What I have for you today is not an article but a questionnaire focused on GDPR (General Data Protection Regulation), the EU regulation that has applied since 25 May 2018. It replaces Directive 95/46/EC and, in Czech law, supersedes the regime of Act No. 101/2000 Coll. on personal data protection, and it brings many new obligations. If you do not know the GDPR basics in detail, I recommend starting elsewhere and coming back to this questionnaire later.
The GDPR questionnaire I prepared consists of 32 questions and should help you find out to what extent you are GDPR ready. It will also help you orient yourself in the areas GDPR affects. Wherever your answer to a question is "NO", I recommend reading up on that area or preparing for it with the help of a consultant. Some questions may be more or less relevant depending on the size of the organization and the complexity of its processes. Please feel free to add any comments in the comment section.
1) BASIC RIGHTS OF DATA SUBJECTS
- Is it possible to give a client access to all personal data stored about them in the system upon request (in printed or electronic form)? Is it possible to transfer the client's data to a third party (data portability)?
- Is it possible to correct (rectify) client data in the system?
- Is it possible to delete client data when there is no longer any legal, contractual or other reason for processing them?
- Is it possible to withdraw consent to the processing of personal data for marketing purposes?
- Is it possible to record a client's objection to automated processing, profiling or filtering of their data?
- Is it possible for a client to raise an objection against the processing of their personal data?
- Where a retention period can be stated for client and employee personal data, are such periods defined?
- Are personal data kept only to the extent necessary to provide the service or to meet legal requirements (e.g. for employees)?
2) SALES AND MARKETING AND WEB
- Where consent is the legal basis, does a consent exist for every client whose personal data are processed, obtained at the moment the data were collected (and, for data collected before GDPR applied, obtained retroactively)? Consent must be given by a clear affirmative act: on a web form, for example, a pre-ticked checkbox that the client merely confirms no longer suffices.
- Is up-to-date information on personal data processing published on the web, together with information on clients' rights regarding personal data protection and the obligations of the controller?
- Has the organization internally determined on which legal basis each category of personal data is processed? Contract vs. legal obligation vs. consent
- Is the cookie policy set up correctly?
- Are marketing materials being distributed to clients? If so, does a consent to process personal data for marketing purposes exist from each client (obtained retroactively where necessary)?
- Are special categories of personal data (and children's data) identified and processed under a stricter protection regime? These include biometric data, health data, sexual orientation, religious beliefs etc.
3) DOCUMENTS AND PROCESSES
- Is there a Data Protection Officer (DPO) for personal data protection (where one is mandatory)? What are their competences and tasks, and are they free of conflicts of interest?
- Is a privacy-by-design policy implemented in the organization? This means that EVERY new process is reviewed for GDPR compliance (by the DPO where one is appointed) before it goes live.
- Is there an internal directive on the management and protection of client personal data?
- Are there processes and documents for handling the rights that data subjects can exercise under GDPR (including requests made in writing)?
- Is there a record of where client personal data occur, who works with them and where they are stored?
- Are the personal data regularly reviewed in order to find data for which no contractual or legal basis for processing exists, and are such data regularly deleted?
- Are employees regularly informed about their rights and duties?
- Is there a list of all employees of the company who process personal data?
- Is there (and is it regularly updated) an overview of the types of data processed (where such a record is mandatory), covering at least:
4) INFORMATION SYSTEMS AND SECURITY
- Is there a regularly updated list of the information systems that contain personal data?
- Are personal data secured against misuse or loss? Is it possible to restore the data from a backup?
- Can employees access the internal systems or e-mail from private devices? If so, is that connection secured/encrypted against unauthorized access?
- Are all data stored on servers in the EU/EEA? If not, is the transfer covered by a Chapter V mechanism (adequacy decision, standard contractual clauses or another valid safeguard)?
- Is there a person responsible for the information security of the organization? Are there any security guidelines?
- Are backup/restore drills and security tests of the systems conducted regularly?
- When restoring from a backup, can previously exercised data subject rights (erasures, corrections, consent withdrawals) be re-applied, so that the restore does not resurrect data that have already been deleted or corrected?
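The last question is the one most often answered "NO" for purely technical reasons: a backup taken before an erasure request was fulfilled will silently bring the erased record back. One way to handle it is to keep an append-only ledger of every exercised right and replay the entries newer than the backup snapshot over the restored data. The following is an added example written for this page, not code from the original questionnaire; the record layout, the JSON-lines ledger format, the `parse_ledger` and `replay_rights` function names and the sample data are all assumptions made for illustration.

```python
"""Replay a ledger of exercised data subject rights over a restored backup.

Added example for the questionnaire above (not the author's code).
Assumptions made here: records are dicts keyed by a subject id; the ledger
is an append-only JSON-lines file with one event per exercised right
(erasure, rectification, consent withdrawal); every event carries an
ISO-8601 timestamp; events recorded AFTER the backup snapshot was taken are
the ones a naive restore would undo.
"""
import copy
import json
from datetime import datetime

SUPPORTED_RIGHTS = {"erasure", "rectification", "consent_withdrawn"}

# Constructed sample: a backup snapshot taken on 2024-03-01.
SNAPSHOT_TAKEN_AT = "2024-03-01T00:00:00+00:00"
RESTORED_RECORDS = {
    "c-1001": {"name": "Jana Novak", "email": "jana@example.org", "marketing_consent": True},
    "c-1002": {"name": "Petr Svoboda", "email": "petr@example.org", "marketing_consent": True},
    "c-1003": {"name": "Eva Dvorak", "email": "eva@example.org", "marketing_consent": False},
}

# Constructed ledger. The first event predates the snapshot and is already
# reflected in it; the later ones are not. The last one names a subject the
# restored data set does not contain at all.
LEDGER_JSONL = """
{"ts": "2024-02-20T10:00:00+00:00", "subject": "c-1003", "right": "consent_withdrawn", "field": "marketing_consent"}
{"ts": "2024-03-05T09:30:00+00:00", "subject": "c-1001", "right": "erasure"}
{"ts": "2024-03-07T14:12:00+00:00", "subject": "c-1002", "right": "rectification", "field": "email", "value": "p.svoboda@example.org"}
{"ts": "2024-03-08T08:00:00+00:00", "subject": "c-1002", "right": "consent_withdrawn", "field": "marketing_consent"}
{"ts": "2024-03-09T11:00:00+00:00", "subject": "c-9999", "right": "erasure"}
"""


def parse_ledger(text: str) -> list:
    """Parse the JSON-lines ledger, validate each event and order by timestamp."""
    events = []
    for lineno, raw in enumerate(text.strip().splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        ev = json.loads(line)
        for key in ("ts", "subject", "right"):
            if key not in ev:
                raise ValueError(f"ledger line {lineno}: missing {key!r}")
        if ev["right"] not in SUPPORTED_RIGHTS:
            raise ValueError(f"ledger line {lineno}: unknown right {ev['right']!r}")
        if ev["right"] == "rectification" and not {"field", "value"} <= ev.keys():
            raise ValueError(f"ledger line {lineno}: rectification needs field and value")
        if ev["right"] == "consent_withdrawn" and "field" not in ev:
            raise ValueError(f"ledger line {lineno}: consent_withdrawn needs field")
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    # Replay must happen in the order the rights were exercised (an erasure
    # followed by a rectification of the same subject must stay an erasure).
    events.sort(key=lambda e: e["ts"])
    return events


def replay_rights(records: dict, events: list, snapshot_taken_at: str):
    """Return a copy of the restored records with post-snapshot events applied.

    The second return value is a report listing what was applied and what
    was skipped, which is the evidence an auditor will ask for.
    """
    snapshot_ts = datetime.fromisoformat(snapshot_taken_at)
    data = copy.deepcopy(records)  # never mutate the caller's restored data
    report = {"applied": [], "skipped": []}
    for ev in events:
        tag = f"{ev['ts'].isoformat()} {ev['right']} {ev['subject']}"
        if ev["ts"] <= snapshot_ts:
            report["skipped"].append(tag + " (already reflected in snapshot)")
            continue
        rec = data.get(ev["subject"])
        if rec is None:
            report["skipped"].append(tag + " (subject not present in restored data)")
            continue
        if ev["right"] == "erasure":
            del data[ev["subject"]]
        elif ev["right"] == "rectification":
            rec[ev["field"]] = ev["value"]
        elif ev["right"] == "consent_withdrawn":
            rec[ev["field"]] = False
        report["applied"].append(tag)
    return data, report


if __name__ == "__main__":
    cleaned, rep = replay_rights(RESTORED_RECORDS, parse_ledger(LEDGER_JSONL), SNAPSHOT_TAKEN_AT)
    print(json.dumps(cleaned, indent=2))
    print(json.dumps(rep, indent=2))
```

Two caveats for anyone adopting this pattern: the ledger itself contains personal data (at least the subject identifier), so it needs the same access control and retention rules as the systems it protects, and it must be backed up independently of the data it corrects, otherwise a restore of the main system can also restore an older, shorter ledger.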
5) RELATIONSHIP OF PERSONAL DATA CONTROLLER VS. PROCESSOR – SUPPLIER
- Is personal data protection secured by a data processing agreement with every processor/supplier (third party)?
- Is it technically possible to exercise data subject rights towards processors/suppliers (right to be informed, rectification, erasure, withdrawal of marketing consent)?
Disclaimer: This GDPR questionnaire is published for illustrative purposes and represents the opinion and interpretation of the author. It does not serve, and is not meant, as a guide to fulfilling obligations arising from GDPR implementation. I, as the author, bear no responsibility for damage or loss sustained through misinterpretation or incompleteness of the questionnaire. Use of the questionnaire for private purposes is forbidden without written approval issued by the author.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- CHAPTER I – General provisions
- CHAPTER II – Principles
- CHAPTER III – Rights of the data subject
- CHAPTER IV – Controller and processor
- CHAPTER V – Transfers of personal data to third countries or international organisations
- CHAPTER VI – Independent supervisory authorities
- CHAPTER VII – Cooperation and consistency
- CHAPTER VIII – Remedies, liability and penalties
- CHAPTER IX – Provisions relating to specific processing situations
- CHAPTER X – Delegated acts and implementing acts
- CHAPTER XI – Final provisions