Take the GDPR Readiness Quiz!
The Data Protection Act is going to be replaced by new legislation, the General Data Protection Regulation (GDPR), adopted by the EU in 2016 and applying from 25 May 2018. Take our quick self-assessment to see how you’ll measure up against the new regime:
There are 6 questions in the quiz.
Question 1: How prepared are you for the imminent changes to the UK Data Protection laws?
- We have been tracking GDPR for several years, we understand its requirements and how they impact on our operation, and we have a task force ready to implement the changes once the regulation becomes law. Choose A
- We’re aware that the GDPR has passed through the European Parliament and have a broad understanding of what we’ll have to change in order to comply with the new requirements. Choose B
- We’re aware of GDPR and have decided not to commit any resource to exploring its impact on our organisation until the Brexit situation becomes clearer. Choose C
- We’ve heard about the new regulations and know that we’ll have to make major changes to the way we operate, but we’ve not really looked into it in any great depth. Choose D
- We’re not aware of the changes to the law. Choose E
Question 2: How well will you cope with the new mandatory breach notification rules? (GDPR requires that a personal data breach is reported to the regulator within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals’ rights and freedoms.)
- We have existing methodologies for detecting information security breaches, reporting them, investigating them internally, and implementing corrective action. We foresee no problem in extending our regime to informing the regulator within 72 hours of becoming aware of a security breach under the new legislation. Choose A
- Our current breach identification/management arrangements are good and will be amended to meet the 72-hour rule imposed under GDPR. Choose B
- We have started to plan for the new rules and will be ready when GDPR applies in the UK, but we plan to get specialist advice to help us. Choose C
- It is difficult to monitor our current IT systems and network infrastructure and our culture will need nurturing in breach identification and reporting. We are going to have to make some major investment decisions soon so that we will be ready for the new rules. Choose D
- We’ve not really thought about the new breach notification rules and haven’t really looked into what GDPR brings into law. Choose E
Question 3: How easily will you meet the new data protection officer provisions?
- We already have a data protection team led by a professionally qualified data protection officer (DPO), which will be consistent with GDPR requirements. Choose A
- We have a plan to recruit a professionally qualified DPO and don’t foresee any real issues finding the right person. Choose B
- We have someone part-time looking after data protection as part of their other duties but it’s unlikely that this will be sufficient to meet GDPR so we plan to outsource this function to a data protection management professional services firm. Choose C
- The person who looks after data protection currently will be trained up to be the DPO required by GDPR. We’ll switch their contract to the appropriate level and with the appropriate protections. Choose D
- We are confident that we will be exempt from having a mandatory DPO (GDPR requires one for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data). Choose E
Question 4: How likely are you to comply with the requirement of good information governance?
- We have a documented system for managing all of the processing of personal information that we or our contracted processors undertake, akin to BS 10012, and foresee no problem in amending this system to cater for the requirements of the new legislation. Choose A
- We’ve got other compliance systems in place, such as ISO 9001 or PCI DSS, and plan to implement BS 10012 soon to give us control. Choose B
- We’re planning on engaging with a specialist data protection consultant soon to help us to develop and implement an action plan to ensure we have sufficient systems and controls to make sure that we are compliant when the new rules apply. Choose C
- We don’t have many policies and procedures defining our information processing activities and will engage with a specialist consulting firm to help us implement whatever the new law requires during the run-in period. Choose D
- We’ve not really thought about what we need to do to be able to demonstrate good information governance under the new rules. Choose E
Question 5: How well will you handle the changes to consent?
- We have a register of information assets and understand exactly what data we hold and how we came to be processing it. We know exactly what each data subject has consented to, and will have no problem extending our system to manage the new categories of personal information, satisfying the new, stricter definition of “consent” and the tighter restrictions it places on the use of data, or implementing the new rights such as the right to erasure (the “right to be forgotten”). Choose A
- We know which of our current business operations will not be lawful under the new legislation and have a plan in place to make appropriate changes to either stop particular operations or to change them to make them lawful under the new law so that we are compliant well in advance of the deadline. Choose B
- We’re planning to engage with a specialist consulting firm to help us to investigate what we need to change to make sure that our data collection and usage is lawful under the new rules. Choose C
- We don’t have any documented register of where our information is or what each person signed up to when we acquired their data, but we have an action plan that we are implementing to make sure we are compliant. Choose D
- We’ve not really looked at GDPR and don’t know if our data capture or usage will be lawful under the new legislation. Choose E
Question 6: How well will your organisation meet the requirements for a structured methodology for data protection and information risk management?
- We already have a methodology for assessing and recording data protection impact risks, and our data protection team is involved in all major projects to ensure we “bake in” privacy assurance to our operations. Choose A
- We have a disciplined culture used to working within a structured, policy-driven environment. We currently don’t undertake any privacy impact assessments, hold an information risk register, or adopt a privacy-by-design approach, but we feel confident that we can introduce these measures in time to comply with GDPR. Choose B
- We are aware of what we need to do to comply with GDPR and have an action plan that we are implementing. Choose C
- We currently don’t have any information or data protection compliance risk arrangements in place that will meet the requirements of GDPR, but we’re planning to look at information risk management soon so that we are ready for when GDPR applies. Choose D
- We’ve not looked at the impact of GDPR on our organisation. Choose E
Mostly “A”: It looks like you have a structured programme of work in place to ensure you meet the new rules on time. However, it might be worthwhile getting a second opinion on some elements.
Mostly “B”: If you’re going to get everything in place on time, you may need to engage with a professional data protection consulting practice to add more pace where needed.
Mostly “C”: We’d love to talk to you about your plans and pitch for the work to help you.
Mostly “D” or “E”: The General Data Protection Regulation will have a huge impact on every organisation in Europe, and on any organisation outside Europe that processes the personal data of people in the EU. You need to get up to speed with it straight away and assess what you’ll need to change to be compliant with the new law if you are to avoid the massively increased fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher) that the ICO will be able to impose under its new remit.