What would you say? 20 questions from the ICO

What would you say? 20 questions from the ICO

The findings from the ICO’s latest Information Risk reviews highlight the many and varied areas that data protection risk touches upon.

We turned the findings into the 20 key questions you should ask yourself about data protection at your organisations.

  1. Do you have a clear Data Protection Policy framework and supporting procedures that have a consistent format and includes details on how the policies work together?
  2. Do you have records showing clear governance structures in place, with delegated responsibility from the board / Trustees down?”
  3. Do you have formalised working groups in order to ensure strategic (corporate) oversight of data protection going forward, and documented programmes of work with progress reported on to ensure their effectiveness?
  4. Has your Data Protection Policy (and any supporting policies and procedures) been signed off by either senior management and/or the board / Trustees?
  5. Is there any agreed approach to monitoring and reporting on compliance?
  6. Do you provide training to staff and volunteers before they collect, access or use personal data?
  7. Do you provide annual refresher training?
  8. Do you provide specialist training, based on a training needs analysis?
  9. Have you reviewed the functionality of existing systems, and will you ensure future procurement of new systems, follow the Data Protection by Design and Default requirements of the GDPR?
  10. Do you have a record retention schedule, and are processes in place to review and dispose of records that exceed their retention period?
  11. Do you have contracts with all suppliers; do they contain the required data protection clauses, and do you review whether suppliers are following your data protection requirements?
  12. Do you have a clear, documented approach to authorising privacy notices and privacy information before it goes live, to ensure a consistent and co-ordinated approach to providing privacy information at all points of data collection (all forms, both paper and electronic; face-to-face and verbal collections)?
  13. When used together, do your privacy notices and privacy policy provide all the privacy information required by the GDPR?
  14. Do you have a clear, documented approach to Direct Marketing, addressing, for example, decisions on whether consent or legitimate interests should be used for postal and live phone calls?
  15. Does your databases/customer relationship marketing (CRM) system maintain an audit trail demonstrating how and when consent was given, with reference to the relevant marketing campaign and privacy notice provided, alongside a copy of the relevant consent form?
  16. Do you have clear processes for handling individual requests objecting to Direct Marketing, and/or seeking erasure of their personal data?
  17. Have you started (or do you plan to start) data audits / reviews to establish what data is held and how it flows into, around and out of your organisation?
  18. Have you created your Record of Processing Activity (ROPA)?
  19. Do you have clear procedures for handling data breaches, including maintaining an incident log and process to assess risk in order to report breaches when required?
  20. Do you securely dispose of confidential data?


Subscribers, please log a helpline ticket if you wish to discuss how your subscription can support you to response to each question.

Non-subscribers, please call us on 020 3691 5731 to learn more about our subscriber and modules of support, or find more details here.