Assessing your business
- What personal data do you collect?
- When personal data is collected do you explain why it’s captured and what you do with it?
- Are individuals given the option to refuse marketing or withdraw consent?
- Do you ensure that you don’t use pre-ticket boxes or implied consent by default?
- Where is your data stored (electronic and physical) and does it leave the EU?
- How have you obtained that personal data? Do you have a lawful basis for processing it?
- How long do you store the data? Is it longer than strictly necessary, e.g. invoices for stored for 6 years for accounting purposes before they are deleted.
- Do you collect and store any sensitive personal data, children’s data, genetic information or credit card details? Do you have the security in place to collect, process and store it?
- Are you able to handle requests for data to be modified or deleted? Is there a policy in place?
- Are your staff trained in all the relevant areas regarding the GDPR?
- Do you review the data you hold on a regular basis?
- Do you have a data protection officer in place?
- Do you have a plan in place in case of a data breach?
- Do you have procedures in place to specify how we handle personal data?
- Are your contracts with third party vendors up to date?