LogicQ Consulting - Self-scan GDPR [ENG]
Your details
Organisation
Website:
Your name
Your e-mail address *
Your telephone number:
Which questions would you like to have answered?
I would like to know more about the following topics? *
| | Yes | No | Other |
|---|---|---|---|
| A1.0 Does the organization know all information systems and locations where personal data is stored, on-premise and in the cloud (private/public)? | | | |
| A1.1 Does the organization have a retention policy for personal data? | | | |
| A1.2 Does the organization have technology to search for all information systems and locations where personal data is stored? | | | |

If other, please specify:
A.2: Data classification *
| | Yes | No | TBA |
|---|---|---|---|
| A2.0 Did the organization categorize the types (confidential, public) of personal data it uses? | | | |
| A2.1 Does the organization have technology to assist with data classification? | | | |
| A2.2 Is there a documented legal justification for using special categories of personal data (social security number, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health, sexual orientation)? | | | |

If other, please specify:
A.3: Use of personal data *
| | Yes | No | TBA |
|---|---|---|---|
| A3.0 Does the organization have a complete registration of how and where personal data is used? | | | |
| A3.1 Does the organization have technology in place to automate updates to the registration? | | | |

If other, please specify:
A.4: Privacy Notices *
| | Yes | No | TBA |
|---|---|---|---|
| A4.0 Does the organization provide data subjects, at the first point of contact, with privacy notices that describe how their personal data is used? | | | |

If other, please specify:
A.5: Consent *
| | Yes | No | TBA |
|---|---|---|---|
| A5.0 Can the organization obtain consent from data subjects prior to using their personal data? | | | |

If other, please specify:
A.6: Communication *
| | Yes | No | TBA |
|---|---|---|---|
| A6.0 Does the organization educate employees on privacy matters, and do they know how to act in case of a privacy incident? | | | |
| A6.1 Does the organization have a published way for data subjects to communicate with the organization on privacy matters or requests, such as erasure and objections? | | | |

If other, please specify:
A.7: Erase personal data *
| | Yes | No | TBA |
|---|---|---|---|
| A7.0 Can the organization locate and erase personal data on request? | | | |
| A7.1 Does the organization have technology in place to automate the requested data erasure? | | | |
To Be Answered [TBA] - Please specify this further for LogicQ Consulting
A.8: Provide personal data *
| | Yes | No | TBA |
|---|---|---|---|
| A8.0 Can the organization locate and provide the data subject with a copy of their personal data in a common, machine-readable format, such as an .xls or .xml file? | | | |
| A8.1 Does the organization have technology in place to automate the provision of the requested data? | | | |
To Be Answered [TBA] - Please specify this further for LogicQ Consulting
A.9: Data Protection Officer *
| | Yes | No | TBA |
|---|---|---|---|
| A9.0 Is there a person appointed as the Data Protection Officer (DPO)? | | | |
| A9.1 Is there a GDPR managed service, including a part-time Data Protection Officer (DPO)? | | | |
To Be Answered [TBA] - Please specify this further for LogicQ Consulting
Control
C.1: Privacy by design and default *
| | Yes | No | TBA |
|---|---|---|---|
| C1.0 Does the organization develop its processes, organizational structure and technology with privacy as a key component? | | | |
| C1.1 Does the organization have a policy to grant access to personal data according to the principle of least privilege? | | | |

If other, please specify:
C.2: Confidentiality, Integrity, and Availability *
| | Yes | No | TBA |
|---|---|---|---|
| C2.0 Does the organization have a risk inventory to identify the process, organizational structure and technology measures needed to protect the confidentiality, integrity, and availability (CIA) of personal data? | | | |

If other, please specify:
C.3: Secure IT-Infrastructure in place for: *
| | Yes | No | TBA |
|---|---|---|---|
| C3.0 Endpoint Protection Platform (anti-virus, anti-malware, blocking, encryption) | | | |
| C3.1 Enterprise Mobility Management (device and application management) | | | |
| C3.2 Application Security (vulnerabilities, behaviour, access) | | | |
| C3.3 Data Loss Prevention (blocking, encryption) | | | |
| C3.4 Next Generation Firewall (IP address, port, protocol, user, application) | | | |
| C3.5 Secure Email Gateway (email, virus, spam, content, black/white listing) | | | |
| C3.6 Secure Web Gateway (website, URL, content, black/white listing) | | | |
| C3.7 Intrusion Prevention System (network traffic, threat detection, behaviour analysis) | | | |
| C3.8 Identity & Access Management (authentication, authorisation, auditing) | | | |
| C3.9 Web Application Firewall (OWASP, SQL injection, cross-site scripting) | | | |
| C3.10 Backup & Recovery (file servers, databases, endpoints) | | | |
| C3.11 Security tooling (vendor specific, management, monitoring, logging) | | | |
| C3.12 Security Information & Event Management (vendor independent, monitoring, logging, correlation) | | | |

If other, please specify:
C.4: Detect, and respond to data breaches *
| | Yes | No | TBA |
|---|---|---|---|
| C4.0 Does the organization detect breaches of personal data? | | | |
| C4.1 Does the organization keep detailed records of data breaches? | | | |

If other, please specify:
C.5: Testing of security measures *
| | Yes | No | TBA |
|---|---|---|---|
| C5.0 Does the organization test its security measures? | | | |
| C5.1 Does the organization have technology in place to regularly test, assess, and evaluate its technical security measures? | | | |

If other, please specify:
R.1: Reporting
| | Yes | No | TBA |
|---|---|---|---|
| R1.0 Can the organization report all activities regarding personal data, such as the justification for use and the types of data used, and by whom? | | | |
| R1.1 Can the organization demonstrate its compliance with relevant codes of conduct and legislation? | | | |

If other, please specify:
| | Yes | No | TBA |
|---|---|---|---|
| R2.0 Does the organization have documentation of ongoing personal data transfers into and out of the EU? | | | |
| R2.1 Does the organization have technology in place to track and record geographical transfers of personal data, including to or from which country the data was transferred? | | | |

If other, please specify:
R.3: Flows of personal data to third-party service providers *
| | Yes | No | TBA |
|---|---|---|---|
| R3.0 Does the organization have documentation of the processes that transmit personal data to third-party service providers? | | | |
| R3.1 Does the organization embed personal data protection requirements in its contractual agreements with third-party service providers? | | | |

If other, please specify:
R.4: Privacy Impact Assessment *
| | Yes | No | TBA |
|---|---|---|---|
| R4.0 Does the organization perform a Privacy Impact Assessment (PIA) whenever it identifies a high-risk personal data processing activity? | | | |

If other, please specify: