After the GDPR assessment has been completed, your Tacita assessor will collate your answers and generate a GDPR compliance report for you. The report contains:
- An executive summary providing you with an overall assurance score, an action criticality score, and a breakdown of assurance and criticalities per assessment area.
- Immediate actions to take. Any answer that the Tacita assessor marked as a ‘critical priority’ is summarised alongside the actions that should be taken immediately to rectify that critical data protection issue.
- Key findings for each assessment area. The Tacita assessment covers 10 key areas: governance; policy management; culture of privacy; privacy by design/default; processes and applications; GDPR individual rights; privacy notices, website cookies and consent; data breaches; data sharing and third parties; and GDPR fundamental principles. For each of these areas, the Tacita assessor will give their summary of your current compliance.
- A full appendix of all questions, answers and recommendations. Tacita gives recommendations for every area in which you can improve your GDPR compliance, regardless of its criticality score. In this section you can see every answer you gave during the assessment and the recommendation for how to improve your data protection in that area.
Example Report Excerpt
The table below shows an excerpt of a typical Tacita GDPR compliance report. Here you can see the type of questions that Tacita asks and typical recommendations that we give. The solutions column is only available to clients who purchase the Premium Package; it will not be present in your compliance report if you have only purchased the Essentials Package. The Premium Package also gives you access to Tacita's entire GDPR Toolkit.
| Assessment Area | Question | Your Answer | Recommendation | Solution (Premium Package only) | Criticality |
|---|---|---|---|---|---|
| Policy Management | Do you have a document that describes the technical and organisational security measures (TOMs) that are in place internally? | I haven't heard that term before. I think that IT has some policies related to security, but I'm not sure what is in them. | It is a legal requirement that organisations which are processing personal data employ appropriate Technical and Organisational Measures (TOMs). These TOMs should be employed both internally (as part of policies and security measures) and they should form components of contracts with third parties. | Create and deploy suitable TOMs in your organisation. Tacita has a training presentation and guide on 'Technical and Organisational Measures' which gives an overview of TOMs. Tacita also has a selection of GDPR and security related policies which you may wish to implement in your organisation. | Critical |
| Privacy by Design/Default | Do you know what a data protection impact assessment (DPIA) is? Do you know the GDPR's legal requirements regarding DPIAs, and do your DPIAs meet these obligations? | I don't know what that document is. | A DPIA is a document (created internally) that assesses the data protection surrounding a process involving personal data. The document will also include a section for remedial actions to be signed off by senior management. The GDPR has legal requirements surrounding DPIAs, including: when a DPIA must be carried out, what information must be included in a DPIA, and what to do if data processing is likely to result in a high risk to a data subject and no remedial actions are possible. Regardless of the legal requirements, Tacita recommends that DPIAs are performed for all data processing activities. DPIAs are a critical step in recognising risks to data protection and GDPR liability. They are also needed to record and implement remedial actions. | Complete the 'Tacita's Guide to Data Protection Impact Assessments' module and use Tacita's DPIA template. Assign business process owners for each data processing activity and have them fill in the DPIA template. These DPIAs will need to be regularly reviewed, particularly if a change has been made to a data processing activity. | Critical |
| Processes and Applications | For processes that do not have an associated DPIA, have process owners checked that their process complies with the 7 principles of the GDPR, including identifying one of the 6 lawful bases for processing? | I don’t know if all of our processes have been checked against the seven principles. | A DPIA will (amongst other things) check if a process is compliant with the 7 principles of the GDPR. If a DPIA has not been completed for a process, you still need to check if it is compliant with the GDPR's 7 principles. You should record in your Record of Processing document whether a process is compliant with the 7 principles. | Tacita's 'Fundamental Principles and Rights of the GDPR' training module has information on the 7 principles, and Tacita's record of processing template has the appropriate headings to check for compliance with these principles. | Critical |