PREPARING FOR THE

GENERAL DATA PROTECTION REGULATION

SELF-ASSESSMENT QUESTIONNAIRE

Data Processors

  1. The current data protection legislation – the Data Protection (Bailiwick of Guernsey) Law, 2001 and the Data Protection (Jersey) Law 2005 (the Current Laws) – was drafted in response to EU Directive 95/46/EC (the Directive) and declared adequate for the purposes of data transfers. Given the vast changes in technology that have taken place over the last twenty years, the Current Laws (and European laws) are being updated.
  2. The EU has approved the General Data Protection Regulation (GDPR), the largest change to the protection of personal data since the Directive in 1995. The GDPR comes into effect for EU Member States on 25 May 2018. Whilst the Channel Islands (the Islands) are not part of the EU, the GDPR has implications for the Islands in two ways:
     a. Local organisations offering goods/services to or otherwise targeting/monitoring EU citizens will be required to comply with the GDPR, regardless of what regulatory or legislative regime is in place locally.
     b. The Islands’ “adequacy” rulings under the current EU Directive will be re-assessed against the GDPR and it is highly unlikely that the Current Laws will be considered adequate against the new standard. Both Governments have therefore made the decision that new legislation will be implemented in both Islands with the aim to be ready for implementation in May 2018, in line with the EU legislative timetable.

What do you need to do?

  3. Legislative drafting across the Channel Islands is underway with a view to the creation of new, GDPR-focused data protection laws (“new data protection legislation”) in both Bailiwicks. However, it may be some time before any drafts are available for review. That being so, it is important for organisations to take stock of their current data handling processes and procedures now and not to leave preparations until the last minute.
  4. Whilst aspects of the GDPR are new, many of the requirements build upon the existing legislative framework and therefore compliance with the Current Laws will go a long way towards compliance with the GDPR. If your organisation is compliant under the Current Laws then much of your approach should remain valid under the GDPR. The GDPR does, however, introduce certain new elements and other significant enhancements, and it is important and useful for organisations to identify and understand how the GDPR is likely to impact them. The responsibility to become familiar with the GDPR (and any local legislation in due course) lies with the organisation.
  5. In addition to existing, published guidance, the Commissioner has launched a microsite dedicated to GDPR and data protection reform. This can be found at
  6. Further information will be provided over the coming months in order to assist in preparation for the GDPR (and the new legislation).
  7. Do not underestimate the time required to ensure you are fully prepared for 2018. The value of formulating, adopting and implementing exemplary data governance and security practices lies in the rewards it yields.

Using this Questionnaire

  8. In order to provide a practical starting point for organisations, the Commissioner has compiled this questionnaire to assist in the preparation for compliance under the GDPR and new local legislation. This questionnaire contains simple questions that senior management and directors of organisations can use to assess the basic level of compliance that currently exists within that organisation and to highlight those areas which are likely to require attention prior to May 2018. It is also a starting point for the record of processing activities that data processors will be required to hold under both the GDPR (Article 28) and local legislation. It is for your internal use only.
  9. The document is protected, so you will only be able to add, edit and delete text in the space given for answers.
  10. Additional information to support some of the questions in this document can be found in the Data Processors’ Self-Assessment Notes.

THIS DOCUMENT IS PURELY FOR GUIDANCE AND DOES NOT CONSTITUTE LEGAL ADVICE OR LEGAL ANALYSIS. IT IS INTENDED AS A STARTING POINT ONLY, AND ORGANISATIONS MAY NEED TO SEEK INDEPENDENT LEGAL ADVICE WHEN REVIEWING, ENHANCING OR DEVELOPING THEIR OWN PROCESSES AND PROCEDURES OR FOR SPECIFIC LEGAL ISSUES AND/OR QUESTIONS.

GDPR
SA-2 / GDPR
SELF-ASSESSMENT QUESTIONNAIRE
Name of Organisation / Click or tap here to enter text.
Notification Number(s) (if notified) / Click or tap here to enter text.
Department / Click or tap here to enter text.
Contact Name / Click or tap here to enter text.
Products and/or services provided / Click or tap here to enter text.
Number of sites/locations to be covered / Click or tap here to enter text.
Number of full-time staff / Click or tap here to enter text.
Number of part-time staff / Click or tap here to enter text.
Name of Data Protection Officer (if any) / Click or tap here to enter text.
Number of sub-contractors / Click or tap here to enter text.
Date questionnaire completed / Click or tap here to enter text.
Completed by / Click or tap here to enter text.

Table of Contents

A. INTRODUCTION
B. DATA COLLECTION
C. GOVERNANCE
D. STORAGE AND ARCHIVING
E. SECURITY
F. DESTRUCTION OF DATA AND TERMINATION OF CONTRACT
G. USING SUB-PROCESSORS
H. TRANSFERS OF PERSONAL DATA
I. TRAINING

A. INTRODUCTION

Question 1 / Are any of the individuals whose personal data you process on behalf of a data controller based in the EU? (See Note 1 in the Data Processors’ Self-Assessment Notes for a list of EU countries)
Click or tap here to enter text.
If yes, it is necessary to ensure that processing of personal data of those individuals based in the EU is compliant with the GDPR by 25 May 2018. Please carry on with this self-assessment to flag those topics that may need some work.
If no, there is no requirement to comply with the GDPR itself, but new local legislation is in the process of being drafted and you will need to ensure that you comply with that. As it is based upon the GDPR, there is value in conducting this self-assessment as a flagging exercise to establish areas that may need work, although at this time there is no definitive guidance as to what the local law will look like.

B. DATA COLLECTION

Question 2 / What personal data are processed? (e.g. name, address, telephone number etc.)
Click or tap here to enter text.
Question 3 / Why are these personal data processed? For what purpose are they used?
Click or tap here to enter text.
Question 4 / Within the GDPR, the term “special category data” replaces the existing term “sensitive personal data”. It also encompasses more data types than the current definition. (See Note 2 in the Data Controllers’ Self-Assessment Notes for more information on “sensitive personal data” and “special category” data)
With the expanded definition in mind, is any special category data held or processed (e.g. medical/health data, ethnic origin etc.)?
If so, for what purpose?
Click or tap here to enter text.
Personal data relating to criminal convictions and offences is subject to a separate EU legal instrument, known as the Law Enforcement Directive and this will impact on how organisations can process such data. These provisions will be written into new data protection legislation and further guidance as to how such data should be processed and protected will be published in due course.

C. GOVERNANCE

Question 5 / Do you currently have a Data Protection Officer?
Click or tap here to enter text.
Question 6 / If so, to whom does the Data Protection Officer report?
Click or tap here to enter text.
Question 7 / What responsibilities does the Data Protection Officer have?
Click or tap here to enter text.
Question 8 / If you do not currently have a Data Protection Officer, are you planning to appoint someone to such a role prior to 25 May 2018?
Click or tap here to enter text.
Some organisations are mandated to have a Data Protection Officer. (See Note 3 in the Data Controllers’ Self-Assessment Notes for more information as to whether your organisation will require a Data Protection Officer)
Question 9 / Are written agreements in place between your organisation and the data controller that outline how personal data should be processed?
Click or tap here to enter text.
If no, there should be, in order to meet the requirements of the relevant section of Schedule 1, Part II of the Law, although it falls to the data controller to ensure a contract is in place and the data controller would be at fault if there was not.
If yes, each agreement will require review against the new requirements within the GDPR. Data processors become accountable and liable under the GDPR and as such you may require extra information from the data controller to ensure you are compliant.
Question 10 / Is a central record of processing activities maintained in a format that can be used to demonstrate processing activities to the data controller?
Click or tap here to enter text.
The GDPR requires organisations to hold records of their processing activities, including the categories of processing and details of any transfers of data outside the Bailiwick.
Question 11 / If yes, how often is this reviewed and updated?
Click or tap here to enter text.

D. STORAGE AND ARCHIVING

Question 12 / How does your organisation store personal information on behalf of a data controller? (e.g. on computer or manual files or both and/or on personal devices?)
Set out details of databases/filing systems containing personal data.
Click or tap here to enter text.
Question 13 / If information is stored on computer, is this within the organisation or elsewhere? If elsewhere, identify the third party storing the data, detailing where and how the data are stored.
Click or tap here to enter text.
If your data is being held by a third party, the third party is acting as a sub-processor. Ensure you complete the Using Sub-Processors section of this self-assessment to assess this relationship.
Question 14 / If information is stored manually, is this within the organisation or elsewhere? If elsewhere, identify the third party (sub-processor) storing the data, detailing where and how the data are stored.
Click or tap here to enter text.
If your data is being held by a third party, the third party is acting as a sub-processor. Ensure you complete the Using Sub-Processors section of this self-assessment to assess this relationship.
Question 15 / If your organisation processes sensitive personal data on behalf of a data controller, is such data stored separately from any other personal data or subject to any specific marking, security or handling rules/restrictions?
Click or tap here to enter text.
Question 16 / In what format or in what medium is the archived information stored?
Click or tap here to enter text.
Question 17 / Where is the archived information stored? If it is stored on third party premises, identify that third party and where and how it is stored.
Click or tap here to enter text.
If data is being held by a third party, the third party is acting as a sub-processor. Ensure you complete the Using Sub-Processors section of this self-assessment to assess this relationship.

E. SECURITY

Question 18 / Describe in outline the security procedures in operation in your organisation to keep all information processed on behalf of a data controller secure. Describe the physical, administrative and technological procedures used and any specific requirements each data controller may have.
Click or tap here to enter text.
Question 19 / Who has access to personal information within the organisation/outside the organisation?
Click or tap here to enter text.
Question 20 / Who authorises such access?
Click or tap here to enter text.
Question 21 / Do you have policies and procedures in place for detecting and dealing with breaches? If so, what are they?
Click or tap here to enter text.
Question 22 / How do you check that there has been no internal unauthorised access to personal data? What data audit facilities/mechanisms are in place?
Click or tap here to enter text.
Question 23 / Do you have policies and procedures in place for reporting breaches to the data controller? If so, what are they?
Click or tap here to enter text.
Under the GDPR, data breaches will need to be reported to the Commissioner’s Office within 72 hours of discovery by the data controller. Data processors will need to ensure they communicate any breaches or compromises of data to the data controller as soon as possible.

F. DESTRUCTION OF DATA AND TERMINATION OF CONTRACT

Question 24 / Under the contract with the data controller, are you responsible for the destruction of the data?
Click or tap here to enter text.
Question 25 / How is personal information destroyed?
Click or tap here to enter text.
Question 26 / Who authorises destruction? Who carries out destruction? What agreements are in place with contractors who provide shredding etc. facilities/services?
Click or tap here to enter text.
Question 27 / Are there clear instructions in the contract detailing what happens to the data at the end of the contract period?
Click or tap here to enter text.

G. USING SUB-PROCESSORS

Question 28 / Are any of your processing activities carried out by third parties (sub-processors)? List them and describe the processes and location of the provider and the data.
Click or tap here to enter text.
Question 29 / Who authorises these processing activities?
Click or tap here to enter text.
Article 28 states that a data processor shall not engage the services of another data processor as a sub-processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
Question 30 / Are written agreements in place covering these arrangements?
Click or tap here to enter text.
Each agreement will require review against the new requirements within the GDPR. Data processors become accountable and liable under the GDPR and as such may require extra information from data controllers to ensure they are compliant.
Data processors engaging the services of a sub-processor will also need to ensure sufficient guarantees of compliance are given by the sub-processor. In the event of a breach or data compromise, where a sub-processor has been contracted by a data processor, the data processor will hold liability for this.
Question 31 / Outline the security measures under which each sub-processor must operate.
Click or tap here to enter text.
Question 32 / Do the sub-processors used by your organisation use any other organisation to perform that service on their behalf? If so, list the organisation and any written arrangements in place with regards to the service these sub-contractors offer.
Click or tap here to enter text.
Under the GDPR, if a data processor employs another processor to perform a service on behalf of a data controller, they should obtain either specific or general written authorisation. The data processor with which the data controller has its agreement remains liable for the actions of any data processor to which it sub-contracts.

H. TRANSFERS OF PERSONAL DATA

Question 33 / Do you transfer data:
a. cross-departmentally; and/or
b. to third parties outside the organisation?
(See Note 4 in the Data Controllers’ Self-Assessment Notes for a definition of Transfer)
Click or tap here to enter text.
Question 34 / How is data transferred? (e.g. Encrypted email? Secure fax?)
Click or tap here to enter text.
Question 35 / In what countries are those people to whom you disclose the information (whether inside the organisation or external) located?
Click or tap here to enter text.
Question 36 / Where data is transferred outside the EEA, what measures are used to ensure compliance with the Eighth Data Protection Principle? (See Note 5 in the Data Controllers’ Self-Assessment Notes for a list of EEA countries and adequate countries)
Click or tap here to enter text.

I. TRAINING

Question 37 / Do the employees in your organisation receive training on data protection and other relevant law? If so, please describe the nature of the training given, when it is given and identify who is responsible for carrying out the training.
Click or tap here to enter text.
Question 38 / Are refresher courses held? If so, please describe the nature of the training given, when it is given, identify who is responsible for carrying out the training and who is directed to attend.
Click or tap here to enter text.
Question 39 / Are staff aware that unlawful access to and/or disclosure of personal data is prohibited?
Click or tap here to enter text.
Question 40 / Have the following attended a GDPR awareness session?
a. The Board
b. Senior management
c. Security/IT team
d. All other staff
Click or tap here to enter text.
