Use our checklists to assess your compliance with data protection law and find out what you need to do to make sure you are keeping people’s personal data secure.
This self assessment toolkit has been created with small organisations in mind. It will be most helpful to sole traders or small to medium sized organisations from the private, public and third sectors.
Good information handling makes good business sense. You'll enhance your business's reputation, increase customer and employee confidence, and by making sure personal information is accurate, relevant and safe, save both time and money.
Getting ready for the GDPR
Before undertaking our self assessment checklist to help your organisation get ready for the GDPR, you should first determine whether your organisation processes personal data as a “data controller” or “data processor”. The definition of these two terms can be found in the Guide to the GDPR.
In some instances, an organisation will process personal information as both a controller and a processor. When this is the case, we would advise you to complete both assessments.
GDPR checklist for data controllers
Designed to help you, as a data controller, assess your high level compliance with data protection legislation. Includes the new rights of individuals, handling subject access requests, consent, data breaches, and designating a data protection officer, under the upcoming General Data Protection Regulation.
GDPR checklist for data processors
Designed to help you, as a data processor, understand and assess your high level compliance with data protection legislation. Includes the new requirements for data processors, the rights of individuals, data breaches, and designating a data protection officer, under the upcoming General Data Protection Regulation.
Assess your compliance with data protection in the specific areas of information and cyber security policy and risk, mobile and home working, removable media, access controls and malware protection.
Assess your business or organisation in the area of direct marketing in line with the Privacy and Electronic Communications Regulation (PECR). Includes consent and bought-in marketing lists, and telephone, email, text and postal marketing.
Please note, direct marketing is the promotion of aims and ideals as well as the sale of products and services.
Assess your records management policy and risks to people’s personal information. Includes record creation, storage and disposal, access, tracking and off-site storage.
Data sharing and subject access
Designed to help assess your organisation’s data sharing policies and agreements, compliance monitoring, maintaining sharing records, registration and your process for how to deal with a subject access request.
Data protection law covers the use of CCTV. This checklist helps you to assess the compliance of your CCTV systems, including installation, management, operation, public awareness and signage.