Saturday 17 February 2018

Quiz - Simple GDPR Self Assessment


This is a simple self-assessment; we do not keep your email address or try to sell you anything.

Are you GDPR Ready? Take our Questionnaire

Your result will appear automatically at the foot of the page. Please be sure to answer all questions.

Have you appointed a Data Protection Officer (DPO)?

YES NO UNSURE
Implementation of GDPR measures will, in some cases, require the appointment of a Data Protection Officer. Organisations will have additional obligations and there will be changes that impact internal accountabilities and contracts. Where there is insufficient need for an internal DPO, some organisations may choose to employ the services of an external Data Protection Officer.

Have your security personnel received training or instruction on the GDPR?

YES NO UNSURE
Software alone cannot sufficiently counter all threats to data protection. Security personnel training should cover data processing obligations as well as the identification of breaches and risks.

Have your senior management been briefed on the GDPR?

YES NO UNSURE
A GDPR compliance programme should involve senior stakeholders as it will require input from all departments.

Have all staff received GDPR awareness training?

YES NO UNSURE
Many staff are unaware of their contribution to protecting private information and what is expected of them. The GDPR requires privacy awareness training to be provided to all employees.

Have you reviewed and updated your privacy policies?

YES NO UNSURE
You will need to review all existing data protection and privacy policies to ensure they comply with the new requirements.

Have you made preparations for implementing and performing Data Protection Impact Assessments?

YES NO UNSURE
You should assess all of your data processing activities in relation to managing data privacy and ensuring compliance. To prepare for Data Protection Impact Assessment (DPIA) requirements, you should also identify processing of sensitive data (including biometric information), surveillance activities (including CCTV), and data processing that may impact on the rights and freedoms of individuals.

Have you assessed all points of data collection to ensure that explicit consent is properly requested in each case?

YES NO UNSURE
The GDPR implements more stringent requirements for obtaining consent when collecting data from individuals. Data collection will have to adhere to just-in-time notification of the “reason for data collection”, communicating to data subjects “how their data will be processed”, and procedures for “further engagement in terms of enhanced privacy rights”.

Have you prepared, documented and communicated processes for managing subject data access requests?

YES NO UNSURE
Not many companies know where all their data is kept. Data may be stored in many different places, and not just inside the company or for internal use. Data is often not restricted to databases. Much of the data people work with every day is in a variety of file formats and on different platforms, often outside the network, somewhere in the cloud. Successfully responding to data subject access requests will be a challenge in cases where process requirements have not been considered and dealt with thoroughly.

Have processes been developed to allow individuals to amend or delete their personal data?

YES NO UNSURE
New enhanced personal data rights, such as the “right to be forgotten” and “data portability rights”, additionally require organisations to know what data they process and where they store it. To allow individuals to amend or delete their personal data, the capability to track data (through systems and all the different storage locations) will be required under the GDPR.

Have data retention and destruction procedures been reviewed for all data (including offline) as used by your organisation?

YES NO UNSURE
Documented policies and procedures should describe handling of classified information in terms of retention, responding to data deletion requests, and maintaining records of retention and destruction activities.

Have you re-assessed your suppliers and supplier contracts in relation to the GDPR?

YES NO UNSURE
It will be necessary for organisations to monitor the privacy compliance of suppliers, agents and shops to avoid liabilities and damages. It is also advisable to follow a formal process for selecting external suppliers that will be expected to process personal data.

Have you made preparations to detect and report breaches as part of a response plan?

YES NO UNSURE
Breach notifications are already mandatory elsewhere in the world. The GDPR introduces requirements for breach responses, particularly for breaches that affect data belonging to private individuals in the EU.

Have you prepared data breach notification procedures for informing data subjects?

YES NO UNSURE
It will be necessary to maintain a protocol for communicating breaches. A breach response plan should cover communication to affected individuals and describe processes for co-operating with regulators, credit agencies, and law enforcement.

Have you prepared for regular compliance audits or reviews to identify and fix issues?

YES NO UNSURE
It will be necessary to maintain a protocol for communicating breaches. A breach response plan should cover communication to affected individuals, and also describe processes for co-operating with regulators, credit agencies, and law enforcement.

Have you made preparations to abide by the GDPR codes for ‘Privacy by Design and by Default’?

YES NO UNSURE
This requirement will call for evidence that you have considered and incorporated compliance measures into your data processing activities. This includes adopting appropriate policies for integrating privacy-by-design and privacy-by-default, as well as pseudonymisation and data minimisation.

Answer all of the above to see your result here






If you want to get in contact feel free to phone +447797762051 or email timhjrogers@adaptconsultingcompany.com



(C)OPYRIGHT Tim HJ Rogers, All Rights Reserved

Sharing data with Government (data-controller or data-processor)

Businesses hold a lot of data about staff, customers and contacts and under GDPR they need to keep that data private, safe and secure.

Additionally where that data is held or shared with a third-party there needs to be some form of data-controller/data-processor agreement detailing the roles, goals and controls for the management of that data.
In many cases that third-party may be a government department. So it makes sense for the government department to detail its policy, procedures, templates etc., so as to be clear and consistent in all its dealings rather than create a bespoke solution and documentation for every organisation with whom it shares data.

Having a standard approach and template agreements will help reduce cost, raise awareness and ensure best practice. Surely this is better than every business having a slightly different approach with sharing data with that government department?

In the meantime I have been writing letters along the following lines to support my clients in becoming GDPR compliant and evidencing the roles, goals and controls for the management of data held for, or shared with, government.

Dear XXXXXX

FOI General Data Protection Regulation (GDPR).

Many organisations hold personal-data [as defined by GDPR] for the States or shared with the States (for example ID, Tax and SocSec information, and in some cases special-category data like medical information).

What are the requirements of the States in relation to that data? Do you have guidance and model data-controller/data-processor agreements as required by GDPR that can be shared to encourage a standardised approach based on best-practice?

For Example

· What personal-data should be held for the States or shared with the States (Examples: DBS Checks? ID Records? Staff Records?)

· What should the retention period be for personal-data for the States or shared with the States (Example: 1 year, 3 years, 10 years?)

· What information security measures should be applied to personal-data for the States or shared with the States (Example: Cyber Essentials? ISO 27001?)

Perhaps this would be better submitted as a Freedom of Information Request so that the reply can be used as a standard for all organisations seeking to address the requirements of GDPR?

Yours sincerely

GDPR Checklist for Third Party Agreements

Unlike the EU Data Protection Directive (Directive) (where only data controllers had direct compliance obligations), the EU General Data Protection Regulation (GDPR) will impose both direct compliance obligations on data processors as well as specific contractual requirements for the data controller to include in its data processing agreement with the data processor (see, e.g., Article 28 of the GDPR).

The following is a list of some issues to consider when reviewing your third party vendor agreements for compliance with the GDPR. This list assumes that such agreements are already compliant with the Directive (e.g., already have security requirements in place), and that the vendor is acting as a data processor rather than as a joint controller. In addition, please note this list is not meant to be a complete list of all the issues you may need to consider.

DEFINITIONS

Consider whether the definitions in your Agreement need to be updated to reflect the revised definitions in the GDPR (e.g., definition of sensitive personal data).

DATA BREACH

In the event of a data breach, the vendor should be required to notify you without undue delay after becoming aware of the breach.

In the event of a data breach, the vendor should be required to cooperate with you to investigate and remediate the breach, cooperate with any supervisory authorities and law enforcement, and assist with any notifications as required.

DATA SECURITY

Consider whether it is appropriate to require the use of specific technical measures, such as pseudonymisation or encryption.

Consider requiring the vendor to implement data protection by design where applicable.

PROCESSING AND RECORD KEEPING

The vendor's data processing should be set up so that it can help you respond to and fulfil data subject requests (e.g., with respect to their right to data portability, right of access, right to rectification, right to erasure (right to be forgotten), right to restriction of processing, right to object to processing, and right to not be subjected to automated profiling).

The vendor should be required to make available to you all information necessary to demonstrate the vendor's compliance with its processing obligations.

The vendor should be required to maintain a record in writing of all categories of processing activities carried out on your behalf and make such records available to you or a supervisory authority upon request.

COOPERATION

Consider requiring the vendor to cooperate:

With any data protection impact assessments (DPIAs) that you conduct.

With any audits or inspections that you or another auditor may need to perform (e.g., to verify the vendor's compliance).

To assist you in complying with your obligations regarding data security.

With any inquiries or notices received from or with any investigations or consultations with a supervisory authority, or with a supervisory authority in the performance of its tasks, upon request.

DATA PROTECTION OFFICER

Consider whether the vendor is required to have a designated data protection officer.

FINES

Consider whether to modify the indemnities, limits of liability and other similar clauses to address the new risks, including the substantially increased fines (e.g., in the event of a data breach).

Friday 16 February 2018

Important for Jersey Charities: Fundraising Regulator changes code to bring it in line with GDPR

All fundraising organisations “must comply with all legal requirements relating to data protection” including Privacy and Electronic Communications Regulations, the Data Protection Bill 2017 and GDPR, as well as the requirements of the Telephone Preference Service.

Fundraising organisations “must be able to show that all reasonable steps have been taken to ensure that communications are suitable for those targeted” and must comply with the Committee of Advertising Practice Code and Broadcasting Committee of Advertising Practice.

There is new guidance on preparation, mail enclosures and reciprocal mailing. It makes clear that fundraising charities must not send direct marketing materials to individuals registered on the Mailing Preference Service.

A full list of changes:

https://www.civilsociety.co.uk/news/fundraising-regulator-announces-new-sections-to-bring-code-in-line-with-gdpr.html#sthash.l2FKtHS7.dpuf

https://www.fundraisingregulator.org.uk/code-of-fundraising-practice/code-changes/code-changes-gdpr-post-may-25th-2018/


Thursday 15 February 2018

Monday 12 February 2018

Read your own PRIVACY NOTICE and consider – would I sign this?


I have put this article into two parts, a SUMMARY which essentially makes the point and the DETAIL with an invitation to “crowd source” all your comments on this document. Think of it as a “where’s wally” exercise for GDPR professionals.

I was recently asked to review a Privacy Notice for a Club/Association that I will keep anonymous. I am sharing feedback as a learning exercise for anyone contemplating a Privacy Notice and a stark warning for anyone who simply recycles someone else's Privacy Notice without thought.

SUMMARY


This is about a club with a membership who meet regularly to discuss their pet topic. They are not a business. They are not part of government. It is simply a club for which the text below details the conditions for membership.

First, have a look at the Data Protection Principles here

Lawfulness, fairness and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
Purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
Data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Accuracy
Personal data shall be accurate and, where necessary, kept up to date
Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
Integrity and confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Accountability
The controller shall be responsible for, and be able to demonstrate compliance with the GDPR



Now consider would you sign this as a club membership condition?

[zzzzzzzz] may collect and process [all and any] social media accounts + work and home details + professional life + personal relationships

[zzzzzzzz] may disclose your personal data to
· other members
· professional advisors, banks and other service providers [unlimited]
· any central or local government department and other statutory or public bodies as required.

This seems a bit excessive as a pre-condition of joining a Club/Association for the purposes of monthly chats about common interests.

1. It does not seem to be collected for specified, explicit and legitimate purposes {ie managing membership of a club} and not further processed in a manner incompatible with those purposes
2. Nor is it adequate, relevant and limited to what is necessary in relation to the purposes {ie managing membership of a club}
3. It is not obvious that this is fair and transparent {why is data being so widely shared, and specifically what data?}
4. If data is being stored for 10 years and shared widely, how is it accurate and, where necessary, kept up to date?
5. There is no mention of data-controller/data-processor agreements and it is vague {given the circumstance and nature of social media accounts + work and home details + professional life + personal relationships} as to whether it is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss.

DETAIL

Read the full text here. Would you sign an agreement that said this? What modifications would you suggest? Think of it as a “where’s wally” exercise for GDPR professionals.

1. Introduction
This Privacy Notice sets out how the [zzzzzzzz] (“[zzzzzzzz]”) deals with your personal data which we collect in the course of your use of this website and as a result of you interacting with The [zzzzzzzz] entities in other ways. We may collect certain information about you in the course of your use of this website and otherwise in your interaction and correspondence with us. We take privacy and security of your information seriously and will only use such personal information as set out in this privacy policy.

2. Collection of Information by Third Parties
The [zzzzzzzz] website contains links to other sites whose information practices may differ from those of The [zzzzzzzz]. If you should visit such third party sites, you should ensure that you review the appropriate privacy notices as we have no control over information that is submitted to, or collected by, these third parties.

3. Who We Are – The [zzzzzzzz]
Information which is collected as a result of your use of this website will be the responsibility of the [zzzzzzzz], who will act as data controller in relation to your personal data.
The [zzzzzzzz] is a members’ association for those with an active interest in Jersey [zzzzzzzz] issues.

4. Where And When we Collect your Data
We may collect and process your personal data from a variety of sources including:
• Your use of this website;
• Your interactions with our officers, committee and members;
• The information you provide us when you are applying to join the [zzzzzzzz];
• When you interact with us on behalf of your own employer or institution;
• Your colleagues when they write to us on your behalf; and
• Information which we collect from our contact on social media (including but not limited to Twitter and Linkedin).

5. What Data We May Collect
We may collect and process the following types of personal data:
• Your work and home details, such as email address, postal address and/or telephone number (both landline and mobile);
• Your job title and professional qualifications;
• Details of your social media accounts;
• Details of your professional life including your occupation and professional interests;
• Details of your visits to our websites and applications including, but not limited to, traffic data, location data and other communication data, and the resources that you access;
• Details of your interactions with us, including any which occur electronically or in person;
• Details of your professional and personal relationships;

6. What we use your personal data for
The [zzzzzzzz] and/or persons acting on our behalf may process your personal data for a number of business purposes, (depending on the capacity in which you deal with the [zzzzzzzz]) which may include:
• to ensure the content on our websites and applications is presented in the most effective manner for you;
• to manage your membership of the [zzzzzzzz] and any training requirements which you may have from time to time;
• to ensure the protection of the interests and reputation of the [zzzzzzzz];
• to comply with our legal, tax and regulatory obligations;
• for monitoring and assessing compliance with the [zzzzzzzz]’s policies and standards;
• for promotional and marketing materials and activities, including photos and videos;
• to provide you with requested products or services;
• in order to ensure the security and access of our systems, premises, platforms and secured websites and applications; and
• other purposes reasonably ancillary to the above
Many of the above ways in which we process data may be as a result of legal or regulatory obligations. Some may be based on your consent (which we will obtain at the time of collection and at appropriate other times).
Where we process data for our legitimate business interests, you have the right to object to such processing (see below in relation to your rights). Please bear in mind that if you do object this may affect our ability to carry out tasks above for your benefit.

7. When we may disclose your personal data
We may disclose your personal data to the following for the purposes
• To other [zzzzzzzz] members.
• To third party data processors who process your personal data on our behalf (such as our IT systems providers);
• To third parties service providers which are themselves data controllers such as professional advisors, banks and other service providers;
• To third parties in the course of providing membership benefits and products.
• To any national and/or international regulatory, enforcement or exchange body or court where we are required to do so by applicable law or regulation or at their request.
• To any central or local government department and other statutory or public bodies as required.

8. Data Security
The [zzzzzzzz] uses up-to-date data storage and security techniques to protect your personal information from unauthorised access, improper use or disclosure, unauthorised modification or unlawful destruction or accidental loss.
Any third parties we engage to process your personal information are obliged to respect the confidentiality of your information.

9. International Transfers
The personal data we collect from you may be processed in (including being accessed in or stored in) a country or territory outside your home country, including outside the European Economic Area (“EEA”).
Where we transfer data to another jurisdiction, which does not offer the same level of protection of personal data as may be enjoyed within your home country, we will ensure that your data is appropriately protected.

10. How we use cookies and other similar technology on our websites
This website uses cookies. A cookie is a small text file that a website saves onto your device when you visit the site. It enables our website to remember your actions and preferences over a period of time, so you don’t have to keep re-entering them when you come back to the site or browse from one page to another. It makes your experience with us more seamless.
Our pages use cookies to remember:
• Your display preferences, such as colour settings or font size.
• If you have already replied to any pop-ups that appear so that you won’t be asked again;
• If you have agreed (or not) to our use of cookies on this site;

Any videos embedded in our pages use a cookie to anonymously gather statistics on how you got there and what videos you visited.
Enabling these cookies is not strictly necessary for the website to work, but it will provide you with a better browsing experience. You can delete or block these cookies through your browser, but if you do that some features of this site may not work as intended.
The cookie-related information is not used to identify you personally and the pattern data is fully under our control.
These cookies are not used for any purpose other than those described here.

11. How Long We Retain Personal Data
We will retain your personal data for as long as necessary to fulfil the purpose for which it was collected.
Once those purposes are completed, we then have legal and regulatory obligations to fulfil in connection with data retention which we will need to fulfil.
Additionally, we may also retain personal data in some circumstances for a period of at least ten years in order to ensure that we are able to answer and deal with any queries, complaints, tax enquiries or investigations or any legal proceedings which may arise.

12. Your rights
You have the right to apply for a copy of the personal data we hold about you and to have any inaccurate personal data about you rectified.
In some circumstances you may also have the right to ask us to erase your personal data or restrict its processing.
Where we process your data for our legitimate interests, you have the right to object to such processing.
Where our processing is based on consent, you may withdraw your consent by emailing membership@ [zzzzzzzz]
Please bear in mind that if you object to processing or withdraw your consent, this may affect our ability to deliver services to you.
Should you wish to discuss the exercise of any of your rights, please contact us as set out below.

13. Contact information
If you have any questions in relation to this policy or [zzzzzzzz] within please contact us at:
[zzzzzzzz]

If you currently receive marketing information from us which you would prefer not to receive in the future please email us at [zzzzzzzz]

NEED SUPPORT WITH GDPR?

Jersey Community Partnership and Association of Jersey Charities are looking to co-ordinate resources and suppliers, and there may be grant funding available.

Jersey Charities Q&A

Jersey Data Protection Association list of GDPR events

GDPR Reform in the Channel Islands

EU Guidance Site

CONTACT

TimHJRogers@AdaptConsultingCompany.Com
+447797762051 Skype: timhjrogers TimHJRogers@gmail.com