1. Have you invested in technology specifically to comply with GDPR?
o Yes
o No
2. Which information security framework(s) have you implemented?
3. Have you signed contractual assurances from all the third-party organisations you work with requiring that they achieve GDPR compliance by 25 May 2018?
o Yes
o No
4. Have you completed an audit to identify all files or databases that include personally identifiable information (PII) within your organisation?
o Yes
o No
5. Do you use encryption to protect all PII repositories within your organisation?
o Yes
o No
6. As part of this audit, did you clarify if PII data is being stored on, and/or accessed by:
a. Mobile devices
b. Cloud services
c. Third party contractors
7. Does the organisation employ controls that will prevent an unknown device accessing PII repositories?
o Yes
o No
8. Does your organisation employ controls that detect the security posture of a device before granting access to network resources (e.g. valid certificates, patched, AV protected)?
o Yes
o No
9. Should PII data be compromised, have you defined a process so you can notify the relevant supervisory authority within 72 hours?
o Yes
o No
10. Have you ever paid a ransom demand to have data returned / malware (aka ransomware) removed from systems?
o Yes
o No
11. To which position/level does your data protection officer report (e.g. CISO, CEO)?

Download response GDPR. 060718