We have been working through the guidance provided by the Information Commissioner's Office (ICO) to ensure that our practices comply with the EU General Data Protection Regulation (GDPR), which comes into force on 25th May 2018.
The ICO readiness self-assessment tool is linked here: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/data-controllers/. The assessment results recorded below were obtained from it.
Your overall rating was red on 4/12/2017
- 25: Not yet implemented or planned
- 0: Partially implemented or planned
- 0: Successfully implemented
- 4: Not applicable
Your overall rating was amber on 4/2/2018
- 2: Not yet implemented or planned
- 17: Partially implemented or planned
- 3: Successfully implemented
- 7: Not applicable
Your overall rating was green on 7/2/2018
- 0: Not yet implemented or planned
- 3: Partially implemented or planned
- 18: Successfully implemented
- 8: Not applicable
AMBER: partially implemented or planned
Your business provides data protection awareness training for all staff.
Where you have only partially implemented measures, please select the appropriate actions from the detail below:
Suggested actions
You should:
- provide induction training on or shortly after appointment;
- update all staff at regular intervals or when required (for example, intranet articles, circulars, team briefings and posters); and
- provide specialist training for staff with specific duties, such as marketing, information security and database management.
Guidance
Think privacy toolkit, ICO website
Training checklist for small to medium sized organisations, ICO website
Your business has nominated a data protection lead or Data Protection Officer (DPO).
Where you have only partially implemented measures, please select the appropriate actions from the detail below:
Suggested actions
You should:
- designate responsibility for data protection compliance to a suitable individual;
- support the appointed individual through provision of appropriate training;
- ensure there are appropriate reporting mechanisms in place between the individual responsible for data protection compliance and senior management;
- register the details of your DPO with the ICO; and
- document the internal analysis carried out to determine whether or not a DPO is to be appointed, unless it is obvious that your organisation is not required to designate a DPO.
Guidance
Guide to the GDPR - Data protection officers, ICO website
Decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.
Where you have only partially implemented measures, please select the appropriate actions from the detail below:
Suggested actions
You should:
- clearly set out your business’s approach to data protection and assign management responsibilities;
- ensure you have a policy framework and information governance strategy in place to support a positive data protection and security culture which has been endorsed by management;
- assess and identify areas that could cause data protection or security compliance problems and record these on your business's risk register;
- deliver training which encourages personal responsibility and good security behaviours; and
- run regular general awareness campaigns across your business to educate staff on their data protection and security responsibilities and promote data protection and security awareness and compliance.
Guidance
Think Privacy training, ICO website
GREEN: successfully implemented
Your business has conducted an information audit to map data flows.
Your business has documented what personal data you hold, where it came from, who you share it with and what you do with it.
Your business has identified your lawful bases for processing and documented them.
Your business has reviewed how you ask for and record consent.
Your business has systems to record and manage ongoing consent.
If your business relies on consent to offer online services directly to children, you have systems in place to manage it.
Your business has made privacy notices readily available to individuals.
Your business has established a process to recognise and respond to individuals' requests to access their personal data.
Your business has processes in place to ensure that the personal data it holds remains accurate and up to date.
Your business has a process to securely dispose of personal data that is no longer required or where an individual has asked for it to be erased.
Your business has procedures to respond to an individual’s request to restrict the processing of their personal data.
Your business has procedures to handle an individual’s objection to the processing of their personal data.
Your business has an appropriate data protection policy.
Your business monitors its own compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls.
Your business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.
Your business has implemented appropriate technical and organisational measures to integrate data protection into your processing activities.
Your business has an information security policy supported by appropriate security measures.
Your business has effective processes to identify, report, manage and resolve any personal data breaches.