List the categories of data subjects and personal data collected and retained, e.g. current employee data; retired employee data; customer data (sales information); marketing database; CCTV footage.
Did the data subject sign up to a newsletter? Are they an existing customer governed by our contract, in which case consent may not be required?
Do we have the necessary consents required and were the data subjects informed of the specific purpose for which we’ll use their data? Were we clear and unambiguous about that purpose and were they informed of their right to withdraw consent at any time?
Are you recording the basis on which the data was collected, and is that basis still relevant at this stage?
Are we ensuring we aren’t holding it for any longer than is necessary and keeping it up-to-date? Do you have a policy for keeping the data up to date, and have you defined the timeframe and criteria for getting rid of data? Do we have a defined policy on retention periods for all items of personal data, from customers, prospects and employees?
Are we keeping it safe and secure using a level of security appropriate to the risk? For example, will encryption be required to protect the personal data we hold? Are we limiting access to ensure it is only being used for its intended purpose? Who in our organisation has access to the data?
Are our staff trained in all relevant areas of GDPR policy to ensure they handle data in a compliant manner?
Are we transferring any personal data outside the EU and if so, do we have the required adequate protections in place?
Do we have procedures in place to handle requests from data subjects to modify, delete or access their personal data? Do we have procedures to anonymise data if we are asked to do so by a data subject? Do these procedures comply with the new rules under the GDPR?
Do we have a Privacy Policy in place and if so, do we need to update it to comply with GDPR?
In cases where our third-party vendors are processing personal data on our behalf, such as online accounts systems or a CRM system, have we ensured our contracts with them have been updated to include the processor requirements under GDPR?