B. Data Protection

This domain covers compliance with data protection legislation.

00) Does your organisation collect, process, or store personal data, other than that of your own employees?

Scoping question. Answer yes if your organisation collects personal data as defined under GDPR, the CCPA or similar data protection regulations. You need not answer yes if the only personal data you collect is that of your own employees for HR requirements. Data collection also includes any identifiable information collected from web cookies.

GDPR
Scoping

01) Does your organisation transfer any personal data out of the European Economic Area?

Answer yes if your organisation transfers personal data to any entity that sits outside of the European Economic Area (EEA). This includes any cloud storage which is hosted outside the EEA. If yes, please provide a spreadsheet listing the recipient company names, location country, data type, and transfer mechanism used.

GDPR
EEA
Restricted Framework

02) Have your organisation and your sub-processors implemented Standard Contractual Clauses (SCCs) within your contracts (as defined under GDPR) to ensure legal data transfers outside of the EEA?

Answer yes if your organisation has implemented Standard Contractual Clauses (SCCs, as defined under GDPR). SCCs are the approved transfer mechanism for transferring data to entities outside of the EEA.

GDPR
EEA
Restricted Framework

03) Does your organisation, or any of your sub-processors, transfer personal data to the United States of America?

Answer yes if your organisation, or any of your sub-processors, transfer personal data to the United States of America.

GDPR
EEA
Restricted Framework

04) Is your organisation fully compliant with the July 2020 Schrems II judgement, and can you confirm that you do not rely on the Privacy Shield framework to transfer data to the USA?

Answer yes if neither your organisation nor its sub-processors rely on the Privacy Shield framework to transfer personal data to the USA.

GDPR
EEA
Restricted Framework

05) Have you gained assurance that your suppliers are compliant with the July 2020 Schrems II judgement, and can you confirm that they are?

Answer yes if your organisation conducts assurance exercises over its supply chain to ensure any sub-processors do not rely on the Privacy Shield framework to transfer personal data to the USA.

GDPR
EEA
Restricted Framework

06) Have you been subject to any data access requests from US government authorities in the last 24 months?

Answer yes if your organisation has been requested by government authorities to provide access to data under such laws as the USA Patriot Act.

GDPR
EEA
Restricted Framework

07) If yes, how many?

If your organisation has received data access requests within the last 24 months, how many has it received?

GDPR
EEA
Restricted Framework

08) If yes, of the requests made, how many did you comply with?

If your organisation has received data access requests within the last 24 months, how many has it complied with?

GDPR
EEA
Restricted Framework

09) Does your organisation have a nominated Data Protection Officer (DPO)?

Answer yes if your organisation has a nominated Data Protection Officer as defined by GDPR.

GDPR
DPO
Data Protection Officer

10) Does your organisation have an up-to-date Data Protection Policy?

Answer yes if your organisation has a Data Protection Policy that has been reviewed in the last year. Please upload your Data Protection Policy (as a PDF file) as evidence.

GDPR
Data Protection Policy

11) Does your organisation maintain a breach log that records details of all personal data breaches?

Answer yes if your organisation has a Breach Log that keeps a record of the facts surrounding any security breaches of Personal Data. Please provide a copy of your Breach Log (as a PDF file) as evidence.

GDPR
Breach Log

12) Does your organisation have a process for notifying the relevant Supervisory Authority (for UK-based entities, the ICO) and all relevant parties when a breach occurs?

Answer yes if your organisation has a documented process for notifying the relevant Supervisory Authority when it becomes aware of a breach involving Personal Data.

GDPR
Breach Notification

13) Does your organisation conduct Data Privacy Impact Assessments as part of its risk assessment processes?

Answer yes if your organisation conducts Data Privacy Impact Assessments for every data flow that involves Personal Data as defined by GDPR. To find out more about Data Privacy Impact Assessments, see the Knowledgebase.

GDPR
DPIA
Data Privacy Impact Assessment

14) Does your organisation maintain a record of all personal data collection & processing activities?

Answer yes if you document your personal data processing activities. This could be through data flow diagrams or written documentation and should include details of collection, purpose, storage, access, use, sharing, and retention. Please describe how you do this in the notes.

15) Has your organisation defined and documented the lawful basis of each instance of personal data collection or processing?

Answer yes if your organisation has documented a valid lawful basis in order to process each flow of Personal Data as defined under GDPR.

GDPR
Valid Lawful Basis

16) Can your organisation facilitate an individual's data privacy rights as defined under GDPR?

Answer yes if your organisation has the correct processes in place to be able to provide the relevant individual data privacy rights to all of the data subjects for whom you hold data.

GDPR
Data Privacy Rights

17) Has your organisation suffered a security incident that led to a Personal Data breach in the last 6 months?

Answer yes if your organisation has had a security incident that led to a Personal Data breach in the last 6 months. If you answered yes, please describe the nature of the breach in the notes section and attach a root cause analysis report (as a PDF file) for each listed breach.

GDPR
Security Breach
Root Cause Analysis

18) Does your organisation have a Records Retention Policy?

Answer yes if your organisation has a Records Retention Policy that has been reviewed in the last year. Please upload your Records Retention Policy (as a PDF file) as evidence.

GDPR
Records Retention Policy

19) Does your organisation process personal data on behalf of another organisation?

Answer yes if your organisation processes personal data on behalf of another organisation where they are the data controller and you are the data processor.

20) Does your organisation have procedures in place to inform and obtain authorisation (if required) from the data controller before engaging a sub-processor?

Answer yes if you have controls that ensure new sub-processors are authorised by, or communicated to, the data controller before the new sub-processing takes place. Please attach evidence or describe how this is ensured in the notes.

21) Does your organisation ensure that processing activities are only carried out under the documented instructions of the data controller?

Answer yes if you have processes or policies which ensure data is only processed in the way in which your data controller has requested, and you have written instructions from the controller describing this. Please describe in the notes how you obtain these instructions from data controllers and how you ensure data is not processed in any way outside of the documented written instructions.
