FOI 0106HGS Systems

1. Have you invested in technology specifically to comply with GDPR?
a. Yes
b. No 

2. Which information security framework(s) have you implemented?
The ICT Acceptable Use Policy and Network & ICT Security Policy cover aspects of information security including the Health & Social Care Information Centre (HSCIC) Good Practice Guidelines, National Cyber Security Centre: 10 Steps to Cyber Security Guidance, and the Cyber Essentials Assurance Framework.

3. Have you signed contractual assurances from all the third-party organisations you work with requiring that they achieve GDPR compliance by 25 May 2018?
a. Yes
b. No 

4. Have you completed an audit to identify all files or databases that include personally identifiable information (PII) within your organisation?
a. Yes
b. No 
A data flow mapping exercise is currently ongoing within the Trust, which will provide this information.

5. Do you use encryption to protect all PII repositories within your organisation?
a. Yes
b. No 

6. As part of this audit, did you clarify if PII data is being stored on, and/or accessed by:
a. Mobile device
b. Cloud services
c. Third party contractors
Yes

7. Does the organisation employ controls that will prevent an unknown device accessing PII repositories?
a. Yes
b. No 
Not for Heartlands, Good Hope and Solihull Hospital.

8. Does your organisation employ controls that detect the security posture of a device before granting access to network resources – i.e. valid certificates, patched, AV protected, etc.?
a. Yes
b. No 
Not for Heartlands, Good Hope and Solihull Hospital.

9. Should PII data be compromised, have you defined a process so you can notify the relevant supervisory authority within 72 hours?
a. Yes 
b. No

10. Have you ever paid a ransom demand to have data returned / malware (aka ransomware) removed from systems?
a. Yes
b. No 

11. To which positions/level does your data protection officer report? i.e. CISO, CEO, etc.
SIRO / Director of Corporate Affairs