Have you registered (notified) with the Information Commissioner?
What is notification?
Is there clear accountability for ensuring data protection compliance in your organisation – e.g. a data protection officer, or someone else with responsibility for compliance; confidentiality clauses in all employee contracts?
Do you have a data protection policy, or do your existing policies (e.g. HR, ICT) sufficiently address data protection?
Do you have policies and procedures in place to handle requests for personal information – from both individuals (subject access requests) and from other organisations (such as the police)?
Do these ensure the appropriate checks and balances are in place to provide access where appropriate but maintain privacy when required?
Do you collect personal information fairly – from customers, service users and/or employees?
Do you use ‘privacy notices’ or other means of informing them what will happen to their personal information – e.g. when collecting information via your website or on application forms?
Do you have policies and procedures to help ensure you maintain the accuracy of personal information, and that it is not kept for longer than is necessary?
Have you implemented both technical measures (e.g. encryption; firewalls) and organisational measures (policies, procedures and training) that provide appropriate security for the personal information you are responsible for?
Could you show that all ‘reasonable steps’ have been taken to reduce the risk of a serious data protection breach?
If you use external providers to deliver services on your behalf (and these services involve personal information e.g. HR, ICT, marketing, cleaners or waste disposal) do you have a contract in writing which requires them to protect the personal information to the same standard as you?
Have you provided adequate data protection training – at induction, and annually – to your employees and any temporary staff who handle personal information? And could you provide evidence of this?
Do I have to train temporary staff?
Do you send personal information outside of the EU?
If so, have you implemented measures to ensure the protection of that information – e.g. assessed adequacy; used model contract clauses; relied on an exemption?