Data protection checklist
Know your data
Are you posting personal data? Personal data is any data that relates to a living, identifiable individual.
Are you a ‘data controller’?
We decide what data we are collecting and what we do with it
We have self-assessed whether we need to register with the Information Commissioner’s Office
Know your high risk data
Are you posting ‘special category’ or ‘criminal convictions’ data? The data relates to an individual’s:
Have a good reason
What is our legal basis for posting the information online?
We have a legal obligation to post the information
We are a public authority and posting the information is part of our public task
We have a legitimate interest, balanced fairly against the rights and freedoms of the individual
We have obtained the individual’s informed, freely given, affirmative consent
If we are posting ‘special category’ or criminal convictions online, what is our additional legal basis for posting the information online?
We have obtained the individual’s explicit consent
The individual has clearly put the information in the public domain already
Keep it in scope, relevant and accurate
We are using the data only for our stated purposes
We are posting only the data that is relevant to the purpose, and is not excessive or more than we need
We have checked to ensure the data is accurate before posting
Take it down when you’re done
We keep the data no longer than is necessary
We have a retention policy based on legal or business requirements
Keep it safe
The website and/or platform we are posting data to has a robust firewall and up-to-date software
We have IT staff or a contracted IT service that assists with cyber security
Where we use third party social media platforms, we use strong, unique passwords and restrict access to trained staff
Our staff are trained and aware of data protection and IT security, including recognising phishing links, sending files encrypted and checking email recipients before sending
Be accountable
How can my organisation prove it is data protection compliant?
We have documented our data protection processes and procedures |
Tell people what you’re doing
How do I let people know how we process their data?
We have a privacy notice in place that states to individuals:
Let people find out more
Staff know how to recognise a data subject rights request (such as a data subject access request, DSAR) when it is received
The organisation knows how to deal with data subject rights requests
The organisation is able to remove or delete information that was provided on the basis of consent
Please attribute as: "Data protection checklist (2022) by Dr Kit Good, Naomi Korn Associates, supported by The National Lottery Heritage Fund, licensed under CC BY 4.0"