You can use this table as a simple checklist, perhaps adding additional columns for action, owner, progress and status.
| BOARD STATUS UPDATE | PURPOSE |
|---|---|
| Education and Awareness | Use posters, team huddles, reminders and the staff handbook to remind people about their obligations (e.g. the content of your Data Protection Policy and Information Security Policy). |
| Data Mapping | Understanding what data you hold, where and why. This helps identify trip hazards that need addressing around people, process or technology, and makes sure there are roles and controls to keep data private, safe and secure. |
| Risk Assessment | Understanding and agreeing key risks and measures over people, process and technology. There is a lot you could do on risk, and there is some guidance on data protection impact assessments (DPIAs). As a minimum I'd suggest that the Directors (or Audit) have a meeting to discuss training, measures and paperwork; the minutes of that meeting (together with any actions) can constitute a reasonable risk assessment. |
| A Records Management & Retention Policy | To help you classify/categorise data and treat it accordingly, with some being held for 1 year, 3 years, 10 years (or whatever) and some being restricted to authorised people only. Generally this is also a good housekeeping exercise. |
| Subject Access Requests | Have a standard process and perhaps a template response for dealing with requests, which may come from staff, customers or other types of people for whom you hold or share data. |
| Data Breaches and Reporting | Have a standard process and perhaps a template response for dealing with data breaches and reporting, including any that are a consequence of a supplier, third party or any other person holding your data. |
| A Data Protection Policy | About data, confidentiality, security, privacy etc. You probably already have this covered in your staff handbook. |
| An Information Security Policy | About emails, logins, passwords, clear-desk policy, cabinets and keys. You probably already have this covered in your staff handbook too. |
| Processor/Controller Agreements | Have a standard letter to send to any supplier, third party or other person holding, sharing or processing your data. Make sure that letter (or contract) sets out your expectations and their obligations (e.g. the content of your Data Protection Policy and Information Security Policy). |
| A Privacy Notice | About what data you hold, why, and the key controls taken to keep it confidential, accurate and secure. Some of this may be on your website, some may be written into your contracts, or possibly on a leaflet or brochure. |
| Data Protection Officer or Co-ordinator | About what data you hold, why, and the key controls taken to keep it confidential, accurate and secure. Some of this may be on your website, some may be written into your contracts, or possibly on a leaflet or brochure. |
JERSEY REGULATOR'S GUIDANCE
You can use this table as a simple checklist, perhaps adding additional columns for action, owner, progress and status.
| PERSONAL DATA | KEY QUESTIONS |
|---|---|
| Consent-based data processing (Article 11 DPJL) | Have you reviewed your organisation's mechanisms for collecting consent to ensure that it is freely given, specific, informed and a clear indication that an individual has chosen to agree to the processing of their data, by way of a statement or a clear affirmative action? |
| | If personal data that you currently hold on the basis of consent does not meet the required standard under the DPJL, have you re-sought the individual's consent to ensure compliance with the DPJL? |
| | Are procedures in place to demonstrate that an individual has consented to their data being processed? |
| | Are procedures in place to allow an individual to withdraw their consent to the processing of their personal data? |
| Children's personal data (Article 11(4) DPJL) | Where information society services are provided to a child, are procedures in place to verify age and obtain the consent of a parent/legal guardian, where required? |
| DATA SUBJECT RIGHTS | |
| Access to personal data (Article 28 DPJL) | Is there a documented policy/procedure for handling Subject Access Requests (SARs)? |
| | Is your organisation able to respond to SARs within one month? |
| Data portability (Article 34 DPJL) | Are procedures in place to provide individuals with their personal data in a structured, commonly used and machine-readable format? |
| Rectification and erasure (Articles 31 and 32 DPJL) | Are there controls and procedures in place to allow personal data to be deleted or rectified (where applicable)? |
| Right to restriction of processing (Article 33 DPJL) | Are there controls and procedures in place to halt the processing of personal data where an individual has, on valid grounds, sought the restriction of processing? |
| Right to object to processing for direct marketing purposes, public functions or legitimate interests (Articles 35 and 36 DPJL) | Are individuals told about their right to object to certain types of processing, such as direct marketing, or where the legal basis of the processing is legitimate interests or a task carried out in the public interest? |
| | Are there controls and procedures in place to halt the processing of personal data where an individual has objected to the processing? |
| Profiling and automated processing (Article 38 DPJL) | If automated decision-making which has a legal or similarly significant effect for an individual is based on consent, has explicit consent been collected? |
| | Where an automated decision is made which is necessary for entering into, or performance of, a contract, or is based on the explicit consent of an individual, are procedures in place to facilitate an individual's right to obtain human intervention and to contest the decision? |
| Right to object for historical or scientific purposes (Article 37 DPJL) | Where an automated decision is made which is necessary for entering into, or performance of, a contract, or is based on the explicit consent of an individual, are procedures in place to facilitate an individual's right to obtain human intervention and to contest the decision? |
| Handling of requests by data subjects in relation to their rights (Article 27 DPJL) | Have you taken the appropriate action required within the required timeframes? |
| ACCURACY AND RETENTION | |
| Purpose limitation | Is personal data only used for the purposes for which it was originally collected? |
| Data minimisation | Is the personal data collected limited to what is necessary for the purposes for which it is processed? |
| Accuracy | Are procedures in place to ensure personal data is kept up to date and accurate, and that where a correction is required the necessary changes are made without delay? |
| Retention | Are retention policies and procedures in place to ensure data is held for no longer than is necessary for the purposes for which it was collected? |
| Other legal obligations governing retention | Is your business subject to other rules that require a minimum retention period (e.g. medical records/tax records)? |
| | Do you have procedures in place to ensure data is destroyed securely, in accordance with your retention policies? |
| Duplication of records | Are procedures in place to ensure that there is no unnecessary or unregulated duplication of records? |
| TRANSPARENCY | |
| Transparency to customers and employees (Article 12 DPJL) | Are service users/employees fully informed of how you use their data in a concise, transparent, intelligible and easily accessible form, using clear and plain language? |
| | Where personal data is collected directly from individuals, are procedures in place to provide the information listed at Article 12 of the DPJL? |
| | If personal data is not collected from the subject but from a third party (e.g. acquired as part of a merger), are procedures in place to provide the information listed at Article 12 of the DPJL? |
| | When engaging with individuals, such as when providing a service, selling goods or carrying out CCTV monitoring, are procedures in place to proactively inform individuals of their rights under the DPJL? |
| | Is information on how the organisation facilitates individuals exercising their DPJL rights published in an easily accessible and readable format? |
| OTHER OBLIGATIONS | |
| Processor Agreements (Article 19 DPJL) | Have agreements with suppliers and other third parties processing personal data on your behalf been reviewed to ensure all appropriate data protection requirements are included? |
| Data Protection Officers (DPOs) (Article 24 DPJL) | Do you need to appoint a DPO as per Article 24 of the DPJL? |
| | If it is decided that a DPO is not required, have you documented the reasons why? |
| | Where a DPO is appointed, are escalation and reporting lines in place? Are these procedures documented? |
| | Have you published the contact details of your DPO to facilitate your customers/employees in making contact with them? |
| Data Protection Impact Assessments (DPIAs) (Article 16 DPJL) | If your data processing is considered high risk, do you have a process for identifying the need for, and conducting, DPIAs? Are these procedures documented? |
| DATA SECURITY | |
| Appropriate technical and organisational security measures (Article 21) | Have you assessed the risks involved in processing personal data and put measures in place to mitigate them? |
| | Is there a documented security programme that specifies the technical, administrative and physical safeguards for personal data? |
| | Is there a documented process for resolving security-related complaints and issues? |
| | Is there a designated individual who is responsible for preventing and investigating security breaches? |
| | Are industry-standard encryption technologies employed for transferring, storing and receiving individuals' sensitive personal information? |
| | Is personal information systematically destroyed, erased or anonymised when it is no longer legally required to be retained? |
| | Can access to personal data be restored in a timely manner in the event of a physical or technical incident? |
| DATA BREACHES | |
| Data breach response obligations (Article 20 DPJL) | Does the organisation have a documented privacy and security incident response plan? |
| | Are plans and procedures regularly reviewed? |
| | Are there procedures in place to notify the Office of the Data Protection Commissioner of a data breach? |
| | Are there procedures in place to notify data subjects of a data breach (where applicable)? |
| | Are all data breaches fully documented? |
| | Are there cooperation procedures in place between data controllers, suppliers and other partners to deal with data breaches? |
| INTERNATIONAL DATA TRANSFERS (OUTSIDE THE EEA) | |
| International data transfers | Is personal data transferred outside the EEA, e.g. to the US or other countries? |
| | Does this include any special categories of personal data? |
| | What is the purpose (or purposes) of the transfer? |
| | Who is the transfer to? |
| | Are all transfers listed, including answers to the previous questions (e.g. the nature of the data, the purpose of the processing, from which country the data is exported, which country receives the data, and who the recipient of the data is)? |
| Legality of international transfers | Is there a legal basis for the transfer, e.g. an EU Commission adequacy decision or standard contractual clauses? Are these bases documented? |
| Transparency | Are data subjects fully informed about any intended international transfers of their personal data? |
DETAILED UK REGULATOR AUDIT CHECK-LIST
You can use this table as a simple checklist, perhaps adding additional columns for action, owner, progress and status.
| ID | CRITERIA | SUPPORTING EVIDENCE REQUIRED |
|---|---|---|
| 1 | GOVERNANCE AND ACCOUNTABILITY | |
| 1.1 | Policies and Procedures | Are there governance processes in place which are reflected in key policies? |
| 1.2 | Management Structures | Is there a management framework, including a delegated process of accountability and responsibility from the board down, to ensure there is effective oversight of data protection compliance? |
| 1.3 | Central Action Plan and KPIs | Are there measures and Key Performance Indicators in place against governance processes? |
| 1.4 | Compliance Checks and Audits | Are regular audits and checks carried out, and are the results of these actioned? |
| 1.5 | Record of Processing (ROPA) and corresponding Risk Register | Is there a documented Record of Processing Activities and Risk Register that is updated frequently? |
| 1.6 | Data Protection Officer | Has a Data Protection Officer (DPO) been appointed, and has a supporting infrastructure for the DPO been developed? |
| 1.7 | Lawful Basis of Processing | Does a full record of the lawful basis for processing exist for each area of personal data processing? |
| 1.8 | The Use of Consent as the Lawful Basis for Processing | Are there appropriate consent mechanisms in place, where consent is used as a lawful basis? |
| 1.9 | Overarching Information Governance Training | Is there an overarching Information Governance training programme in place? |
| 1.10 | Processor Contracts | Is there a written contract (or other legal act) in place to evidence and govern the working relationship with processor(s)? |
| 1.11 | Processors of the Organisation | Are processors, acting on behalf of the organisation, monitored with regard to compliance with information governance policies? |
| 1.12 | External Accreditation | What external accreditation or certification has your organisation undergone? |
| 1.13 | Information Steering Group | Is there a designated group within the organisation for data protection? |
| 1.14 | Online Services for Children | What systems are in place to provide additional safeguards for children? |
| 1.15 | Data Protection by Design and Default | What organisational considerations have been undertaken to demonstrate that data protection by design and default has been implemented? |
| 1.16 | Transparency | What measures does the organisation take to ensure it is transparent with data subjects? |
| 2 | TRAINING AND AWARENESS | |
| 2.1 | Organisational Training Programme | Do all staff undergo data management and GDPR/Data Protection training at the beginning of and during their employment? |
| 2.2 | Role-based Training | Is training tailored to an employee's role? Is there specific Data Protection training for those in specialist roles? |
| 2.3 | Induction Training | Is there induction training for all staff? Does this training cover data protection practices? |
| 2.4 | Refresher Training | Is there a planned schedule for refresher training in place? |
| 2.5 | Training Records | Is there a regularly updated record of training? |
| 2.6 | E-learning | Is e-learning available for employees? |
| 2.7 | Follow-up Processes | Is there a process in place to ensure training is completed? |
| 2.8 | Staff Awareness | Are all members of the Board, Senior Leadership, Non-Executive Directors (NEDs), Governors and Executives aware of their legal responsibilities under the General Data Protection Regulation (GDPR)/Data Protection Act (DPA)? How are staff kept informed about data protection procedures and updates? |
| 3 | RECORDS MANAGEMENT | |
| 3.1 | Policies and Procedures | Are there policies and procedures in place to enable accurate records management throughout the organisation? |
| 3.2 | Roles and Responsibilities | Are employees aware of their role within records management and the responsibilities entailed by this? |
| 3.3 | Authenticity of Records | Are there processes in place to ensure the authenticity of records? |
| 3.4 | Collection of Data | Are individuals informed about the use of their personal data? |
| 3.5 | Creation of Records | When creating documented information, has the organisation ensured there are appropriate identification, classification and security measures? |
| 3.6 | Effective Mechanisms | Are there effective mechanisms in place to locate and retrieve physical records on demand? |
| 3.7 | Accuracy | Are there processes in place to ensure the accuracy of records? |
| 3.8 | Integrity and Reliability of Records | Are there processes in place to ensure the integrity and reliability of records? |
| 3.9 | Third Party Contracts | What measures are in place to ensure third parties comply with your policies and procedures? |
| 3.10 | Third Party Disposal Checks | Where third parties are supposed to dispose of personal information, what checks have been carried out? |
| 3.11 | Usability of Records | Are there processes in place to ensure the usability of records? |
| 3.12 | Records Inventory Maintenance | Is there a structured records maintenance process in place? This should enable the data to be kept accurate and up to date. |
| 3.13 | Retention Schedule and Disposal of Data | Has a Retention Policy and Schedule been developed, delivered and embedded? Is there an official process in place for the destruction of data? |
| 4 | SECURITY OF PERSONAL DATA | |
| 4.1 | Policies and Procedures | Are there information security procedures in place to inform internal staff and data subjects about information security? |
| 4.2 | Well Established Management Framework | Is there an embedded management framework within the organisation? |
| 4.3 | Cyber Resilience | Is there evidence of cyber access points being secured against external threats? |
| 4.4 | Appropriate Organisational Measures | Is data security implemented throughout the organisation? |
| 4.5 | Access Control | Is there a policy in place that governs the creation and suspension of user access to organisational systems? |
| 4.6 | Physical Security | How are physical documents stored (e.g. lockable cabinets), and what security is there around devices? What security is in place concerning the building? |
| 4.7 | Operations Security | A policy or procedure that controls the recruitment, management, monitoring and control of system administration. |
| 4.8 | Mobile Devices and Working from Home | A policy and procedure that implements security measures when using mobile devices and working from home. |
| 4.9 | Appropriate Background Checks | What measures are in place to ensure information security standards are maintained throughout someone's employment? What is the process for HR staff? |
| 4.10 | Responsibility for Assets | Is there a process which identifies your information assets (hardware and software), who is responsible for them, and the acceptable use of those assets? |
| 4.11 | Use, Maintenance and Disposal of Assets | What systems are in place to ensure the acceptable use, maintenance and disposal of information assets? |
| 4.12 | Safeguarding of Authentication Information | What measures are in place to ensure that authentication information is safeguarded? |
| 4.13 | Secure Storage for Physical Assets | What security measures have been put in place for physical assets? |
| 4.14 | Operational Procedures and Responsibilities | What operational measures have been implemented to ensure correct and secure systems and services? |
| 4.15 | Malware Protection | What measures have been taken to protect against malware and viruses? |
| 4.16 | Back-Up | How are information assets backed up? |
| 4.17 | Network Security Management | Has network security management been implemented to ensure the protection of information in networks and its supporting information processing facilities? |
| 4.18 | Technical Vulnerability Management | Has technical vulnerability management been implemented to prevent the exploitation of technical vulnerabilities? |
| 4.19 | Third Party Transfers | What measures are in place to provide appropriate protections during third party transfers? |
| 4.20 | Email Protections | What protections are there to safeguard email communications? |
| 4.21 | Information Security in IT Supplier Relationships | What information security measures have been implemented within IT supplier relationships? |
| 4.22 | User Access Management | Is there a system in place to allocate, restrict, control, review and terminate access rights? |
| 4.23 | System Maintenance | Is there an increased level of monitoring where employees have access to crucial information systems? What procedures are there for when operating platforms are changed and software is modified? |
| 4.24 | Information Classification | Is there a consistent approach to differentiating types of information throughout the organisation? |
| 4.25 | Media Handling | Are there procedures and protections in place for the management, transportation and disposal of media? |
| 4.26 | Breach and Incident Management | Is there a Breach/Incident Management policy and procedure? Is there a log of breaches/incidents that is regularly updated? |
| 4.27 | Business Continuity | Is there a Business Continuity plan in place? |
| 4.28 | Compliance Monitoring and Reviews | Is there compliance across all departments? |
| 5 | SUBJECT ACCESS REQUESTS AND INDIVIDUAL RIGHTS | |
| 5.1 | Owner | Is there an individual/team responsible for Subject Access and Individual Rights? |
| 5.2 | Guidance | How are individuals guided on how to make a request? |
| 5.3 | Recognising a Request | Are staff made aware of how to identify and channel requests to the appropriate team or person? |
| 5.4 | Verification | Is there a process in place for how data subjects are verified when making a request? |
| 5.5 | Procedures for Finding and Retrieving Information | Does the organisation know what personal information it holds, and does it have systems and processes in place to locate it in good time? |
| 5.6 | Dealing with the Data Subject | Is there a procedure in place for communications with the Data Subject? |
| 5.7 | Secure Transfer | What procedures are in place to ensure the secure transfer of information to the data subject? |
| 5.8 | Complaint Procedure | Is there a clear process for data subjects to raise complaints? |
| 5.9 | SAR Reporting and Related KPIs | Are SAR reports generated that also display related KPIs? |
| 5.10 | Policies and Procedures | Are there Subject Access and Individual Rights policies in place, and are they followed and updated? |
| 5.11 | SAR Log | Are the requests and the subsequent procedure logged? |
| 5.12 | Timescale Monitoring | Is there a process in place for monitoring the progress of requests and ensuring they are completed within the required one month timeframe? |
| 5.13 | Redactions | Is there a process in place? |
| 5.14 | Exemptions | Is there a list of the exemptions that have been used when refusing individual rights? |
| 6 | DATA SHARING | |
| 6.1 | Owner/Authorisation | Do you have a record of who owns the data and the authorisation to share the data? |
| 6.2 | Policies and Procedures | Do you have Data Sharing procedures and policies in place? |
| 6.3 | Written Agreements Controller/Processors | Where the organisation is the controller, is a written agreement in place with all processors outlining their Data Protection requirements? |
| 6.4 | Written Agreements Processors/Controllers | Where the organisation is the processor, is a written agreement in place with all controllers outlining their Data Protection requirements? |
| 6.5 | Written Agreements Controllers/Controllers | Where the organisation is a Joint Controller or a Controller in Common, is a written agreement in place with all Joint Controllers/Controllers in Common outlining their Data Protection requirements? |
| 6.6 | Transfers outside the EU/Adequacy/EEA | Where data is shared outside the EU, are the additional safeguards in place as required? |
| 6.7 | Data Quality and Retention | What measures are in place to ensure the quality of any data shared? |
| 6.8 | Disclosures | What processes are in place to ensure disclosures are documented? |
| 6.9 | Documentation of Decisions | How are decisions regarding the sharing of data documented? |
| 6.10 | Managing Data Sharing Agreements | Is there a management procedure to undertake regular quality checks/due diligence on Data Sharing agreements? |
| 6.11 | Brexit - No Deal Readiness | Data flows to the EU have been defined, EU DPOs/agents have been appointed where required, and standard contractual terms are in place between controllers and processors. |
| 7 | INFORMATION RISK ASSESSMENT (DPIA) AND MANAGEMENT | |
| 7.1 | Policies and Procedures | Do you have information risk assessment and management policies and procedures in place? Are there triggers to initiate these procedures? |
| 7.2 | Responsibilities | Do you have a responsibility hierarchy in place? |
| 7.3 | Consultation Process | Do you have a DPIA consultation process in place? |
| 7.4 | Organisational Measures | What organisational measures are in place to identify data flows into, through and out of the organisation? |
| 7.5 | Referral to ICO | Is there a procedure whereby new projects or changes in processes can be escalated where a high risk is discovered? |
| 7.6 | Formal Report | Is there a formal report to accompany completed DPIAs? Is this report presented to the appropriate stakeholders? |
| 7.7 | Project Plan/Risk Register | Do you have project plans and a corresponding risk register in place? |
| 7.8 | Review and Audit | Do you regularly review and audit your information risk assessments? |
| 7.9 | Sample DPIAs and Templates | Do you have sample DPIAs and templates in your organisation? |
| 7.10 | Log of DPIAs | Does your organisation have a log of DPIAs? |
| 8 | DIRECT MARKETING | |
| 8.1 | Policies and Procedures | Direct marketing procedures and policies, including legitimate interest assessments. |
| 8.2 | Consent | Evidence of collected consent for direct marketing. |
| 8.3 | Screening | Evidence of screening against the TPS and other relevant preference services and the organisation's own unsubscribed list. |
| 8.4 | Opting In/Out | Evidence of clear opt-in/opt-out options for direct marketing. |
| 8.5 | Privacy Notice | Evidence of direct marketing transparency information within privacy notices, and where in the marketing process this is available to the data subject. |
| 8.6 | Database Management | A system in place to manage the database used for direct marketing. |
| 8.7 | Bought-in Lists | Evidence that bought-in lists are valid and that due diligence has been carried out. |
| 8.8 | Lawful Basis | Log of the lawful basis being used for direct marketing, documented in the privacy notice. |
| 8.9 | Cookies | A cookies policy in place, and processes which evidence that you tell people the cookies are there, explain why the cookies are there and what they do, and that you have received their consent to store the cookie. |