Appendix E. Checklist for corporate data protection

Technical Measures

Are there adequate technical safeguards against cyber intrusion?

(How)

Are there adequate technical measures to ensure the integrity and confidentiality of stored personal data?

Are there adequate technical measures to ensure the integrity and confidentiality of personal data during data processing?

Are there adequate technical measures to ensure the integrity and confidentiality of personal data when transferring data between systems or organizations?

Are there adequate technical measures to ensure the security of disposed documents that contain personal data?

Are surveillance systems used in a proper way?

Are tracking technologies used in a proper way?

Are portable data storage devices used in a proper way?

Organizational Measures

Are there adequate authentication procedures to verify and validate the identity of the data subjects and the accuracy of their personal data?

Is there a privacy policy?

Does the privacy policy comply with the requirements of the data protection regulation?

Is there adequate control of employees’ access to personal data?

Are there adequate resources to support corporate data protection activities?

Are there digital forgetting mechanisms that stipulate the data retention period and the data deletion procedures?

Is there adequate training of employees regarding compliance with internal guidelines as well as national regulations for data protection?

Is a data protection impact assessment carried out before data processing, in particular when using new technologies?

Are there regular and extensive checks on the effectiveness of the measures applied to ensure data security?

Is there adequate investigation of the data security of an organization before entering into an agreement or contract with it?

Is the collection of personal data, in particular sensitive data, limited to what is necessary in relation to the processing purposes?

Is personal data processed in line with the purpose of its original collection?

Are all data handling activities based on consent?

Are there proper procedures to obtain informed consent?

Are there adequate procedures to fulfil the data rights of the data subjects?

Is there adequate cooperation with the data protection authority?