Other standards

IMPLEMENT
LEARN
FREE RESOURCES
ABOUT

EU GDPR Readiness Assessment Tool

Find out your level of compliance with EU GDPR

Save my progress and resume later | Resume a previously saved form

Resume Later

In order to be able to resume this form later, please enter your email and choose a password.

Your Email:

A Password:

Confirm Password:

* Please use a different unique password every time you are saving your progress and intend to resume later.

PRINCIPLES RELATED TO PROCESSING OF PERSONAL DATA

PRINCIPLES RELATED TO PROCESSING OF PERSONAL DATA

1. Is the legal basis for each processing activity documented? (“The organisation should maintain a log of each processing activity it engages in, as well as the corresponding legal basis. The processing activity has a valid legal basis only if one or more of the following apply: (a) the data subject provides valid consent; (b) processing is necessary for entering into or the performance of a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or other individual; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or third party, to the extent it does not infringe on the fundamental rights and freedoms of the data subject, particularly where the data subject is a child” - Article 6(1) EU GDPR.)

YesNo

You need to determine the legal basis for each of your processing activities; without this, you won't have lawful basis for processing the personal data. Not having a legal basis for processing is a serious infringement of the EU GDPR requirements.

See here an example of a Consent template.

2. Is the purpose for each processing activity documented? (Every processing activity should be documented. "Processing" is defined as "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." - Article 4(2) EU GDPR.)

YesNo

You need to document each processing activity, usually in the form of an inventory.

See here an example of Guidelines for Data Inventory and Processing Activities Mapping and the Inventory of Processing Activities.

3. Will the personal data be processed for a purpose other than what was intended at the time of collection? (Departments within the organisation should consult the Data Protection Officer/Legal Counsel/other relevant personnel prior to processing personal data for a secondary purpose. "Personal Data" is defined as "any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" - Article 4(1) EU GDPR.)

YesNo

Once you have defined a purpose for processing, make sure to stick to it and not change it without reassessing the legal basis. For example, if the processing activity you want to change is based on an existing consent, before changing the processing activity, you should obtain the consent again. Make sure that such processing is also lawful - the processing activity has a valid legal basis only if one or more of the following apply: "(a) the data subject provides valid consent; (b) processing is necessary for entering into or the performance of a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or other individual; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or third party, to the extent it does not infringe on the fundamental rights and freedoms of the data subject, particularly where the data subject is a child” - Article 6(1) EU GDPR.

4. Do consent-collecting mechanisms require some action (e.g., ticking a box) or affirmative statement by the data subject? (In order for the consent to be valid it should be freely given, specific, unambiguous, and should require some affirmative action from the data subject. Silence, pre-ticked boxes, opt-out or inactivity do not constitute a valid consent.)

YesNo

Make sure that your consents - no matter if they are in paper or digital form (e.g., on a website) - include these actions, because otherwise, they are invalid. To simplify things and still be compliant with the regulation, try to avoid (as much as possible) using consent as a legal basis for processing your employees' personal data.

5. Where processing involving special categories of data is based on consent, is explicit consent obtained (e.g., in writing or verbally) from the data subject? ("Special categories" of data are "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation" - Article 9(1) EU GDPR.)

YesNo

Evaluate if the sensitive personal data are essential to the processing activity; if not, you should consider not processing it. However, if the sensitive data is essential to the processing activity, make sure you properly identify all the special categories of personal data you are processing, and check if you have valid consents from all the persons who are the owners of those data.

See here an example of a Consent template.

RIGHTS OF THE DATA SUBJECTS WHILE PROCESSING AND ACCESSING THEIR INFORMATION

RIGHTS OF THE DATA SUBJECTS WHILE PROCESSING AND ACCESSING THEIR INFORMATION

6. Is a process in place to respond to requests for access to information held about a data subject?

YesNoNot applicable

You should set up a process to respond to requests from the data subjects to access the information held about them. Make sure that the process is consistent and allows you to respond to the requests in a timely manner (30 days as stated in the Regulation).

See here an example of the Data Subject Access Request Procedure template.

7. Is a process in place to rectify/delete information about a data subject pursuant to a request?

YesNoNot applicable

You should set up a process to rectify/delete information about a data subject pursuant to a request. Make sure you properly identify the data subject.

8. Is a process in place to communicate updates of personal data to third parties who have received the data?

YesNoNot applicable

When possible, you should set up a process to communicate updates of personal data to third parties who have received the data. When using processors, make sure that you communicate to them all the updates of personal data as well, so their databases are kept up to date and accurate.

9. Is there a process in place to allow a data subject to revoke consent for a particular processing activity at any time? (According to Article 7(3) of the EU GDPR, revoking consent should be as easy for the data subject as giving consent.)

YesNoNot applicable

You should implement a process that will allow a data subject to revoke consent for a particular processing activity at any time. Make sure that the process to revoke the consent is as easy, for the data subject, as the process of giving consent.

See here an example of a Data Subject Consent Withdrawal Form and a Parental Consent Withdrawal Form.

10. When consent for a particular processing activity is revoked, are there processes in place to ensure processing is stopped, including any processing by third parties?

YesNoNot applicable

You should implement a process that will ensure that the processing of personal data is stopped, including any processing by third parties, once the data subject revokes the consent for a particular processing activity. Inform your processors that they should stop processing the data if the consent was withdrawn. Make sure you keep evidence of the request sent to processors to stop processing the data.

11. Is there a process in place to comply with requests to restrict the processing of data if requested by a data subject, including any processing by third parties?

YesNoNot applicable

You should implement a process that will comply with the requests of the data subject to restrict the processing of data, including any processing by third parties. Consider taking the personal data out of the production environment, or mark the data so it can be easily identified as data that is restricted from processing.

12. Is a process in place to comply with requests from a data subject to have their personal data transferred directly to another controller, if technically possible? (The process should be documented.)

YesNoNot applicable

You should document a process that will comply with the requests of the data subject to have their personal data transferred directly to another controller, if technically possible. Be aware that the data portability right is only applicable for personal data “provided to” the controller (e.g., photos posted to a social network or content stored on a cloud service), and only if the legal basis for processing is consent or contractual obligation.

13. Is a process in place to stop processing for direct marketing purposes when an objection is received?

YesNoNot applicable

You should implement a process that will ensure that you stop processing information for direct marketing purposes when an objection is received. Be aware that this is an absolute right of the data subject and you have no choice but to comply.

14. If engaged in automated decision making, including profiling, is there a process by which a data subject may request a manual review of the decision or profiling activity? ("Profiling" is defined as "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements" - Article 4(4) EU GDPR.)

YesNoNot applicable

If your processing activity is using profiling or automated decision making, first make sure that the data subjects are properly informed about this activity. You should give the data subject an opportunity to object to this processing activity and request for the processing to be performed by a human operator. You should implement a process that will allow a data subject to request a manual review of the decision or profiling activity.

15. Has a representative within the European Union been designated? (A European Union representative should be designated where the organisation offers goods or services to, or monitors the behaviour of, data subjects who are within the European Union. A "representative" is defined as "a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation" - Article 4(17) EU GDPR.)

YesNoNot applicable

You should designate a European Union representative if your organisation offers goods or services (even if it is free of charge) to, or monitors the behaviour of, data subjects who are within the European Union. Have in mind that this is essential noncompliance that will most likely trigger efforts from the Meber States to ban your activity on their territory.

TRANSFERS OF DATA TO THIRD PARTIES

TRANSFERS OF DATA TO THIRD PARTIES

16. Do contracts with third parties specify that the third party, and any subcontractor that may be utilised, must have data protection and security protection clauses/annexes in place?

YesNo

You should include in your contracts with third parties clauses that will specify that the third party, and any subcontractor that may be utilised, must have data protection and security protection clauses/annexes in place. The EU GDPR requires for some specific clauses to be included in the contracts.

See here an example of a Supplier Data Processing Agreement.

17. Are records kept of all processing activities your company engages in? (This requirement does not apply if your company employs fewer than 250 individuals, unless your processing activities could result in a high risk to the rights of the data subject or involve special/sensitive categories of information.)

YesNoNot applicable

If your company employees more than 250 individuals, or your company's processing activities could result in a high risk to the rights of the data subject or involve special/sensitive categories of information, you should keep a record of all processing activities your company engages in.

See here an example of an Inventory of Processing Activities.

18. Are all data transfers documented, including cross-border transfers?

YesNoNot applicable

You should document all data transfers, including cross-border transfers.

See here an example of a Cross Border Personal Data Transfer Procedure.

19. Is a data transfer mechanism in place in the event that personal data is to be transferred to a third country or international organisation?

YesNo

You should put in place a data transfer mechanism in the event that personal data is to be transferred to a third country or international organisation.

PRIVACY NOTICES

20. Is a Privacy Notice provided to data subjects no later than at the time information is collected from those data subjects?

YesNo

A Privacy Notice should be provided to data subjects no later than at the time information is collected from those data subjects.

See here an example of a Privacy Notice.

21. Is a Privacy Notice provided to data subjects at every point of collection?

YesNo

A Privacy Notice should be provided to data subjects at every point of collection.

See here an example of a Privacy Notice.

22. If data is to be processed for a secondary purpose, are data subjects notified of the new purpose prior to processing?

YesNo

If data is going to be processed for a secondary purpose, you should notify the data subjects of the new purpose prior to processing; or, if the processing is based on consent, obtain the consent again for the secondary purpose as well.

See here an example of a Data Subject Consent Form.

23. Does the Privacy Notice clearly specify how data subjects can exercise their rights under the GDPR?

YesNo

A Privacy Notice must clearly specify how data subjects can exercise their rights under the GDPR.

See here an example of a Privacy Notice.

DATA BREACHES

24. Is a process in place to ensure the appropriate Supervisory Authority is notified within 72 hours of a confirmed data breach?

YesNo

You need to implement a process that will ensure that, if necessary, the appropriate supervisory authority will be notified within 72 hours of a confirmed data breach.

See here an example of the Data Breach Response and Notification Procedure and the Data Breach Notification Form to the Supervisory Authority.

25. Do agreements/contracts with third parties specify that the third party has to notify you (the controller) without undue delay after becoming aware of a data breach or potential data breach involving personal data? (All contracts with third parties involving the handling of personal data should include provisions to notify you (the controller) in the case of a data breach.)

YesNo

As a controller, you would need to be aware and take actions even if the data breach occurs on the processor's premises. Ultimately, you might be held liable for a data breach that affected the personal data while being processed by a third party. Ensure that all your agreements/contracts with third parties must specify that the third party has to notify you (the controller) without undue delay after becoming aware of a data breach or potential data breach involving personal data.

See here an example of a Supplier Data Processing Agreement.

26. Are internal policies in place defining what is considered to be a data breach and when and if notification to data subjects or Supervisory Authorities is required? (Internal policies should specify what constitutes a data breach under the GDPR, and what kinds of scenarios could result in a "risk to the rights and freedoms" of an individual, thus requiring notification to the relevant authorities or data subjects.)

YesNo

In the case of a data breach, you need to act quickly and consistently to be able to meet the strict deadlines in terms of data breach notifications; thus, you should develop and implement internal policies that will define what is considered to be a data breach and when and if notification to data subjects or Supervisory Authorities is required. The internal policies will also be needed if a Supervisory Authority asks you to provide the method by which you assess the risks and comply with the notification obligations.

See here an example of the Data Breach Response and Notification Procedure, the Data Breach Notification Form to the Supervisory Authority, and the Data Breach Notification Form to Data Subjects.

27. Is a log kept of all data breaches that occur, along with the effects and remedial actions taken? (The GDPR requires the controller to document all data breaches that occur in order to demonstrate compliance with Article 33, paragraph 5: “The controller shall document any personal data breaches, comprising of the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.”)

YesNo

You should document and keep logs of all data breaches that occur, including effects and remedial actions taken.

See here an example of a Data Breach Register.

28. Are assessments of processing activities conducted by the relevant personnel to determine the data protection measures that should be in place, proportionate to the risks involved with the processing activity? ("Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary." - Article 24(1) EU GDPR.)

YesNo

You should conduct assessments of processing activities to determine that the data protection measures that should be in place are proportional to the risks involved with the processing activity. These assessments should be conducted by the relevant personnel. You should review and update the protection measures where necessary.

See here an example of the Guidelines for Data Inventory and Processing Activities Mapping and the Inventory of Processing Activities.

29. Is privacy assessed at the beginning stages of development of any processing activity?

YesNo

You should assess the privacy at the beginning stages of development of any processing activity.

See here an example of the Information Classification Policy.

30. Are measures such as data minimisation and pseudonymisation implemented across all applicable organisational units? ("Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects." - Article 25(1) EU GDPR.)

YesNo

You should implement measures such as data minimisation and pseudonymisation across all applicable organisational units both at the time of the determination of the means for processing and at the time of the processing itself. The measures should be implemented in an effective manner and should integrate the necessary safeguards into the processing in order to meet the requirements of the EU GDPR and protect the rights of data subjects.

See here an example of Anonymisation and Pseudonymisation Policy.

DATA PROTECTION IMPACT ASSESSMENT (DPIA)

31. Are Data Protection Impact Assessments (DPIAs) completed for processing activities involving special categories of information, automated decision making, or profiling?

YesNo

Filter though the Personal Data Inventory to identify the processing activities that might require a DPIA. You should complete Data Protection Impact Assessments (DPIAs) for processing activities involving special categories of information, automated decision making, or profiling.

See here an example of the Data Protection Impact Assessment Methodology.

32. Are DPIAs completed prior to implementing new technologies, processes, or projects?

YesNo

Data Protection Impact Assessments (DPIAs) should be completed prior to implementing new technologies, processes, or projects. Consider reviewing your DPIAs on a regular basis to make sure that the risk mitigation measures are still adequate.

See here an example of the DPIA Register.

According to our readiness assessment tool, you have implemented

% of the requirements of EU GDPR in the processes of your organisation. Here are some notes on what is still needed.

NOTE: Please open all the elements that you want to be e-mailed to you.

Enter your e-mail address

[The results will be sent to entered e-mail address]

Save my progress and resume later | Resume a previously saved form

Contact Information

Dejan Kosutic
Data Security Expert

Have questions about any step?

Talk with our consultants for free

SCHEDULE FREE CONSULTATION

Our Clients

Our Partners

ASIC is recognised by UKVI in UK, is a member of the CHEA International Quality Group in USA, is a member of the British Quality Foundation, and is an institutional member of European Distance and E-Learning Network.
DNV GL Business Assurance is one of the leading providers of accredited management systems certification.