Questions

A1.1 What is your organisation's name (for companies: as registered with Companies House)?

Your business documents procedures to determine, collect and analyse appropriate data to demonstrate the suitability, adequacy and effectiveness of the Quality Management System. These procedures include the determination of appropriate methods, statistical techniques and the extent of their use.

The analysis of data includes data generated as a result of monitoring and measurement, and from other relevant sources include, at a minimum, input from:

• feedback;
• conformity to product requirements;
• characteristics and trends of processes and product, including opportunities for improvement;  
• suppliers;
• audits; and,
• service reports, as appropriate.

Your business ensures that if analysis of data shows that the Quality Management System is not suitable, adequate or effective, then this analysis is used to the improve production processes as required. 

Your business maintains records of the results of any analysis.

Your business performs rework in accordance with documented procedures that takes into account the potential adverse effect of the rework on the product. These procedures undergo the same review and approval as the original procedure. 

Your business ensures that after the completion of any rework, the product is verified to ensure that it meets all applicable acceptance criteria and regulatory requirements. 

Your business ensures that all records of rework are maintained.

Your business ensures that product which does not conform to product requirements is identified and controlled to prevent its unintended use or delivery. Your organisation documents a procedure to define the controls and related responsibilities and authorities for the identification, documentation, segregation, evaluation and disposition of the nonconforming product.

Your business, as part of the evaluation of nonconformity, determines the need for an investigation and notification of any external party responsible for the nonconformity.

Your business maintains records of the nature of all nonconformities and any subsequent action taken, including the evaluation, any investigation and the rationale for any decisions taken.

Your business maintains evidence to demonstrate the product conforms to the acceptance criteria. The identity of the person authorising release of product is recorded. As appropriate, records identify the test equipment used to perform measurement activities.

Product release and service delivery does not proceed until the planned and documented arrangements have been satisfactorily completed.

For implanted medical devices your business records the identify of personnel performing any inspection or testing.

Your business has management responsible for the area being audited who ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities include the verification of the actions taken and the reporting of verification results.

Your business conducts internal audits at planned intervals to determine whether the Quality Management System:

• conforms to planned and documented arrangements, requirements of this International Standard, and Quality Management System requirements established by your organisation, and applicable regulatory requirements;
• additionally, is effectively implemented and maintained.

Your business documents the procedure to describe the responsibilities and requirements for planning and conducting internal audits and recording and reporting audit results.

If your business is governed by regulatory requirements that require notification of complaints that meet specified reporting criteria of adverse events or the issue of advisory notices, your business has documented procedures for providing notification to the appropriate Regulatory authorities.

Records of the reporting to the regulatory authorities are maintained.

The procedures for complaint handling include at a minimum, requirements and responsibilities for:

• receiving and recording information;
• evaluating information to determine if the feedback constitutes a complaint;
• investigating complaints;
• determining the need to report the information to the appropriate regulatory authorities;
• handling of complaint-related product; and,
• determining the need to initiate corrections or corrective actions.

If any complaint is not investigated, the justification for the decision is documented. Any correction or corrective action resulting from the complaint handling process is also be documented.

If an investigation determines activities outside your organisation contributed to the complaint, relevant information should be exchanged between your organisation and the external party involved, a record of the investigation/exchange are maintained.

All complaint handling records are maintained.

Your business, as one of the measurements of the effectiveness of the quality management system, gathers and monitors information relating to whether your organisation has met its customer requirements. The methods for obtaining and using this information are documented.

Your business documents procedures for the feedback process. This feedback process includes provisions to gather data from production as well as post-production activities.

The information gathered in the feedback process serves as potential input into risk management for monitoring and maintaining the product requirements as well as the product realisation or improvement processes.

If applicable, regulatory requirements may require your organisation to gain specific experience from postproduction activities, your review of this experience should form part of the feedback process.

Your business plans and implements the monitoring, measurement, analysis and improvement processes needed to:

• demonstrate conformity of product;
• ensure conformity of the Quality Management System; and to,
• maintain the effectiveness of the Quality Management System.

This includes the determination of appropriate methods, including statistical techniques, and the extent of their use.

Your business plans and documents arrangements for the control of contaminated or potentially contaminated product in order to prevent contamination of the work environment, personnel, or product.

Where sterile medical devices are used, your business documents requirements for control of contamination with microorganisms or particulate matter, and maintains the required cleanliness during assembly or packaging processes.

Your business documents the requirements for health, cleanliness and clothing of personnel if contact between such personnel and the product, or work environment, could affect medical device safety or performance.

Your business ensures that all personnel who are required to work temporarily under special environmental conditions within the work environment, are competent or supervised by a competent person.

Your business documents the requirements for the work environment needed to achieve conformity to product requirements.

Where the conditions in the work environment can have an adverse effect on product quality, your business also documents the requirements for the work environment, and the procedures to monitor and control the work environment.

Your business provides training or takes other actions to achieve or maintain the necessary competences. The provision of training or other actions taken is evaluated to ensure it is effective.

Your business documents the requirements for the infrastructure needed to:

• achieve conformity to product requirements;
• prevent product mix-up; and,
• ensure orderly handling of product.

Infrastructure includes:

• buildings, workspace and associated utilities;
• process equipment (both hardware and software);
• supporting services (such as transport, communication, or information systems).

Your business documents the requirements for infrastructure maintenance activities, including the interval of performing the maintenance activities, when such maintenance activities, or lack thereof, that can affect product quality. These requirements apply to equipment used in production, the control of the work environment, and monitoring and measurement.

These infrastructure maintenance records are maintained.

Sufficient resources are determined and provided to implement the Quality Management System and to maintain its effectiveness. 

Records of the results and conclusion of all validation arising from the control of monitoring and measuring equipment, and necessary actions from the validation, including the validation of computer software used for monitoring and measurement of requirement, are maintained.

To ensure valid results, your business ensures measuring equipment:

• is calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards. When no such standards exist, the basis used for calibration or verification is recorded;
• is adjusted or re-adjusted as necessary. Such adjustments or re-adjustments are recorded;
• has identification in order to determine its calibration status;
• is safeguarded from adjustments that would invalidate the measurement result; and
• is protected from damage and deterioration during handling, maintenance and storage.

Your business performs calibration or verification in accordance with the documented procedures.

Additionally, your business assesses and records the validity of the previous measuring results when the equipment is found not to conform to requirements and takes appropriate action in regard to the equipment and any product affected.

Records of the results of calibration and verification are maintained.

Your business determines the monitoring and measurements to be undertaken, and the monitoring and measuring equipment needed to provide evidence of conformity of product to determined requirements.

Your business documents procedures to ensure that monitoring and measurements can be carried out, and are carried out in a manner that is consistent with the monitoring and measurement requirements.

Your business requires suppliers of distribution services or distributors to maintain records of the distribution of medical devices, to allow traceability and that these records are available for inspection.

Your business requires these organisations to record the names and addresses of the shipping package consignees, and these records are maintained.

Your business identifies, verifies, protects, and safeguards customer property provided for use, or incorporation into the product, while it is under your organisation’s control or being used by your organisation. If any customer property is lost, damaged or otherwise found to be unsuitable for use, your business reports this to the customer and maintains records.

Your business documents procedures for preserving the conformity of product to specific requirements during processing, storage, handling, and distribution. Preservation applies to all the constituent parts of a medical device.

Your business protects products from alteration, contamination or damage when exposed to expected conditions and hazards during processing, storage, handling, and distribution by:

• designing and constructing suitable packaging and shipping containers;
• documenting requirements for special conditions needed if packaging alone cannot provide preservation.

If special conditions are required, they are controlled and recorded with the appropriate records being maintained.

Your business documents procedures for traceability. These procedures define the extent of traceability in accordance with applicable regulatory requirements and the records maintained. The records required for traceability include records of components, materials, and conditions for the work environment used, where these could cause the medical device not to satisfy its specified safety and performance requirements.

Your business records the names and addresses of the shipping package consignees, and these records are maintained.

Your business documents procedures for product identification, and identifies products by suitable means throughout product realisation.

Your business identifies product status with respect to monitoring and measurement requirements throughout product realisation. Identification of product status is maintained throughout production, storage, installation and servicing of product to ensure that only product that has passed the required inspections and tests, or released under an authorised concession, are dispatched, used or installed.

If required by applicable regulatory requirements, your business documents a system to assign unique device identification to the medical device.

Your Business documents procedures for the validation of processes for sterilisation and sterile barrier systems.

Processes for sterilisation and sterile barrier systems are validated prior to implementation and following product or process changes, as appropriate.

Records of the results and, conclusion of validation and necessary actions from the validation are maintained.

Your business undertakes validation for any processes for production and service provision where the resulting output cannot be or is not verified by subsequent monitoring or measurement and, as a consequence, deficiencies become apparent only after the product is in use or the service has been delivered. Validation demonstrates the ability of these processes to achieve planned results consistently. 

Documented procedures for validation of processes, include:

• a defined criteria for review and approval of the processes;
• equipment qualification and qualification of personnel;
• use of specific methods, procedures and acceptance criteria;
• where appropriate, statistical techniques documenting the rationale for sample sizes;
• requirements for records;
• revalidation, including criteria for revalidation; and,
• approval of changes to the processes.

Records of the results and conclusions of validation and the necessary actions from the validation are maintained.

Your business documents procedures for the validation of the application of computer software used in production and service provision. Such software applications are validated prior to initial use and, as appropriate, after changes to such software or its application. The specific approach and activities associated with software validation and revalidation are proportionate to the risk associated with the use of the software, including the effect on the ability of the product to conform to specifications.

Your business records of the results and conclusions of validation of processes for production and service provision, and the necessary actions resulting from the validation are be maintained.

Your business documents the requirements for medical device installation and as well as the acceptance criteria for verification of installation.

If your agreed customer requirements allow installation of the medical device to be performed by an external party (other than your business or its supplier), you provide documented requirements for medical device installation and verification of installation.

Your business maintains records of medical device installation and verification of installation performed by your business or its supplier.

If servicing of the medical device is a specified requirement, then servicing procedures, reference materials, and reference measurements, as necessary, for performing servicing activities, and procedures for verifying that the product requirements are met, are all documented.

Your business analyses records of servicing activities carried out by your business or its supplier:

• to determine if the information is to be handled as a complaint; and,
• as appropriate, for input to the improvement process.

Records of servicing activities carried out by your business or its supplier are maintained.

Your business documents procedures to control design and development changes. Your business determines the significance of the change to function, performance, usability, safety and applicable regulatory requirements for the medical device and its intended use.

Your business identifies changes to design and development changes, before they are implemented the changes are:

• reviewed;
• verified;
• validated (as appropriate), and;
• approved.

The review of design and development changes include evaluation of the effect of the changes on constituent parts and product in process or already delivered, inputs or outputs of risk management and product realisation processes.

Records of changes, their review and any necessary actions are maintained.

Your business establishes and implements the inspection or other activities necessary for ensuring that purchased product meets specified purchasing requirements. The extent of verification activities are based on the supplier evaluation results and are proportionate to the risks associated with the purchased product.

Purchasing information that allows traceability of product is maintained by your business, which includes relevant purchasing information in the form of documents and records.

Your business plans production and service provision, which is carried out, monitored and controlled to ensure that product conforms to specification. Production controls include (where appropriate), but are not limited to:

• documentation of procedures and methods for the control of production;
• qualification of infrastructure;
• implementation of monitoring and measurement of process parameters and product characteristics;
• availability and use of monitoring and measuring equipment;
• implementation of defined operations for labelling and packaging; 
• implementation of product release, delivery and post-delivery activities.

Your business has established and maintains a record for each medical device, or batch of medical devices, that provides traceability, identifies the amount manufactured and amount approved for distribution. These records are verified and approved.

Your business has a system in place to identify any changes to the purchased product, and when these changes to the purchased product are identified, it can determined whether these changes will affect the product realisation process or the medical device. This determination is documented.

Your business undertakes planned monitoring and re-evaluation of suppliers. Supplier performance in meeting requirements for the purchased product is also monitored.

The results of the monitoring provide an input into the supplier re-evaluation process. 

Your business monitors and addresses the non-fulfilment of purchasing requirements with the supplier proportionately to the risk associated with the purchased product and compliance with applicable regulatory requirements.

As part of the purchase process, your business maintains records of the results of any evaluation, selection, monitoring and re-evaluation of supplier capability or performance and any necessary actions arising from these activities.

Your business documents procedures for transfer of design and development outputs to manufacturing. These procedures must ensure that design and development outputs are verified as suitable for manufacturing before becoming final production specifications and that production capability can meet product requirements.

The results and conclusions of the transfer is recorded and these records are maintained. 

Your business documents the procedures to ensure that purchased product conforms to specific purchasing information.

Your business has an established criteria for the evaluation and selection of suppliers. The evaluation and selection of suppliers is based on the:

• supplier’s ability to provide product that meets your business’s requirements;
• performance of the supplier;
• effect of the purchased product on the quality of the medical device; and,
• be proportionate to the risk associated with the medical device.

In planning product realisation, your business determines the following (where appropriate):

• quality objectives and requirements for the product;
• the need to establish processes and documents, and provides resources specific to the product, including infrastructure and work environment;
• the required verification, validation, monitoring, measurement, inspection and test, handling, storage, distribution and traceability activities specific to the product together with the criteria for product acceptance; 
• the records needed to provide evidence that the realisation processes and resulting product meet requirements.

Your business documents the output of this planning in a form suitable for the business's method of operations.

Your business determines the requirements related to the product (customer related processes):

• the requirements specified by the customer, including the requirements for delivery and post-delivery activities;
• requirements not stated by the customer but necessary for the specification or intended use, as known;
• any applicable regulatory requirements related to the product;
• any user training necessary to ensure specified performance and safe use of the medical device; and,
• any additional requirements determined by the business.

Your business undertakes design and development validation which is performed in accordance with planned and documented arrangements to ensure that the resulting product is capable of meeting the requirements for the specified application or intended use.

Your business documents validation plans that include methods, acceptance criteria and, as appropriate, statistical techniques with the rationale for sample size.

Your business reviews the requirements related to the product (customer related requirements). These reviews are conducted prior to your business's commitment to supply the product to the customer (e.g. submission of tenders, acceptance of contracts or orders, acceptance of changes to contracts or orders).

Your business ensures that these reviews ensure that:

• product requirements are defined and documented;
• contract or order requirements differing from those previously expressed are resolved;
• any applicable regulatory requirements are met;
• any user training that has been identified is available or planned for; and,
• your business has the ability to meet the defined requirements.

Your business records of the results of the review and any actions arising from the review, these are maintained.

When the customer provides no documented statement of requirement, the customer requirements are confirmed by the business before acceptance. 

Your business maintains records to identify the inputs needed to meet the product requirements, and how these are determined.

These design and development inputs include:

• functional, performance, usability and safety requirements, according to the intended use;
• applicable regulatory requirements and standards;
• applicable output(s) of risk management;
• information derived from previous similar designs (where appropriate); and,
• other requirements essential for design and development of the product and processes.

These inputs are reviewed for adequacy and approved.

Your business ensures that the design and development inputs are complete, unambiguous, able to be verified or validated, and not in conflict with each other.

Your business has a suitable system in place to monitor design and development outputs, to ensure they:

• meets the input requirements for design and development;
• provide the appropriate information for purchasing, production and service provision;
• contain or reference product acceptance criteria; and,
• specify the characteristics of the product that are essential for its safe and proper use.

Your business ensures that the outputs of design and development are in a form suitable for verification against the design and development inputs, and are approved prior to release.

Your business documents and maintains records of the design and development outputs.

Your business, at suitable stages, systematically reviews design and development, in accordance with planned and documented arrangements, to evaluate the ability of the results of design and development to meet requirements, and to identify and propose any necessary actions.

Participants involved in such reviews include representatives of functions concerned with the design and development stage being reviewed, as well as other specialist personnel.

Your business maintains records of the results of Design and Development Reviews and any necessary actions, this includes the identification of the design under review, the participants involved and the date of the review.

Your business undertakes design and development verification in accordance with planned and documented arrangements to ensure that the design and development outputs have met the design and development input requirements.

Your business documents verification plans that include methods, acceptance criteria and, as appropriate, statistical techniques with rationale for sample size.

Where the intended use requires that the medical device be connected to, or have an interface with, other medical device(s), verification includes confirmation that the design outputs meet design inputs when connected or interfaced.

Your business records and maintains results and conclusions of any verifications undertaken, together with any necessary actions undertaken.

As part of design and development validation, your business performs clinical evaluations or performance evaluations of the medical device in accordance with applicable regulatory requirements. A medical device used for clinical evaluation or performance evaluation is not considered to be released for use to the customer.

If the intended use requires that the medical device be connected to, or have an interface with, other medical device(s), validation includes confirmation that the requirements for the specified application or intended use have been met when so connected or interfaced.

Validation is completed prior to release for the use of the product to the customer.

Records of the results and conclusions of validation and necessary actions are maintained.

Your business documents validation plans that include methods, acceptance criteria and, as appropriate, statistical techniques with the rationale for sample size.

When product requirements are changed (customer related process), your business has processes in place to ensure that the relevant documents are amended, and that relevant personnel are made aware of the changed requirements.

Your business reviews the requirements related to the product. These reviews are conducted prior to your business's commitment to supply the product to the customer (e.g. submission of tenders, acceptance of contracts or orders, acceptance of changes to contracts or orders).

Your business plans and develops the processes needed for product realisation. Planning of product realisation is consistent with the requirements of the other processes of the Quality Management System.

The output from Management Reviews are recorded, this includes the inputs reviewed, any decisions and actions relating to:

• improvements needed to maintain the suitability, adequacy, and effectiveness of the Quality Management System and its processes;
• improvement of product related to customer requirements;
• any changes needed to respond to applicable new or revised regulatory requirements; and,
• any resources needs.

The Management Review, includes as a minimum, reviewing information arising from: feedback, complaint handling, reporting to regulatory authorities, audits, monitoring and measurement of processes, monitoring and measurement of product, corrective action, preventive action, follow-up actions from previous management reviews, changes that could affect the Quality Management System, recommendations for improvement, and applicable new or revised regulatory requirements.

The procedures for Management Reviews are documented. Top management reviews the business’s Quality Management System at documented planned intervals, to ensure its continuing suitability, adequacy and effectiveness. The Review includes an assessment of the opportunities for improvement and the need to change to the Quality Management System, including quality policy and quality objectives.

Records from management reviews are maintained. 

Top management ensures that appropriate communication processes are established within the busines, and that communication takes place regarding the effectiveness of the Quality Management system.

Top management have appointed a member of management who, irrespective of other responsibility, has the responsibility and authority for ensuring that processes needed for the Quality Management System are documented. They report to top management on the effectiveness of the Quality Management System and any need for improvement. They also ensure the promotion of awareness of the applicable regulatory requirements and Quality Management System requirements throughout the organisation.

Top management ensures that responsibilities and authorities of personnel are defined, documented and communicated within the organisation.

Additionally, top management documents the interrelation of all personnel who manage, perform and verify work affecting quality. They also safeguard the independence and authority necessary to perform these tasks.

Your top management ensures that the planning of the Quality Management System is carried out in order to meet the general requirements of the Quality Management System as well as the quality objectives.

The integrity of the Quality Management System is maintained when changes to the Quality Management System are planned and implemented.

Your top management ensures that quality objectives, including those needed to meet applicable regulatory requirements and requirements for product, are established at the relevant functions and levels within the organisation.

The quality objectives are measurable and consistent with the quality policy.

Your top management ensures that the Quality Policy:

• is applicable to the purpose of the organisation;
• it includes a commitment to comply with any requirements and to maintain the effectiveness of the Quality Management System;
• provides a framework for establishing and reviewing quality objectives;
• is communicated and understood within your business; and,
• is reviewed for continuing suitability.

Your top management provides evidence of its commitment to the development and implementation of the Quality Management System, and the maintenance of its effectiveness by:

• communicating to the business on the importance of meeting customer as well as applicable regulatory requirements;
• establishing the quality policy;
• ensuring that quality objectives are established;
• conducting management reviews; and,
• ensuring the availability of resources.

Records are maintained to provide evidence of conformity to the requirements, and the effective operation, of the Quality Management System.

Your business documents the procedures that define the controls needed for the identification, storage, security and integrity, retrieval, retention time and disposition of records.

Procedures are defined and implemented for protecting confidential health information contained in the records in accordance with the applicable regulatory requirements.

Your business ensures that records are retained for at least the lifetime of the medical device as defined by the organisation, or as specified by the applicable regulatory requirements, but not less than two years from the medical device is released. 

Records must remain legible, readily identifiable and retrievable. Changes to a record must remain identifiable. 

The documents required by your Quality Management System are controlled. Records are a special type of document and are controlled. A document in the Quality Management System defines the controls needed to:

• review and approve documents for adequacy prior to issue;
• review, update as necessary and re-approve documents;
• ensure that the current revision status of and changes to documents are identified;
• ensure that relevant versions of applicable documents are available at points of use;
• ensure that documents remain legible and readily identifiable;
• ensure that documents of external origin, determined by your business to be necessary for the planning and operation of the Quality Management System, are identified and their distribution controlled;
• prevent deterioration or loss of documents;
• prevent the unintended use of obsolete documents and apply suitable identification to them.

Your business has for each medical device type or medical device family, one or more Medical Device files. Your Medical Device file/s contain or reference documents that demonstrate conformity to this International Standard and compliance with applicable regulatory requirements. These files should be accurately maintained and kept up to date.

Your Medical Device files include the following:

• a general description of the medical device, its intended use or purpose, the labelling, and any instructions for use;
• product specifications;
• specifications or procedures for manufacturing, packaging, storage, handling, and distribution;
• procedures for measuring and monitoring;
• any requirements for installation as appropriate; and,
• procedures for servicing, if appropriate.

Your Quality Manual includes:

• the scope of the Quality Management System, and includes details of and the justification for any exclusions or non-applications;
• the documented procedures for the Quality Management System, or reference to them;
• the procedures for the Quality Management System, or references to them; and,
• a description of the interaction between the various processes in the Quality Management System.

Your Quality Manual outlines the structure of the documentation used in the Quality Management System.

Your Quality Management System includes the following documented sections:

• statements of your quality policy and quality objectives;
• a quality manual;
• procedures and records required by the International Standard;
• together with any other documents, including records, which your business has determined to be necessary to ensure the effective planning, operation, and control of its processes; and,
• additionally, any other documentation specified by the applicable regulatory requirements.

Your business documents the procedures required for the validation of the application of computer software used in the Quality Management System. Such software applications are validated prior to initial use and, as appropriate, after changes to the software of its application.

The specific approach and activities associated with software validation and revalidation are proportionate to the risk associated with the use of the software.  

Records of such activities are maintained

When your business chooses to outsource any process that affects product conformity requirements, your business monitors and ensures control over such processes. Additionally, your business retains responsibility of conformity to this International Standard, and to customer and applicable regulatory requirements for outsourced processes. The controls are proportionate to the risk involved and the ability of the external party to meet with requirements. These controls include written quality agreements.

Your business manages the Quality Management Systems processes in accordance with the requirements of this International Standards and the applicable regulatory requirements. Changes to be made to the processes in your business's Quality Management System are considered and evaluated against:

• their impact on the Quality Management System;
• their impact on the medical devices produced under the Quality Management System; and,
• are controlled in accordance with the requirements of this International Standard and any applicable regulatory requirements.

For each Quality Management System process, your business:

• determines the criteria and methods needed to ensure that both the operation and control of these processes are effective;
• ensures there is availability of resources and information necessary to support the operation and monitoring of these processes;
• implements the necessary actions to achieve planned results and maintain the effectiveness of these processes;
• monitors, measures (as appropriate), and analyses these processes; and,
• establishes and maintains the records needed to demonstrate conformance and compliance with ISO 13485 and applicable regulatory requirements.

Your business determines the processes needed for the Quality Management System and the application of these processes throughout the whole organisation, taking into account of the roles undertaken by the organisation.

Your business documents the role(s) undertaken by the business under the applicable regulatory requirements.

Roles undertaken by the business can include manufacturer, authorised representative, importer or distributor.

Your business establishes, implements and maintains any requirement, procedure, activity or arrangement required to be documented by this International Standard or applicable regulatory requirements.

Your business documents preventative action procedures to describe requirements for:

• determining potential nonconformities and their causes;
• evaluating the need for action to prevent occurrence of nonconformities;
• planning and documenting action needed and implementing such action, including, as appropriate, updating documentation;
• verifying that the action does not adversely affect the ability to meet applicable regulatory requirements or the safety and performance of the medical device;
• reviewing the effectiveness of the preventive action taken, as appropriate.

Your business maintains results of any investigations and of any action taken. 

Your business takes corrective action to eliminate the cause of nonconformities in order to prevent recurrence. Any necessary corrective actions are taken without undue delay. Corrective actions are proportionate to the effects of the nonconformities encountered.

Your business documents procedures to define requirements for:

• reviewing nonconformities (including complaints);
• determining the causes of nonconformities;
• evaluating the need for action to ensure that nonconformities do not recur;
• planning and documenting action needed and implementing such action, including, as appropriate, updating documentation;
• verifying that the corrective action does not adversely affect the ability to meet applicable regulatory requirements or the safety and performance of the medical device; and,
• reviews the effectiveness of corrective action taken.

Your organisation maintains records of the results of any investigation, and of any actions taken.

Your business ensures that nonconforming product is accepted by concession only, if the justification is provided, approval is obtained and applicable regulatory requirements are met. Records of the acceptance by concession and the identity of the person authorising the concession must be maintained.

Your business deals with nonconforming product before delivery by one or more of the following ways:

• taking action to eliminate the detected nonconformity;
• taking action to preclude its original intended use or application;
• authorising its use, release or acceptance under concession.

Your business maintains records of the nature of all nonconformities and any subsequent action taken, including the evaluation, any investigation and the rationale for any decisions taken.

Your business, as part of the evaluation of nonconformity, determines the need for an investigation and notification of any external party responsible for the nonconformity.

Your business has a planned internal audit program, taking into consideration the status and importance of the processes and area to be audited, as well as the results of previous audits. The audit criteria, scope, interval and methods is defined and recorded. The selection of auditors and conduct of audits ensure objectivity and impartiality of the audit process. Your auditors do not audit their own work.

Your business documents procedures for the timely handling of complaints in accordance with any applicable regulatory requirements.

Your business, as one of the measurements of the effectiveness of the quality management system, gathers and monitors information relating to whether your organisation has met its customer requirements. The methods for obtaining and using this feedback information is documented.

Your business performs calibration or verification in accordance with documented procedures.

Additionally, your business assesses and records the validity of the previous measuring results when the equipment is found not to conform to requirements and takes appropriate action in regard to the equipment and any product affected.

Your business documents procedures for preserving the conformity of product (preservation of product) to specific requirements during processing, storage, handling, and distribution. Preservation applies to all the constituent parts of a medical device.

Your business validates any processes used for production and service provision where the resulting output cannot be or is not verified by subsequent monitoring or measurement, and therefore as a consequence, deficiencies may only become apparent after the product is in use or the service has been delivered.

Your business demonstrates the ability of these processes to achieve planned results consistently.

Your business documents the requirements for cleanliness of product and/or contamination control of product if the:

• product is cleaned by your business prior to sterilisation or its use;
• product is supplied non-sterile and is to be subjected to a cleaning process prior to sterilisation or its use;
• product cannot be cleaned prior to sterilisation or its use, and its cleanliness is of significance in use;
• product is supplied to be used non-sterile, and its cleanliness is of significance in use;
• process agents are to be removed from product during manufacture.

Note, if product is cleaned by your business prior to sterilisation or its use, or, the product is supplied non-sterile and is to be subjected to a cleaning process prior to sterilisation or its use; then the requirement that your business documents health cleanliness and clothing of personnel, if contact between such personnel and the product or work environment could affect medical device safety or performance, does not apply prior to the cleaning process. 

When your business or its customers intends to perform verification at the supplier’s premises, your business can state in advance what the intended verification activities will be and method of product release in the purchasing information.

The records of verification of purchased product methods and activities are maintained.

Your business ensures that purchasing information is available that describes or references the product to be purchased. Project purchasing information includes the following:

• products specifications;
• the requirements for product acceptance, procedures, processes and equipment;
• the requirements for qualification of supplier personnel; 
• the quality management system requirements.

Your business identifies changes to design and development and before they are implemented the changes are:

reviewed;

verified;

validated (as appropriate); and,

approved.

Your business plans and documents arrangements for communicating with customers in relation to: product information; enquiries, contracts or order handling, and any amendments; customer feedback, including complaints; and advisory notices.

During design and development planning, your business documents the following:

• the design and development stages;
• the review(s) needed at each design and development stage;
• the verification, validation, and design transfer activities that are appropriate at each design and development stage;
• the responsibilities and authorities for design and development;
• the methods to ensure traceability of design and development outputs to design and development inputs; and,
• the resources needed, including necessary competence of personnel.

Your business documents the output of this planning of product realisation in a form suitable for the businesses' method of operations.

Your business documents one or more processes for risk management in product realisation.

Records of risk management activities are maintained.

Your business maintains records of education, training, skills and experience, as identifed in the Quality Management System for those personnel performing work affecting the product quality.

Your business documents the procedures that define the controls needed for the identification, storage, security and integrity, retrieval, retention time and disposition of records.

Your Medical Device files include the following:

• a general description of the medical device, its intended use or purpose, the labelling, and any instructions for use;
• product specifications;
• any procedures or specifications for manufacturing, storage or any handling, any packaging or distribution information;
• the procedures for measuring and monitoring; and,
• any requirements for installation or servicing etc, if appropriate."

Your business uses a risk based approach to control the appropriate processes required for the Quality Management System, and your business determines the sequence and interactions of these processes.

Your business identifies the period for which at least one copy of obsolete documents should be retained for. This period should ensure that documents to which medical devices have been manufactured and tested are available for at least the lifetime of the medical device, as set out by your organisation, but not less than the retention period of any resulting record or as specified by any applicable regulatory requirements.

Procedures are defined and implemented for protecting confidential health information contained in the records, in accordance with the applicable regulatory requirements.

Your business ensures that records are retained for at least the lifetime of the medical device as defined by your organisation, or as specified by the applicable regulatory requirements.

A3.2 If you have answered "yes" to the last question then your company is eligible for the included cyber insurance if you gain certification. If you do not want this insurance element please opt out here.

A3.3 What is your total gross revenue? Please provide figure to the nearest £100K. You only need to answer this question if you are taking the insurance.

A3.4 Is the company or its subsidiaries any of the following: medical, call centre, telemarketing, data processing (outsourcers), internet service provider, telecommunications or an organisation regulated by the FCA? You only need to answer this question if you are taking the insurance.

A3.5 Does the company have any domiciled operation or derived revenue from the territory or jurisdiction of Canada and / or USA?

A3.6 What is the organisation email contact for the insurance documents? You only need to answer this question if you are taking the insurance.

A2.7 Please list the quantities of tablets and mobile devices within the scope of this assessment. You must include model and operating system version for all devices.

A2.8 Please provide a list of the networks that will be in the scope for this assessment

A2.9 Please provide a list of network equipment that will be in scope for this assessment (including firewalls and routers).

A2.10 Please provide the name and role of the person who is responsible for managing the information systems in the scope of this assessment?

A3.1 Is your head office domiciled in the UK and is your gross annual turnover less than £20m?

A2.2 If it is not the whole organisation, then what scope description would you like to appear on your certificate and website?

A2.3 Does your organisation hold or process personal data (as defined by your country's data protection legislation)?

A2.4 Is your usage of personal data subject to the EU GDPR?

A2.5 Please describe the geographical locations of your business which are in the scope of this assessment.

A2.6 Please list the quantities of laptops, computers and servers within the scope of this assessment. You must include model and operating system versions for all devices.

A1.6 What is the size of your organisation?

A1.7 How many staff are home workers?

A1.8 Is this application a renewal of an existing certification or is it the first time you have applied for certification?

A1.9 What is your main reason for applying for certification?

A2.1 Does the scope of this assessment cover your whole organisation? Please note: Your organisation is only eligible for free Cyber Insurance if your assessment covers your whole company, if you answer "No" to this question you will not be invited to apply for insurance.

A1.2 What is your organisation's registration number (if you have one)?

A1.3 What is your organisation's address (for companies: as registered with Companies House)?

A1.4 What is your main business?

A1.5 What is your website address?

10.8.1 You have a dashboard giving a high-level summary of all key data protection and information governance KPIs.

10.8.2 The group(s) providing oversight of data protection and information governance regularly discuss KPIs and the outcomes of monitoring and reviews.

10.8.3 Data protection and information governance KPIs and the outcomes of monitoring and reviews are discussed regularly by groups at operational level, for example in team meetings.

10.7.1 You have Key Performance Indicators (KPIs) regarding SAR performance (the volume of requests and the percentage completed within statutory timescales).

10.7.2 You have KPIs regarding the completion of data protection and information governance training, including a report showing the percentage of staff who have complete the training.

10.7.3 You have KPIs regarding information security, including the number of security breaches, incidents and near misses.

10.7.4 You have KPIs regarding records management, including the use of metrics such as file retrieval statistics, adherence to disposal schedules, and the performance of the system in place to index and track paper files containing personal data.

10.6.1 You monitor your own data protection compliance and you regularly test the effectiveness of the measures you have in place.

10.6.2 Your organisation regularly tests staff adherence to data protection and information governance policies and procedures.

10.6.3 You routinely conduct informal, ad-hoc monitoring and spot checks.

10.6.4 You make sure that your monitoring of policy compliance is unbiased by keeping it separate from those who implement the policies.

10.6.5 There is a central audit plan/schedule in place evidencing the planning of data protection and information governance internal audits.

10.6.6 Audit reports are produced to document the findings.

10.6.7 You have a central action plan in place to take forward the outputs from data protection and information governance audits.

10.5.1 Your organisation completes externally-provided self-assessment tools to provide assurances on compliance with data protection and information security compliance.

10.5.2 Your organisation is subject to or employs the services of an external auditor to provide independent assurances (or certification) on data protection and information security compliance.

10.5.3 Your organisation adheres to an appropriate code of conduct or practice for your sector (if one exists).

10.5.4 You produce audit reports to document the findings.

10.5.5 You have a central action plan in place to take forward the outputs from data protection and information governance audits.

10.4.1 You analyse all personal data breach reports to prevent a recurrence.

10.4.2 Your organisation monitors the type, volume and cost of incidents.

10.4.3 You undertake trend analysis on breach reports over time to understand themes or issues, and outputs are reviewed by groups with oversight for data protection and information governance.

10.4.4 Groups with oversight for data protection and information governance review the outputs.

10.3.1 You have a procedure setting out how you will tell affected individuals about a breach when it is likely to result in a high risk to their rights and freedoms.

10.3.2 You tell individuals about personal data breaches in clear, plain language without undue delay.

10.3.3 The information you provide to individuals includes the DPO's details, a description of the likely consequences of the breach and the measures taken (including mitigating actions and any possible adverse effects).

10.3.4 You provide individuals with advice to protect themselves from any effects of the breach.

10.2.1 You have a procedure to assess the likelihood and severity of the risk to individuals as a result of a personal data breach.

10.2.2 You have a procedure to notify the ICO of a breach within 72 hours of becoming aware of it (even when all the information is not yet available) and you notify the ICO on time.

10.2.3 The procedure includes details of what information must be given to the ICO about the breach.

10.2.4 If you consider it unnecessary to report a breach, you document the reasons why your organisation considers the breach is unlikely to result in a risk to the rights and freedoms of individuals.

10.1.1 You have appropriate training in place so that staff are able to recognise a security incident and a personal data breach.

10.1.2 A dedicated person or team manages security incidents and personal data breaches.

10.1.3 Staff know how to escalate a security incident promptly to the appropriate person or team to determine whether a breach has occurred.

10.1.4 Procedures and systems facilitate the reporting of security incidents and breaches.

10.1.5 Your organisation has a response plan for promptly addressing any security incidents and personal data breaches that occur.

10.1.6 You centrally log/record/document both actual breaches and near misses (even if they do not need to be reported to the ICO or individuals).

10.1.7 The log documents the facts relating to the near miss or breach including: its causes; what happened; the personal data affected; the effects of the breach; and any remedial action taken and rationale.

9.12.1 You have a risk-based business continuity plan to manage disruption and a disaster recovery plan to manage disasters, which identify records that are critical to the continued functioning of the organisation.

9.12.2 You take back-up copies of electronic information, software and systems (and ideally store them off-site).

9.13.3 The frequency of backups reflects the sensitivity and importance of the data.

9.13.4 You regularly test back-ups and recovery processes to make sure that they remain fit for purpose.

9.11.1 You protect secure areas (areas that contain either sensitive or critical information) by appropriate entry controls such as doors and locks, alarms, security lighting or CCTV.

9.11.2 You have visitor protocols in place such as signing-in procedures, name badges and escorted access.

9.11.3 You implement additional protection against external and environmental threats in secure areas such as server rooms.

9.11.4 Office equipment is appropriately placed and protected to reduce the risks from environmental threats and opportunities for unauthorised access.

9.11.5 You store paper records securely and control access to them.

9.11.6 You operate a clear desk policy across the organisation where personal data is processed.

9.11.7 You have regular clear desk 'sweeps' or checks and issues are fed back appropriately

9.11.8 You operate a 'clear screen' policy across your organisation where personal data is processed.

9.10.1 You have a mobile device and a home/remote working policy that demonstrates how your organisation will manage the associated security risks.

9.10.2 You have protections in place to avoid the unauthorised access to, or disclosure of, the information processed by mobile devices, for example encryption and remote wiping capabilities.

9.10.3 You implement security measures to protect information processed when home or remote working, for example VPN and two factor authentication.

9.10.4 Your organisation uses the most up-to-date version of its remote access solution. You are able to support and update devices remotely.

9.10.5 Where you have a business need to store personal data on removable media, you minimise personal data and your organisation implements a software solution that can set permissions or restrictions for individual devices, as well as an entire class of devices.

9.10.6 You do not allow equipment, information or software to be taken off-site without prior authorisation, and you have a log of all mobile devices and removeable media used and who they are allocated to.

9.9.1 You restrict access to systems or applications processing personal data to the absolute minimum in accordance with the principle of least privilege (for example read/write/delete/execute access rules are applied).

9.9.2 You apply minimum password complexity rules and limited log on attempts to systems or applications processing personal data.

9.9.3 You have password management controls in place, including default password changing, controlled use of any shared passwords and secure password storage (not in plain text).

9.9.4 Emails content and attachment security solutions (encryption) appropriately protect emails containing sensitive personal data.

9.9.5 You log and monitor user and system activity to detect anything unusual.

9.9.6 You implement anti-malware and anti-virus (AV) protection across the network and on critical or sensitive information systems if appropriate.

9.9.7 Anti-malware and anti-virus protection is kept up-to-date and you configure it to perform regular scans.

9.9.8 Your organisation has access to and acts upon any updates on technical vulnerabilities to systems or software, for example vendor’s alerts or patches.

9.9.9 You regularly run vulnerability scans.

9.9.10 You deploy URL or web content filtering to block specific websites or entire categories.

9.9.11 You strictly control or prohibit the use of social media, or messaging apps such as WhatsApp to share personal data.

9.9.12 You have external and internal firewalls and intrusion detection systems in place as appropriate, to make sure that the information in networks and systems is protected from unauthorised access or attack, for example denial of service attacks.

9.9.13 You do not have unsupported operating systems in use, for example Windows XP, Windows Server 2003.

9.8.1 You have an Access Control policy which specifies that users must follow your organisation's practices in the use of secret authentication information, for example passwords or tokens.

9.8.2 You implement a formal user access provisioning procedure to assign access rights for staff (including temporary staff) and third party contractors to all relevant systems and services required to fulfil their role, for example 'new starter process'.

9.8.3 You restrict and control the allocation and use of privileged access rights.

9.8.4 You keep a log of user access to systems holding personal data.

9.8.5 You regularly review users' access rights and adjust or remove rights where appropriate, for example when an employee changes role or leaves the organisation.

9.7.1 You have Acceptable Use or terms and conditions of use procedures in place.

9.7.2 You have system operating procedures which document the security arrangements and measures in place to protect the data held within systems or applications.

9.7.3 Your organisation monitors compliance with Acceptable Use rules and makes sure that staff are aware of any monitoring.

9.6.1 Your organisation has an asset register that holds details of all information assets (software and hardware) including: asset owners; asset location; retention periods; and security measures deployed.

9.6.2 You review the register periodically to make sure it remains up-to-date and accurate.

9.6.3 You periodically risk-assess assets within the register and you carry out physical checks to make sure that the hardware asset inventory remains accurate.

9.5.1 For paper documents, you use locked waste bins for records containing personal data, and either in-house or third party cross shredding or incineration is in place.

9.5.2 For information held on electronic devices, wiping, degaussing or secure destruction of hardware (shredding) is in place.

9.5.3 You either hold, collect or send away securely confidential waste awaiting destruction.

9.5.4 You have appropriate contracts in place with third parties to dispose of personal data, and they provide you with appropriate assurance that they have disposed of the data securely, for example through audit checks and destruction certificates.

9.5.5 You have a log of all equipment and confidential waste sent for disposal or destruction.

9.4.1 You have a retention schedule based on business need with reference to statutory requirements and other principles (for example the National Archives).

9.4.2 The schedule provides sufficient information to identify all records and to implement disposal decisions in line with the schedule.

9.4.3 You assign responsibilities to make sure that staff adhere to the schedule and you review it regularly.

9.4.4 You regularly review retained data to identify opportunities for minimisation, pseudonymisation, or anonymisation, and you document this in the schedule.

9.3.1 You conduct regular data quality reviews of records containing personal data to make sure they are accurate, adequate and not excessive.

9.3.2 You make staff aware of data quality issues following data quality checks or audits to prevent recurrence.

9.3.3 Records containing personal data (whether 'active' or archived) are 'weeded' periodically to reduce the risks of inaccuracies and excessive retention.

9.2.1 You document rules to protect the internal and external transfer of records by post, fax and electronically, for example in a transfer policy or guidance.

9.2.2 You minimise data transferred off-site and keep it secure in transit.

9.2.3 When you transfer data off site, you use an appropriate form of transport, (for example, secure courier, encryption, secure file transfer protocol (SFTP) or Virtual Private Network (VPN)), and you check to make sure that the information has been received.

9.2.4 You have agreements in place with any third parties used to transfer business information between your organisation and third parties.

9.1.1 You have policies and procedures to make sure that you appropriately classify, title and index new records in a way that facilitates management, retrieval and disposal.

9.1.2 You identify where you use manual and electronic record-keeping systems and maintain a central log or information asset register.

9.1.3 You know the whereabouts of records at all times, you track their movements, and you attempt to trace records that are missing or not returned.

9.1.4 You index records stored off-site with unique references to enable accurate retrieval and subsequent tracking.

8.5.1 You have a procedure to consult the ICO if you cannot mitigate residual high risks.

8.5.2 You integrate outcomes from DPIAs into relevant work plans, project action plans and risk registers.

8.5.3 You do not start high risk processing until mitigating measures are in place following the DPIA.

8.5.4 You have a procedure to communicate the outcomes of DPIAs to appropriate stakeholders, eg through a formal summarised report.

8.5.5 You consider actively publishing DPIAs where possible, removing sensitive details if necessary.

8.5.6 You agree and document a schedule for reviewing the DPIA regularly or when the nature, scope, context or purposes of the processing changes.

8.4.1 Your organisation has a standard, well-structured DPIA template which is written in plain English.

8.4.2 DPIAs include: the nature, scope, context and purposes of the processing; assess necessity, proportionality and compliance measures; identify and assess risks to individuals; and identify any additional measures to mitigate those risks.

8.4.3 DPIAs clearly set out the relationships and data flows between controllers, processors, data subjects and systems.

8.4.4 DPIAs identify measures that can be put in place to eliminate, mitigate or reduce high risks.

8.4.5 You have a documented process, with appropriate document controls, that you review periodically to make sure that it remains up-to-date.

8.4.6 You record your DPO's advice and recommendations, and the details of any other consultations.

8.4.7 Appropriate people sign off DPIAs, such as a project lead or senior manager.

8.3.1 You have a DPIA policy which includes: clear procedures to decide whether you conduct a DPIA; what the DPIA should cover; who will authorise it; and how you will incorporate it into the overall planning.

8.3.2 You have a screening checklist to consider if you need a DPIA, including all the relevant considerations on the scope, type and manner of the proposed processing.

8.3.3 If the screening checklist indicates that you do not need a DPIA, you document this.

8.3.4 Your procedure includes the requirement to seek advice from the DPO and other internal staff as appropriate.

8.3.5 Your procedure includes consultation with controllers, data processors, individuals, their representatives and any other relevant stakeholders as appropriate.

8.3.6 Staff training includes the need to consider a DPIA at the early stages of any plan involving personal data, and where relevant, you train staff in how to carry out a DPIA.

8.3.7 You assign responsibility for completing DPIAs to a member of staff who has enough authority over a project to effect change, eg a project lead or manager.

8.2.1 You reference DPIA requirements in all risk, project and change management policies and procedures, with links to DPIA policies and procedures.

8.2.2 Your procedures state that, if required, a DPIA should begin at the project's outset, before processing starts, and that the DPIA must run alongside the planning and development process.

8.2.3 You anticipate risks and privacy-invasive events before they occur, making sure that at the initial design phase of any system, product or process and throughout, you consider the: intended processing activities; risks that these may pose to the rights and freedoms of individuals; and possible measures available to mitigate the risks.

8.1.1 An information risk policy (either a separate document or part of a wider corporate risk policy) sets out how your organisation and its data processors manage information risk, and how you monitor compliance with the information risk policy.

8.1.2 You have a process to help staff report and escalate data protection and information governance concerns and risks to a central point, for example staff forums.

8.1.3 You identify and manage information risks in an appropriate risk register, which includes clear links between corporate and departmental risk registers and the risk assessment of information assets.

8.1.4 You have formal procedures to identify, record and manage risks associated with information assets in an information asset register.

8.1.5 If you identify information risks, you have appropriate action plans, progress reports and a consideration of the lessons learnt to avoid future risk.

8.1.6 You put measures in place to mitigate the risks identified within risk categories and you test these regularly to make sure that they remain effective.

7.7.1 Contracts include clauses to allow your organisation to conduct audits or checks, to confirm the processor is complying with all contractual terms and conditions.

7.7.2 You carry out routine compliance checks, proportionate to the processing risks, to test that processors are complying with contractual agreements.

7.8.1 When third parties supply products or services to process personal data, you choose suppliers that design their products or services with data protection in mind.

7.9.1 Your organisation only shares the personal data necessary to achieve its specific purpose.

7.9.2 When information is shared, it is pseudonymised or minimised wherever possible. You also consider anonymisation so that the information is no longer personal data.

7.5.1 The contract or other legal act includes terms or clauses stating that the processor must:
• only act on the controller’s documented instructions, unless required by law to act without such instructions;
• make sure that the people processing the data are subject to a duty of confidence; 
•  help the controller respond to requests from individuals to exercise their rights; submit to audits and inspections.

7.5.2 Contracts include the technical and organisational security measures the processor will adopt (including encryption, pseudonymisation, resilience of processing systems and backing up personal data in order to be able to reinstate the system).

7.5.3 The contract includes clauses to make sure that the processor either deletes or returns all personal data to the controller at the end of the contract. The processor must also delete existing personal data unless the law requires its storage.

7.5.4 Clauses are included to make sure that the processor assists the controller in meeting its GDPR obligations regarding the security of processing, the notification of personal data breaches and DPIAs.

7.6.1 The procurement process builds in due diligence checks proportionate to the risk of the processing before you agree a contract with a processor.

7.6.2 The due diligence process includes data security checks, eg site visits, system testing and audit requests.

7.6.3 The due diligence process includes checks to confirm a potential processor will protect data subject's rights.

7.4.1 You have written contracts with all processors.

7.4.2 If using a processor, you assess the risk to individuals and make sure that these risks are mitigated effectively.

7.4.3 An appropriate level of management approves the contracts and both parties sign. The level of management required for approval is proportionate to the value and risk of the contract.

7.4.4 Each contract (or other legal act) sets out details of the processing including the:
• subject matter of the processing;
• duration of the processing;
• nature and purpose of the processing;
• type of personal data involved;
• categories of data subject; and
• controller’s obligations and rights, in accordance with the list set out in Article 28(3) of the GDPR.

7.4.5 You keep a record or log of all current processor contracts, which you update when processors change.

7.4.6 You review contracts periodically to make sure they remain up-to-date.

7.4.7 If a processor uses a sub-processor to help with the processing it is doing on your behalf, they have written authorisation from your organisation and a written contract with that sub-processor.

7.3.1 You consider whether the restricted transfer is covered by an adequacy decision or by 'appropriate safeguards' listed in data protection law, such as contracts incorporating standard contractual data protection clauses adopted by the Commission or Binding Corporate Rules (BCRs).

7.3.2 If a restricted transfer is not covered by an adequacy decision nor an appropriate safeguard, you consider whether it is covered by an exemption set out in Article 49 of the GDPR.

7.2.1 You agree data sharing agreements with all the relevant parties and senior management signs them off.

7.2.2 The data sharing agreement includes details about: the parties' roles; the purpose of the data sharing; what is going to happen to the data at each stage; and sets standards (with a high privacy default for children).

7.2.3 Where necessary, procedures and guidance covering each organisation's day-to-day operations support the agreements.

7.2.4 If your organisation is acting as a joint controller (within the meaning of Article 26 of the GDPR), you set out responsibilities under an arrangement or a data sharing agreement, and you provide appropriate privacy information to individuals.

7.2.6 There is a central log of the current data sharing agreements.

7.1.1 You have a review process, through a DPIA or similar exercise, to assess the legality, benefits and risks of the data sharing.

7.1.2 You document all sharing decisions for audit, monitoring and investigation purposes and you regularly review them.

7.1.3 Your organisation has clear policies, procedures and guidance about data sharing, including who has the authority to make decisions about systematic data sharing or one-off disclosures, and when it is appropriate to do so.

7.1.4 Your organisation adequately trains all staff likely to make decisions about data sharing, and makes them aware of their responsibilities. You refresh this training appropriately.

6.10.1 The LIA identifies the legitimate interest, the benefits of the processing and whether it is necessary.

6.10.2 The LIA includes a 'balancing test' to show how your organisation determines that its legitimate interests override the individuals' and considers the following issues:
• not using people's data in intrusive ways or in ways which could cause harm, unless there is a very good reason;
• protecting the interests of vulnerable groups such as people with learning disabilities or children;
• whether you could introduce safeguards to reduce any potentially negative impact;
• whether you could offer an opt-out; and
• whether you require a DPIA.

6.10.3 You clearly document the decision and the assessment.

6.10.4 You complete the LIA prior to the start of the processing.

6.10.5 You keep the LIA under review and refresh it if changes affect the outcome.

6.9.1 Your organisation makes reasonable efforts to check the age of those giving consent, particularly where the individual is a child.

6.9.2 You have a reasonable and effective procedure to determine whether the individual in question can provide their own consent, and if not, an effective way to gain and record parental or guardian consent.

6.9.3 When providing online services to children, your organisation has risk-based age checking systems in place to establish age with a level of certainty that is appropriate based on the risks to children's rights and freedoms.

6.9.4 When providing online services to children, if the child is under 13, you have records of parental or guardian consent which are reviewed regularly, and you make reasonable efforts to verify that the person giving consent has parental or guardian responsibility. You give particular consideration when a child reaches the age of 13 and is able to provide their own consent.

6.8.1 You have a procedure to review consents to check that the relationship, the processing and the purposes have not changed and to record any changes.

6.8.2 Your organisation has a procedure to refresh consent at appropriate intervals.

6.8.3 Your organisation uses privacy dashboards or other preference-management tools to help people manage their consent.

6.6.1 You make information about the purposes of the processing, your lawful basis and relevant conditions for processing any special category data or criminal offence data publicly available in your organisation's privacy notice(s).

6.6.2 You provide information in an easily understandable format.

6.6.3 If there is a genuine change in circumstances, or if your lawful basis must change due to a new and unantipated purpose, you inform individuals in a timely manner and record the changes.

6.7.1 Consent requests: are kept separate from other terms and conditions; require a positive opt-in and do not use pre-ticked boxes; are clear and specific (not a pre-condition of signing up to a service); inform individuals how to withdraw consent in an easy way; and give your organisation's name as well as the names of any third parties relying on consent.

6.7.2 You have records of what an individual has consented to, including what they were told and when and how they consented. The records are thorough and easy for relevant staff to access, review and withdraw if required.

6.7.3 You have evidence and examples of how consent is sought from individuals, for example online forms or notices, opt in-tick boxes, and paper-based forms.

6.5.1 Your organisation selects the most appropriate lawful basis (or bases) for each activity following a review of the processing purposes.

6.5.2 You document the lawful basis (or bases) relied upon and the reasons why.

6.5.3 If your organisation processes special category data or criminal offence data, you identify and document a lawful basis for general processing and an additional condition for processing this type of data (or in the case of criminal offence data only, you identify the official authority to process).

6.5.4 In the case of special category or criminal offence data, you document consideration of the requirements of Article 9 or 10 of the GDPR and Schedule 1 of the DPA 2018 where relevant.

6.5.5 Where Schedule 1 requires it, there is an appropriate policy document including: which schedule 1 conditions you are relying on; what procedures you have in place to ensure compliance with the data protection principle; how special category or criminal offence data will be treated for retention and erasure purposes; a review date; and details of an individual assigned responsibility for the processing.

6.5.6 You identify the lawful basis before starting any new processing.

6.3.2 You have an internal record of all processing activities carried out by any processors on behalf of your organisation.

6.3.1 The ROPA includes (as a minimum):
•Your organisation's name and contact details, whether it is a controller or a processor (and where applicable, the joint controller, their representative and the DPO);
•the purposes of the processing;
•a description of the categories of individuals and personal data;
•the categories of recipients of personal data;
•details of transfers to third countries, including a record of the transfer mechanism safeguards in place;
•retention schedules; and
•a description of the technical and organisational security measures in place.

6.4.1 The ROPA also includes, or links to documentation covering:
•information required for privacy notices, such as the lawful basis for the processing and the source of the personal data;
•records of consent;
•controller-processor contracts;
•the location of personal data;
• DPIA reports;
•records of personal data breaches;
•information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018 (DPA 2018); and
•retention and erasure policy documents.

6.1.1 Your organisation carries out Information audits (or data mapping exercises) to find out what personal data is held and to understand how the information flows through your organisation.

6.1.2 The data map is kept up-to-date and you clearly assign the responsibilities for maintaining and amending it.

6.1.3 You consult staff across your organisation to make sure that there is an accurate picture of processing activities, for example by using questionnaires and staff surveys.

6.2.1 You record processing activities in electronic form so you can add, remove or amend information easily.

6.2.2 Your organisation regularly reviews the record against processing activities, policies and procedures to make sure that it remains accurate and up-to-date, and you clearly assign responsibilities for doing this.

6.2.3 You regularly review the processing activities and types of data you process for data minimisation purposes.

5.7.1 Privacy policies are clear and easy for members of the public to access.

5.7.2 You provide individuals with tools, such as secure self-service systems, dashboards and just-in-time notices, so they can access, determine and manage how you use their personal data.

5.7.3 Your organisation offers strong privacy defaults and user-friendly options and controls.

5.7.4 You help children to exercise their data protection rights, where relevant, in an easily accessible way that they understand.

5.7.5 You implement appropriate measures to protect children using digital services.

5.6.1 You review privacy information against the records of processing activities, to make sure it remains up-to-date and that it actually explains what happens with individuals’ personal data.

5.6.2 You maintain a log of historical privacy notices, including the dates you made any changes, in order to allow a review of what privacy information was provided to individuals and when.

5.6.3 Your organisation carries out user-testing to evaluate how effective their privacy information is.

5.6.4 You analyse complaints from the public about how you use personal data, and in particular, any complaints about how you explain that use.

5.6.5 If you plan to use personal data for a new purpose, you have a procedure to update the privacy information and communicate the changes to individuals before starting any new processing.

5.5.1 You arrange organisation-wide staff training about privacy information.

5.5.2 Front-line staff receive more specialised or specific training.

5.5.3 Staff are aware of the various ways in which the organisation provides privacy information.

5.4.1 You have procedures for individuals to access the personal data you use to create profiles, so they can review for accuracy and edit if needed.

5.4.2 If the decision is solely automated and has legal or similarly significant effects, you tell individuals about the processing - including what information you are using, why and what the impact is likely to be.

5.4.3 If the purpose is initially unclear, you give individuals an indication of what your organisation is going to do with their data, and you proactively update your privacy information as this becomes clearer.

5.4.4 If the decision is solely automated and has legal or similarly significant effects, your organisation explains the processing in a meaningful way that enables individuals to exercise their rights including obtaining human intervention, expressing their point of view and contesting the decision.

5.3.4 You take particular care to write privacy information for children in clear, plain language, that is age-appropriate, and explains the risks involved in the processing and what safeguards are in place.

5.3.3 You write privacy information in clear and plain language that the intended audience can understand, and offer it in accessible formats if required.

5.3.2 You provide privacy information to individuals in electronic and hard-copy form, using a combination of appropriate techniques, such as a layered approach, icons and mobile and smart device functionalities.

5.3.1 You proactively make individuals aware of privacy information and have a free, easy way to access it.

5.2.2 If you obtain personal data from a source other than the individual it relates to, you provide privacy information to individuals within a reasonable period no later than one month of obtaining the data.

5.2.1 Individuals receive privacy information when their personal data is collected (eg when they fill in a form) or by observation (eg when using CCTV or people are tracked online).

5.1.1 Privacy information includes all relevant contact information, eg the name and contact details of your organisation (and your representative if applicable) and the DPO's contact details.

5.1.2 Privacy information includes the purposes of the processing and the lawful bases (and, if applicable, the legitimate interests for the processing).

5.1.3 Privacy information includes the types of personal data you obtain and the data source, if the personal data is not obtained from the individual it relates to.

5.1.4 Privacy information includes details of all personal data that you share with other organisations and, if applicable, details of transfers to any third countries or international organisations.

5.1.5 Privacy information includes retention periods for the personal data, or if that is not possible, the criteria used to determine the period.

5.1.6 Privacy information includes details about individuals' rights including, if applicable, the right to withdraw consent and the right to make a complaint.

5.1.7 Privacy information includes details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if you collect the personal data from the individual it relates to).

5.1.8 You provide individuals with privacy information about the source of the processed personal data if you don't obtain it from the individual concerned, eg if the data is from publicly accessible sources such as social media, the open electoral register and Companies House.

4.11.1 You have procedures to handle data protection complaints raised by individuals and you report their resolution to senior management.

4.11.2 The DPO's contact details or alternative contact points are publicly available if individuals wish to make a complaint about the use of their personal data.

4.11.3 You tell individuals about their right to make a complaint to the ICO in your privacy information.

4.10.1 You complete additional checks for vulnerable groups, such as children, for all automated decision-making and profiling.

4.10.2 Your organisation only collects the minimum data needed and has a clear retention policy for the profiles created.

4.10.3 If your organisation uses solely automated decisions that have legal or similarly significant effects on individuals, you have a recorded process to make sure that these decisions only occur in accordance with Article 22 of the GDPR. If this applies, your organisation must carry out a data protection impact assessment (DPIA).

4.10.4 Where the decision is solely automated and has legal or similarly significant effects on individuals, a recorded process allows simple ways for individuals to request human intervention, express their opinion, and challenge decisions.

4.10.5 You conduct regular checks for accuracy and bias to make sure that systems are working as intended, and you feed this back into the design process.

4.8.1 Your organisation restricts personal data in a way that is appropriate for the type of processing and the system, eg temporarily moving the data to another system or removing it from a website.

4.8.2 If the personal data has been disclosed to others, your organisation contacts each recipient to tell them about the restriction (unless this is impossible or involves disproportionate effort).

4.8.3 If asked to, your organisation tells the data subject which third parties have received the personal data.

4.9.1 When requested, you provide personal data in a structured, commonly used and machine readable format.

4.9.2 Where possible and if an individual requests it, your organisation can directly transmit the information to another organisation.

4.7.1 You erase personal data from back-up systems as well as live systems where necessary, and you clearly tell the individual what will happen to their personal data.

4.7.2 If the personal data is disclosed to others, your organisation contacts each recipient to inform them about the erasure, unless this is impossible or involves disproportionate effort.

4.7.3 If asked to, your organisation tells the data subject which third parties have received the personal data.

4.7.4 If personal data has been made public in an online environment, you take reasonable steps to tell other controllers, if they are processing it, to erase links to, copies or replication of that data.

4.7.5 Your organisation gives particular weight to a request for erasure where the processing is or was based on a child's consent, especially when processing any personal data on the internet.

4.6.1 Your organisation takes proportionate and reasonable steps to check the accuracy of the personal data held and, if necessary, is able to rectify it.

4.6.2 If your organisation is satisfied that the data is accurate, you have a procedure to explain this to the individual. You need to inform the individual of their right to complain, and as a matter of good practice, record on the system the fact that the individual disputes the accuracy of the information.

4.6.3 If personal data has been disclosed to others, your organisation contacts each recipient to inform them about the rectification, unless this is impossible or involves disproportionate effort.

4.6.4 If asked, your organisation tells the data subject which third parties have received the personal data.

4.5.1 The staff responsible for managing requests meet regularly to discuss any issues.

4.5.2 You produce regular reports on performance and case quality assessments to make sure that requests are handled appropriately.

4.5.3 You share reports with senior management, that they review and action as appropriate at meetings.

4.5.4 Your organisation analyses any trends in the nature or cause of requests to improve performance or reduce volumes.

4.4.1 You action all requests within statutory timescales.

4.4.2 The staff responsible for managing requests meet regularly to discuss any issues and investigate, prioritise or escalate any delayed cases.

4.4.3 If you need an extension, you update individuals on the progress of their request and keep them informed.

4.4.4 If a request is refused, you have records about the reasons why and you inform individuals about the reasons for any refusals or exemptions.

4.3.1 You have processes in place to make sure that the log is accurate and updated as appropriate.

4.3.2 The log shows the due date for requests, the actual date of the final response and the action taken.

4.3.3 A checklist records the key stages in the request handling process, eg which systems or departments have been searched. This is either part of the log or a separate document.

4.3.4 You have records of your organisation's request responses, and any information disclosed to, or withheld from, individuals.

4.2.1 A specific person/s or team are responsible for managing and responding to requests.

4.2.2 Staff receive specialised training to handle requests, including regular refresher training.

4.2.3 You have sufficient resources to deal with requests.

4.2.4 If a staff member is absent, other staff are trained to carry out key tasks.

4.1.1 You give individuals clear and relevant information about their rights and how to exercise them.

4.1.2 Your policies and procedures set out processes for dealing with requests from individuals about their rights.

4.1.3 All staff receive training and guidance about how to recognise requests and where to send them.

3.5.1 Your organisation regularly uses a variety of appropriate methods to raise staff awareness and the profile of data protection and information governance, for example by emails, team briefings and meetings, posters, handouts, and blogs.

3.5.2 You make it easy for staff to access relevant material, and find out who to contact if they have any queries relating to data protection and information governance.

3.4.1 You conduct an assessment at the end of the training to test staff understanding and make sure that it is effective, which could include a minimum pass mark.

3.4.2 You keep copies of the training material provided on record as well as details of who receives the training.

3.4.3 You monitor training completion in line with organisationl requirements at all levels of the organisation, and you follow up with staff who do not complete the training.

3.4.4 staff are able to provide feedback on the training they receive.

3.3.1 You complete a training needs analysis for data protection and information governance staff to inform the training plan and to make sure it is specific to the individual's responsibilities.

3.3.2 You set out training and skills requirements in job descriptions.

3.3.3 You have evidence to confirm that key roles complete up-to-date and appropriate specialised training and professional development, and they receive proportionate refresher training.

3.3.4 You keep on record copies of the training material provided as well as details of who receives the training.

3.2.1 Appropriate staff, such as the DPO or an information governance manager, oversee or approve induction training.

3.2.2 All staff receive induction and refresher training, regardless of how long they will be working for your organisation, their contractual status, or grade.

3.2.3 Your staff receive induction training prior to accessing personal data and within one month of their start date.

3.2.4 Your staff complete refresher training at appropriate intervals.

3.1.1 The programme incorporates national and sector-specific requirements.

3.1.2 The programme is comprehensive and includes training for all staff on key areas of data protection such as handling requests, data sharing, information security, personal data breaches and records management.

3.1.3 You consider the training needs of all staff and use this information to compile the training programme.

3.1.4 You assign responsibilities for managing data protection and information governance training across your organisation and you have training plans or strategies in place to meet training needs within agreed time-scales.

3.1.5 You have dedicated and trained resources available to deliver training to all staff.

3.1.6 You regularly review your programme to make sure that it remains accurate and up-to-date.

3.1.7 Senior management sign off your programme.

2.4.1 Where relevant, you consider policies and procedures across your organisation with data protection in mind.

2.4.2 You have policies and procedures to make sure that data protection issues are considered when systems, services, products and business practices involving personal data are designed and implemented, and that personal data is protected by default.

2.4.3 Your organisation's approach to implementing the data protection principles and safeguarding individuals' rights, such as data minimisation, pseudonymisation and purpose limitation, is set out in policies and procedures.

2.4.4 The personal data of vulnerable groups, eg children, is given extra protection in policies and procedures.

2.3.1 Your staff read and understand the policies and procedures, including why they are important to implement and comply with.

2.3.2 You tell staff about updated policies and procedures.

2.3.3 You make policies and procedures readily available for all staff on your organisation's intranet site (or equivalent shared area) or provide them in other ways that are easy to access.

2.3.4 Guidelines, posters or publications help to emphasise key messages and raise staff awareness of policies and procedures.

2.2.1 All policies and procedures follow an agreed format and style.

2.2.2 An appropriately senior staff member reviews and approves all new and existing policies and procedures.

2.2.3 Existing policies and procedures are reviewed in line with documented review dates, are up-to-date and fit for purpose.

2.2.4 You update policies and procedures without undue delay when they require changes, eg because of operational change, court or regulatory decisions, or changes in regulatory guidance.

2.2.5 All policies, procedures and guidelines show document control information, including version number, owner, review date and change history.

2.1.1 The policy framework stems from strategic business planning for data protection and information governance, which the highest management level endorses.

2.1.2 Policies cover data protection, records management and information security.

2.1.3 You make operational procedures, guidance and manuals readily available to support data protection policies and provide direction to operational staff.

2.1.4 Policies and procedures clearly outline roles and responsibilities.

1.6.1 The groups meet and are attended by relevant staff regularly.

1.6.2 The groups produce minutes of the meetings and action plans.

1.6.3 The agenda shows the groups discuss appropriate data protection and information governance issues regularly.

1.6.4 Any data protection and information governance issues and risks that arise are reported to the oversight group.

1.5.1 Key staff, eg the DPO, regularly attend the oversight group meetings.

1.5.2 An appropriately senior staff member chairs the group, eg the DPO or senior information risk owner (SIRO).

1.5.3 Clear terms of reference set out the group's aims.

1.5.4 The group's meeting minutes record what takes place.

1.5.5 The group covers a full range of data protection related topics including Key Performance Indicators (KPIs), issues and risks.

1.5.6 The group has a work or action plan that is monitored regularly.

1.5.7 The board, or highest management level, considers data protection and information governance issues and risks reported by the oversight group.

1.4.4 Data protection and information governance staff have the authority, support and resources to carry out their responsibilities effectively.

1.4.1 Data protection and information governance staff have clear responsibilities for making sure that your organisation is data protection compliant.

1.4.2 Your staff manage all records effectively and they keep information secure.

1.4.3 A network of support or nominated data protection leads help implement and maintain data protection policies at a local level.

1.3.1 Staff know who the DPO is, what their role is and how to contact them.

1.3.2 All data protection issues involve the DPO in a timely manner.

1.3.3 Your organisation follows the DPO’s advice and takes account of their knowledge about data protection obligations.

1.3.4 The DPO performs their tasks independenly, without any conflicts of interest, and does not take any direct operational decisions about the manner and purposes of processing personal data within your organisation.

1.3.5 The DPO directly advises senior decision-makers and raises concerns with the highest management level.

1.3.6 The DPO provides regular updates to senior management about data protection compliance.

1.2.1 The DPO has specific responsibilities in line with Article 39 of the GDPR for data protection compliance, data protection policies, awareness raising, training, and audits.

1.2.2 The DPO has expert knowledge of data protection law and practices.

1.2.3 The DPO has the authority, support and resources to do their job effectively.

1.2.4 If your organisation is not required to appoint a DPO, you record the decision.

1.2.5 If your organisation is not required to appoint a DPO, you appropriately assign responsibility for data protection compliance and you have enough staff and resources to manage your obligations under data protection law.

1.1.2 Decision-makers lead by example and promote a proactive, positive culture of data protection compliance.

1.1.3 You have clear reporting lines and information flows between relevant groups; such as from a management board to an audit committee, or from an executive team to an information governance steering group.

1.1.4 Policies clearly set out the organisational structure for managing data protection and information governance.

1.1.5 Job descriptions clearly set out responsibilities and reporting lines to management.

1.1.6 Job descriptions are up-to-date, fit for purpose and are reviewed regularly.

1.1.7 Data Protection and information governance staff understand the organisational structure and their responsibilities.

1.1.1 The board, or highest senior management level, has overall responsibility for data protection and information governance.

4.2.5 Your organisation can deal with any increase in requests or reduction in staffing levels.

B13.3 Do you test the business continuity and disaster recovery plans at least once per year by running a simulation exercise that includes cyber incidents?

B13.3 Do you test the business continuity and disaster recovery plans at least once per year by running a simulation exercise that includes cyber incidents?

B13.2 Do you review the business continuity and disaster recovery plans at least once per year? Who is involved in the review?

B13.2 Do you review the business continuity and disaster recovery plans at least once per year? Who is involved in the review?

B13.1 Do you ensure that business impact assessments, business continuity and disaster recovery plans are produced for your critical information, applications, systems and networks?

B13.1 Do you ensure that business impact assessments, business continuity and disaster recovery plans are produced for your critical information, applications, systems and networks?

B12.8 Do you test your incident response process at least once per year?

B12.8 Do you test your incident response process at least once per year?

B12.7 Do all staff involved with incident management have clear roles and responsibilities and have they all received appropriate training?

B12.6 Is a record kept of the outcome of all security incident investigations to ensure all lessons have been learned from each event?

B12.6 Is a record kept of the outcome of all security incident investigations to ensure all lessons have been learned from each event?

B12.5 Do you report incidents to external bodies as required, such as law enforcement for criminal activity and the relevant authorities (such as the UK ICO) for personal data breaches?

B12.5 Do you report incidents to external bodies as required, such as law enforcement for criminal activity and the relevant authorities (such as the UK ICO) for personal data breaches?

B12.4 If required as a result of an incident, is data isolated to facilitate forensic examination? How is this done?

B12.4 If required as a result of an incident, is data isolated to facilitate forensic examination? How is this done?

B12.3 Do you formally investigate information security incidents to establish their cause and their impact with a view to avoiding similar events?

B12.3 Do you formally investigate information security incidents to establish their cause and their impact with a view to avoiding similar events?

B12.2 Are users who install software or other active code on the organisation’s systems without permission subject to disciplinary action?

B12.2 Are users who install software or other active code on the organisation’s systems without permission subject to disciplinary action?

B12.1 Are all information security incidents or suspected weaknesses reported and recorded, and do you provide a method for all employees and contractors to report security incidents without risk of recrimination (or anonymously)?

B12.1 Are all information security incidents or suspected weaknesses reported and recorded, and do you provide a method for all employees and contractors to report security incidents without risk of recrimination (or anonymously)?

B11.3 Is a backup copy held in a different physical location?

B11.3 Is a backup copy held in a different physical location?

B11.2 How do you ensure all backups are secured with an appropriate level of protection for the type of data they contain?

B11.2 How do you ensure all backups are secured with an appropriate level of protection for the type of data they contain?

B11.1 Are data stored on the business premises backed up regularly (at least weekly) and restores tested at appropriate intervals (at least monthly)?

B11.1 Are data stored on the business premises backed up regularly (at least weekly) and restores tested at appropriate intervals (at least monthly)?

B10.2 Is an audit trail of system access and/or data use by staff maintained in a central location for all relevant systems and reviewed on a regular basis? Describe how you achieve this.

B10.2 Is an audit trail of system access and/or data use by staff maintained in a central location for all relevant systems and reviewed on a regular basis? Describe how you achieve this.

B10.3 Do you ensure all you devices have their time set accurately to ensure logs and audit trails are in sync with each other?

B10.3 Do you ensure all you devices have their time set accurately to ensure logs and audit trails are in sync with each other?

B10.4 Do you ensure that any event logs and audit trails are kept secure and do not expose sensitive information to unauthorised users?

B10.4 Do you ensure that any event logs and audit trails are kept secure and do not expose sensitive information to unauthorised users?

B10.1 Does the organisation review event logs (including alerts and errors) at least weekly?

B10.1 Does the organisation review event logs (including alerts and errors) at least weekly?

B9.2 Where identified as necessary in your risk assessment, when was the last time you had a penetration test carried out on your critical business systems?

B9.2 Where identified as necessary in your risk assessment, when was the last time you had a penetration test carried out on your critical business systems?

B9.1 When was the last time you had a vulnerability scan on your system?

B9.1 When was the last time you had a vulnerability scan on your system?

A8.6 (C) Where you use application sandboxing, do you ensure that applications within the sandbox are unable to access data stores, sensitive peripherals and your local network? Describe how you achieve this.

A8.6 (C) Where you use application sandboxing, do you ensure that applications within the sandbox are unable to access data stores, sensitive peripherals and your local network? Describe how you achieve this.

A8.5 (B) Where you use an app-store or application signing, do you ensure that users only install applications that have been approved by your organisation and do you document this list of approved applications?

A8.5 (B) Where you use an app-store or application signing, do you ensure that users only install applications that have been approved by your organisation and do you document this list of approved applications?

A8.4 (B) Where you use an app-store or application signing, are users restricted from installing unsigned applications?

A8.4 (B) Where you use an app-store or application signing, are users restricted from installing unsigned applications?

A8.3 (A) Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites?

A8.3 (A) Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites?

A8.2 (A) Where you have anti-malware software installed, is it set to update daily and scan files automatically upon access?

A8.2 (A) Where you have anti-malware software installed, is it set to update daily and scan files automatically upon access?

A7.11 If no, is this because two-factor authentication is not available for some or all of your devices or systems? List the devices or systems that do not allow two-factor authentication.

A7.11 If no, is this because two-factor authentication is not available for some or all of your devices or systems? List the devices or systems that do not allow two-factor authentication.

A8.1 Are all of your computers, laptops, tablets and mobile phones protected from malware by either A - having anti-malware software installed, B - limiting installation of applications to an approved set (i.e. using an App Store and a list of approved applications) or C - application sandboxing (i.e. by using a virtual machine)?

A8.1 Are all of your computers, laptops, tablets and mobile phones protected from malware by either A - having anti-malware software installed, B - limiting installation of applications to an approved set (i.e. using an App Store and a list of approved applications) or C - application sandboxing (i.e. by using a virtual machine)?

A7.10 Have you enabled two-factor authentication for access to all administrative accounts?

A7.10 Have you enabled two-factor authentication for access to all administrative accounts?

A7.9 Do you review who should have administrative access on a regular basis?

A7.9 Do you review who should have administrative access on a regular basis?

A7.8 Do you formally track which users have administrator accounts in your organisation?

A7.8 Do you formally track which users have administrator accounts in your organisation?

A7.7 How do you ensure that administrator accounts are not used for accessing email or web browsing?

A7.7 How do you ensure that administrator accounts are not used for accessing email or web browsing?

A7.6 How do you ensure that staff only use administrator accounts to carry out administrative activities (such as installing software or making configuration changes)?

A7.6 How do you ensure that staff only use administrator accounts to carry out administrative activities (such as installing software or making configuration changes)?

A7.5 Do you have a formal process for giving someone access to systems at an “administrator” level? Describe the process.

A7.5 Do you have a formal process for giving someone access to systems at an “administrator” level? Describe the process.

A7.4 Do you ensure that staff only have the privileges that they need to do their current job? How do you do this?

A7.4 Do you ensure that staff only have the privileges that they need to do their current job? How do you do this?

A7.3 How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation?

A7.3 How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation?

A7.2 Can you only access laptops, computers and servers in your organisation (and the applications they contain) by entering a unique user name and password?

A7.2 Can you only access laptops, computers and servers in your organisation (and the applications they contain) by entering a unique user name and password?

A7.1 Are users only provided with user accounts after a process has been followed to approve their creation? Describe the process.

A7.1 Are users only provided with user accounts after a process has been followed to approve their creation? Describe the process.

B8.11 Do you have Data Processing Agreements in place with all suppliers that process personal data on your behalf?

B8.11 Do you have Data Processing Agreements in place with all suppliers that process personal data on your behalf?

B8.10 How do you ensure that all your suppliers (including cloud providers and sub-contractors) follow information security procedures that are certified to be the same as, or more comprehensive than, the information security procedures followed by your own organisation for the data involved in that contract?

B8.9 If, after assessing all the risks in the DPIA, there is a high level risk left, do you have processes for reporting this to your country's data protection office?

B8.10 How do you ensure that all your suppliers (including cloud providers and sub-contractors) follow information security procedures that are certified to be the same as, or more comprehensive than, the information security procedures followed by your own organisation for the data involved in that contract?

B8.9 If, after assessing all the risks in the DPIA, there is a high level risk left, do you have processes for reporting this to your country's data protection office?

B8.8 Do you ensure that a Data Protection Impact Assessment (DPIA) is carried out for new systems and projects?

B8.7 Do you use firewalls or other technology to block and monitor access to malicious internet locations/domains at the boundary of your networks?

B8.8 Do you ensure that a Data Protection Impact Assessment (DPIA) is carried out for new systems and projects?

B8.7 Do you use firewalls or other technology to block and monitor access to malicious internet locations/domains at the boundary of your networks?

"B8.6 When you deploy wireless and wired networks, do you ensure that access is restricted only to authorised users? "

"B8.6 When you deploy wireless and wired networks, do you ensure that access is restricted only to authorised users? "

B8.5 Where identified as necessary in your risk assessment, have you identified and segregated critical business systems and applied appropriate network security controls to them? Explain how this has been achieved.

B8.5 Where identified as necessary in your risk assessment, have you identified and segregated critical business systems and applied appropriate network security controls to them? Explain how this has been achieved.

B8.4 Are changes to information systems, applications or networks reviewed and approved, and are users disallowed from making changes without approval? Describe the approval process.

B8.3 Are all computers and servers provisioned only with approved software from a list of authorised applications that you maintain? Explain how you achieve this.

B8.4 Are changes to information systems, applications or networks reviewed and approved, and are users disallowed from making changes without approval? Describe the approval process.

B8.3 Are all computers and servers provisioned only with approved software from a list of authorised applications that you maintain? Explain how you achieve this.

B8.2 Does the organisation ensure that all new and modified information systems, applications and networks include security provisions, are correctly sized, comply with security requirements, are compatible with existing systems and are approved before they commence operation? Describe how you achieve this.

B8.2 Does the organisation ensure that all new and modified information systems, applications and networks include security provisions, are correctly sized, comply with security requirements, are compatible with existing systems and are approved before they commence operation? Describe how you achieve this.

B8.1 Is management of computers and networks controlled using documented procedures that have been authorised? Describe how you achieve this.

B8.1 Is management of computers and networks controlled using documented procedures that have been authorised? Describe how you achieve this.

A6.6 Have you removed any applications on your devices that are no longer supported and no longer received regular fixes for security problems?

A6.6 Have you removed any applications on your devices that are no longer supported and no longer received regular fixes for security problems?

A6.5 Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Adobe Flash) installed within 14 days of release? Describe how you achieve this.

A6.5 Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Adobe Flash) installed within 14 days of release? Describe how you achieve this.

A6.4 Are all high-risk or critical security updates for operating systems and firmware installed within 14 days of release? Describe how do you achieve this.

A6.4 Are all high-risk or critical security updates for operating systems and firmware installed within 14 days of release? Describe how do you achieve this.

A6.3 Is all software licensed in accordance with the publisher’s recommendations?

A6.3 Is all software licensed in accordance with the publisher’s recommendations?

A6.2 Are all applications on your devices supported by a supplier that produces regular fixes for any security problems?

A6.2 Are all applications on your devices supported by a supplier that produces regular fixes for any security problems?

A6.1 Are all operating systems and firmware on your devices supported by a supplier that produces regular fixes for any security problems?

A6.1 Are all operating systems and firmware on your devices supported by a supplier that produces regular fixes for any security problems?

A5.10 Is "auto-run" or "auto-play" disabled on all of your systems?

A5.10 Is "auto-run" or "auto-play" disabled on all of your systems?

A5.9 If yes, do you have a password policy that guides all your users?

A5.9 If yes, do you have a password policy that guides all your users?

A5.8 If yes, are your systems set to lockout after ten or fewer unsuccessful login attempts, or limit the number of login attempts to no more than ten within five minutes?

A5.8 If yes, are your systems set to lockout after ten or fewer unsuccessful login attempts, or limit the number of login attempts to no more than ten within five minutes?

A5.7 If yes, do you ensure that you change passwords if you believe that they have been compromised?

A5.7 If yes, do you ensure that you change passwords if you believe that they have been compromised?

A5.6 If yes, do you ensure all users of these services use a password of at least 8 characters and that your systems do not restrict the length of the password?

A5.6 If yes, do you ensure all users of these services use a password of at least 8 characters and that your systems do not restrict the length of the password?

A5.5 Do you run software that provides sensitive or critical information (that shouldn't be made public) to external users across the internet?

A5.5 Do you run software that provides sensitive or critical information (that shouldn't be made public) to external users across the internet?

A5.4 Do all your users and administrators use passwords of at least 8 characters?

A5.4 Do all your users and administrators use passwords of at least 8 characters?

A5.3 Have you changed the default password for all user and administrator accounts on all your laptops, computers, servers, tablets and smartphones to a non-guessable password of 8 characters or more?

A5.3 Have you changed the default password for all user and administrator accounts on all your laptops, computers, servers, tablets and smartphones to a non-guessable password of 8 characters or more?

A5.2 Have you ensured that all your laptops, computers, servers, tablets and mobile devices only contain necessary user accounts that are regularly used in the course of your business?

A5.2 Have you ensured that all your laptops, computers, servers, tablets and mobile devices only contain necessary user accounts that are regularly used in the course of your business?

A5.1 Where you are able to do so, have you removed or disabled all the software that you do not use on your laptops, computers, servers, tablets and mobile phones? Describe how you achieve this.

A5.1 Where you are able to do so, have you removed or disabled all the software that you do not use on your laptops, computers, servers, tablets and mobile phones? Describe how you achieve this.

A4.12 If no, is this because software firewalls are not commonly available for the operating system you are using? Please list the operating systems.

A4.11 Do you have software firewalls enabled on all of your computers and laptops?

A4.12 If no, is this because software firewalls are not commonly available for the operating system you are using? Please list the operating systems.

A4.11 Do you have software firewalls enabled on all of your computers and laptops?

A4.10 If yes, is the access to the settings protected by either two-factor authentication or by only allowing trusted IP addresses to access the settings? List which option is used.

A4.9 If yes, is there a documented business requirement for this access?

A4.8 Are your internet routers or hardware firewalls configured to allow access to their configuration settings over the internet?

A4.10 If yes, is the access to the settings protected by either two-factor authentication or by only allowing trusted IP addresses to access the settings? List which option is used.

A4.9 If yes, is there a documented business requirement for this access?

A4.8 Are your internet routers or hardware firewalls configured to allow access to their configuration settings over the internet?

A4.7 Have you configured your internet routers or hardware firewall devices so that they block all other services from being advertised to the internet?

A4.7 Have you configured your internet routers or hardware firewall devices so that they block all other services from being advertised to the internet?

A4.6 If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required? Describe the process.

A4.5 Do you have any services enabled that are accessible externally from your internet routers or hardware firewall devices for which you do not have a documented business case?

A4.6 If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required? Describe the process.

A4.5 Do you have any services enabled that are accessible externally from your internet routers or hardware firewall devices for which you do not have a documented business case?

A4.3 Is the new password on all your internet routers or hardware firewall devices at least 8 characters in length and difficult to guess?

A4.3 Is the new password on all your internet routers or hardware firewall devices at least 8 characters in length and difficult to guess?

"A4.2 When you first receive an internet router or hardware firewall device it will have had a default password on it. Has this initial password been changed on all such devices? How do you achieve this? "

A4.1 Do you have firewalls at the boundaries between your organisation's internal networks and the internet?

A4.2 When you first receive an internet router or hardware firewall device it will have had a default password on it. Has this initial password been changed on all such devices? How do you achieve this?

A4.1 Do you have firewalls at the boundaries between your organisation's internal networks and the internet?

B7.5 Do all business premises have effective physical protection and, if indicated by a risk assessment, surveillance and monitoring?

B7.5 Do all business premises have effective physical protection and, if indicated by a risk assessment, surveillance and monitoring?

B7.4 Are devices which require particular working conditions (such as heating and cooling) provided with a suitable environment within the guidelines set out by their respective manufacturers? How do you achieve this?

B7.4 Are devices which require particular working conditions (such as heating and cooling) provided with a suitable environment within the guidelines set out by their respective manufacturers? How do you achieve this?

B7.3 Where indicated as necessary in your risk assessment, do you have dedicated machines to scan physical media for viruses and malware?

B7.3 Where indicated as necessary in your risk assessment, do you have dedicated machines to scan physical media for viruses and malware?

B7.2 Is the use of physical media on your systems controlled either by physical access restrictions or by a technical solution (such as by configuring devices to blocking USB storage devices)?

B7.2 Is the use of physical media on your systems controlled either by physical access restrictions or by a technical solution (such as by configuring devices to blocking USB storage devices)?

B7.1 Are only authorised personnel who have a justified and approved business case given access to restricted areas containing information systems or stored data? How do you achieve this?

B7.1 Are only authorised personnel who have a justified and approved business case given access to restricted areas containing information systems or stored data? How do you achieve this?

B6.24 If yes to above, are the systems that you use to store credit card information compliant to PCI-DSS regulation?

B6.24 If yes to above, are the systems that you use to store credit card information compliant to PCI-DSS regulation?

B6.23 Do you store credit card information?

B6.23 Do you store credit card information?

B6.22 List any local or international laws relating to risk treatment or information security which apply to your business.

B6.22 List any local or international laws relating to risk treatment or information security which apply to your business.

B6.21 List any business sector-specific regulations relating to risk treatment or information security which apply to your business.

B6.21 List any business sector-specific regulations relating to risk treatment or information security which apply to your business.

B6.20 Do the contracts with all your suppliers ensure that they meet a set of security requirements that you have defined around handling data and keeping information secure? Please explain the requirements you have set and the reasons why you have chosen them.

B6.20 Do the contracts with all your suppliers ensure that they meet a set of security requirements that you have defined around handling data and keeping information secure? Please explain the requirements you have set and the reasons why you have chosen them.

B6.19 Are your information security policies part of all employees’ contractual obligations?

B6.19 Are your information security policies part of all employees’ contractual obligations?

B6.18 Are your information security policies distributed to all employees?

B6.18 Are your information security policies distributed to all employees?

B6.17 Do your policies refer to handling personal data (and, where appropriate, reference your data protection policy)?

B6.17 Do your policies refer to handling personal data (and, where appropriate, reference your data protection policy)?

B6.16 Do your policies refer to home and mobile working?

B6.16 Do your policies refer to home and mobile working?

B6.15 Do your policies refer to business continuity measures?

B6.15 Do your policies refer to business continuity measures?

B6.14 Do your policies refer to security incident management?

B6.14 Do your policies refer to security incident management?

B6.13 Do your policies refer to security from malware and intrusion?

B6.12 Do your policies refer to monitoring and acceptable usage of systems/data?

B6.12 Do your policies refer to monitoring and acceptable usage of systems/data?

B6.11 Do your policies refer to computer and network security?

B6.11 Do your policies refer to computer and network security?

B6.10 Do your policies refer to physical and environmental security?

B6.10 Do your policies refer to physical and environmental security?

B6.9 Do your policies refer to user authentication and access management?

B6.9 Do your policies refer to user authentication and access management?

B6.8 Do your policies refer to asset management (including removable media)?

B6.8 Do your policies refer to asset management (including removable media)?

B6.7 Do your policies refer to personnel security?

B6.7 Do your policies refer to personnel security?

B6.6 Do your policies refer to intellectual property rights and legal requirements?

B6.6 Do your policies refer to intellectual property rights and legal requirements?

B6.5 Is there a policy review and consultation process?

B6.5 Is there a policy review and consultation process?

B6.4 Provide the name and role of the person who approved the policies?

B6.4 Provide the name and role of the person who approved the policies?

B6.3 Do your information security policies cover the scope of this assessment?

B6.3 Do your information security policies cover the scope of this assessment?

B6.2 Have your policies been reviewed in the last 12 months?

B6.1 Do you have a policy or a set of policies that cover information security?

B6.1 Do you have a policy or a set of policies that cover information security?

B5.8 On termination of employment, are user access privileges immediately withdrawn and the employee de-briefed on their post-employment confidentiality responsibilities? How do you do this?

B5.8 On termination of employment, are user access privileges immediately withdrawn and the employee de-briefed on their post-employment confidentiality responsibilities? How do you do this?

B5.7 Are employees with responsibility for information security, or with privileged access to business systems, appropriately qualified and suitably trained?

B5.7 Are employees with responsibility for information security, or with privileged access to business systems, appropriately qualified and suitably trained?

B5.6 Do employee contracts include security obligations (such as an obligation to comply with the security policy) and are reminders given at regular intervals?

B5.6 Do employee contracts include security obligations (such as an obligation to comply with the security policy) and are reminders given at regular intervals?

B5.5 Do you give new employees a briefing on their corporate and security responsibilities before, or immediately after employment, preferably reinforced by reference literature? How do you do this?

B5.5 Do you give new employees a briefing on their corporate and security responsibilities before, or immediately after employment, preferably reinforced by reference literature? How do you do this?

B5.4 Do all staff and contractors receive regular information security and data protection training (at least annually)? Describe how this is done.

B5.4 Do all staff and contractors receive regular information security and data protection training (at least annually)? Describe how this is done.

B5.3 Provide the name and role of the person responsible for security and data protection training and awareness.

B5.3 Provide the name and role of the person responsible for security and data protection training and awareness.

B5.2 Where criminal record checks are carried out, do you ensure that explicit consent has been obtained from employees and that such checks are carried out for lawful purposes?

B5.2 Where criminal record checks are carried out, do you ensure that explicit consent has been obtained from employees and that such checks are carried out for lawful purposes?

B5.1 Do you take up references or confirm employment history (or carry out any other pre-employment checks to meet regulatory requirements) when employing new staff? How do you do this?

B5.1 Do you take up references or confirm employment history (or carry out any other pre-employment checks to meet regulatory requirements) when employing new staff? How do you do this?

B4.19 Where you disclose personal data to a supplier/provider does the contract explicitly impose the obligation to maintain appropriate technical and organisational measures to protect personal data in line with relevant legislation?

B4.19 Where you disclose personal data to a supplier/provider does the contract explicitly impose the obligation to maintain appropriate technical and organisational measures to protect personal data in line with relevant legislation?

B4.18 Where you have decided to hold data under the lawful purpose of Legitimate Interest of the Controller or Third Party, have you completed the three-part Legitimate Interest test and kept a record of the results?

B4.18 Where you have decided to hold data under the lawful purpose of Legitimate Interest of the Controller or Third Party, have you completed the three-part Legitimate Interest test and kept a record of the results?

B4.17 In each contract you hold with suppliers and customers involving the processing of personal data, do you confirm whether you are the data controller or data processor?

B4.17 In each contract you hold with suppliers and customers involving the processing of personal data, do you confirm whether you are the data controller or data processor?

B4.16 For each piece of personal information you hold, do you record whether your organisation is the data processor or the data controller?

B4.16 For each piece of personal information you hold, do you record whether your organisation is the data processor or the data controller?

B4.15 For each piece of personal information and special category data you hold, do you record the justification for obtaining it? Where is this recorded?

B4.15 For each piece of personal information and special category data you hold, do you record the justification for obtaining it? Where is this recorded?

B4.14 Do you have mechanisms in place which make it as easy for the data subject to remove consent for the data processing under the consent lawful purpose?

B4.14 Do you have mechanisms in place which make it as easy for the data subject to remove consent for the data processing under the consent lawful purpose?

B4.13 Where you are holding data based upon the consent of the data subject, how do you record details of the consent?

B4.13 Where you are holding data based upon the consent of the data subject, how do you record details of the consent?

B4.12 Do you have a data privacy statement compliant with the requirements of GDPR and does the statement provide a point of contact for data protection issues? Who is the point of contact?

B4.12 Do you have a data privacy statement compliant with the requirements of GDPR and does the statement provide a point of contact for data protection issues? Who is the point of contact?

B4.11 Do you have documented data classification criteria?

B4.11 Do you have documented data classification criteria?

B4.10 Do you have documented data retention periods and do these cover contractual and legal requirements?

B4.10 Do you have documented data retention periods and do these cover contractual and legal requirements?

B4.9 Do you make it clear to data subjects how they should contact your organisation to exercise their rights and to raise complaints?

B4.9 Do you make it clear to data subjects how they should contact your organisation to exercise their rights and to raise complaints?

B4.8 What is your process for dealing with Subject Access or Data Portability requests within 30 days? Do you have processes in place to maintain the rights of the individual, within the time limits laid down by the Regulation?

B4.8 What is your process for dealing with Subject Access or Data Portability requests within 30 days? Do you have processes in place to maintain the rights of the individual, within the time limits laid down by the Regulation?

B4.7 Where you collect data from children, do you actively seek parental consent? How do you record this?

B4.7 Where you collect data from children, do you actively seek parental consent? How do you record this?

B4.6 When your organisation collects personal data from a subject do you clearly state what it is being collected for, how it will be processed and who will process it and does the data subject have to provide consent for this?

B4.5 If you fall into the category of requiring a Data Protection Officer have you appointed one?

B4.5 If you fall into the category of requiring a Data Protection Officer have you appointed one?

B4.4 Do policies and procedures set clear responsibilities for handling of personal data, including where appropriate reference to responsibilities held by your Data Protection Officer?

B4.4 Do policies and procedures set clear responsibilities for handling of personal data, including where appropriate reference to responsibilities held by your Data Protection Officer?

B4.3 Is Data Protection referred to in employee contracts of employment?

B4.3 Is Data Protection referred to in employee contracts of employment?

B4.2 Are these policies and procedures provided to all employees, required to be followed in everyday practice and linked to disciplinary procedures? How do you achieve this?

B4.2 Are these policies and procedures provided to all employees, required to be followed in everyday practice and linked to disciplinary procedures? How do you achieve this?

B4.1 Have you put policies and procedures in place to mitigate risks to personal data?

B4.1 Have you put policies and procedures in place to mitigate risks to personal data?

B3.6 Was the risk assessment approved at board/director/partner/trustee level?

B3.6 Was the risk assessment approved at board/director/partner/trustee level?

B3.5 Do you have an action plan to implement any actions identified in the risk assessment?

B3.5 Do you have an action plan to implement any actions identified in the risk assessment?

B3.4 Does the risk assessment identify which actions you will be taking for each risk (such as reduce or accept)?

B3.4 Does the risk assessment identify which actions you will be taking for each risk (such as reduce or accept)?

B3.3 Does the risk assessment cover the scope of this assessment?

B3.3 Does the risk assessment cover the scope of this assessment?

B3.2 Has your risk assessment been reviewed in the last 12 months? Who reviewed it?

B3.2 Has your risk assessment been reviewed in the last 12 months? Who reviewed it?

B3.1 Do you have a current Risk Assessment which includes information security risks and includes risks to data subjects for the information you hold?

B3.1 Do you have a current Risk Assessment which includes information security risks and includes risks to data subjects for the information you hold?

B2.16 Is your data encrypted whilst being stored by your cloud provider(s) (i.e. encrypted at rest)?

B2.16 Is your data encrypted whilst being stored by your cloud provider(s) (i.e. encrypted at rest)?

B2.15 Is your data encrypted before being passed between your site and your cloud provider(s) (i.e. encrypted in transit)?

B2.15 Is your data encrypted before being passed between your site and your cloud provider(s) (i.e. encrypted in transit)?

B2.14 Which security accreditations are held by the cloud providers used by your organisation?

B2.14 Which security accreditations are held by the cloud providers used by your organisation?

B2.13 Please describe which provisions have been put in place to ensure that the requirements of the GDPR are met fully for the data held in your cloud services?

B2.13 Please describe which provisions have been put in place to ensure that the requirements of the GDPR are met fully for the data held in your cloud services?

B2.12 Where do your cloud providers store your data?

B2.12 Where do your cloud providers store your data?

B2.11 Do you use cloud providers to share company information between employees or with customers (such as instant messaging or collaboration tools)? If so, please list all providers.

B2.11 Do you use cloud providers to share company information between employees or with customers (such as instant messaging or collaboration tools)? If so, please list all providers.

B2.10 Do you use cloud providers to store company information (such as files, emails, data backups)? If so, please list all providers.

B2.9 When assets are no longer required, is all data securely wiped from them or are the assets securely destroyed? Describe how this is done.

B2.9 When assets are no longer required, is all data securely wiped from them or are the assets securely destroyed? Describe how this is done.

B2.8 Is all sensitive information identified (e.g. by protective marking) and properly protected?

B2.8 Is all sensitive information identified (e.g. by protective marking) and properly protected?

B2.7 How do you ensure all flows of personal and special category data are documented, including where data was obtained, where it is stored and all destinations of data?

B2.7 How do you ensure all flows of personal and special category data are documented, including where data was obtained, where it is stored and all destinations of data?

B2.6 Is all personal data and special category data identified (e.g. by protective marking) and properly protected? Describe how this is done.

B2.6 Is all personal data and special category data identified (e.g. by protective marking) and properly protected? Describe how this is done.

B2.5 Are all mobile phones, tablets and laptops tracked in the asset register, pin/ password protected and encrypted? Please describe how you have achieved this for all criteria within this question.

B2.5 Are all mobile phones, tablets and laptops tracked in the asset register, pin/ password protected and encrypted? Please describe how you have achieved this for all criteria within this question.

B2.4 Is all removable media tracked in the asset register and encrypted? Please describe how you achieve this.

B2.4 Is all removable media tracked in the asset register and encrypted? Please describe how you achieve this.

B2.3 Do all assets (both physical and information assets) have named owners?

B2.3 Do all assets (both physical and information assets) have named owners?

B2.2 How does your asset register track information assets (i.e. categories of information)?

B2.2 How does your asset register track information assets (i.e. categories of information)?

B2.1 Does your organisation have up-to-date information and physical asset registers?

B2.1 Does your organisation have up-to-date information and physical asset registers?

B1.4 How do you ensure that you provide sufficient funding and a suitable number of appropriately skilled staff to develop and maintain good information security and data protection?

B1.4 How do you ensure that you provide sufficient funding and a suitable number of appropriately skilled staff to develop and maintain good information security and data protection?

B1.3 Please provide the name and role of the person who has overall responsibility for managing security in your organisation?

B1.3 Please provide the name and role of the person who has overall responsibility for managing security in your organisation?

B1.2 Is information security and data protection (including a review of any recent incidents) a standing agenda item for your board/director/partner/trustee meetings?

B1.2 Is information security and data protection (including a review of any recent incidents) a standing agenda item for your board/director/partner/trustee meetings?

B1.1 Please provide the name of the board member/director/partner/trustee who has responsibility for information security and data protection?

6.10.2 The LIA includes a 'balancing test' to show how your organisation determines that its legitimate interests override the individuals' and considers the following issues:

• not using people's data in intrusive ways or in ways which could cause harm, unless there is a very good reason;

• protecting the interests of vulnerable groups such as people with learning disabilities or children;

• whether you could introduce safeguards to reduce any potentially negative impact;

• whether you could offer an opt-out; and

• whether you require a DPIA.

6.7.1 Consent requests: are kept separate from other terms and conditions; require a positive opt-in and do not use pre-ticked boxes; are clear and specific (not a pre-condition of signing up to a service); inform individuals how to withdraw consent in an easy way; and give your organisation's name as well as the names of any third parties relying on consent.

7.4.4 Each contract (or other legal act) sets out details of the processing including the: • subject matter of the processing; • duration of the processing; • nature and purpose of the processing; • type of personal data involved; • categories of data subject; and • controller’s obligations and rights, in accordance with the list set out in Article 28(3) of the GDPR.