Who should use this standard assessment

A key element of GDPR (brought into effect on the 25th May 2018 ) is the distinction between processor and controller. If you are a controller, you are not relieved of your obligations under GDPR where a processor is involved, as the regulation places further legal obligations on you to ensure your contracts with processors are compliant. Firms can be fined significantly for breaches under the new regulation.

As such, organisations that wish to avoid non-compliant businesses and minimise exposure to high-risk data practices can use this Standard Assessment within Rizikon Assurance. This will assist with ensuring compliance with GDPR where data processors are used, and operating a wider assurance practice that is efficient and risk-proportional, as well as comprehensive.

How this Standard Assessment was developed

This assessment has been written based on the information given by the Information Commissioner’s Office guidance notes on GDPR, as they are the sole body responsible for enforcing the legislation.

The ICO guide explains the provisions of the GDPR to help organisations comply with its requirements. The relevant sections used have been for those who have a day-to-day responsibility for data protection and are data processors. More information can be found here: (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/)

Questions, sections and scoring

The structure of the GDPR Data Processor Standard Assessment consists of an initial section requesting specific confirmation of processing data on behalf of the controller. If the answers suggest that the rest of the assessment is no longer applicable, there are no further questions. Affirmative answers yield a further 12 sections, covering necessary topics from data retention, breach notifications, international processing etc.

The questions are scored on a tiered basis – answers can be provided that are either scored Minor, Major or Fail, while compliant answers will remain unscored. These scores listed indicate that The Data Processor is potentially not compliant with the GDPR regulation with respect to meeting its obligations. The overall assessment score will be inherited from the most severe question score provided, highlighting their point of minimal compliance.