
Data Asset Requirements

The list below takes each of the data asset detail fields and gives a question to ask when deciding what to put in the field, together with some possible options. The options give a good idea of what is expected, but they are by no means exhaustive.

Article 30

Business function

Question to ask - Which area of the business uses the personal data?

Possible options - HR / Finance / Sales

Purpose/type

Question to ask - What is the purpose of processing this data?

Possible options - Recruitment / Direct Marketing / Payroll

Category of the data subject

Question to ask - What role does the data subject hold in relation to the business?

Possible options - Employee / Candidate / Customer / Supplier

Type of data being held

Question to ask - Which personal details are held?

Possible options - Name / Email / Qualifications / NI Number

Shared with third party

Question to ask - If this data might be shared with anyone else, who would that be?

Possible options - HMRC / Referee / Governing Body

Where is the data stored

Question to ask - Is it as a physical copy on paper, or electronic?

Possible options - Paper, filing cabinet / electronic, Office 365 / electronic, CRM system

Article 6

Lawful reason for holding the data

Question to ask - Which of the six lawful bases set out in Article 6 of the GDPR applies to this processing? (One or more may apply, but each must be identified and recorded.)

Possible options - Consent / Contract / Legal Obligation / Vital Interest / Public Task / Legitimate interest

Article 9

Reason to hold specific data

Question to ask - If you process special category data (the categories listed in Article 9, such as health, ethnicity, religion or biometric data), which Article 9 condition permits it? A lawful basis under Article 6 alone is not enough for this data.

Possible options - If you hold disability or ethnicity details about employees, the condition may be that the processing is necessary to meet an employment law obligation (Article 9(2)(b)).

Privacy Information

Legitimate reason for processing

Question to ask - If your lawful reason for processing the data is Legitimate interest, what is the interest you are relying on, and why does it not override the rights of the data subject?

You can back this up by completing a Legitimate interests assessment, which is available as an event to be added to a new ticket.

Completed a legitimate interests assessment (LIA)?

This is a Yes / No answer based on the question above.

Rights available to individuals

Question to ask - If you are contacted by a data subject which rights do they have over the personal data you process?

Possible options - Access / Data portability / Rectification / Objection / Erasure

Automatic decision making

Question to ask - Is the personal data processed using automated decision making, that is, a decision about the data subject made by a system with no human review?

Possible options - e.g. a lender deciding whether to grant a loan purely on the output of a scoring algorithm

Source of the personal data

Question to ask - Where has the data come from?

Possible options - Data subject / Another data controller / Data broker

Privacy by Design

Data protection impact assessment (DPIA) required?

This is a Yes / No answer.

A DPIA is usually linked to new projects as part of the privacy by design ethos for protecting personal data. For every new project you need to run through a screening assessment to decide whether further data protection measures need to be considered; if the screening shows the processing is likely to be high risk (for example large-scale use of special category data, or automated decisions with a significant effect on individuals), a full DPIA is required.

This process can be found as an event to add to a new ticket.
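The fields above are not independent: choosing Legitimate interest requires a stated reason and an LIA, holding special category data requires an Article 9 condition, and certain processing should trigger a DPIA. The following is an added example, not code from this page or the ticketing tool it describes, showing how those dependencies can be checked over a data asset record before it is accepted into the register. The field names, the keyword list used to recognise special category data, and the two sample records are assumptions constructed for illustration; the "review" finding for DPIA relies on Article 35(3) naming special category data and automated decision making as triggers and is only a prompt for review, not a definitive answer.

```python
"""Consistency checks for a data asset (record of processing) entry.

Added example: encodes the dependencies between the register fields
described on this page. Field names are assumptions, not the tool's schema.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional

# The six Article 6 lawful bases, using this page's labels (lower-cased).
ARTICLE_6_BASES = {
    "consent", "contract", "legal obligation",
    "vital interest", "public task", "legitimate interest",
}

# Heuristic keywords for the Article 9 special categories. A real register
# would use a fixed taxonomy; this keyword match is an assumption for the example.
SPECIAL_CATEGORY_KEYWORDS = (
    "ethnic", "racial", "religio", "political", "trade union",
    "genetic", "biometric", "health", "disability", "sex life", "sexual orientation",
)


@dataclass
class DataAsset:
    # Article 30 fields
    business_function: str
    purpose: str
    data_subject_category: str
    data_types: List[str]
    storage: str
    source: str
    shared_with: List[str] = field(default_factory=list)
    # Article 6 / Article 9
    lawful_bases: List[str] = field(default_factory=list)
    article_9_condition: Optional[str] = None
    # Privacy information
    legitimate_interest_reason: Optional[str] = None
    lia_completed: bool = False
    rights: List[str] = field(default_factory=list)
    automated_decision_making: bool = False
    # Privacy by design
    dpia_required: bool = False


def special_category_types(asset: DataAsset) -> List[str]:
    """Return the recorded data types that look like Article 9 special category data."""
    return [t for t in asset.data_types
            if any(k in t.lower() for k in SPECIAL_CATEGORY_KEYWORDS)]


def validate(asset: DataAsset) -> List[str]:
    """Return a list of findings; an empty list means the record is internally consistent."""
    findings: List[str] = []
    bases = {b.lower() for b in asset.lawful_bases}

    # Article 6: at least one lawful basis, and only recognised ones.
    if not bases:
        findings.append("Article 6: no lawful basis recorded")
    for b in sorted(bases - ARTICLE_6_BASES):
        findings.append(f"Article 6: '{b}' is not one of the six lawful bases")

    # Privacy information: legitimate interest needs a reason and an LIA.
    if "legitimate interest" in bases:
        if not asset.legitimate_interest_reason:
            findings.append("Privacy information: legitimate interest chosen but no reason given")
        if not asset.lia_completed:
            findings.append("Privacy information: legitimate interest chosen but no LIA completed")

    # Article 9: special category data needs an Article 9 condition as well.
    special = special_category_types(asset)
    if special and not asset.article_9_condition:
        findings.append(
            f"Article 9: special category data ({', '.join(special)}) held without an Article 9 condition")

    if not asset.rights:
        findings.append("Privacy information: no data subject rights recorded")

    # Privacy by design: Article 35(3) names these as DPIA triggers; prompt a review.
    if (special or asset.automated_decision_making) and not asset.dpia_required:
        findings.append("Privacy by design: special category data or automated decision making "
                        "recorded but DPIA marked not required; review")
    return findings


# Constructed sample records (not real data assets).
PAYROLL = DataAsset(
    business_function="HR", purpose="Payroll", data_subject_category="Employee",
    data_types=["Name", "NI Number", "Bank details"], storage="electronic, Office 365",
    source="data subject", shared_with=["HMRC"], lawful_bases=["Legal Obligation", "Contract"],
    rights=["access", "rectification", "data portability"])

RECRUITMENT = DataAsset(
    business_function="HR", purpose="Recruitment", data_subject_category="Candidate",
    data_types=["Name", "Email", "Qualifications", "Ethnicity"], storage="electronic, CRM system",
    source="data subject", shared_with=["Referee"], lawful_bases=["Legitimate interest"],
    rights=["access", "erasure", "objection"])

# The same record after the missing fields have been filled in.
RECRUITMENT_FIXED = replace(
    RECRUITMENT, article_9_condition="Employment law obligation (Art. 9(2)(b))",
    legitimate_interest_reason="Assessing candidate suitability for an advertised role",
    lia_completed=True, dpia_required=True)

if __name__ == "__main__":
    for name, asset in (("PAYROLL", PAYROLL), ("RECRUITMENT", RECRUITMENT),
                        ("RECRUITMENT_FIXED", RECRUITMENT_FIXED)):
        print(name, validate(asset) or "OK")
```

Running the script reports the payroll record as consistent, lists four findings against the recruitment record (missing legitimate interest reason, missing LIA, ethnicity held without an Article 9 condition, DPIA review), and passes the corrected version.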