How do we know if we’re ready?

At minimum, you should be able to answer YES to the following questions:

  • Have we mapped out what personal data we process, and for what purposes?

  • Can we justify the processing of each category of data (i.e. name the legal basis that underpins our right to do so)?

  • Do we provide information to our users/clients about how we process personal data?

  • Have we made sure the data is stored securely and cannot be accessed by unauthorised persons?

  • Have we put procedures in place for deleting data we no longer need?

  • Do we know what to do when an individual decides to use his or her rights under the GDPR, such as the right to get a copy of their data? [should link to the USER page]

  • Have we mapped out the level and source of any risks that relate to the ways in which we process data? Have we taken steps to mitigate these risks?

  • Do we have a response procedure in place in the event of an unauthorised person gaining access to personal data?

  • Have we made sure everyone in the company/organisation knows the correct procedures for processing and securing personal data?

  • Do we have a plan in place for periodically re-evaluating our data processing practices?