
Right to Erasure – Process documented, including data disposal activity
Right to Data Portability – Process documented
Right to Object to Processing – Process documented
Right regarding automated decision making (profiling) – Activity reviewed, compliance assured, and process documented
Develop and implement a DPIA process
Complete/update your ‘Subject Access Request’ policy
Complete/update your ‘Data breach’ policy and procedures and have these tested/reviewed periodically
Demonstrate adherence to ‘Privacy by design and by default’ with DPIA documentation available where appropriate
Complete/update your Data Protection policies
Evaluate potential benefits of relevant BS/ISO/Cyber Essentials standards and certifications
Corporate security policy in force and updated
Is the data safe? Review security protocols and tools for preventing unauthorised access into your network, including:
  Firewall configuration (ensuring passwords have been reset from default settings)
  Any open ports have been reviewed
  Anti-malware, anti-ransomware and anti-virus software installed and updated regularly
  All patches applied within 14 days of release
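As an added example (not part of the original checklist), the following Python script audits a constructed host inventory against the four network-security checks above: firewall default credentials, unreviewed open ports, anti-virus signature age and the 14-day patch window. The record layout, the per-role port allow-lists, the 7-day anti-virus threshold, the "today" date and the sample hosts are all assumptions made for illustration; only the 14-day patch window comes from the checklist.

```python
"""Audit a constructed host inventory against the 'Is the data safe?' checks.

Added example, not part of the original checklist. The record layout, the
per-role port allow-lists, the 7-day anti-virus threshold, AS_OF and the
sample hosts are assumptions made for illustration.
"""
from datetime import date

PATCH_WINDOW_DAYS = 14       # from the checklist: patches applied within 14 days of release
AV_STALE_DAYS = 7            # assumed threshold for "updated regularly"
AS_OF = date(2024, 5, 20)    # constructed audit date

# Assumed per-role allow-lists: ports a reviewer has already signed off on.
ALLOWED_PORTS = {
    "firewall": {443},              # management interface only
    "web": {443},
    "mail": {25, 587, 993},
}

# Constructed sample inventory (fictitious hosts and patch ids).
INVENTORY = [
    {"host": "fw-edge-01", "role": "firewall", "default_creds_reset": False,
     "listening_ports": [443], "av_last_update": "2024-05-19",
     "missing_patches": []},
    {"host": "web-01", "role": "web", "default_creds_reset": True,
     "listening_ports": [443, 8080], "av_last_update": "2024-05-18",
     "missing_patches": [{"id": "PATCH-EXAMPLE-1", "released": "2024-04-30"}]},
    {"host": "mail-01", "role": "mail", "default_creds_reset": True,
     "listening_ports": [25, 587, 993], "av_last_update": "2024-03-01",
     "missing_patches": [{"id": "PATCH-EXAMPLE-2", "released": "2024-05-15"}]},
]


def audit_host(record: dict, as_of: date) -> list:
    """Return the checklist failures for one host (an empty list means compliant)."""
    findings = []

    # Firewall configuration: default passwords must have been reset.
    if record["role"] == "firewall" and not record["default_creds_reset"]:
        findings.append("firewall still using default credentials")

    # Open ports: anything not on the reviewed allow-list needs a review.
    unexpected = set(record["listening_ports"]) - ALLOWED_PORTS.get(record["role"], set())
    if unexpected:
        findings.append(f"unreviewed open ports: {sorted(unexpected)}")

    # Anti-virus / anti-malware: signatures must be recent.
    av_age = (as_of - date.fromisoformat(record["av_last_update"])).days
    if av_age > AV_STALE_DAYS:
        findings.append(f"anti-virus signatures {av_age} days old")

    # Patching: any missing patch older than the 14-day window is a failure.
    for patch in record["missing_patches"]:
        age = (as_of - date.fromisoformat(patch["released"])).days
        if age > PATCH_WINDOW_DAYS:
            findings.append(
                f"patch {patch['id']} outstanding {age} days (limit {PATCH_WINDOW_DAYS})")

    return findings


def audit_inventory(inventory: list, as_of: date) -> dict:
    """Map each host name to its findings; hosts with an empty list are compliant."""
    return {rec["host"]: audit_host(rec, as_of) for rec in inventory}


if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY, AS_OF).items():
        print(f"{'OK' if not findings else 'FAIL':4} {host}")
        for finding in findings:
            print(f"       - {finding}")
```

Run it against an export from your asset register; a host appears as OK only when every one of the four checks passes, which is the evidence an assessor will ask for.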
All users have read and understood the Corporate Security policy, and all unnecessary or default user accounts have been deleted
Password security incorporates strong password protocols, and passwords are changed regularly
Remove and disable any unnecessary software, services and applications
Identify and implement appropriate technical measures that make PII accessible only to relevant employees
Consider encryption and pseudonymisation requirements
User privileges restricted to appropriate personnel
Conduct penetration testing and consider adherence to the ‘Cyber Essentials’ scheme
Review any file sharing capabilities, technologies and protection systems, ensuring compliance
Consider the use of automated tools for discovering, cataloguing and classifying personal and sensitive personal data across your organisation
Identify and review use of all data systems, whether sanctioned or not, e.g. use of cloud storage services such as Dropbox, Box and other similar services (clarify sovereignty/residency)
Review use and synchronisation of corporate data to cloud services and from non-corporate devices, e.g. personal mobile devices and home computers
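As an added example (not part of the original checklist), the following Python script illustrates two of the items above together: the automated discovery and classification of personal and sensitive personal data, and pseudonymisation as a technical measure limiting who can see PII. The detection patterns, the special-category field names, the fictitious sample records and the in-code key are all assumptions for illustration; a real deployment would use the discovery tooling the checklist recommends and hold the key in a secrets manager, separately from the pseudonymised data.

```python
"""Discover, classify and pseudonymise personal data in constructed sample records.

Added example, not part of the original checklist. The patterns, the list of
special-category field names, the sample records and the key are assumptions.
"""
import hashlib
import hmac
import re
from typing import Optional

# Field-content patterns (assumed, deliberately simple; tune them for your data).
PATTERNS = {
    "email":        re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "uk_phone":     re.compile(r"^(?:\+44|0)\d{10}$"),
    "uk_ni_number": re.compile(r"^[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]$"),
    "uk_postcode":  re.compile(r"^[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}$"),
}

# Field names that signal special-category data under the GDPR (assumed list).
SENSITIVE_FIELD_NAMES = {"health_condition", "ethnicity", "religion", "union_membership"}

# Constructed sample records (fictitious people; 07700 900xxx is a reserved range).
RECORDS = [
    {"id": 1, "name": "A. Example", "email": "a.example@example.org",
     "phone": "07700900123", "postcode": "SW1A 1AA", "health_condition": "asthma",
     "order_total": "42.50"},
    {"id": 2, "name": "B. Sample", "email": "b.sample@example.net",
     "ni_number": "AB123456C", "order_total": "9.99"},
]


def classify_field(name: str, value) -> Optional[str]:
    """Return 'sensitive', 'personal' or None for a single field."""
    if name in SENSITIVE_FIELD_NAMES:
        return "sensitive"
    if name == "name":          # free text: classify by field name, not by pattern
        return "personal"
    if isinstance(value, str):
        for pattern in PATTERNS.values():
            if pattern.match(value.strip()):
                return "personal"
    return None


def catalogue(records: list) -> dict:
    """Map each field name found in the data set to its highest classification."""
    rank = {None: 0, "personal": 1, "sensitive": 2}
    result = {}
    for rec in records:
        for field, value in rec.items():
            cls = classify_field(field, value)
            if rank[cls] > rank[result.get(field)]:
                result[field] = cls
    return {field: cls for field, cls in result.items() if cls}


def pseudonymise(records: list, key: bytes) -> list:
    """Replace every classified field with a keyed HMAC-SHA256 token (hex).

    The key is the 'additional information kept separately' on which the
    GDPR's pseudonymisation definition relies: without it the tokens cannot
    be reversed or linked back, while equal values still map to equal tokens
    so records can be joined for analysis without exposing the raw data.
    """
    classified = catalogue(records)
    out = []
    for rec in records:
        new = {}
        for field, value in rec.items():
            if field in classified:
                new[field] = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()
            else:
                new[field] = value
        out.append(new)
    return out


if __name__ == "__main__":
    for field, cls in sorted(catalogue(RECORDS).items()):
        print(f"{cls:9} {field}")
    for rec in pseudonymise(RECORDS, b"constructed-demo-key-do-not-reuse"):
        print(rec)
```

The catalogue output is the kind of inventory a DPIA or a Subject Access Request process needs (which systems hold which categories of data), and the pseudonymised copy is what analysts or developers outside the "relevant employees" group can be given in place of the live records.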