REF: 2018-303
Subject: GDPR compliance
Request:
Have you invested in technology specifically to comply with GDPR?
o Yes
o No
Which information security framework(s) have you implemented?
Have you signed contractual assurances from all the third-party organisations you work with requiring that they achieve GDPR compliance by 25 May 2018?
o Yes
o No
Have you completed an audit to identify all files or databases that include personally identifiable information (PII) within your organisation?
o Yes
o No
Do you use encryption to protect all PII repositories within your organisation?
o Yes
o No
As part of this audit, did you establish whether PII data is being stored on and/or accessed by:
o Mobile devices
o Cloud services
o Third-party contractors
Does the organisation employ controls that will prevent an unknown device accessing PII repositories?
o Yes
o No
Does your organisation employ controls that check the security posture of a device before granting access to network resources (i.e. valid certificates, patched, AV protected, etc.)?
o Yes
o No
Should PII data be compromised, have you defined a process so you can notify the relevant supervisory authority within 72 hours?
o Yes
o No
Have you ever paid a ransom demand to have data returned or malware (i.e. ransomware) removed from systems?
o Yes
o No
To which position/level does your data protection officer report (i.e. CISO, CEO, etc.)?
Response:
Please find information attached.
2018-303 – FOI Request – GDPR compliance [129 kb] PDF