Data Protection Accountability Questionnaire

This is a high-level questionnaire for senior management to assess current levels of compliance and to help identify key areas of vulnerability to be addressed in relation to the EU General Data Protection Regulation ((EU) 2016/679).

It can be used as part of a periodic compliance review and as a tool to demonstrate accountability.

Organisation Name:

Your Name:

Email *

Has responsibility for monitoring data protection compliance been formally assigned to a Data Protection Officer (DPO) or other responsible person?

If so, when was this person appointed?

Who is this person?

Provide a copy of their job description showing this responsibility, or the terms of reference provided:

List other job roles that have data protection responsibilities included in their job descriptions:

Select those below that will evidence regular and functional communication between the DPO and the organisation's most senior management:

How often does the DPO meet with senior management to discuss data protection?

How are these documents available to staff?

List job roles that have accountability for ensuring compliance with data protection policies in their job descriptions:

In which of these areas can we provide evidence of processes?

Data breaches / near misses
Data subject rights requests and responses
Supplier data compliance
Data breach risk assessment
Legitimate interest assessment (LIA)
Data Protection Impact Assessment (DPIA)

i.e. data breach log, rights request log, processor terms, processor compliance audit, DPIA form, LIA forms

What processes are embedded to ensure data accuracy?

Regular prompt for update
Periodic update
User reliant update
Data subject has full Controll
Data subject requested to notify changes
Third party data source requested to notify changes

How can we show compliance with the duty to keep data processed to the minimum required for process purposes?

Information Asset Register
Other data audit
Forms used are regularly reviewed to ensure data necessary and relevant
No measures currently in place

How are staff trained in data protection?

If we act as joint controller of personal data with any other organisation (group or otherwise), can we evidence how data responsibilities are allocated between controllers?

Yes, by a written agreement
Yes, by process document/s
Yes, by minutes of meetings
No, but this should be addressed
No, because we don't act as joint controller

How can we show compliance with the responsibility of transparency with data subjects?

Fair processing notice exists for all categories of data subject
Separate privacy notices issued to all categories of data subject
Privacy notice information provided piecemeal where data is collected
Privacy notice information is within contractual documents
No privacy notice information provided

NB. privacy notice information is essentially as follows. Our name and contact details and of our DPO. The types of personal data we use and the purposes and lawful bases of our processing. Where the data came from and if there is any legal obligation for it to be provided. Who we share personal data with and if it is transferred outside UK/EU. How long we keep the data for and what rights data subjects have. Details of any automated decision making or profiling activities.

Do we have a record of our processing activities?

Yes, we have this in a single document / audit outcome
Yes, this information is contained across several documents
No, because we have less than 250 staff and we don't process sensitive personal data or data likely to cause a risk to individual's rights and freedoms
No, because this needs to be put in place

NB. Records required are as follows. Data controller and data processor identity and contact information, categories of personal data processed, details of transfers outside UK/EU, existence of safeguards for transfers outside UK/EU, details of technical and organisational security measures.

Can we show that we have identified a suitable legal basis for all processing activities?

Yes, we have covered this in an audit
Yes, we have identified legal bases but not by reference to any audit
Yes, we have adopted a standard document
No, we could not show that we have identified a legal basis for each category of personal data we process

NB. the available legal bases are as follows. Legal obligation, contractual necessity, legitimate interest, consent, vital interest and public interest.

Comment