T-000007 – Process and Technology for data processing
Input from the IT, Sales and Finance departments is required.
1. Data collection going forward – confirm the opt-in process you will use going forward to obtain personal information. Note where it is stored and how you keep track of how long it can be used. If you have emailed current customers regarding opting in, attach a copy of the email.
2. Data permission – how do you handle and store data which has been provided by a data subject? How do you record that you have permission to do this? This could be via updates to employee contracts, fields within the CRM, etc.
3. Data justification – again, refer to the data assets, as the reasons for holding and processing data are given there.
4. Remote access – what security measures are in place for remote access to the business systems?
5. Data security – what are the rules around logins and passwords? Are there different access levels for different members of staff? How often are they reviewed, and are these reviews documented? Attach any checklists or policies you have for employees, contractors or remote workers with access to the business systems.
6. Hardware security – are all computers and devices with access to personal data secured with a username and password? Does each person in the company have a unique username and password? Attach the security policy for the business as well.
7. Data objection – do you have a procedure for handling an objection from a data subject about the processing of their personal data? This may be part of your data protection policy. Note the subject access request policy and procedure in place; this would need to be replicated and modified to cover other types of request. The ticketing and reminder system can help with notifying and tracking requests within the business.
8. Privacy by design (PID) – do all aspects of the business take privacy as their first concern? Are privacy impact assessments carried out for uses of new technology where the processing is a high risk to rights and freedoms? Within i-Comply-GDPR there are PID policies and tickets which can be used for each new project. Take the assessment first to decide whether a full project plan is required.
Consider taking part in the government's Cyber Essentials and Cyber Essentials Plus schemes to consolidate your IT security; we have.