1 December 2023
Processors checklist report
Your overall rating was amber.
- 0: Not yet implemented or planned
- 10: Partially implemented or planned
- 7: Successfully implemented
- 1: Not applicable
AMBER: partially implemented or planned
Your business has conducted an information audit to map data flows.
Where you have only partially implemented measures, please select the appropriate actions from the detail below:
Suggested actions
You should:
- organise an information audit across your business or within particular areas to identify the data that you process and how it flows into, through and out of your business;
- ensure this is conducted by someone with in-depth knowledge of your working practices; and
- identify and document any risks you find, for example in a risk register.
Guidance
Find out what information you have, National Archives
Identify information assets, National Archives
Your business has documented what personal data you hold, where it came from, who you share it with and what you do with it.
Where you have only partially implemented measures, please select the appropriate actions from the detail below:
Suggested actions
You should:
- maintain records of processing activities detailing what personal data you hold, where it came from, who you share it with and what you do with it. This will vary depending on the size of your business;
- consider using an information asset register to do this; and
- ensure you have staff procedures on how to manage information you hold.
Guidance
Guide to the UK GDPR - Documentation, ICO website
Identify information assets, National Archives
Information Asset Register template, National Archives
Decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.
Where you have only partially implemented measures, please select the appropriate actions from the detail below:
Suggested actions
You should:
- clearly set out your business’s approach to data protection and assign management responsibilities;
- ensure you have a policy framework and information governance strategy in place to support a positive data protection and security culture which management have endorsed;
- assess and identify areas that could cause data protection or security compliance problems and record these on your business's risk register;
- deliver training which encourages personal responsibility and good security behaviours; and
- run regular general awareness campaigns across your business to educate staff on their data protection and security responsibilities and promote data protection and security awareness and compliance.
Your business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.
Where you have only partially implemented measures, please select the appropriate actions from the detail below:
Suggested actions
You should:
- establish a clearly communicated set of security policies and procedures, which reflect business objectives and assign responsibilities to support good information risk management;
- ensure you have processes to analyse and log any identified threats, vulnerabilities and potential impacts associated with your business activities and information, for example in a risk register;
- apply controls to mitigate the identified risks and regularly test these controls to ensure they remain effective;
- work with the controller to ensure that all information risks you identify are fed back on a regular basis;
- provide your input to any data protection impact assessments (DPIAs) that the controller may initiate before the start of the contract with you, or at the point where any significant changes are needed; and
- work with the controller to mitigate any risks identified as part of the DPIA.
Guidance
Data protection impact assessments, ICO website
Assessing and managing risk, National Archives
Your business has implemented appropriate technical and organisational measures to integrate data protection into your processing activities.
Where you have only partially implemented measures, please select the appropriate actions from the detail below:
Suggested actions
You should:
- look to continually minimise the amount and type of data you collect, process and store, such as by undertaking regular information and internal process audits across appropriate areas of the business;
- consider whether pseudonymising the personal data is appropriate to render the data record less identifying and therefore reduce concerns with data sharing and data retention;
- regularly undertake reviews of your public-facing documents, policies and privacy information to ensure they meet the renewed transparency requirements under the GDPR;
- ensure any current and/or new processes or systems enable you to comply with an individual’s rights under the GDPR; and
- create, review and improve your data security features and controls on an ongoing basis.
Guidance
Guide to the UK GDPR - Data protection by design and default, ICO website
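The pseudonymisation bullet above deserves a concrete illustration of what "appropriate" means in practice. The Python below is an added example, not part of the ICO checklist or its guidance: it pseudonymises a constructed set of order records by replacing the e-mail address with an HMAC-SHA256 value under a secret key that is held separately from the output (the additional information that the UK GDPR definition of pseudonymisation requires to be kept apart), and contrasts that with an unkeyed SHA-256 of the e-mail, which an attacker reverses simply by hashing a list of plausible addresses. The record fields, the candidate list and the key-handling helper are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, List, Optional

# Constructed sample records for the example (not real personal data).
RECORDS = [
    {"email": "alice@example.com", "order_total": 42.50},
    {"email": "bob@example.com", "order_total": 13.00},
    {"email": "alice@example.com", "order_total": 7.25},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Looks anonymous, but anyone who can enumerate plausible identifiers
    (a leaked customer list, sequential account numbers) recovers the
    original by hashing each candidate and comparing.
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    The key is the 'additional information' that must be stored separately
    from the pseudonymised data set; without it the mapping cannot be
    rebuilt from a candidate list.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[dict], key: bytes) -> List[dict]:
    """Replace the direct identifier with a keyed pseudonym.

    The same e-mail maps to the same subject_id, so records can still be
    linked for analysis, while the e-mail itself leaves the data set.
    """
    return [
        {"subject_id": keyed_pseudonym(r["email"], key),
         "order_total": r["order_total"]}
        for r in records
    ]


def dictionary_attack(pseudonym: str, candidates: Iterable[str],
                      derive: Callable[[str], str]) -> Optional[str]:
    """Try to reverse a pseudonym by deriving it from each candidate identifier.

    Returns the matching identifier, or None if no candidate reproduces it.
    """
    for candidate in candidates:
        if hmac.compare_digest(derive(candidate), pseudonym):
            return candidate
    return None


def new_key() -> bytes:
    """Generate a fresh 256-bit pseudonymisation key.

    Assumed key handling for the example: in a real system this key lives in
    a separate store (KMS, HSM, or at least a different host and ACL) from the
    pseudonymised records, and is rotated per the retention schedule.
    """
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_key()
    # Constructed candidate list an attacker might hold.
    candidates = ["carol@example.com", "alice@example.com", "bob@example.com"]
    print("unkeyed, recovered:",
          dictionary_attack(naive_pseudonym("alice@example.com"),
                            candidates, naive_pseudonym))
    print("keyed, recovered without key:",
          dictionary_attack(keyed_pseudonym("alice@example.com", key),
                            candidates, naive_pseudonym))
    for row in pseudonymise(RECORDS, key):
        print(row)
```

The point to carry into a DPIA is that an unkeyed hash of a low-entropy identifier (e-mail, NI number, phone number) is not pseudonymisation in any meaningful sense; the keyed construction is, provided the key is genuinely held apart from the data and the people who can read the data cannot also read the key.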
Your business has a process to respond to a controller's request for information (following an individual's request to access their personal data).
Where you have only partially implemented measures, please select the appropriate actions from the detail below:
Suggested actions
You should:
- ensure a process is in place to allow you to respond to requests for information (either ones you receive directly from an individual or from the controller) in line with the agreed contractual SLA obligations and in order for the controller to meet statutory timescales;
- include subject access procedures within your written data protection policy; and
- provide appropriate awareness training to all staff and more specialised training to individuals that will be dealing with any requests.
Guidance
Guide to the UK GDPR - Right of access, ICO website
Your business has processes to ensure that the personal data you hold remains accurate and up to date.
Where you have only partially implemented measures, please select the appropriate actions from the detail below:
Suggested actions
You should:
- have procedures to respond to a request from a controller to correct inaccurate records;
- create records management policies, with rules for creating and keeping records (including emails);
- conduct regular data quality reviews of systems and manual records you hold to ensure the information continues to be adequate for the purposes of processing (for which it was collected);
- regularly review information to identify when you need to correct inaccurate records, remove irrelevant ones and update out-of-date ones; and
- promote and feed back any data quality trends to staff through ongoing awareness campaigns and internal training.
Guidance
Guide to the UK GDPR - Right to rectification, ICO website
Your business has a process to routinely and securely dispose of personal data that is no longer required, in line with the agreed timescales stated in your contract with the controller.
Where you have only partially implemented measures, please select the appropriate actions from the detail below:
Suggested actions
You should:
- ensure your written contract with the controller includes standard contract clauses covering data erasure, retention and disposal;
- have processes in place to ensure that these conditions are met;
- consider creating a written retention policy to remind you when to dispose of various categories of data, and help you plan for its secure disposal; and
- have appropriate procedures in place to ensure you erase data permanently if you receive a request from the controller to do so. If you have shared the data with a third party it is also important to have procedures to notify them of the request.
Guidance
Disposal of Records, National Archives
Guide to the UK GDPR - Right to erasure, ICO website
Your business has procedures to respond to a controller’s request to suppress the processing of specific personal data.
Where you have only partially implemented measures, please select the appropriate actions from the detail below:
Suggested actions
You should:
- ensure you have processes in place to act on any request from the controller to restrict the processing of an individual’s personal data.
Guidance
Guide to the UK GDPR - Right to restrict processing, ICO website
Your business can respond to a request from the controller to supply the personal data you process in an electronic format.
Where you have only partially implemented measures, please select the appropriate actions from the detail below:
Suggested actions
You should:
- ensure you have a process in place to enable you to respond to any request from the controller for the provision of data you process in a structured, commonly used and machine-readable format; and
- ensure that the way you provide the data has appropriate technical security controls in place to protect the data it contains.
Guidance
Guide to the UK GDPR - Right to data portability, ICO website
Article 29 Working Party guidance
EDPB guidelines are no longer directly relevant to the UK regime and are not binding under it. However, they may still provide helpful guidance on certain issues.
GREEN: successfully implemented
Your business has an appropriate data protection policy.
Where required, your business has appointed a Data Protection Officer (DPO). In other cases, you have nominated a data protection lead.
Your business provides data protection awareness training for all staff.
Your business only processes data on the documented instructions of a controller and there is a written contract setting out the respective responsibilities and liabilities of the controller and your business.
Your business has sought prior written authorisation from the data controller before engaging the services of a sub-processor.
Your business has an information security policy supported by appropriate security measures.
Not applicable
If your business operates outside the EU, you have appointed a representative within the EU in writing.