Q1 Your business has conducted an information audit to map personal data flows.

Q2 Your business has documented what personal data you hold, where it came from, who you share it with and what you do with it.

Q3 Your business has identified your lawful bases for processing and documented them.

Q4 Your business has reviewed how you ask for and record consent.

Q5 Your business has systems to record and manage ongoing consent.

Q6 If your business relies on consent to offer online services directly to children, you have systems in place to manage it.

Q7 If you may be required to process data to protect the vital interests of an individual, your business has clearly documented the circumstances where it will be relevant. Your business documents your justification for relying on this basis and informs individuals where necessary.

Q8 If you are relying on legitimate interests as the lawful basis for processing, your business has applied the three part test and can demonstrate you have fully considered and protected individual’s rights and interests.

Q9 Your business is currently registered with the Information Commissioner's Office.

Q10 Your business has provided privacy information to individuals.

Q11 If your business offers online services directly to children, you communicate privacy information in a way that a child will understand.

Q12 Your business has a process to recognise and respond to individuals' requests to access their personal data.

Q13 Your business has processes to ensure that the personal data you hold remains accurate and up to date.

Q14 Your business has a process to securely dispose of personal data that is no longer required or where an individual has asked you to erase it.

Q15 Your business has procedures to respond to an individual’s request to restrict the processing of their personal data.

Q16 Your business has processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.

Q17 Your business has procedures to handle an individual’s objection to the processing of their personal data.

Q18 Your business has identified whether any of your processing operations constitute automated decision making and have procedures in place to deal with the requirements.

Q19 Your business has an appropriate data protection policy.

Q20 Your business monitors your own compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls.

Q21 Your business provides data protection awareness training for all staff.

Q22 Your business has a written contract with any processors you use.

Q23 Your business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.

Q24 Your business has implemented appropriate technical and organisational measures to integrate data protection into your processing activities.

Q25 Your business understands when you must conduct a DPIA and has processes in place to action this.

Q26 Your business has a DPIA framework which links to your existing risk management and project management processes.

Q27 Your business has nominated a data protection lead or Data Protection Officer (DPO).

Q28 Decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.

Q29 Your business has an information security policy supported by appropriate security measures.

Q30 Your business has effective processes to identify, report, manage and resolve any personal data breaches.

Q31 Your business ensures an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Economic Area.