It's already the third anniversary of the GDPR!

Here are 10 questions that controllers should consider when self-assessing their compliance. Most of these questions are relevant for processors too!

  1. Have you set up and maintained a record/register of processing activities?
  2. Are you identifying, on an ongoing basis, lawful bases for all the processing you carry out (including recording consent as appropriate and conducting a balancing test if relying on legitimate interest)?
  3. Are you drafting or updating your internal data protection policy and privacy information notice?
  4. Are you putting in place processes and procedures to respond to data subjects' requests (access, update, erasure, etc.) and managing data breaches?
  5. Destroying or deleting personal data that is no longer necessary to pursue the purposes for which it has been collected?
  6. Implementing appropriate technical and organisational measures to protect personal data (including an information security policy and training for the member of your staff who processes personal data) and are you regularly reviewing the security of your IT environment?
  7. Have you entered into a written contract with the processors you use?
  8. Do you have documents that you do not need and have you conducted data protection impact assessments (DPIA)?
  9. Do you have documents that you do not need and have you appointed a DPO;
  10. Are you ensuring all transfers of personal data are made under appropriate safeguards and are you taking appropriate measures further to the Schrems II case?

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.