B. Data Protection

This domain covers compliance with data protection legislation.

00) Does your organisation collect, process, or store personal data as defined under GDPR, other than that of your own employees?

Scoping question. Answer yes if your organisation collects personal data of data subjects residing in the European Union as defined by GDPR, other than the personal data of your own employees.

GDPR
Scoping

01) Does your organisation transfer any personal data out of the European Economic Area?

Answer yes if your organisation transfers personal data to any entity located outside the European Economic Area. If yes, please upload as evidence a spreadsheet listing, for each recipient, the company name, the country it is located in, and the type of data sent.

GDPR
EEA
Restricted Framework

02) Does your organisation have a nominated Data Protection Officer (DPO)?

Answer yes if your organisation has a nominated Data Protection Officer as defined by GDPR.

GDPR
DPO
Data Protection Officer

03) Does your organisation have an up-to-date Data Protection Policy?

Answer yes if your organisation has a Data Protection Policy that has been reviewed in the last year. Please upload your Data Protection Policy (as a PDF file) as evidence.

GDPR
Data Protection Policy

04) Does your organisation maintain a breach log that records losses of personal data?

Answer yes if your organisation has a Breach Log that keeps a record of the facts surrounding any security breaches of Personal Data. Please upload a copy of your Breach Log (as a PDF file) as evidence.

GDPR
Breach Log

05) Does your organisation have a process for notifying the relevant Supervisory Authority (for UK-based entities, the ICO) and all relevant parties when a breach occurs?

Answer yes if your organisation has a documented process for notifying the ICO when it becomes aware of a security breach involving Personal Data.

GDPR
Breach Notification

06) Does your organisation conduct Data Privacy Impact Assessments as part of its risk assessment processes?

Answer yes if your organisation conducts Data Privacy Impact Assessments for every data flow that involves Personal Data as defined by GDPR. To find out more about Data Privacy Impact Assessments, see the Knowledgebase.

GDPR
DPIA
Data Privacy Impact Assessment

07) Has your organisation defined and documented the lawful basis of each instance of personal data collection or processing?

Answer yes if your organisation has documented a valid lawful basis in order to process each flow of Personal Data as defined under GDPR.

GDPR
Valid Lawful Basis

08) Can your organisation facilitate an individual's data privacy rights as defined under GDPR?

Answer yes if your organisation has processes in place to honour the relevant data privacy rights of every data subject whose personal data you hold.

GDPR
Data Privacy Rights

09) Has your organisation suffered a security breach that led to the loss of any Personal Data in the last 6 months?

Answer yes if your organisation has had a security breach that led to the loss of Personal Data in the last 6 months. If you answered yes, please describe the nature of each breach in the notes section and attach a root cause analysis report for each listed breach.

GDPR
Security Breach
Root Cause Analysis

10) Does your organisation have a Records Retention Policy?

Answer yes if your organisation has a Records Retention Policy that has been reviewed in the last year. Please upload your Records Retention Policy (as a PDF file) as evidence.

GDPR
Records Retention Policy