The ICO exists to empower you through information.

26 July 2024

Overall rating

Your overall rating was red.

  • 10: Not yet implemented or planned
  • 5: Partially implemented or planned
  • 1: Successfully implemented
  • 2: Not applicable

RED: not implemented or planned

Your business has conducted an information audit to map data flows.

Suggested actions

You should:

  • organise an information audit across your business or within particular areas to identify the data that you process and how it flows into, through and out of your business;
  • ensure this is conducted by someone with in-depth knowledge of your working practices; and
  • identify and document any risks you find, for example in a risk register.

Guidance

Find out what information you have, National Archives

Identify information assets, National Archives

Your business has documented what personal data you hold, where it came from, who you share it with and what you do with it.

Suggested actions

You should:

  • maintain records of processing activities detailing what personal data you hold, where it came from, who you share it with and what you do with it. This will vary depending on the size of your business;
  • consider using an information asset register to do this; and
  • ensure you have staff procedures on how to manage information you hold.

Guidance

Guide to the UK GDPR - Documentation, ICO website

Identify information assets, National Archives

Information Asset Register template, National Archives

Your business has an appropriate data protection policy.

Suggested actions

You should have a standalone policy statement or general staff policy that:

  • sets out your business's approach to data protection together with responsibilities for implementing the policy and monitoring compliance;
  • aligns with and covers the measures within this checklist as a minimum;
  • is approved by management, published and communicated to all staff; and
  • you review and update at planned intervals or when required to ensure it remains relevant.

Guidance

Get Safe Online website

Policy examples and templates are widely available online.

Your business provides data protection awareness training for all staff.

Suggested actions

You should:

  • provide induction training on or shortly after appointment;
  • update all staff at regular intervals or when required (for example, intranet articles, circulars, team briefings and posters); and
  • provide specialist training for staff with specific duties, such as marketing, information security and database management.

Guidance

Think privacy toolkit, ICO website

Your business has a process to respond to a controller's request for information (following an individual's request to access their personal data).

Suggested actions

You should:

  • ensure a process is in place to allow you to respond to requests for information (either ones you receive directly from an individual or from the controller) in line with the agreed contractual SLA obligations and in order for the controller to meet statutory timescales;
  • include subject access procedures within your written data protection policy; and
  • provide appropriate awareness training to all staff and more specialised training to individuals who will be dealing with any requests.

Guidance

Guide to the UK GDPR - Right of access, ICO website

Your business has processes in place to ensure that the personal data you hold remains accurate and up to date.

Suggested actions

You should:

  • have procedures to respond to a request from a controller to correct inaccurate records;
  • create records management policies, with rules for creating and keeping records (including emails);
  • conduct regular data quality reviews of systems and manual records you hold to ensure the information continues to be adequate for the purposes of processing (for which it was collected);
  • regularly review information to identify when you need to correct inaccurate records, remove irrelevant ones and update out-of-date ones; and
  • promote and feed back any data quality trends to staff through ongoing awareness campaigns and internal training.

Guidance

Guide to the UK GDPR - Right to rectification, ICO website

Your business has a process to routinely and securely dispose of personal data that is no longer required, in line with the agreed timescales stated in your contract with the controller.

Suggested actions

You should:

  • ensure your written contract with the controller includes standard contract clauses covering data erasure, retention and disposal;
  • have processes in place to ensure that these conditions are met;
  • consider creating a written retention policy to remind you when to dispose of various categories of data, and help you plan for its secure disposal; and
  • have appropriate procedures in place to ensure you erase data permanently if you receive a request from the controller to do so. If you have shared the data with a third party it is also important to have procedures to notify them of the request.

Guidance

Disposal of Records, National Archives

Guide to the UK GDPR - Right to erasure, ICO website

Your business has procedures to respond to a controller's request to suppress the processing of specific personal data.

Suggested actions

You should:

  • ensure you have processes in place to act on any request from the controller to restrict the processing of an individual’s personal data.

Guidance

Guide to the UK GDPR - Right to restrict processing, ICO website

Your business can respond to a request from the controller to supply the personal data you process in an electronic format.

Suggested actions

You should:

  • ensure you have a process in place to enable you to respond to any request from the controller for the provision of data you process in a structured, commonly used and machine-readable format; and
  • ensure that the way you provide the data has appropriate technical security controls in place to protect the data it contains.

Guidance

Guide to the UK GDPR - Right to data portability, ICO website

Article 29 Working Party guidance

European guidelines are no longer directly relevant to, and are not binding under, the UK regime. However, they may still provide helpful guidance on certain issues.

Your business has an information security policy supported by appropriate security measures.

Suggested actions

You should:

  • develop, implement and communicate an information security policy;
  • ensure the policy covers key information security topics such as network security, physical security, access controls, secure configuration, patch management, email and internet use, data storage and maintenance and security breach / incident management;
  • implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with your security policy;
  • implement periodic checks for compliance with policy, to give assurances that security controls are operational and effective; and
  • deliver regular staff training on all areas within the information security policy.

Guidance

Guide to the UK GDPR – Security, ICO website

Small businesses guidance, National Cyber Security Centre website

AMBER: partially implemented or planned

Your business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.

Where you have only partially implemented measures, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • establish a clearly communicated set of security policies and procedures, which reflect business objectives and assign responsibilities to support good information risk management;
  • ensure you have processes to analyse and log any identified threats, vulnerabilities, and potential impacts which are associated with your business activities and information (risk register);
  • apply controls to mitigate the identified risks and regularly test these controls to ensure they remain effective;
  • work with the controller to ensure that all information risks you identify are fed back on a regular basis;
  • provide your input to any data protection impact assessments (DPIAs) that the controller may initiate before the start of the contract with you, or at the point where any significant changes are needed; and
  • work with the controller to mitigate any risks identified as part of the DPIA.

Guidance

Data protection impact assessments, ICO website

Assessing and managing risk, National Archives

Your business has implemented appropriate technical and organisational measures to integrate data protection into your processing activities.

Where you have only partially implemented measures, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • look to continually minimise the amount and type of data you collect, process and store, such as by undertaking regular information and internal process audits across appropriate areas of the business;
  • consider whether pseudonymising the personal data is appropriate to render the data record less identifying and therefore reduce concerns with data sharing and data retention;
  • regularly undertake reviews of your public-facing documents, policies and privacy information to ensure they meet the renewed transparency requirements under the GDPR;
  • ensure any current and/or new processes or systems enable you to comply with an individual’s rights under the GDPR; and
  • create, review and improve your data security features and controls on an ongoing basis.

Guidance

Guide to the UK GDPR - Data protection by design and default, ICO website

Your business only processes data on the documented instructions of a controller and there is a written contract setting out the respective responsibilities and liabilities of the controller and your business.

Suggested actions

Where you have only partially implemented measures, please select the appropriate actions from the detail below:

  • ensure you have a written contract with the controller that sets out the respective responsibilities and liabilities of the controller and your business; and
  • review and amend any existing contracts to ensure they meet the requirements under the GDPR.

Refer to the ICO guidance (link below) to clarify responsibilities and liabilities, and to help you to agree new contracts and amend existing ones. Please note that this checklist may be subject to change as our formal GDPR guidance evolves. Look out for publication of new ICO guidance.

Guidance

Guide to the UK GDPR – Contracts, ICO website

Your business has sought prior written authorisation from the controller before engaging the services of a sub-processor, and there is a contract in place.

Suggested actions

Where you have only partially implemented measures, please select the appropriate actions from the detail below:

  • seek written authorisation from the controller before using a sub-processor; and
  • ensure you have a written contract (or other legal act) in place with the sub-processor which imposes on them the same GDPR obligations that you, as processor, have under your contract with the controller.

Guidance

Draft contracts guidance, ICO website

GREEN: successfully implemented

Decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.

Not applicable

Where required, your business has appointed a Data Protection Officer (DPO). In other cases, you have nominated a data protection lead.

If your business operates outside the EU, you have appointed a representative within the EU in writing.