Apart from you regular review of the Compliance section of GDPR365, here are some additional pointers to consider when reviewing your overall data protection compliance program.
Are you now transferring personal data outside the EU? Is your organisation doing any automated decision making, including profiling? Perhaps you are required to do DPIAs? Have you selected these features under Organisation / Subscription?
In GDPR365, have the relevant preferences been setup? And in respect of your review, especially the one ‘To do a complete compliance review’. What about the other preferences like ‘Processor contract expiry’?
Has anything changed to the effect that you now need to appoint a DPO? Have the details of your current DPO changed – if so, have you updated the supervisory authority (as well as GDPR365)?
Operationally, has anything changed in the organisation which might require updating in data mapping? New data subject types, different processing purposes, different retention periods, new processors etc.? Make the changes and don’t forget to click ‘Publish’ in your privacy notices under Governance.
Where you use consent as a lawful basis, is it still appropriate? Have you taken into account any objections? Are you providing the proper mechanisms for people to provide (opt-in) or withdraw (opt-out etc.) their consent? Should any previously obtained parental consent be reviewed now that the child is an adult?
Where you use legitimate interests as a lawful basis, is it still appropriate? Do you keep a record of your legitimate interest impact assessment?
The email address to whom your online subject access requests are being sent – is it still valid? Look under Governance/Your Website. Are there any Custom documents that you could add to your library?
Is it time to resend certain documents? Are there employees to add or remove from your listing? Have employees been trained to recognise subject access requests? Have the relevant employees/stakeholders been trained in the management of responses to data security incidents?
Are they all updated with contract start and end dates? Else, the notification won’t work. Are they all signed – or at least those that can be signed? Are you now transferring personal data outside the EU? - have you entered the relevant lawful basis into the processor contract form?
Have the appropriate staff received recent training in this process? Are there any matters outstanding in ‘open’ incidents? Are there any ‘open’ incidents that should be closed? Are there any breaches that have yet to be reported?
Are you regularly printing and storing copies of your Records of Processing Activities Report and your Readiness Assessment?
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018