EDPS data protection accountability questionnaire - 05/04/2016

Personal data protection accountability questionnaire for the EDPS

1 How to reply to the questionnaire

To which questions shall I reply?
o You reply only to those questions where your department/role is explicitly mentioned in the "Department(s)" box.

Shall I reply to all questions concerning me?
o The box "M/O" indicates whether the reply is mandatory (M) or optional (O).

How should I provide my response?
o Responses are provided in the boxes "Response" and "Evidence". The "Evidence" box is for explicit evidence supporting the response given, including hyperlinks to deliverables and resources. You do not need to describe the content of the deliverables provided as evidence in detail, but you are encouraged to highlight anything you think is useful to demonstrate your accountability stance.

When shall I reply? How is the process managed?
o The responses to the questionnaire are updated annually, on a schedule synchronised as far as possible with the Annual Management Plan and/or the Risk Management exercise. For the first year the exercise will be carried out twice (every six months).
o The DPO sends you the latest version of the completed questionnaire and you send back your changes using track changes. The DPO compiles all contributions into a new version, which is posted in the DPO section of the Intranet.

For reference, the EDPS Register is at: https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/DPO/DPO_Register

2 The questionnaire

2.1 Data protection management and governance
2.2 Documentation of operations processing personal data
2.3 Embed data protection into operations
2.4 Data protection training and awareness
2.5 Manage information security risks
2.6 Manage data protection risks from third parties
2.7 Maintain data protection notices
2.8 Maintain procedures for inquiries/complaints
2.9 Protect personal data in new operational practices
2.10 Personal data breach management
2.11 Monitoring how personal data are processed
2.12 Keeping pace with policy and technology developments
----------------------------------------
Some sample questions follow:

Each entry below gives the DP activity, whether the reply is mandatory or optional (M/O), the department(s) that must reply, the question, and the notes that guide the reply. Every entry also has an empty "Response" box and an empty "Evidence" box, each with date columns for the two reporting rounds, 30/06/2016 and 31/12/2016.

DP activity: Assign data protection responsibility as DPO
M/O: M
Department(s): MB
Question: Has ultimate responsibility for data protection been formally assigned?
Notes: Appointment of the DPO and possible assistants. How and by whom were they appointed? Report also the date of appointment and the duration of the office.

DP activity: Assign data protection responsibility throughout the organisation
M/O: M
Department(s): MB
Question: Have data protection responsibilities been identified in operational units, sectors and specific roles?
Notes: How? Are staff aware of their role in protecting personal data?

DP activity: Enable communication among staff accountable for data protection
M/O: O
Department(s): MB
Question: Do the DPO, controllers and senior management communicate and work together for data protection?
Notes: How? When? Any tools (meetings, reports)?

DP activity: Report on data protection management in the organisation
M/O: M
Department(s): DPO
Question: Do you report periodically to senior management on data protection?
Notes: How? When? Any tools (meetings, reports)?

DP activity: Integrate data protection into the use of the IT infrastructure/devices
M/O: M
Department(s): HRBA/LISO
Question: Do you have policies/procedures for the protection of personal data in the use of mobile devices for work-related purposes?
Notes: What? Where? Have you maintained them?

DP activity: Integrate data protection into the use of the IT infrastructure/devices
M/O: M
Department(s): HRBA/LISO
Question: Do you have policies/procedures on the use of the IT infrastructure for personal purposes?
Notes: What? Where? Have you maintained them?

DP activity: Integrate data protection into practices for monitoring employees
M/O: M
Department(s): HRBA/LISO
Question: Do you have procedures to integrate data protection into communications monitoring practices (use of e-mail, internet and telephone)?
Notes: What? Where? Have you maintained them?

DP activity: Maintain an information security policy
M/O: M
Department(s): LISO, LSO, RM
Question: Do you have an information security policy to protect personal data?
Notes: Where? How and when do you maintain it? Are staff aware of it?

DP activity: Maintain procedures to manage contracts or agreements with processors
M/O: M
Department(s): HRBA, ALL
Question: Do you keep track of processors and of contractual provisions, including security and data protection requirements?
Notes: What? Where? Have you maintained them?

DP activity: Conduct due diligence around the data protection and security posture of potential vendors/processors
M/O: M
Department(s): ALL
Question: How do you assess the data protection and security guarantees of prospective processors before choosing them?

DP activity: Maintain a documented data protection incident/breach response protocol
M/O: M
Department(s): LISO
Question: Do you have a personal data breach response procedure?
Notes: What? When?