Data Controller Readiness Questionnaire

Section 1: Basics

Has your business documented information about the personal data it holds? (e.g. what you hold, where it came from, who you share it with and what you do with it)

You need to decide the lawful basis for processing the data; the options include consent, contract, legitimate interest, etc. Have you declared which lawful basis for processing you are using?

Has your business reviewed your consent requesting and recording methods?

Does your business have a way to manage ongoing consent?

Does your business have a way to manage consent for the processing of children's personal data?

Is your business registered with the Information Commissioner’s Office?

Section 2: Individuals' rights

Has your business included privacy notices on all opt-in/consent pages?

Can your business communicate privacy information in a way a child would understand?

Can your business appropriately respond to individuals' requests to access their personal data?

Does your business ensure that held personal data remains accurate and up to date?

Is your business able to securely dispose of personal data when it is no longer required or its removal has been requested?

Could your business restrict the processing of an individual’s personal data at their request?

Is your business able to move, copy or transfer an individual's personal data to another IT environment, without affecting usability?

Do you have a method to handle the “Right to object”?

Has your business implemented procedures to handle the requirements of an automated decision making process in the event that it is needed?

Section 3: Accountability

Does your business have a data protection policy?

Does your business monitor its own compliance, data handling effectiveness and security controls?

Has your business provided data protection awareness training for all staff?

Does your business have a contract with the data processors used?

Does the management of your business understand the impact of personal data risks and manage them effectively?

Does your business integrate data protection into its processing activities?

Can your business conduct a DPIA when necessary?

Does your business have a DPIA framework which links to your existing risk management and project management processes?

Does your business have a Data Protection Officer?

Do decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business?

Section 4: Data security, international transfers and breaches

Does your business have an appropriate information security policy?

Does your business protect data that is transferred outside of Europe and processed on your behalf?

Can your business both identify and manage personal data breaches?
