| Area | Description | Summary Red/Amber/Green | Description of action taken so far | Description of next steps and dates |
|---|---|---|---|---|
| Education and Awareness | Use posters, team huddles, reminders and the staff handbook to remind people about their obligations (e.g. the contents of your Data Protection Policy and Information Security Policy). | | | |
| Data Mapping | Understanding what data you hold, where and why. This helps identify trip hazards around people, process or technology that need addressing, and makes sure there are roles and controls in place to keep data private, safe and secure. | | | |
| Risk Assessment | Understanding and agreeing the key risks and measures over people, process and technology. There is a lot you could do on risk, and there is some guidance on data-processing impact assessments (DPIA). As a minimum I'd suggest that the Directors (or Audit) hold a meeting to discuss training, measures and paperwork; the minutes of that meeting (together with any actions) can constitute a reasonable risk assessment. | | | |
| Records Management & Retention Policy | Helps you classify/categorise data and treat it accordingly, with some held for 1 year, 3 years, 10 years (or whatever) and some restricted to authorised people only. Generally this is also a good housekeeping exercise. | | | |
| Subject Access Request | Have a standard process, and perhaps a template response, for dealing with requests, which may come from staff, customers or other types of people for whom you hold or share data. | | | |
| Data Breaches and Reporting | Have a standard process, and perhaps a template response, for dealing with data breaches and reporting, including any that are a consequence of a supplier, third party or any other person holding your data. | | | |
| Data Protection Policy | About data, confidentiality, security, privacy etc. You probably already have this covered in your staff handbook. | | | |
| Information Security Policy | About emails, login, passwords, clear-desk policy, cabinets and keys. You probably already have this covered in your staff handbook too. | | | |
| Processor/Controller Agreements | Have a standard letter to send to any supplier, third party or other person holding, sharing or processing your data. Make sure that letter (or contract) sets out your expectations and their obligations (e.g. the contents of your Data Protection Policy and Information Security Policy). | | | |
| Privacy Notice | About what data you hold, why, and the key controls taken to keep it confidential, accurate and secure. Some of this may be on your website, some may be written into your contracts, or possibly on a leaflet or brochure. | | | |
| Data Protection Officer | Only mandated for a public authority, or where carrying out large-scale systematic monitoring or large-scale processing of special categories of data (e.g. health or medical). Nonetheless there is value in having someone to help co-ordinate policy, procedures and processes, and to take charge and co-ordinate matters in the event of a subject access request or the need to progress a breach notification. | | | |