What is covered by the report?
Leadership and oversight
This section looks at your organisational structure, roles and responsibilities, including your data protection officer (if you have one), and how you make sure information governance activities are completed.
Policies and procedures
This section looks at your process for creating and sharing policies and procedures, how staff find and learn about these and how you make sure data is protected by design and default.
Training and awareness
This section looks at your induction, annual refresher and role-specific training. We will look at how you ensure your training covers what matters to you and that your staff understand it.
This section looks at how you handle data subject rights requests, including how you would cope with a sudden influx and how you make sure they are completed correctly and within statutory time frames.
This section looks at your privacy notices and how you make sure they work for your audiences. We will look at how you ensure they are up to date and easy for people to find and understand.
Records of processing activities and lawful basis
This section looks at how you create and maintain records of the processing you do and how you make sure your processing is lawful. We will look at your processes and privacy notices, and focus on how you handle processing on the basis of legitimate interest and consent. If you process children’s data, we will also look at your parental/guardian consent processes.
Contracts and data sharing
This section looks at how you handle contracts with third parties and make sure personal data is protected when you use other organisations to help you process it.
Risks and data protection impact assessments
This section looks at how you identify, record and manage data protection risks.
Records management and security
This section looks at how you handle personal data and protect it from information security risks. We will look at how you make sure it is suitable for your purposes and ask you about specific information security controls such as access controls, remote working and business continuity preparations.
Breach response and monitoring
This section looks at how you detect, manage and handle breaches and incidents.