
What categories of data? (name/address/DOB/phone/NOK etc.)
-
Customers / Tenants / Owners / Clients / Service Users etc.
-
Approx. how many?
-
Where based?
-
What categories of data? (name/address/DOB/phone/NOK etc.)
-
Suppliers / Consultants / Processors?
-
Approx. how many?
-
Where based?
-
What categories of data? (name/address/DOB/phone/NOK etc.)
-
Is any of the above processing undertaken outside of the EEA?
-
If outside of the EEA, which other countries?
-
Are you relying upon a contract or OTHER legal basis to send personal data outwith the EEA?
-
RECOMMENDATIONS: Describe whether any documents, policies, procedures, contracts etc. might or will be required.
Special Category Data
-
There are additional conditions required to process special categories of personal data. Special categories of personal data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs and Trade Union membership. It also includes the processing of biometric or genetic data, health related data and data concerning a person’s sex life or sexual orientation. To process special categories of personal data you must identify one of the processing conditions above and one of the following:
Explicit Consent is provided by the data subject.
Processing is necessary for employment and social security and social protection law, as long as the processing is necessary for compliance with a legal obligation.
Processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent.
Certain activities carried out by not-for-profit bodies with a political, philosophical, religious or trade union aim, where appropriate safeguards are in place and the processing takes place in relation to members or former members or persons who have regular contact in connection with its purposes and the information is not disclosed beyond the organisation.
The processing relates to personal data which are manifestly made public by the data subject.
Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
Processing is necessary for reasons of substantial public interest on the basis of EU or UK law.
Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
Processing is necessary for reasons of public interest in the area of public health which is carried out under the supervision of a health professional or by another person who owes a duty of confidentiality under an enactment or rule of law.
Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes with appropriate safeguards in place including data minimisation, e.g. pseudonymisation.
The legal basis for processing personal data must be stated in Privacy Notices and in the Record of Processing.
-
Do you process any special category data?
-
Racial or Ethnic Origin
-
Racial or Ethnic Origin processing = What / Why?
-
Political Opinions
-
Political Opinion processing = What / Why?
-
Religious or Philosophical beliefs
-
Religious or Philosophical processing = What / Why?
-
Health Data
-
Health data processing = What / Why?
-
Trade Union Membership
-
Trade Union processing = What / Why?
-
Sexual Orientation
-
Sexual orientation processing = What / Why?
-
Biometric Data
-
Biometric processing = What / Why?
-
Genetic Data
-
Genetic processing = What / Why?
-
Location Data
-
Location processing = What / Why?
-
Criminal Convictions or Offences data
-
Criminal convictions or Offences processing = What / Why?
-
Do you SHARE any of the above information with other parties?
-
Sharing of Special Category data = With Who / Why?
-
Do you use CCTV?
-
CCTV use = For what purpose/Why?
-
CCTV use = Do you have signage?
-
CCTV use = Have you stated as such within Privacy Notices?
-
Do you use Voice Recordings?
-
Voice recording use = For what purpose?
-
Voice recording use = Do you tell people you record?
-
Voice recording use = Have you stated as such within Privacy Notices?
-
RECOMMENDATIONS: Describe special category data processed and/or details for either CCTV or audio voice recordings
Data Processors
-
Organisations must establish whether they are Data Controllers or Data Processors for each category of personal data processed. Definitions:
Data Controller: the organisation that decides why data is being processed, how it is being processed and what is happening to personal data.
Data Processor: the organisation that carries out processing on behalf of the controller and on the instructions of the controller.
Joint Controller: both organisations act together to decide the purposes and manner of data processing.
-
Do you use any Processors who act (or process data) on your behalf? (HR / Payroll / Pension / IT / Welfare Services etc.)
-
Describe what Processors you work with...
-
Do you have written contracts in place with your Processors (Data Processing Agreements)?
-
Were contracts agreed before 25 May 2018, i.e. when GDPR became enforced?
-
Have contract addendums been sent / agreed since?
-
Have the addenda been checked against the Article 28 requirements?
-
Do contracts have relevant provisions that incorporate GDPR requirements within them?
-
Why Not?
-
Do you have a centralised contractor/supplier register which records whether DPAs or DSAs are in place?
-
Are YOU a data processor for any other organisations?
-
What organisations do you act as a data processor for?
-
What processing do you do for them?
-
Is there a Data Processing (or Sharing) Agreement in place with the organisations for whom you act as a processor?
-
RECOMMENDATIONS: Describe whether written Data Processing Agreements or Data Sharing Agreements are in place, along with Addendums (if contracts were agreed pre-GDPR). Is there a centralised list of processors / contractors / suppliers with current contractual status recorded?
Privacy Notices / Fair Processing Notices
-
GDPR specifies that certain information, e.g. the purpose and legal basis for the processing, must be supplied to the data subject when you are collecting personal data obtained directly from them, unless they already have this information. This information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, especially if you are processing the data of a child or vulnerable person. These are known as 'Fair Processing Notices' or 'Privacy Notices'.
-
Do you have Privacy Notices?
-
Privacy Notices = Where and in relation to what aspect of your processing?
-
Do you give information to 'data subjects' as to how you handle personal data at the point their data is collected?
-
Do you have processes in place to ensure Privacy Notices are made easily available?
-
Describe how you make Privacy Notices easily available:
-
RECOMMENDATIONS: Describe any recommendations regarding Privacy Notices or Fair Processing Notices...
Data Subject Rights
-
The GDPR provides enhanced and new rights for data subjects. Any communication with a data subject should be in a concise, transparent, intelligible and easily accessible form, using clear and plain language. You have to respond without undue delay to any request made by a data subject, and within one calendar month, although this can be extended once by two more months depending on the complexity of the request or the number of requests. There should generally be no fee charged to the requester/data subject unless their request is manifestly unfounded or excessive, for example due to its repetitive nature. If you have reasonable doubts about the identity of the requester/data subject, you should use all reasonable measures to confirm the identity of the person making the request before taking action. Data Subject Rights requests include the following:
Subject access.
Data portability.
Rectification.
Erasure ('right to be forgotten').
Object to processing (including direct marketing).
Restrict processing.
Object to automated decision making.
The above are not absolute rights in every circumstance and may not be applicable depending on the identified lawful basis for processing the personal data.
-
Do you have a procedure to comply with data subject rights (Data Subject Rights Policy)?
-
What system / policy?
-
Were you not aware of the requirement to notify data subjects of their rights?
-
Can you deal with a subject access request within 1 month, free of charge?
-
Who would deal with a Subject Access Request?
-
Right to Rectification: Do you have a mechanism to ensure the accuracy of the data you hold?
-
What is the mechanism, explain...
-
Are you sure? Why?
-
Right to Erasure: Do you have a mechanism to dispose of personal data no longer required?
-
Do you have a Retention Schedule?
-
Are you sure? Do you ever delete / erase / destroy data?
-
Right to Restrict: Do you have a mechanism to restrict processing upon request?
-
How would / might / when you 'restrict' processing? Explain...
-
Right to Object: Do you have a mechanism to handle objections to processing personal data?
-
Do you know the occasions when a data subject can Object?
-
Describe...
-
Data Portability: Do you have a mechanism to transfer data to another controller?
-
How might you accomplish this?
-
Automated Decision Making: Does any of your processing rely upon automated decision making, and do you have a mechanism in place to deal with the requirements?
-
Describe any automated decision making processes you have...
-
RECOMMENDATIONS: Describe recommendations for Data Subject Rights, i.e. Policy / Procedure / SAR request form etc.
Data Storage & Retention
-
The previous provisions under the Data Protection Act, that data should not be kept for longer than necessary, should be accurate and, where necessary, kept up to date, have been extended under the GDPR. Data subjects must now be provided with detailed information about the retention of data at the point of collection of that data. The general principles on retention of personal data are:
You must not keep personal data for longer than you need it.
You need to consider – and be able to justify – how long you keep personal data. (This will depend on your purposes for holding the data.)
You need a policy setting standard retention periods wherever possible, to comply with documentation requirements.
You should also periodically review the data you hold, and erase or anonymise it when you no longer need it.
You must carefully consider any challenges to your retention of data.
Individuals have a right to erasure if you no longer need the data.
-
What electronic systems / programs / apps etc. do you use?
-
Is data stored electronically?
-
Servers: Yours? / Others? / Cloud based?
-
Where are the Servers?
-
Are they backed-Up?
-
Are you sure?
-
Do you store paper documents / files?
-
Where, and how Secured when unattended?
-
Really? Do you operate a 'paperless' office?
-
Do you use 'off site' (or other processor) storage?
-
When did you last visit? Are you happy with facility?
-
How long do you keep data?
-
Who decides how long data is kept?
-
When do you delete data?
-
How do you delete data?
-
RECOMMENDATIONS: Describe any recommendations for data retention policy / schedule / IT Security Policy etc.
IT and IT Security
-
Under GDPR all personal data processed must be done in a manner which ensures integrity and confidentiality. This means that organisations must have appropriate technical and organisational measures in place to ensure the appropriate security of personal data in relation to unauthorised or unlawful processing and to guard against accidental loss, destruction or damage – both personal data in paper files and data stored electronically. In relation to all systems, access controls should be in place and organisations should consider the following measures, where possible:
Pseudonymisation. This is data which has had the personally identifiable features removed but which can be combined with other data to re-identify the individual. This is a new term under GDPR and pseudonymised data can reduce the risk of personal data being lost or unlawfully accessed if the additional information for attributing the data is kept separately.
Anonymisation. This refers to data that does not itself identify any individual and that is unlikely to allow any individual to be identified through its combination with other data.
Encryption. The ICO encourages making sure that any personal data being transferred digitally, whether by email or on a removable device, including laptops, is encrypted.
Security Standards. Achieving Cyber Essentials and Cyber Essentials Plus is encouraged by the Government.
Back-ups. The ICO’s advice is to have a robust data backup strategy in place to protect against disasters such as fire and flood but also malware, such as ransomware. At least one of your back-ups should be off-site.
Vulnerability Scans and Penetration Testing. The ICO recommends that organisations run regular vulnerability scans and penetration tests to scan your systems for known vulnerabilities and make sure that any vulnerabilities identified are addressed.
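The distinction between pseudonymisation and anonymisation described above, shown as an added worked example (not part of the audit template): direct identifiers are replaced by a keyed pseudonym, the re-identification table and key are held separately from the working dataset, and anonymisation goes one step further by discarding the linkage altogether. The records and the demo key are constructed values for illustration.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records (fictional people) for this example only.
RECORDS = [
    {"name": "Alice Example", "postcode": "EH1 1AA", "dob": "1984-03-02", "condition": "asthma"},
    {"name": "Bob Sample", "postcode": "G2 2BB", "dob": "1979-11-19", "condition": "diabetes"},
    {"name": "Alice Example", "postcode": "EH1 1AA", "dob": "1984-03-02", "condition": "hayfever"},
]

# Fields that identify a person directly and must leave the working dataset.
DIRECT_IDENTIFIERS = ("name", "postcode", "dob")

# Constructed demo key so the example is repeatable. In practice the key is
# generated randomly (e.g. secrets.token_bytes(32)) and stored separately from
# the pseudonymised dataset, because it is the "additional information" that
# allows attribution.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonym(key: bytes, record: dict) -> str:
    """Keyed hash (HMAC-SHA256) over the direct identifiers.

    The same person always maps to the same pseudonym, so records can still be
    linked for analysis. Without the key, the pseudonym cannot simply be
    re-computed from a guessed name and date of birth, which is the weakness of
    a plain unkeyed hash.
    """
    material = "|".join(record[f] for f in DIRECT_IDENTIFIERS).encode("utf-8")
    return hmac.new(key, material, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Split records into (working dataset, re-identification table).

    The working dataset carries only the pseudonym and the non-identifying
    attributes. The table mapping pseudonym -> identifiers is what must be
    kept separately (different store, different access controls).
    """
    dataset, lookup = [], {}
    for r in records:
        p = pseudonym(key, r)
        lookup[p] = {f: r[f] for f in DIRECT_IDENTIFIERS}
        dataset.append({"id": p, **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
    return dataset, lookup


def reidentify(row: dict, lookup: dict):
    """Attribute a dataset row back to a person; only possible with the table."""
    return lookup.get(row["id"])


def anonymise(dataset) -> dict:
    """Aggregate away the pseudonyms entirely.

    Once the per-record linkage is dropped and only counts remain, the output
    is no longer about any identifiable individual (subject to the usual
    caution about very small groups).
    """
    return dict(Counter(row["condition"] for row in dataset))


if __name__ == "__main__":
    working, table = pseudonymise(RECORDS, DEMO_KEY)
    print("working dataset:", working)
    print("re-identified row 1:", reidentify(working[1], table))
    print("anonymised counts:", anonymise(working))
```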
-
Do you have internal (your own) IT Support services?
-
Who do you outsource to?
-
Do they 'back up' your / their servers?
-
Why not? Explain...
-
How Often? Explain...
-
Where are the 'back ups' held? Explain...
-
Do you have a Data Processing Agreement in place with them?
-
Where are they based?
-
Do they host in the UK?
-
Where?
-
Do they 'back up' your servers?
-
Why not? Explain...
-
How Often? Explain...
-
Where are the 'back ups' held?
-
Do you allow the use of memory sticks?
-
Do you encrypt personal data?
-
How? Explain...
-
Do you (or your outsourced IT Company) carry out penetration testing?
-
Do you (or your outsourced IT Company) carry out simulated Phishing attacks?
-
Do you (or your outsourced IT Company) have any accreditations, such as: Cyber Essentials / Plus / ISO27001?
-
Is this something you might contemplate?
-
Would you like a recommendation to a reputable Cyber Security Company? (Quorum Cyber)
-
What accreditation(s)?
-
Briefly describe what other IT security measures you use or rely upon:
-
Is access to personal data restricted on either a 'job role basis' or 'need to know basis'?
-
Explain:
-
RECOMMENDATIONS: Describe any recommendations for IT Security etc.
Breach Management
-
A Personal Data Breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. GDPR obliges the data controller to notify the ICO of a personal data breach without undue delay and within 72 hours after having become aware of it. In considering whether there is an obligation to report an incident, you should consider if there is likely to be an impact on data subjects where physical, material or moral damage could occur, including a loss of control over their personal data, or an impact on them in terms of discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of data protected by professional confidentiality or any other economic or social disadvantage to the individual concerned. Contracts with Processors must contain a requirement for personal data breaches to be reported to the Data Controller without undue delay. Failing to report a breach or to comply with these provisions could result in a fine of up to €10 million or 2% of global turnover. If a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject, the controller is obliged to advise the data subject without undue delay so that they can take the necessary precautions. Failing to notify a data subject of a personal data breach in contravention of the GDPR provisions could result in a fine of up to €10 million or 2% of global turnover.
-
Do you have a procedure for dealing with data breaches / cyber security incidents?
-
Why not?
-
If a written process, is it available and do people understand it etc.
-
How would you 'detect' a breach?
-
Do you have a procedure to investigate a breach?
-
Do you have a procedure to report a breach?
-
Would you know how or when to report a breach?
-
Have you had a 'reportable breach' / Have you reported a breach?
-
When / Why?
-
Do you have a Breach Register?
-
RECOMMENDATIONS: Describe any recommendations for Data Breach Reporting / Register?
Data Protection by Design (and default)
-
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
-
Do you understand the principle of 'Data Protection by Design'?
-
Why? Explain....
-
Have you taken measures to comply with this requirement?
-
What measures? Explain...
-
Why not? Explain...
-
Do you have a Data Protection Impact Assessment (DPIA) Policy document?
-
Would you know how or when to undertake a DPIA pre-screening questionnaire?
-
Do you have a DPIA questionnaire?
-
Have you yet undertaken either DPIA pre-screening or any Full DPIAs?
-
RECOMMENDATIONS: Type recommendations regarding Data Protection Impact Assessments (DPIAs) here....
Data Protection / GDPR Training
-
It is essential that all employees who handle personal data receive training in data protection, and that training is conducted both at induction and then refreshed on a regular basis. Staff should know who to go to if there are any data protection issues and/or who their DPO is. They should also be aware of how any organisational policies relate to them within their job role. This will form part of any accountability portfolio.
-
Have your staff received any DP / GDPR training?
-
Why not?
-
Would you contemplate having training provided to your staff?
-
Can you prove this? Do you keep a record ?
-
How many months ago?
-
Is some refresher training due or planned?
-
Do you include some DP / GDPR training within staff inductions?
-
Would you prefer 'face to face' training or 'e-learning' training?
-
RECOMMENDATIONS: Describe any recommendations relevant to GDPR / data protection training?
Direct Marketing
-
Direct marketing has a broad definition and includes sending out campaign messages and information as well as the more traditional use of selling things. There are particular rules in relation to direct marketing contained in the Privacy and Electronic Communications Regulations (PECR), which are likely to be replaced by the ePrivacy Regulation:
Post - Sending direct marketing by post can be carried out without the consent of the data subject, even if they are named.
Phone Calls - Making live phone calls can be done without consent as long as the individual does not subscribe to the Telephone Preference Service (TPS). If they do, then consent is required. All automated calls require consent.
Emails and Text Messages - Any emails or text messages which constitute direct marketing require consent, unless you can rely on the soft opt-in (see below).
Business to Business (B2B) Marketing - Sending marketing emails to corporate email addresses does not require consent unless they are sent to a sole trader or partner of an English partnership (not an LLP). The recipient should be able to opt out of receiving such emails.
Soft Opt-In - There is provision in PECR and the ePrivacy Regulation to allow direct marketing emails and text messages to be sent without consent if you obtained the individual’s contact details in the course of the sale of a product or service. The organisation is not relying on consent here but is relying on the fact that it has a legitimate interest in sending marketing messages about the same or similar products to someone who has already shown an interest in their products. In that way their right to privacy is not outweighed by the interest of the organisation. However, the data subject must be provided with the option to opt out at the time their contact details are collected and on every other occasion when they are sent a direct marketing message.
There is an absolute right to object to data processing for the purpose of direct marketing. This applies to all processing for that purpose, not just being sent messages. It is legitimate to keep the personal data of someone who has objected, to ensure that the individual’s personal data is no longer processed for this purpose. This is known as a suppression list.
-
Do you actively undertake Electronic Direct Marketing?
-
On the basis of consent?
-
On the basis of legitimate interest?
-
Using the 'soft opt-in'?
-
Do you send service or information messages?
-
Do you undertake Postal Direct Marketing?
-
RECOMMENDATIONS: Describe any recommendations involving Direct Marketing Activities
Freedom of Information (Scotland) Act 2002
-
Are you subject to FOISA?
-
Do you understand the requirements of FOISA?
-
Have you signed up to / agreed a "Publication Scheme"?
-
Which one? - OSIC or Other?
-
Have you yet created your "Guide to Information"?
-
Will you be able to post (publish) the required information onto your website?
-
Do you have a nominated point of contact for FOI requests - who?
-
Will you keep a "Disclosure Log"?
-
Were you even aware of this? Do you need help with this?
-
Are you also aware of the Environmental Information Regulations 2004 (EIRs)?
-
Will you need help with this requirement too?
-
Clarify:
-
RECOMMENDATIONS: Describe any recommendations relevant to either FOISA or EIRs
General Questions
-
Do you have a Data Protection Policy?
-
Do you have a Retention Policy AND Schedule?
-
Do you have a SAR Policy AND Tracking mechanism?
-
Do you have a DPIA Procedure, a pre-screening questionnaire and full DPIA templates?
-
Do you have an IT Security Policy?
-
Do you have a Clear Desk / Clear Screen Policy?
-
Do you have an Information Security Policy?
-
Do you have a BYOD (Bring Your Own Device) Policy?
-
Do you have a Mobile Device Policy?
-
Do you have a Home Worker Policy?
-
Name any policies you have not previously mentioned......
-
Do you have any observations, thoughts or comments you wish to record within this audit?
-
RECOMMENDATIONS: Describe any recommendations in relation to the general questions / policies
CONCLUSION & ACTION PLAN
-
Insert a Conclusion statement here:
-
From this audit undertaking, findings, conclusions and recommendations an "Action Plan" will be compiled and submitted to you. The Action Plan is our recommended programme toward compliance, but you have the option to change priorities etc. according to your operational requirements.