At minimum, you should be able to answer YES to the following questions:

- Have we mapped out what personal data we process, and for what purposes?
- Can we justify the processing of each category of data (i.e. name the legal basis that underpins our right to do so)?
- Do we provide information to our users/clients about how we process personal data?
- Have we made sure the data is stored securely and cannot be accessed by unauthorised persons?
- Have we put procedures in place for deleting data we no longer need?
- Do we know what to do when an individual decides to exercise their rights under the GDPR, such as the right to obtain a copy of their data?
- Have we mapped out the level and source of any risks that relate to the ways in which we process data? Have we taken steps to mitigate these risks?
- Do we have a response procedure in place in the event of an unauthorised person gaining access to personal data?
- Have we made sure everyone in the company/organisation knows the correct procedures for processing and securing personal data?
- Do we have a plan in place for periodically re-evaluating our data processing practices?