When acquiring a new company it is important to very quickly get an understanding of what risk you are taking on from a DP perspective. While the ideal scenario would be to complete a full assessment, very often there is a need to issue a couple of question to understand at a very high level what the DP practices are in the target company. Below is a list of sample questions that we would recommend. Some of these questions are taken from the ODPC self-assessment Checklist.
Governance & Management
- Does Data Protection sit on a risk register at the board level?
- On a scale from 1 to 10, how important is the processing of personal data to your organisation?
- Is there a budget for data protection?
- Do you have the following policies?
- Data Protection Policy
- Data Retention Policy
- Data Destruction Policy
- Subject Access Request Management
- Data Protection Statement on web site
- Cookie Deployment Policy
- Fair Processing Notice for forms
- Fair Processing Notice in Call Centres
- Script for Call Centres
- Data Security Policy
- Acceptable Use Policy for staff hardware
- Breach Notification Policy
- How many 3rd parties/suppliers that process personal information on your behalf do you use. Remember, ‘processing’ is any supplier that has access to personal data, for example, this could be cleaning staff or IT providers.
- Do you have a Data Processor Contract with all data processors (a 3rd party that processes personal data on your behalf)
People
- Do you have a Data Protection Officer?
- Are your staff trained in DP
- Are your staff trained with the rules of the organisation around DP
- Is someone responsible for the security of the personal data held?
- Is a named individual responsible for handling subject access requests?
- Do you know about the levels of awareness of data protection are in our organisation?
Processing
- At the time when you collect information about individuals, are they made aware of the uses for that information?
- Are people made aware of any disclosures of their data to third parties?
- Have you obtained people's consent for any secondary uses of their personal data, which might not be obvious to them?
- Can you describe your data-collection practices as open, transparent and up-front?
- Are you clear about the purpose (or purposes) for which you are keeping personal information?
- Are the individuals on your database also clear about this purpose?
- Are you required to register with the Data Protection Commissioner?
- Do you have defined rules about the use and disclosure of information?
- Is there a list of security provisions in place for each data set?
- Are our computers and our databases password-protected, and encrypted if appropriate?
- Are our computers, servers, and files securely locked away from unauthorised people?
- Do you take steps to ensure our databases are kept up-to-date?
- Is there a clear statement on how long items of information are to be retained?
- Do we regularly purge our databases of data which you no longer need, such as data relating to former customers or staff members?
- Are there clear procedures in place for dealing with SAR requests?
- What countries do you currently transfer personal data to? For example, if you use Gmail, personal data will be stored in the US. This counts as a transfer. Think of any services or cloud-based products you use for email, marketing or storage and where these are located?
History
- How many Subject Access Requests did you process over the last 24 months?
- How many breaches occurred over the last 24 months?
- Have you ever received any communication from the Commissioner?
- Have you ever been in the media regarding poor processing of personal data?
If you are unsure of the answer to any of these questions or want to access template policies, log on to privacyengine.io for a free trial.
