General Data Protection Regulation GDPR DPA18 Checklist Template and Overview | Regulation Audit Checklists | Template for FCA Applications and Authorised Firms

1. Answer each requirement based on your current process

2. Refer to the relevant GDPR Article if you need further clarification on meeting the standard or requirement (if the question relates to a specific Article, it is noted to the left of the question – those without Article references are suggested requirements or guidelines from the ICO or WP29)

3. Use the requirement number on the Action Plan where corrective actions or mitigating controls are required 

4. Where actions are needed, add a review date for re-auditing

·         What personal data you hold?

·         Where it came from?

·         Who you share it with?

·         Legal basis for processing it?

·         What format(s) is it in?

·         Who is responsible for it?

• To inform and advise the business, management, employees & third parties who carry out processing, of their obligations under the GDPR
• To monitor compliance with the GDPR and with the firm’s own data protection objectives
• Assignment of responsibilities, awareness-raising and training of staff involved in processing operations
• To provide advice where requested as regards the data protection impact assessment and monitor its performance
• To cooperate with the Supervisory Authority
• To act as the contact point for the Supervisory Authority on issues relating to processing

NO

• processed lawfully, fairly and in a transparent manner?
• collected for specified, explicit and legitimate purposes only?
• adequate, relevant and limited to what is necessary?
• accurate and, where necessary, kept up to date
• kept only for as long as is necessary and only for the purpose(s) which it is processed?
• processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage?

• Processing personal data could result in a risk to the rights and freedoms of individual?
• The processing is not occasional?
• You process special categories of data or criminal convictions and offences?

• Your full name and contact details and the name and contact details of the Data Protection Officer?
• Where applicable, details of any joint controller and/or the controller’s representative?
• The purposes of the processing?
• A description of the categories of data subjects and of the categories of personal data?
• The categories of recipients to whom the personal data has or will be disclosed (including any recipients in third countries or international organisations)?
• Where applicable, transfers of personal data to a third country or an international organisation (including the identification of that third country or international organisation and where applicable, the documentation of suitable safeguards)?
• Where possible, the envisaged time limits for erasure of the different categories of data?
• A general description of the processing security measures you have in place?

• Your full name and contact details?
• The full name and contact details of each controller on behalf of which you are acting?
• The name and contact details of the Data Protection Officer?
• The categories of processing carried out on behalf of each controller
• Where applicable, transfers of personal data to a third country or an international organisation (including the identification of that third country or international organisation and where applicable, the documentation of suitable safeguards)?
• A general description of the processing security measures you have in place?

• maintained in writing?
• provided in a clear and easy to read format?
• readily available to the Supervisory Authority upon request?

• A systematic description of the envisaged processing operations?
• The purposes of the processing?
• Where applicable, the legitimate interest pursued by the controller?
• An assessment of the necessity and proportionality of the processing operations/activities in relation to the purposes?
• An assessment of the risks to the rights and freedoms of data subjects?
• The measures envisaged to address the risks (inc. safeguards, security measures and mechanisms to ensure the protection of personal data)?

• The respective responsibilities of the controller (if applicable)?
• Joint controllers and processors involved in the processing (if applicable)?
• The purposes and means of the intended processing?
• The measures and safeguards provided to protect the rights and freedoms of data subjects?
• The contact details of the Data Protection Officer?
• The data protection impact assessment?
• Any other information upon request?

·         Identity and contact details of the controller (or controller’s representative)?

·         Contact details of the Data Protection Officer?

·         Purpose of the processing and the legal basis for the processing?

·         The legitimate interests of the controller or third party?

·         Any recipient or categories of recipients of the personal data?

·         Details of transfers to third country and safeguards?

·         Retention period or criteria used to determine the retention period?

·         The existence of each of data subject’s rights?

·         The right to withdraw consent at any time, where relevant?

·         The right to lodge a complaint with a supervisory authority?

·         Whether the provision of personal data part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data?

·         The existence of automated decision making (inc profiling) & information about the logic involved & the significance/envisaged consequences for the data subject?

·         The categories of personal data?

·         The source the personal data originates from and whether it came from publicly accessible sources?

• The purposes of the processing?
• The categories of personal data concerned
• The recipients or categories of recipient to whom the personal data has/will be disclosed?
• Whether the personal data has/will be transferred to a third countries or international organisations?
• Pursuant to the above, the right to be informed of the appropriate safeguards used?
• The envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period?
• The existence of the right to request rectification or erasure of personal data?
• The existence of the right to restrict processing of personal data or to object to such processing?
• The right to lodge a complaint with a supervisory authority?
• Where the personal data was not collected directly from the data subject, information as to the source?
• The existence of automated decision-making (inc. profiling) and details of the logic involved, as well as any significant/envisaged consequences of such processing?

• The personal data is no longer necessary in relation to the purposes for which it was collected.
• The data subject withdraws consent on which the processing is based.
• The personal data has been unlawfully processed.
• The personal data must be erased for compliance with a legal obligation.
• The personal data has been collected in relation to the offer of information society services.
• The data subject objects, on grounds relating to their particular situation, to processing of concerning them which is based on points (e) or (f) of Article 6(1).
• The data subject objects to the processing pursuant to data being processed for direct marketing purposes.

·         Required skill, competency and knowledge?

·         The processors data protection obligations?

·         Your expectations, rights and obligations?

·         The processing duration, aims and objectives?

·         The data subjects’ rights and safeguarding measures?

·         The nature and purpose of the processing?

·         The type of personal data & categories of data subjects?

·         Frequency & type of ongoing due diligence & monitoring?

·         The benefits and risks of sharing the data

·         The objectives and goal of sharing

·         What information needs to be shared

·         Who requires access to the shared personal data?

·         How should it be shared

·         Encryption methods and data minimisation tools

·         How to assess and monitor that the sharing is achieving its objectives?

·         Due diligence checks of the entity or individual who will receive the personal information?

1. Where the Commission has decided that the third country/organisation ensures an adequate level of protection (Adequacy Decision)

2. In the absence of an Adequacy Decision, where you have provided appropriate safeguards and have ensured that enforceable data subject rights and effective legal remedies for data subjects are available

3. With Supervisory Authority authorisation, transfers can take place where there are: –

(a) Contractual clauses between the controller (you) or processor and the controller, processor or the recipient of the personal data in the third country or international organisation?

(b) Provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights?

·         A legally binding and enforceable instrument between public authorities or bodies

·         Binding corporate rules

·         Standard data protection clauses adopted by the Commission

·         Standard data protection clauses adopted by a Supervisory Authority and approved by the Commission

·         An approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regard data subjects’ rights

·         An approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regard data subjects’ rights

·         Legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees?

·         Expressly confer enforceable rights on data subjects with regards to the processing of their personal data?

• GDPR scope & principles?
• Measures & controls for protecting data & minimising risks?
• Data Protection Officer duties?
• Supervisory Authority role and scope?
• Codes of Conduct and/or Certifications?
• Privacy Impact Assessments (PIA)?
• Information Audits?
• Processing Activities & Conditions?
• Conditions for Consent & Privacy Notices?
• Data Subject Rights & subject Access Requests?
• Third Country or International Organisation Transfers
• Reporting Lines & Notifications?
• Privacy by Design (i.e. data minimisation, pseudonymisation & encryption)?

84

• A description of the nature of the personal data breach?
• The categories and approximate number of data subjects concerned?
• The categories and approximate number of personal data records concerned?
• The name and contact details of the Data Protection Officer (or other POC where more information can be obtained)?
• Description of the likely consequences of the personal data breach?
• Description of the measures taken/proposed to address the personal data breach?
• Measures to mitigate any possible adverse effects?

Have all questions been completed?                       YES/NO                                    Print Name:                _______________________

Have all next review/action dates been set?           YES/NO                                    Signed:                        _______________________

CHECKLIST NO.

COMPLETED (√)