J. Data Protection

This domain covers compliance with data protection legislation.

00) Does your organisation collect, process, or store personal data, other than that of your own employees?

Answer yes if your organisation collects, processes or stores information that relates to an identified or identifiable individual. You need not answer yes if the only personal data you process is that of your own employees for HR requirements. Data collection also includes any identifiable information collected from web cookies.

Tags: GDPR, Scoping

01) Which countries do you store personal data in, or transfer personal data to?

Please list all countries where personal data controlled or processed by you resides or is transferred to or through. This includes the location of your head office and data centres, as well as locations of sub-processors. For each country listed, please describe what data is stored or transferred and under what circumstances.

Tags: GDPR, DPO, Data Protection Officer

02) Do you use appropriate legal mechanisms for all international transfers of personal data?

Answer yes if you have processes in place to ensure that every cross-border transfer of personal data has the appropriate contractual / legal mechanisms in place, depending on your jurisdiction. For example, this could be an international data transfer agreement, or an adequacy decision. Please describe in the notes section which mechanism is used for which instances of data transfer.

Tags: GDPR, DPO, Data Protection Officer

03) Has your organisation been subject to any personal data access requests from governments or other authorities in the last 24 months?

Answer yes if your organisation has received a request from any government or other authority to provide access to personal data. Please provide information about the nature, volume and origin of requests, including how many you complied with in the notes section, or through supporting evidence (e.g. a link to your transparency report or a document upload).

Tags: GDPR, DPO, Data Protection Officer

04) Does your organisation have a nominated Data Protection Officer (DPO)?

Answer yes if your organisation has a nominated Data Protection Officer (DPO) who undertakes regular compliance checks and leads on continual privacy improvement. Please include in the notes section details about how your DPO monitors compliance with relevant data protection obligations.

Tags: GDPR, DPO, Data Protection Officer

05) Does your organisation have an up-to-date Data Protection Policy?

Answer yes if your organisation has a Data Protection Policy that has been reviewed in the last year. Please upload your Data Protection Policy (as a PDF file) as evidence.

Tags: GDPR, Data Protection Policy

06) Does your organisation maintain a record of all personal data collection & processing activities?

Answer yes if you document your personal data processing activities. This could be through data flow diagrams or written documentation and should include details of collection, purpose, storage, access, use, sharing, and retention. Please describe how you do this in the notes.


07) Has your organisation defined and documented the lawful basis of each instance of personal data collection or processing?

Answer yes if your organisation has documented the legal justification for processing personal data in each instance. The criteria for a valid lawful basis will depend on your jurisdiction.

Tags: GDPR, Valid Lawful Basis

08) Does your organisation conduct a Data Protection Impact Assessment (DPIA) for all processing that is likely to result in a high risk to individuals?

Answer yes if your organisation conducts a Data Protection Impact Assessment (DPIA) for all processing of personal data that is likely to result in a high risk to individuals. To find out more about Data Protection Impact Assessments, see the Risk Ledger Knowledgebase.

Tags: GDPR, DPIA, Data Privacy Impact Assessment

09) Can your organisation facilitate an individual's data privacy rights?

Answer yes if your organisation has the correct processes in place to be able to provide the relevant individual data privacy rights to all of the data subjects for whom you hold data.

Tags: GDPR, Data Privacy Rights

10) Does your organisation have a Records Retention Policy?

Answer yes if your organisation has a Records Retention Policy that has been reviewed in the last year. Please upload your Records Retention Policy (as a PDF file) as evidence.

Tags: GDPR, Records Retention Policy

11) Does your organisation have robust detection, investigation and reporting procedures in place for personal data breaches, including maintaining a record of all personal data breaches?

Answer yes if your organisation has robust detection, investigation and reporting procedures in place for all personal data breaches. This should include assessing the likely risk to individuals as a result of the breach, informing affected individuals without undue delay, and documenting the facts surrounding personal data breaches in a Breach Log. Please provide details about your processes surrounding a personal data breach in the notes section, including uploading any relevant documentation (as a PDF file).

Tags: GDPR, Breach Log

12) Does your organisation have a process for notifying the relevant Authority and all relevant parties (e.g. data controllers) when a breach occurs?

Answer yes if your organisation has a documented process for notifying the relevant Authority for your jurisdiction and all data controllers or other relevant parties when it becomes aware of a security breach involving Personal Data.

Tags: GDPR, Breach Notification

13) Has your organisation suffered a security incident that led to a Personal Data breach in the last 6 months?

Answer yes if your organisation has had a security incident that led to a Personal Data breach in the last 6 months. If you answered yes, please describe the nature of the breach in the notes section and attach a root cause analysis report (as a PDF file) for each listed breach.

Tags: GDPR, Security Breach, Root Cause Analysis

14) Does your organisation process personal data on behalf of another organisation?

Answer yes if your organisation processes personal data on behalf of another organisation where they are the data controller and you are the data processor.


15) Does your organisation have procedures in place to inform and obtain authorisation (if required) from the data controller before engaging a sub-processor?

Answer yes if you have ways to ensure that new sub-processors are authorised by or communicated to the data controller before the new sub-processing takes place. Please attach evidence or describe how this is ensured in the notes.


16) Does your organisation ensure that processing activities are only carried out under the documented instructions of the data controller?

Answer yes if you have processes or policies which ensure data is only processed in the way in which your data controller has requested, and you have written instructions from the controller describing this. Please describe in the notes how you obtain these instructions from data controllers and how you ensure data is not processed in any way outside of the documented written instructions.
