- What personal data have we collected/stored?
- Have we obtained it fairly?
  Do we have the necessary consents required, and were the data subjects informed of the specific purpose for which we’ll use their data? Were we clear and unambiguous about that purpose, and were they informed of their right to withdraw consent at any time?
- Are we ensuring that we are holding it for the length of time that is required and keeping it up-to-date?
- Are we keeping it safe and secure using a level of security appropriate to the risk?
  For example, is either encryption or pseudonymization required to protect the personal data we hold? Are we limiting access to ensure it is only being used for its intended purpose?
- Are we collecting or processing any special categories of personal data, such as ‘Sensitive Personal Data’, children’s data, biometric or genetic data, etc., and if so, are we meeting the standards required to collect, process and store it?
- Are we transferring the personal data outside the EU and if so, do we have adequate protections in place?