GDPR FITNESS ASSESSMENT
Assess your GDPR fitness levels with 10 quick questions about your organisation. Your results will provide insight into where and how you can build up your strength.
Does your organisation process the personal data of individuals resident in the EU Member States or is your organisation based in the EU?
The EU Member States are the 28 countries which are members of the European Union. Personal data encompasses anything that can identify a living person directly or indirectly such as a name, address, location data, online identifier and so forth.
Are you aware of GDPR and the possible impacts it may have on your organisation?
Do you know what GDPR compliance entails and what your organisation needs to do to be ready by 25th May, 2018? There are some significant differences between the GDPR and existing legislation, such as consent requirements, larger fines for data breaches and new rights such as 'the right to be forgotten'.
Do you have someone in your organisation responsible for data protection and compliance?
Depending on the industry vertical your organisation resides in and your organisation's size, you may have one or more people responsible for data protection and compliance. This might be an internal audit function for example or your legal department.
Have you assessed the risks to individuals whose personal data you process and put in place controls to mitigate those risks?
GDPR refers to the implementation of controls to mitigate specific risks to the personal data of individuals, but in order to know what controls to implement, you must first have determined what the risks are to the personal data of individuals that your organisation processes.
Does your internal record keeping allow you to demonstrate the measures that are in place to protect and control access to personal data, and does it record the legal reasons you have for processing personal data?
For GDPR you must: keep records of the types of processing of personal data that you undertake, and the legal reasons you have for doing so; provide contact information to data subjects regarding the processing of personal data, and describe the measures implemented to protect personal data.
Do you have an Information Security Management System (ISMS) in place and/or any sort of accreditation of your data protection standards?
If you already have an ISMS in place (based on ISO 27001 for example), or have to be compliant with any other sort of standard (e.g. PCI-DSS), then this MAY assist with your GDPR preparations. If you have any sort of accreditation of your ISMS, this could also be of benefit.
Have you updated existing personal data processing consent mechanisms to ensure they comply with the tightened requirements in GDPR?
GDPR mandates that explicit consent for data processing is required unless the personal data is being processed for other legitimate reasons (i.e. in the national interest, to comply with the legal obligations of the data controller, or for pursuing the legitimate interests of the data controller).
In the event of a data breach, do you have notification processes and procedures in place to be able to respond within 72 hours?
Where a personal data breach occurs, your organisation may be required to notify both the Supervisory Authority as well as any data subjects whose 'personal rights and freedoms' may be at high risk due to the breach. If the affected data was encrypted, the GDPR may not require any breach notification.
Do you consider the security and privacy of personal data when designing systems that will process such data?
When designing information processing systems that deal with personal data, do security and privacy concerns form part of the planning, design, implementation and operational activities?
Are you able to respond in a timely manner to Subject Access Requests?
A 'Subject Access Request' (SAR) is a request to your organisation from a data subject regarding any personal data that your organisation may hold and process about them. The GDPR requires that responses are provided to data subjects within one month.
It seems like your business is at the start of the GDPR journey. GDPR is new legislation and the definition of both 'personal data' and 'special categories of data' has been widened. We've suggested some specific action points for you below.
It seems like your business is at the start of the GDPR journey. Being compliant with GDPR regulations requires a mixture of specific controls, management systems and resources. We've suggested some specific action points for you below.
Your business has taken some good steps toward GDPR compliance. Some of the harshest penalties in the GDPR legislation relate to monitoring systems for compromise and reporting it. We've suggested some specific action points for you below.
Your business has taken some good steps toward GDPR compliance. GDPR legislation requires organisations to be able to respond quickly and effectively to specific requests from individuals, something most systems aren’t designed to do. We've suggested some specific action points for you below.
Sounds like your organisation is well prepared for GDPR. Some of the most stringent requirements are around how companies respond to a breach. With the right technology solution it's possible to mitigate, and possibly remove, the risk associated with the articles that carry the harshest penalties.
Thank you for taking the assessment. Based on your answer, the GDPR legislation won't affect your business.