mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 21:54:56 +03:00
GDPR Compliance Audit Checklist
Organization Information
| Field | Value |
|---|---|
| Organization Name | |
| Role | Controller / Processor / Joint Controller |
| DPO Name and Contact | |
| Lead Supervisory Authority | |
| Assessment Date | |
| Assessor | |
Article 5: Data Processing Principles
- Lawfulness: All processing has documented lawful basis (Art. 6)
- Fairness: Processing is fair and does not cause unjustified adverse effects
- Transparency: Privacy notices provided at point of collection (Art. 13/14)
- Purpose Limitation: Data collected for specified, explicit, and legitimate purposes
- Data Minimization: Only data necessary for the purpose is collected
- Accuracy: Processes exist to keep personal data accurate and up to date
- Storage Limitation: Retention periods defined and enforced for all data categories
- Integrity and Confidentiality: Technical and organizational security measures in place
- Accountability: Ability to demonstrate compliance with all principles
Article 6: Lawful Basis
- Lawful basis identified for each processing activity
- Consent is freely given, specific, informed, and unambiguous where used
- Consent withdrawal mechanism available and easy to use
- Legitimate interest assessments documented where Art. 6(1)(f) relied upon
- Legal bases recorded in ROPA
Articles 13-14: Transparency
- Privacy notice provided at time of data collection (Art. 13)
- Privacy notice provided when data obtained indirectly (Art. 14)
- Notices include: controller identity, purposes, lawful basis, recipients, retention, rights, DPO contact
- Notices are concise, transparent, intelligible, and in plain language
- Notices available in appropriate languages
Articles 15-22: Data Subject Rights
- Process for receiving and handling DSRs documented
- Identity verification procedure before fulfilling requests
- Response within one month (extendable by two months for complex requests)
- Right of access (Art. 15): can provide copy of personal data
- Right to rectification (Art. 16): can correct inaccurate data
- Right to erasure (Art. 17): can delete data across all systems including backups
- Right to restriction (Art. 18): can restrict processing when contested
- Right to portability (Art. 20): can export data in machine-readable format
- Right to object (Art. 21): can cease processing when objected to
- Automated decision-making (Art. 22): safeguards for solely automated decisions
Article 25: Data Protection by Design and Default
- Privacy considerations integrated into system design processes
- Default settings are most privacy-protective
- Only personal data necessary for each purpose is processed by default
- Data protection integrated into development lifecycle
Article 28: Processors
- All processors identified and documented
- Data Processing Agreements (DPAs) in place with all processors
- DPAs include required Art. 28 provisions
- Processor security measures verified
- Sub-processor notification process in place
Article 30: Records of Processing Activities (ROPA)
- ROPA maintained and up to date
- All processing activities documented
- Controller details, purposes, data categories, recipients, transfers, retention, security measures recorded
- Available for supervisory authority on request
Article 32: Security of Processing
- Risk-appropriate technical measures:
  - Encryption of personal data (at rest and in transit)
  - Pseudonymization implemented where appropriate
  - Access controls and authentication
  - Logging and monitoring of access to personal data
  - Data loss prevention controls
- Risk-appropriate organizational measures:
  - Information security policies
  - Staff training on data protection
  - Confidentiality agreements
  - Access review processes
- Ability to restore availability and access after an incident
- Regular testing and evaluation of security measures
Articles 33-34: Breach Notification
- Breach detection and assessment procedures documented
- 72-hour notification to supervisory authority process in place
- Data subject notification process for high-risk breaches
- Breach register maintained
- Breach response plan tested within last 12 months
Article 35: Data Protection Impact Assessment
- DPIA criteria documented (when DPIA is required)
- DPIA process documented
- DPIAs conducted for all high-risk processing
- DPO consulted on DPIAs
- DPIAs reviewed when processing changes
Articles 44-49: International Transfers
- All international transfers identified and documented
- Transfer mechanisms in place (adequacy, SCCs, BCRs)
- Transfer Impact Assessments conducted for non-adequate countries
- Supplementary measures implemented where required
- Standard Contractual Clauses (new 2021 modular version) executed
Articles 37-39: Data Protection Officer
- DPO appointed where required (public authority; core activities involve large-scale monitoring; core activities involve special categories of data)
- DPO has expert knowledge of data protection law
- DPO involved in all data protection matters
- DPO reports to highest management level
- DPO contact details published and communicated to supervisory authority
Summary
| GDPR Area | Items | Compliant | Non-Compliant | N/A |
|---|---|---|---|---|
| Principles (Art. 5) | ||||
| Lawful Basis (Art. 6) | ||||
| Transparency (Art. 13-14) | ||||
| Data Subject Rights (Art. 15-22) | ||||
| Privacy by Design (Art. 25) | ||||
| Processors (Art. 28) | ||||
| ROPA (Art. 30) | ||||
| Security (Art. 32) | ||||
| Breach Notification (Art. 33-34) | ||||
| DPIA (Art. 35) | ||||
| International Transfers (Art. 44-49) | ||||
| DPO (Art. 37-39) | ||||
| Total | | | | |
Sign-off
| Role | Name | Signature | Date |
|---|---|---|---|
| DPO | |||
| CISO | |||
| Legal Counsel | |||
| Senior Management | | | |