1. How would you describe your GDPR preparedness?

1. Already compliant
2. On target to be compliant by May 25^th 2018
3. Project underway but suffering difficulties
4. Barely started
5. Haven’t started

The Trust does not meet any of these descriptions in relation to GDPR preparedness.  I can confirm that work to prepare us is on-going and will continue.

1. Have you identified all your data processing partners?

1. Yes
2. No
3. Unsure

c) Unsure- It is not possible for us to confirm or deny whether all processing partners have been identified as if there are ones we are unaware of we wouldn’t know.

1. Do you have contracts in place with all your data processing partners?

1. Yes
2. No
3. Unsure                                                                                                                    c) Unsure- As above it is not possible for us to confirm or deny this. Part of the work the Trust is undertaking for GDPR is looking to update agreements where needed, but this is on-going.

1. Do you use a third party to provide data erasure or destruction services on your end of life IT infrastructure?

1. Yes
2. No (ICT have advised that they do not use any such third parties)
3. Unsure

1. If you use a third party, do you have a contract in place with them?

1. Yes
2. No
3. Unsure
4. Not Applicable

1. How have you assessed ‘sufficient guarantees’ from this company? (Please tick all that apply)

• In writing from them
• Via Contract Terms
• Relevant accreditation
• Independent Assessment/Audit
• Not Applicable

1. Does this contract include clarification on process for dealing with: (Please tick all that apply)

• Breach Notification?
• Subject Access Requests
• Changes in processing activities which require a DPIA
• Not Applicable

1. If you use a third party what is their name?

Not Applicable

1. How regularly do you or an independent third party, audit this company?

1. Never
2. Every 6 months
3. Every 12 months
4. Irregularly but over 12 months
5. Unsure
6. Not Applicable