T-00001 – What data do you hold?
All departments required.
1. What type of data do you store – for most businesses this will be personal data; sensitive data and children's data require further rules.
2. Historic data - this looks at how you have obtained consent for personal data to date, mainly sales and marketing data. Was the customer information you use to make contact obtained by a positive opt-in from the prospect? Have you asked them whether they can be contacted, or have they ticked that they would like to receive information from you via your website? Note your consent process to date and where the information on consent is stored.
3. Clear consent – this links to your retention policy on what you do with the sales data you hold and how long you keep it for. For the consent you have recorded, how was it given? For example, we use notes in our CRM if consent was given verbally, or if they ticked to opt in via our website.
4. Data removal – this is required for data which has not been opted into under the new rules. This would also be included in your retention policy, covering how you handle and remove data that has not been positively opted into.
5. Data subject access requests – are you equipped to answer these requests, and how will you do so? The note would be: use the subject access request form, generate a ticket and assign it to the department holding the data, e.g. Finance or HR. If you have a policy for data requests you can attach it here too; all of the information you require from the data subject is noted in i-Comply-GDPR as a policy template and ticket.
6. Data Transfer - this really concerns consumer-to-business data: consumers should be able to transfer easily from one service to another. Therefore, the supplier needs to provide the personal data to the new supplier in an electronic format.