gilsongray.co.uk General Data Protection Regulation Questionnaire for Businesses

Post on 19-May-2018


gilsongray.co.uk

General Data Protection Regulation

Questionnaire for Businesses


Data Protection Seminar- Questionnaire for Businesses -


This short questionnaire is a useful tool to help begin the process of identifying how your organisation collects, processes, and stores personal data. We hope that it may help you identify shortfalls in your data processing activities and narrow down the key areas to focus on.

Please circle the most appropriate choice

GENERAL MANAGEMENT

1. Do you have a policy that covers data protection matters?

Yes No Don’t Know

1A. If the answer to the above question is ‘Yes’, how do you judge that policy?

1 2 3 4 5

e.g.) 1 = Clear, useful, up to date 5 = Unclear, useless, out of date

1B. If ‘Yes’, when was your policy last reviewed?

1 2 3 4 5

e.g.) 1 = Less than one year ago 5 = More than four years ago

2. Is your data protection policy adequately resourced, and supported by a management infrastructure that can sustain, monitor and review your policy and generate reports on its effectiveness?

Yes No Don’t Know

2A. If the answer to the above question is ‘Yes’, then how well do you think your policy is promoted and supported by management?

1 2 3 4 5

e.g.) 1 = Actively supported 5 = Unsupported

3. Is there an identifiable person responsible for data protection matters?

Yes No Don’t Know


3A. If the answer to the previous question is ‘Yes’ then how well do you think that person is supported by management?

1 2 3 4 5

e.g.) 1 = Actively supported 5 = Unsupported

4. Do all individuals who are authorised to process personal data receive appropriate training, instruction or guidance on data protection matters?

Yes No Don’t Know

4A. If the answer to the above question is ‘Yes’, how do you judge the training given?

1 2 3 4 5

e.g.) 1 = All individuals receive appropriate training/instruction/guidance 5 = Individuals do not receive any training/instruction/guidance

4B. Are you confident that all individuals who process personal data understand their data protection obligations associated with that processing?

1 2 3 4 5

e.g.) 1 = Very confident 5 = Very unsure

5. If there are contracts, associated with the processing of personal data, which allow contractors and other third parties access to personal data, do these contracts specify adequate data protection requirements?

Yes No Don’t Know

5A. If the answer to the above question is ‘Yes’, then how well do you judge the effectiveness of the monitoring and/or auditing of contractual controls?

1 2 3 4 5

e.g.) 1 = Compliance with contracts is audited/monitored regularly 5 = No auditing/monitoring is undertaken


6. Is there a folder of documents, or other documentation, which will help to manage and demonstrate compliance with your data protection obligations?

Yes No Don’t Know

6A. If the answer to the above question is ‘Yes’, then what is your view on the quality of the information in the folder or in other documentation?

1 2 3 4 5

e.g.) 1 = Clear, complete, up to date 5 = Unclear, incomplete, out of date

LAWFULNESS OF PROCESSING

7. Has the full extent of processing, which is authorised by law or regulation, been identified?

Yes No Don’t Know

8. Has proof of lawful processing been retained?

Yes No Don’t Know

9. Are data subjects made aware, before they provide personal data, of why personal data is being collected and which organisations will use their data?

Yes No Don’t Know

10. Are there significant practical or technical difficulties in providing the details identified in the above question?

Yes No Don’t Know

11. Are there reasons (e.g. public interest) for not providing such information?

Yes No Don’t Know

12. When personal data about a data subject are provided to you by other organisations or individuals, are these data subjects made aware of why personal data is collected and which organisations will use that data?

Always Sometimes Never Don’t Know


13. Is there a significant practical or technical difficulty in providing the details identified in the previous question?

Yes No Don’t Know

14. Are there reasons (e.g. public interest) for not providing such information?

Yes No Don’t Know

QUALITY OF PERSONAL DATA

15. Is personal data assessed as to whether it is ‘adequate, relevant and not excessive’ in the context of each particular purpose?

Always Sometimes Never Don’t Know

16. Are there significant practical or technical difficulties in meeting the above criteria in all circumstances?

Yes No Don’t Know

17. Are there reasons (e.g. in the public interest) for retaining the personal data because the data might become relevant in the future?

Yes No Don’t Know

18. Is personal data assessed for accuracy and checked whether it is up to date?

At appropriate intervals Sometimes Never Don’t Know

19. Are there significant practical or technical difficulties in carrying out such assessments?

Yes No Don’t Know

20. Before action is taken against a data subject, is the accuracy of the personal data checked?

Always Sometimes Never Don’t Know

21. Are there practical or technical difficulties in carrying out such checks?

Yes No Don’t Know


22. Do formal criteria/procedures for the deletion of personal data exist?

Yes No Don’t Know

23. Are there significant practical or technical difficulties in deleting personal data?

Yes No Don’t Know

24. Are there reasons (e.g. in the public interest) for not deleting some or all of the personal data?

Yes No Don’t Know

SECURITY

25. Is there a security policy that covers all aspects of the processing and collecting of personal data?

Yes No Don’t Know

25A. If the answer to the above question is ‘Yes’, how do you judge the security policy?

1 2 3 4 5

e.g.) 1 = Clear, concise, useful 5 = Unclear, verbose, useless

25B. If the answer to the above question is ‘Yes’, how well is the security policy promoted and supported by management?

1 2 3 4 5

e.g.) 1 = Actively supported 5 = Wholly unsupported

26. Do security controls or procedures include measures to ensure the integrity of the personal data and of its processing?

Yes No Don’t Know


26A. How effective do you consider these controls/procedures to be?

1 2 3 4 5

e.g.) 1 = Very effective 5 = Wholly ineffective

27. Do security controls or procedures include measures to permit user identification and authorisation for processing?

Yes No Don’t Know

27A. How effective do you consider the controls/procedures to be?

1 2 3 4 5

e.g.) 1 = Very effective 5 = Wholly ineffective

28. Do security controls or procedures include measures to safeguard operating procedures?

Yes No Don’t Know

28A. How effective do you consider the controls/procedures to be?

1 2 3 4 5

e.g.) 1 = Very effective 5 = Wholly ineffective

29. Do security controls or procedures include measures that include encryption?

Yes No Don’t Know

30. Do security controls or procedures include measures to invoke a business continuity/ disaster recovery plan?

Yes No Don’t Know

30A. Are there significant practical or technical difficulties in forming such a plan?

Yes No Don’t Know


31. Do security controls or procedures include measures to establish adequate audit and monitoring arrangements?

Yes No Don’t Know

31A. How effective do you consider these arrangements to be?

1 2 3 4 5

e.g.) 1 = Very effective 5 = Wholly ineffective

32. Do security controls or procedures include measures to safeguard the physical security of the processing environment?

Yes No Don’t Know

32A. How physically secure do you consider your processing of personal data to be?

1 2 3 4 5

e.g.) 1 = Very secure 5 = Wholly insecure

33. Are staff trained in the necessary security controls and procedures?

Yes No Don’t Know

33A. If the answer to the above question is ‘Yes’, then how do you judge the training given?

1 2 3 4 5

e.g.) 1 = Staff receive appropriate security training 5 = Staff wholly untrained

33B. When did you last receive training/instruction on IT security requirements?

1 2 3 4 5

e.g.) 1 = Less than one year ago 5 = More than four years ago


DATA SUBJECTS’ RIGHTS

34. Do procedures allow for data subjects to be informed of the nature of the processing of personal data, and to receive confirmation as to whether or not personal data about them is processed?

Yes Sometimes No Don’t Know

35. Are there significant practical or technical difficulties in providing such information?

Yes No Don’t Know

36. Are there reasons (e.g. in the public interest) for not providing such information?

Yes No Don’t Know

37. Do procedures allow data subjects to exercise their right of access to personal data which relate to them?

Yes Sometimes No Don’t Know

38. Are there significant practical or technical difficulties in providing such data to the data subject?

Yes No Don’t Know

39. Are there reasons (e.g. in the public interest) for not providing such data?

Yes No Don’t Know

40. Do procedures allow for data subjects to be informed of the logic underpinning any automated decision-making processing which significantly affects them, and to challenge such a decision?

Yes Sometimes No Don’t Know

41. Are there significant practical or technical difficulties in providing such information?

Yes No Don’t Know

42. Are there reasons (e.g. in the public interest) for not providing such information?

Yes No Don’t Know


43. Do procedures have the capability to correct, block or erase personal data (e.g. in compliance with requests from data subjects and/or from data protection authorities or courts) and to notify third parties who have received the data subject’s personal data?

Yes Sometimes No Don’t Know

44. Are there significant practical or technical difficulties in providing such information?

Yes No Don’t Know

45. Do procedures allow data subjects to object to the processing of personal data?

Yes No Don’t Know

46. Are there reasons (e.g. in the public interest) for not allowing such objection?

Yes No Don’t Know

47. Has a comprehensive census of the processing of personal data been carried out?

Yes No Don’t Know

47A. When was the last census carried out?

1 2 3 4 5

e.g.) 1 = Less than one year ago 5 = More than four years ago

48. Do procedures anticipate the need to notify details of the processing to a data protection authority (e.g. the Information Commissioner’s Office)?

Yes No Don’t Know

SYSTEM DESIGN

49. Are data protection considerations taken into account during the development, purchase or acquisition of hardware and software?

Yes No Don’t Know


50. Are changes to the software or processing environment considered in the context of data protection obligations?

Yes No Don’t Know

Interpreting the results of the Questionnaire

Each question is based on one or more of the statutory obligations in the Data Protection Act 1998 which the data controller has towards the protection of personal data of a data subject. It is important to double check that you are not overlooking something which could make your processing of personal data unlawful.

Although this questionnaire uses the Data Protection Act 1998 as the basis for its questions, it is important to understand that if it reveals deficiencies in your organisation, it is highly unlikely that you will be compliant with the General Data Protection Regulation, because the upcoming legislation incorporates and further develops the existing legal framework.

Each ‘No’ answer, or a ‘Yes’ answer which scores 4 or 5, identifies a potential exposure in your data protection procedures. Although lower scores cannot be ignored and should also be investigated, it would be advisable to focus on the highest scoring aspects of the questionnaire first, because these are likely to be the source of the greatest deficiencies in your current data handling procedures.

An answer that indicates a significant practical or technical problem in meeting an obligation needs further consideration. If an obligation cannot be satisfied because it is ‘impossible’ or involves ‘disproportionate’ effort, then in some cases the legislation permits derogation from the obligation. That said, the test of what is or is not ‘disproportionate’ is likely to become more demanding under the General Data Protection Regulation, with the addition of the Accountability Principle and the higher standard of consent that must be obtained before processing personal data, particularly in light of the increased fines regime.

Any ‘Sometimes’ answer, or any matter associated with the processing of personal data in the public interest, needs careful attention before you decide whether or not an exemption from a data protection obligation applies. It is crucial to understand that the exemptions are very narrow in scope and will only apply to a very small subset of organisations, for example GCHQ or MI5. They cannot, and should not, be used as an excuse to try to avoid your legal obligations, particularly in light of the upcoming General Data Protection Regulation.

We would be grateful if you could provide us with a copy/scan of your answers by e-mailing either Graham Millar ([email protected]) or John Kielski ([email protected]).

Your Contacts

John Kielski, Solicitor

Corporate

T +44 (0) 141 530 2038 M +44 (0) 7871 834 494

E [email protected]


Graham Millar, Partner

Head of Employment

T +44 (0) 141 530 2023 M +44 (0) 7841 920 102

E [email protected]

Derek Hamill, Partner

Head of Corporate

T +44 (0) 141 530 2022 M +44 (0) 7973 924 333

E [email protected]
