EU GDPR Readiness Assessment Tool

You need to determine the legal basis for each of your processing activities; without this, you won't have lawful basis for processing the personal data. Not having a legal basis for processing is a serious infringement of the EU GDPR requirements.

See here an example of a Consent template.

You need to document each processing activity, usually in the form of an inventory.

See here an example of Guidelines for Data Inventory and Processing Activities Mapping and the Inventory of Processing Activities.

Evaluate if the sensitive personal data are essential to the processing activity; if not, you should consider not processing it. However, if the sensitive data is essential to the processing activity, make sure you properly identify all the special categories of personal data you are processing, and check if you have valid consents from all the persons who are the owners of those data.

See here an example of a Consent template.

You should set up a process to respond to requests from the data subjects to access the information held about them. Make sure that the process is consistent and allows you to respond to the requests in a timely manner (30 days as stated in the Regulation).

See here an example of the Data Subject Access Request Procedure template.

You should implement a process that will allow a data subject to revoke consent for a particular processing activity at any time. Make sure that the process to revoke the consent is as easy, for the data subject, as the process of giving consent.

See here an example of a Data Subject Consent Withdrawal Form and a Parental Consent Withdrawal Form.

You should include in your contracts with third parties clauses that will specify that the third party, and any subcontractor that may be utilised, must have data protection and security protection clauses/annexes in place. The EU GDPR requires for some specific clauses to be included in the contracts.

See here an example of a Supplier Data Processing Agreement.

If your company employees more than 250 individuals, or your company's processing activities could result in a high risk to the rights of the data subject or involve special/sensitive categories of information, you should keep a record of all processing activities your company engages in.

See here an example of an Inventory of Processing Activities.

You should document all data transfers, including cross-border transfers.

See here an example of a Cross Border Personal Data Transfer Procedure.

A Privacy Notice should be provided to data subjects no later than at the time information is collected from those data subjects.

See here an example of a Privacy Notice.

A Privacy Notice should be provided to data subjects at every point of collection.

See here an example of a Privacy Notice.

If data is going to be processed for a secondary purpose, you should notify the data subjects of the new purpose prior to processing; or, if the processing is based on consent, obtain the consent again for the secondary purpose as well.

See here an example of a Data Subject Consent Form.

A Privacy Notice must clearly specify how data subjects can exercise their rights under the GDPR.

See here an example of a Privacy Notice.

You need to implement a process that will ensure that, if necessary, the appropriate supervisory authority will be notified within 72 hours of a confirmed data breach.

See here an example of the Data Breach Response and Notification Procedure and the Data Breach Notification Form to the Supervisory Authority.

As a controller, you would need to be aware and take actions even if the data breach occurs on the processor's premises. Ultimately, you might be held liable for a data breach that affected the personal data while being processed by a third party. Ensure that all your agreements/contracts with third parties must specify that the third party has to notify you (the controller) without undue delay after becoming aware of a data breach or potential data breach involving personal data.

See here an example of a Supplier Data Processing Agreement.

In the case of a data breach, you need to act quickly and consistently to be able to meet the strict deadlines in terms of data breach notifications; thus, you should develop and implement internal policies that will define what is considered to be a data breach and when and if notification to data subjects or Supervisory Authorities is required. The internal policies will also be needed if a Supervisory Authority asks you to provide the method by which you assess the risks and comply with the notification obligations.

See here an example of the Data Breach Response and Notification Procedure, the Data Breach Notification Form to the Supervisory Authority, and the Data Breach Notification Form to Data Subjects.

You should document and keep logs of all data breaches that occur, including effects and remedial actions taken.

See here an example of a Data Breach Register.

You should conduct assessments of processing activities to determine that the data protection measures that should be in place are proportional to the risks involved with the processing activity. These assessments should be conducted by the relevant personnel. You should review and update the protection measures where necessary.

See here an example of the Guidelines for Data Inventory and Processing Activities Mapping and the Inventory of Processing Activities.

You should assess the privacy at the beginning stages of development of any processing activity.

See here an example of the Information Classification Policy.

You should implement measures such as data minimisation and pseudonymisation across all applicable organisational units both at the time of the determination of the means for processing and at the time of the processing itself. The measures should be implemented in an effective manner and should integrate the necessary safeguards into the processing in order to meet the requirements of the EU GDPR and protect the rights of data subjects.

See here an example of Anonymisation and Pseudonymisation Policy.

Filter though the Personal Data Inventory to identify the processing activities that might require a DPIA. You should complete Data Protection Impact Assessments (DPIAs) for processing activities involving special categories of information, automated decision making, or profiling.

See here an example of the Data Protection Impact Assessment Methodology.

Data Protection Impact Assessments (DPIAs) should be completed prior to implementing new technologies, processes, or projects. Consider reviewing your DPIAs on a regular basis to make sure that the risk mitigation measures are still adequate.

See here an example of the DPIA Register.