GDPR FITNESS ASSESSMENT

Is your business Fit for GDPR?

Assess your GDPR fitness levels with 10 quick questions about your organisation. Your results will provide insight into where and how you can build up your strength.

  • Does your organisation process the personal data of individuals resident in the EU Member States or is your organisation based in the EU?

    NO

    don't know

    Yes

    The EU Member States are the 28 countries which are members of the European Union. Personal data encompasses anything that can identify a living person directly or indirectly such as a name, address, location data, online identifier and so forth.

  • Are you aware of GDPR and the possible impacts it may have on your organisation?

    NO

    don't know

    Yes

    Do you know what GDPR compliance entails and what your organisation needs to do to be ready by 25th May, 2018? There are some significant differences between the GDPR and existing legislation, such as consent requirements, larger fines for data breaches and new rights such as 'the right to be forgotten'.

  • Do you have someone in your organisation responsible for data protection and compliance?

    NO

    don't know

    Yes

    Depending on the industry vertical your organisation resides in and your organisation's size, you may have one or more people responsible for data protection and compliance. This might be an internal audit function for example or your legal department.

  • Have you assessed the risks to individuals whose personal data you process and put in place controls to mitigate those risks?

    NO

    don't know

    Yes

    GDPR refers to the implementation of controls to mitigate specific risks to the personal data of individuals but in order to know what controls to implement, you must first have determined what the risks are to the personal data of individuals that your organisation processes.

  • Does your internal record keeping allow you to demonstrate the measures that are in place to protect and control access to personal data, and does it record the legal reasons you have for processing personal data?

    NO

    don't know

    Yes

    For GDPR you must: keep records of the types of processing of personal data that you undertake, and the legal reasons you have for doing so; provide contact information to data subjects regarding the processing of personal data, and describe the measures implemented to protect personal data.

  • Do you have an Information Security Management System (ISMS) in place and/or any sort of accreditation of your data protection standards?

    NO

    don't know

    Yes

    If you already have an ISMS in place (based on ISO 27001 for example), or have to be compliant to any other sort of standards (e.g. PCI-DSS), then this MAY assist with your GDPR preparations. If you have any sort of accreditation of your ISMS, this could also be of benefit.

  • Have you updated existing personal data processing consent mechanisms to ensure they comply with the tightened requirements in GDPR?

    NO

    don't know

    Yes

    GDPR mandates that explicit consent for data processing is required unless the personal data is being processed for other legitimate reasons (i.e. in the national interest, to comply with the legal obligations of the data controller, or for pursuing the legitimate interests of the data controller).

  • In the event of a data breach, do you have notification processes and procedures in place to be able to respond within 72 hours?

    NO

    don't know

    Yes

    Where a personal data breach occurs, your organisation may be required to notify both the Supervisory Authority as well as any data subjects whose 'personal rights and freedoms' may be at high risk due to the breach. If the affected data was encrypted, the GDPR may not require any breach notification.

  • Do you consider the security and privacy of personal data when designing systems that will process such data?

    NO

    don't know

    Yes

    When designing information processing systems that deal with personal data, do security and privacy concerns form part of the planning, design, implementation and operational activities?

  • Are you able to respond in a timely manner to Subject Access Requests?

    NO

    don't know

    Yes

    A 'Subject Access Request' (SAR) is a request to your organisation from a data subject regarding any personal data that your organisation may hold and process about them. The GDPR requires that responses are provided to data subjects within one month.

It seems like your business is at the start of the GDPR journey. GDPR is new legislation and the definition of both 'personal data' and 'special categories of data' has been widened. We've suggested some specific action points for you below.

It seems like your business is at the start of the GDPR journey. Being compliant with GDPR regulations requires a mixture of specific controls, management systems and resources. We've suggested some specific action points for you below.

Your business has taken some good steps toward GDPR compliance. Some of the harshest penalties in the GDPR legislation relate to monitoring systems for compromise and reporting it. We've suggested some specific action points for you below.

Your business has taken some good steps toward GDPR compliance. GDPR legislation requires organisations to be able to respond quickly and effectively to specific requests from individuals, something most systems aren’t designed to do. We've suggested some specific action points for you below.

Sounds like your organisation is well prepared for GDPR. Some of the most stringent requirements are around how companies respond to a breach. With the right technology solution it's possible to mitigate, and possibly remove, the risk associated with the articles that carry the harshest penalties.

RESULTS summary

What you need to be fit for GDPR

  • Check whether you hold any personal data related to EU citizens.
  • Familiarise yourself with the new GDPR legislation.
  • Consider appointing a Data Protection Officer (DPO). In some circumstances, you MUST appoint one.
  • Initiate a data inventory to understand where personal data is held in your organisation.
  • Review Article 30 of the GDPR legislation and ensure you are retaining the specified information related to processing personal data, e.g. the purposes of personal data processing, contact details for the data controller, and time limits on data retention.
  • Implementing an ISMS based on ISO 27001 can be used to demonstrate good information governance to the Supervisory Authority.
  • Update your data processing consent mechanism and ensure Privacy Notices adhere to the mandates in Article 31.1.
  • Ensure that the responsibilities, processes and procedures to address a breach are comprehensive and involve all necessary parts of your organisation.
  • For 'high risk' types of personal data processing it is necessary to undertake a Data Protection Impact Assessment (DPIA).
  • Ensure you have the processes in place to respond in a timely manner to Subject Access Requests (SARs).

What you need to be fit for GDPR

  • Check that your definition of 'personal data' reflects that in GDPR, which now includes biometric and genetic data.
  • Check that your data breach notification processes are fit for GDPR. Certain types of notification mechanism may not be appropriate for all breaches.
  • SARs may substantially increase once GDPR comes into force; make a plan to scale resources if required.
  • Review your encryption capability; breaches do happen, but encrypted data prevents compromise and may remove the need for notification.

Download your full report

The full report contains:

  • Detailed and actionable content related to your results
  • Easy to follow instructions
  • Clear information that can be shared within your organisation

Thank You

Thank you for taking the assessment. Based on your answers, the GDPR legislation won't affect your business.