General Data Protection Regulation Questionnaire

Introduction

Welcome to the GRCReady General Data Protection Regulation (GDPR) self-assessment questionnaires. The EU GDPR came into force on 25 May 2018 in response to Europeans wanting the same data protection rights across the EU regardless of where their data is processed. Personal Data includes: name, address, email address, phone number and anything else from which a person can be identified. It also extends to photos of people, as they can be identified from them. Also, if you collect information about health, children’s data, religious beliefs, ethnicity, political beliefs, etc., this is classified as Sensitive Data and requires extra care. Companies which reside outside the EU territory but provide their goods and services into European countries also need to implement a GDPR framework. Since the intention of the GDPR is to protect the personal data of EU citizens wherever it is held, there are strict requirements governing where personal data can be transferred to and the measures that must be in place for such a transfer to be legal. The penalties for contravening the GDPR are significant and care must be taken by your organisation to ensure it remains compliant with the law at all times.

For those organisations that are struggling to know where to start, we recommend completing our GDPR Readiness Assessment which will provide a quick ‘health check’ of current arrangements. For those organisations that have already committed to a GDPR management program, we recommend undertaking either the GDPR ‘light’ or ‘premium’ assessments which will help you assess the effectiveness of those areas where the GDPR applies and identify opportunities for improvement.

Option 1. GDPR ‘Readiness’ Assessment (Free)

To help you better understand your organisation’s current approach to the GDPR and identify steps to strengthen current arrangements, we have developed a free self-assessment questionnaire. The assessment allows organisations of all sizes to complete a suite of questions aligned to a globally recognised best practice governance framework, identify weaknesses in systems and gain access to pre-emptive solutions. The scorecard includes 10 self-assessment questions that assess your current control environment, approach to assessing data protection, key control activities and mechanisms for internal/external communication. The questionnaire should take no longer than 5 minutes to complete, following which you will receive a free concise report describing your current GDPR status and any critical exposures, with recommendations for reducing your GDPR compliance risk.

Option 2. GDPR ‘Light’ Assessment ($250)

Our GDPR ‘light’ assessment has been specifically designed to help you evaluate your organisation’s current level of personal data protection, identify any gaps or weaknesses, and assess the current level of compliance with the GDPR. The questions have been structured to help you assess your data processing activities, data transfers and approach to data privacy, and to highlight additional data security measures that you should consider implementing to create a more effective GDPR management program. The assessment includes 26 questions and should take you no longer than 10-15 minutes to complete. Once you have completed the questionnaire, you will be able to generate a visual picture of the state of your organisation’s GDPR compliance. You can then download a report summarising the maturity of your organisation’s GDPR arrangements, highlighting any potential weaknesses in your current GDPR management program and any compliance gaps that may expose the organisation to negative consequences. It can also help you evaluate if the business is ready to stand up to regulatory scrutiny.

Option 3. GDPR ‘Premium’ Assessment ($450)

For those organisations that are already well advanced in their GDPR management journey, we have developed a comprehensive self-assessment questionnaire consisting of 51 questions covering required GDPR procedures, enabling you to assess effectiveness and ensure alignment with the requirements of the GDPR. We have developed this questionnaire as a basis for the analysis, development and enhancement of a leading practice GDPR management program. The self-assessment should take you no longer than 20-30 minutes to complete and will provide a quick and easy evaluation to help you determine whether your GDPR management program is operating effectively or whether there is room for improvement. After completing the questionnaire, we will evaluate your responses and provide you with a personalised scorecard with recommended actions to help improve your GDPR practices. You can then download a comprehensive report summarising the maturity of your organisation’s GDPR arrangements, highlighting any potential weaknesses in your current GDPR management program and any compliance gaps that may expose the organisation to negative consequences. It can also help you evaluate if the business is ready to withstand regulatory scrutiny.

Why should I care about the General Data Protection Regulation?

First and foremost, because European data protection rules are extraterritorial. As such, they affect your European users as well as your business as a provider whose customers live in the EU countries. If you have interests in Europe or collect information from European users, you must protect their personal data. The GDPR rules are fairly complex and apply to all organisations; even those we don't typically think of as holding vast amounts of personal data are required to comply with the rules. Importantly, the penalties for breaking GDPR rules can range from written warnings to massive fines, depending on the specific rule in question. For the most serious offences, organisations can be liable for fines up to €20 million or 4 percent of their total revenue, whichever is higher. For a multibillion-dollar company like Facebook or Google, that adds up to hundreds of millions of dollars. Not every GDPR infraction warrants the steepest fines, which are reserved for ‘the most serious infringements,’ but even relatively modest fines could be potentially catastrophic for smaller organisations. One thing is clear: the EU is serious about enforcing its provisions, so organisations need to take extra care in meeting its strict requirements.

How to maximise value from the questionnaires

There are a number of ways to get the most out of the questionnaires. If you believe you have an informed perspective of the GDPR arrangements in your organisation, you can complete your own assessment of how your organisation’s GDPR program is performing. Alternatively, you can undertake the assessment with colleagues who have greater insight into the GDPR, such as the Data Controller/Processor or Data Protection Officer. There are also a number of free online live polling tools that you can use to enable others in the organisation to provide their informed view on the questions, which may provide a broader organisational perspective. Finally, you can undertake a facilitated assessment with your professional services provider. Using their anonymous voting software in a workshop setting, you and your team will get a more complete picture of your organisation’s approach to GDPR compliance.

We take data security seriously

The GRCReady environment has been designed and built to comply with the Center for Internet Security (CIS) Amazon Web Services Foundations Benchmarks and follows the ‘Secure by Design’ (SBD) principles, ensuring that security controls are implemented within and across each component layer. Rest assured that any personal information you provide by registering to complete these questionnaires, including your responses to the questions, will be protected by us in accordance with our privacy policy.

About the questionnaires

We use a five-point Likert scale ranging from 'strongly agree' to 'strongly disagree' to allow you to express how much you agree or disagree with a particular statement. You will need to register first in order to complete a questionnaire and view the scorecard showing the results of your assessment. The results will be accompanied by some general comments on potential actions that can be taken to improve GDPR practices in your business. The potential actions listed on the scorecard should not be construed as providing legal or commercial advice. They are the area(s) that have been identified where you may wish to seek professional advice, or purchase documents, tools and resources from the GRCReady library of GDPR products to support further work in those area(s).

Completion of any of the questionnaires will help identify areas where you could do with a little support as well as provide practical tips to help improve your GDPR management practices. With your permission, we may share the results of your GDPR questionnaire with your professional advisor to enable them to have an informed conversation to help improve your GDPR practices.

I consent to GRCReady sharing the results of my General Data Protection Regulation questionnaire with my professional adviser