Apart from your regular review of the Compliance section of the app, here are some additional pointers to consider when reviewing your overall data protection compliance program.
App features
Are you now transferring personal data outside the EU? Is your organisation doing any automated decision making, including profiling? Perhaps you are required to do DPIAs? Have you selected these features under Organisation / Subscription?
Notifications
Have the relevant notification preferences been set up, in particular, for the purposes of this review, ‘To do a complete compliance review’? What about the other preferences, such as ‘Processor contract expiry’?
DPO
Has anything changed to the effect that you now need to appoint a DPO? Have the details of your current DPO changed – if so, have you updated the supervisory authority?
Data Mapping
Operationally, has anything changed in the organisation which might require updating in data mapping? New data subject types, different processing purposes, different retention periods, new processors etc.? Make the changes and don’t forget to click ‘Publish’ in your privacy notices under Governance.
Consent
Where you use consent as a lawful basis, is it still appropriate? Have you taken into account any objections? Are you providing the proper mechanisms for people to provide (opt-in) or withdraw (opt-out etc.) their consent? Should any previously obtained parental consent be reviewed now that the child is an adult?
Legitimate interests
Where you use legitimate interests as a lawful basis, is it still appropriate? Do you keep a record of your legitimate interest impact assessment?
Governance
Is the email address to which your online subject access requests are sent still valid? Look under Governance / Your Website. Are there any Custom documents that you could add to your library?
Employees
Is it time to resend certain documents? Are there employees to add or remove from your listing? Have employees been trained to recognise subject access requests? Have the relevant employees/stakeholders been trained in the management of responses to data security incidents?
Processors
Are they all updated with contract start and end dates? Otherwise the contract expiry notification won’t work. Are they all signed, or at least those that can be signed? If you are now transferring personal data outside the EU, have you entered the relevant lawful basis into the processor contract form?
Breach Management
Have the appropriate staff received recent training in this process? Are there any matters outstanding in ‘open’ incidents? Are there any ‘open’ incidents that should be closed? Are there any breaches that have yet to be reported?
Reports
Are you regularly printing and storing copies of your Records of Processing Activities Report and your Readiness Assessment?
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018