1. Do any data subjects you are collecting data from reside in the EEA/EU?
Make sure you are aware of your obligations: the GDPR has increased its scope of application. It doesn’t matter where your organisation is located, so long as it is processing personal data belonging to a data subject residing in the EEA/EU.
2. Is your organisation aware of what personal data means under the GDPR?
Make sure your organisation is aware that personal data under the GDPR means much more than it did under the old regime. Personal data now means any information relating to an identified or identifiable natural person. This now includes unique identifiers such as IP addresses and cookies (where they are used to uniquely identify the device, or in combination with other data to identify the individual associated with the device, regardless of whether the cookies are pseudonymised).
3. Have you assessed the impact of the new definition of consent under the GDPR and how this affects your surveys?
Consent for collecting personal data will require the following elements under the GDPR:
Be explained in plain language
Be separate from other matters on the form
Be given by a clear affirmative action (as opposed to silence, inactivity or pre-ticked boxes)
Be given for all purposes of the data processing
Not be to the detriment of the data subject or a pre-condition for providing the service
Consent cannot be bundled across different processing activities: the data subject must be able to consent to or refuse each individual processing activity.
Consent must be withdrawable, and the data subject must be told of the right to withdraw consent at any time before giving his or her consent.
If processing sensitive personal data, consent must be explicit, meaning that the express word “consent” must be used; for ordinary personal data, consent can instead be implied through a course of conduct.
4. Do you have a process for breach notification?
Breach notification is now compulsory for data controllers where the breach is likely to result in a risk to the rights and freedoms of individuals. Notification must be sent to the ICO within 72 hours of becoming aware of the breach. The data subject must also be notified without undue delay after the controller becomes aware of the data breach, if the breach is likely to result in a high risk to the rights and freedoms of individuals.
Data processors must notify the data controller without undue delay after becoming aware of the data breach.
5. Have you given the data subject the right to access his or her information?
The data subject has the right to obtain from the data controller confirmation of whether personal data concerning them is being processed, where it is being processed and for what purposes.
This must be provided free of charge; you can only charge a reasonable fee if the request is repetitive, excessive or unfounded.
6. Where a data subject has asked for his or her information, is the information given in a commonly useable and machine readable format?
If the data subject has requested to receive the personal data concerning him or her, it must be provided in a commonly useable and machine readable format.
7. Does your organisation have a process for erasing the data subject’s data at his or her request?
The data subject can compel the data controller to erase all personal data about him or her and to stop its processing by third parties.
The data subject has this right if he or she withdraws consent, or if the data is no longer relevant to the original purpose of processing. When considering such a request, the controller can object on grounds of public interest, if there is a public interest in the availability of the data, or on grounds of legal defence.
8. Does your organisation hold and process data only if it is absolutely necessary for the completion of its duties?
The GDPR requires privacy by design. This means that organisations must implement appropriate technical and organisational measures; this includes processing data only when it is absolutely necessary for the completion of duties, and limiting access to personal data to those doing the processing.
9. Have you trained your staff on the GDPR and how to properly handle data?
It is very important to train staff on the importance of the GDPR and how it can affect their business function. At the very least, staff need to be aware of the new developments at a high level and should have a point of contact to help them with queries about GDPR compliance.
10. Have you considered if you need to appoint a Data Protection Officer (DPO)?
It will be compulsory to have a Data Protection Officer if: (a) your core activities consist of regular and systematic monitoring of data subjects on a large scale; (b) you deal with special categories of data relating to criminal convictions and offences; or (c) you are a public authority.