Plan of action over 12 months for maintaining your GDPR compliance.

A compliance maintenance action plan is essential to ensure that your company is compliant with GDPR regulations. It is important to be accompanied by a DPO with proven data protection skills to ensure the effectiveness and relevance of this action plan.

The compliance maintenance action plan should include the following steps:

  • Analysis of the current compliance status: This step involves assessing the current compliance status of your company by examining existing processes, policies, and procedures for the collection, processing, storage, and protection of employee health data. This step may also include a risk analysis for the confidentiality and security of employee health data.
  • Identification of gaps: This step involves identifying areas where your company is not in compliance with GDPR rules. This step can be done by comparing company policies and procedures with GDPR requirements.
  • Development of an action plan: This step involves developing an action plan to address the gaps identified in the previous step. This action plan should include specific actions to be taken to ensure your company’s compliance with GDPR rules.
  • Implementation of the action plan: This step involves implementing the actions identified in the action plan. It is important to follow the steps rigorously to ensure that the actions are implemented correctly.
  • Evaluation of effectiveness: This step involves evaluating the effectiveness of the actions taken to maintain GDPR compliance. This evaluation may include compliance testing, security assessments, and employee satisfaction surveys.

Compliance maintenance action plan: First quarter 2023.

Monitoring employees’ consent for the collection and processing of their health data, as well as the effectiveness of the methods for collecting and storing this data in compliance with GDPR standards.

Monitoring employees’ consent for the collection and processing of their health data involves ensuring that employees have given explicit, free, informed, and unambiguous consent to the collection, processing, and storage of their health data.

To do this, it is necessary to verify that employees have been clearly and transparently informed about the purposes for which their health data is collected, the recipients of this data, their rights regarding data protection, and the duration of the retention of this data.

It is also important to verify that employees have been clearly and precisely informed of their right to withdraw their consent at any time and that procedures have been put in place to facilitate the exercise of this right.

It is also important to ensure the effectiveness of the methods for collecting and storing this data in compliance with GDPR standards, for example by verifying that health data is collected proportionately to the purpose of the processing, that technical and organizational measures have been put in place to ensure data security, that access to data is limited to those who need it, and that the data is retained for a duration that does not exceed the necessary duration for the purpose of the processing.

| Audit Checklist | Compliance with GDPR | Yes | No | N/A |
| --- | --- | --- | --- | --- |
| Consent for employee health data collection and processing | Article 7 | | | |
| Employees are informed of data collection purposes and recipients | Articles 13, 14 | | | |
| Employees are informed of their data protection rights | Articles 13, 14, 15, 16, 17, 18, 20, 21, 77, 79 | | | |
| Employees are informed of data retention duration | Articles 13, 14 | | | |
| Procedures in place for employee consent withdrawal | Article 7 | | | |
| Proportional collection and processing of health data | Articles 5, 9 | | | |
| Technical and organizational measures for data security | Article 32 | | | |
| Access to data limited to those with need-to-know | Article 32 | | | |
| Data retention duration is not excessive | Article 5 | | | |

In this example, the checklist includes specific GDPR articles that relate to each item. The “Yes,” “No,” and “N/A” columns can be used to indicate whether the audited item is compliant, non-compliant, or not applicable.

Ensuring that workers have easy access to their health data and that requests for deletion or modification of this data are processed in accordance with GDPR regulations.

Ensuring that workers have easy access to their health data and that requests for deletion or modification of this data are processed in accordance with GDPR regulations involves ensuring that workers can exercise their rights of access, rectification, erasure, or portability of their health data easily and quickly.

To do this, it is important to verify that workers have access to a simple and effective procedure for exercising their rights and that designated persons within the company are responsible for responding to workers’ requests. It is also important to ensure that workers are informed clearly and transparently about the conditions for exercising their rights, the response times, and the means of contacting the designated persons to respond to their requests.

In addition, it is important to verify that requests for deletion or modification of health data are processed in accordance with GDPR regulations. This involves verifying that the health data in question is accurate, relevant, and up to date, that the request is justified, and that workers’ rights are respected. In case of a request for deletion or modification of health data, it is also important to ensure that all relevant data is deleted or modified and that evidence of this action is properly retained.

| Audit Checklist | Compliance with GDPR | Yes | No | N/A |
| --- | --- | --- | --- | --- |
| Workers have easy access to their health data | Article 15 | | | |
| Workers can exercise their rights of access, rectification, erasure, or portability | Articles 15, 16, 17, 20 | | | |
| Simple and effective procedure for exercising rights in place | Articles 12, 15, 16, 17, 20, 21 | | | |
| Designated persons responsible for responding to workers’ requests | Articles 12, 15, 16, 17, 20, 21 | | | |
| Workers are informed clearly and transparently about exercising their rights | Articles 12, 15, 16, 17, 20, 21 | | | |
| Workers are informed of response times and means of contact | Articles 12, 15, 16, 17, 20, 21 | | | |
| Requests for deletion or modification of health data are processed in accordance with GDPR regulations | Articles 5, 16, 17, 18 | | | |
| Health data is accurate, relevant, and up to date | Article 5 | | | |
| Request for deletion or modification is justified | Article 17 | | | |
| Workers’ rights are respected | Articles 12, 15, 16, 17, 20, 21, 77, 79 | | | |
| Relevant data is deleted or modified and evidence is properly retained | Articles 5, 17, 18, 24, 30 | | | |

This checklist includes specific GDPR articles that relate to each item. The “Yes,” “No,” and “N/A” columns can be used to indicate whether the audited item is compliant, non-compliant, or not applicable.

Verifying that the exchange of health data with third parties is carried out in compliance with GDPR rules on security, confidentiality, and consent.

Verifying that the exchange of health data with third parties is carried out in compliance with GDPR rules on security, confidentiality, and consent involves ensuring that all health data shared with third parties is protected and processed in compliance with GDPR rules.

To do this, it is important to verify that the company has implemented appropriate technical and organizational security measures to ensure the security and confidentiality of health data during its transmission and storage with third parties. It is also important to ensure that the third parties have signed data processing contracts that comply with GDPR requirements.

It is also important to verify that workers are informed clearly and transparently about the exchange of health data with third parties, the purposes of these exchanges, and the recipients of this data. Workers must also give their explicit, free, informed, and unambiguous consent for their health data to be shared with third parties.

Finally, it is important to verify that the exchange of health data with third parties is carried out in compliance with GDPR rules on data retention, purpose of processing, and workers’ rights. This involves ensuring that health data is collected proportionally to the purpose of the processing and that the duration of data retention is compliant with GDPR legislation.

| Audit Checklist | Compliance with GDPR | Yes | No | N/A |
| --- | --- | --- | --- | --- |
| Technical and organizational security measures in place | Article 32 | | | |
| Third parties have signed GDPR-compliant data processing contracts | Article 28 | | | |
| Workers are informed clearly and transparently about the exchange of health data with third parties | Articles 12, 13, 14 | | | |
| Workers give explicit, free, informed, and unambiguous consent for health data to be shared with third parties | Article 7 | | | |
| Data is collected proportionally to the purpose of processing | Article 5 | | | |
| Data retention duration is compliant with GDPR legislation | Article 5 | | | |
| Purpose of processing is compliant with GDPR legislation | Article 5 | | | |
| Workers’ rights are respected | Articles 12, 15, 16, 17, 20, 21, 77, 79 | | | |

This checklist includes specific GDPR articles that relate to each item. The “Yes,” “No,” and “N/A” columns can be used to indicate whether the audited item is compliant, non-compliant, or not applicable.

Evaluating the compliance of data security policies and the implementation of appropriate technical and organizational measures to ensure the security of employee health data.

Evaluating the compliance of data security policies and the implementation of appropriate technical and organizational measures to ensure the security of employee health data involves verifying that the company has implemented security measures to protect employee health data.

To evaluate the compliance of these security policies, it is important to verify that the company has implemented technical measures such as health data encryption, password management, access limitation, and strong authentication. The company must also have implemented organizational measures such as staff training, security policies, and internal controls to protect health data.

It is also important to ensure that the company has conducted a risk analysis to identify potential risks to the security of health data and has implemented measures to mitigate them.

Finally, it is important to verify that the company has implemented security policies for mobile devices such as laptops and smartphones, and that these policies are compliant with GDPR rules. The company must also have established procedures for erasing data on mobile devices in case of loss or theft.

| Audit Checklist | Compliance with GDPR | Yes | No | N/A |
| --- | --- | --- | --- | --- |
| Technical security measures are in place | Article 32 | | | |
| Organizational security measures are in place | Article 32 | | | |
| Risk analysis has been conducted | Article 35 | | | |
| Risks have been mitigated | Article 32 | | | |
| Encryption of health data is used | Article 32 | | | |
| Password management is used | Article 32 | | | |
| Access limitation is used | Article 32 | | | |
| Strong authentication is used | Article 32 | | | |
| Staff training is in place | Article 32 | | | |
| Security policies are in place | Article 32 | | | |
| Internal controls are in place | Article 32 | | | |
| Policies for mobile devices are in place | Article 32 | | | |
| Procedures for erasing data on mobile devices are in place | Article 32 | | | |

This checklist includes specific GDPR articles that relate to each item. The “Yes,” “No,” and “N/A” columns can be used to indicate whether the audited item is compliant, non-compliant, or not applicable.

Ensuring that employees receive regular training on GDPR rules, risks to the confidentiality and security of their health data, and ways to protect them is a key element of GDPR compliance in occupational health services.

To ensure this compliance, it is important to set up regular training sessions for all employees, including medical personnel and those responsible for managing health data. This training should cover the following key points:

  • The fundamental principles of GDPR regulations on personal data protection and health data confidentiality.
  • Employee rights related to data protection, including their right to access, rectify, erase, and transfer their health data.
  • Risks to the confidentiality and security of health data, such as cyberattacks, security breaches, human errors, etc.
  • Technical and organizational measures to protect health data, such as secure passwords, restricted access, monitoring of suspicious activity, etc.
  • Internal procedures to report data breaches and to respond quickly and effectively in case of a security incident.

In addition to initial training, it is also important to offer regular training sessions to keep employees’ knowledge up to date and to provide them with access to online resources such as best practices guides, newsletters, webinars, etc.

It is also important to ensure that employees understand the importance of protecting health data and the need to comply with GDPR rules, by explaining the potential consequences for the company and for themselves in case of non-compliance.

| Audit Checklist | Compliance with GDPR (Article) | Yes | No | N/A |
| --- | --- | --- | --- | --- |
| Data Protection Officer (DPO) | Article 37 | | | |
| Compliance Action Plan | Article 24 | | | |
| Consent for Health Data | Article 7 | | | |
| Data Exchange with Third Parties | Article 28 | | | |
| Employee Data Access | Article 15 | | | |
| Employee Training | Article 39 | | | |
| Security Measures | Article 32 | | | |
| Data Breach Management | Article 33 | | | |
| Records of Processing Activities | Article 30 | | | |

Compliance Maintenance Action Plan: Second Quarter 2023

Assessing the compliance of contracts with external service providers for the collection, processing and storage of employee health data to ensure they comply with GDPR rules is a crucial step in protecting employee health data.

To achieve this, it is important to verify that the data processing contracts signed with external providers contain standard contractual clauses that comply with GDPR requirements. These clauses must include, among other things, the purposes of data collection, processing and storage, the duration of data retention, employee data protection rights, data security, and data breach notification obligations.

It is also important to ensure that external service providers comply with GDPR requirements for data security, including technical and organizational measures to protect health data, data encryption, access management, network security, and more.

Finally, it is important to verify that external service providers have a clear and transparent policy on personal data protection, which should be available to affected employees and accessible on their website.

The goal is to ensure that external service providers comply with GDPR standards and provide a level of protection equivalent to that of the company. If external service providers do not comply with GDPR requirements, corrective measures must be implemented or alternative service providers sought.

| Audit Checklist | Compliance with GDPR (Article) | Yes | No | N/A |
| --- | --- | --- | --- | --- |
| Policy for data protection | Art. 5 | | | |
| Procedure for responding to data breaches | Art. 33 | | | |
| Employee training on GDPR and data protection | Art. 39 | | | |
| Procedures for managing data subject requests | Art. 12-23 | | | |
| Records of processing activities | Art. 30 | | | |
| Contracts with third-party data processors | Art. 28 | | | |
| Technical and organizational measures for data security | Art. 32 | | | |
| Regular reviews and audits of data protection practices | Art. 24 | | | |
| Ensuring easy access for employees to their health data | Art. 15 | | | |
| Evaluating compliance of data exchanges with third parties | Art. 44-50 | | | |
| Evaluating compliance of contracts with external service providers | Art. 28 | | | |

Ensuring that collected health data is relevant, limited to what is necessary, and proportionate to the purpose of processing, and that the data retention period is compliant with GDPR legislation is a key point of GDPR compliance.

It is important to verify that the health data collected is necessary for the purpose of processing and limited to what is relevant and proportionate to that purpose. It is important to limit the data collected to that which is necessary for the purpose of processing in order to minimize privacy and data security risks.

It is also important to ensure that the data retention period is compliant with GDPR legislation. Health data must be retained for a limited period, which must be justified by the purpose of processing and must not exceed the time necessary to achieve that purpose.

To evaluate the company’s compliance with this point, it is important to verify that the health data collected is necessary for the purpose of processing and limited to what is relevant and proportionate to that purpose. It is also important to verify that the data retention period is compliant with GDPR legislation. Additionally, it is important to verify that procedures have been put in place to delete health data that is no longer necessary in accordance with GDPR provisions.

| Audit Checklist | Compliance with GDPR | Yes | No | N/A |
| --- | --- | --- | --- | --- |
| Privacy Policy and Notice | Articles 13, 14 | | | |
| Data Subject Rights | Articles 15-22 | | | |
| Legal Basis for Data Processing | Article 6 | | | |
| Consent | Article 7 | | | |
| Data Breach Notification and Response | Articles 33-34 | | | |
| Data Protection Officer (DPO) Appointment | Article 37 | | | |
| Data Protection Impact Assessment (DPIA) | Article 35 | | | |
| Processor Contracts | Article 28 | | | |
| International Data Transfers | Chapter V | | | |
| Records of Processing Activities | Article 30 | | | |
| Technical and Organizational Data Security | Article 32 | | | |
| Employee Data Protection Training | Article 39 | | | |
| External Service Provider Compliance | Article 28 | | | |
| Relevant and Limited Data Collection | Article 5 | | | |

Controlling the security and confidentiality of health data during their transmission and storage is crucial to ensure GDPR compliance.

It is important to verify that health data is protected during transmission and storage. This involves verifying that data is transmitted securely using encryption protocols, such as SSL or TLS, and that data is stored securely using appropriate technical and organizational measures, such as encryption, password management, and restricted access to data.

Additionally, it is important to ensure that access to data is limited to those who need to access it to perform their work, and that these individuals have been trained on GDPR rules and the risks associated with protecting health data.

To assess the company’s compliance with this point, it is important to verify that health data is transmitted securely using encryption protocols, such as SSL or TLS, and that data is stored securely using appropriate technical and organizational measures, such as encryption, password management, and restricted access to data. Additionally, it is important to verify that access to data is limited to those who need to access it to perform their work, and that these individuals have been trained on GDPR rules and the risks associated with protecting health data.

| Audit Checklist | Compliance with GDPR | Yes | No | N/A |
| --- | --- | --- | --- | --- |
| Data mapping and inventory | Article 30 | | | |
| Consent management | Articles 6, 7, and 8 | | | |
| Individual rights management | Articles 12-23 | | | |
| Third-party management | Article 28 | | | |
| Data security | Article 32 | | | |
| Data breach management | Articles 33 and 34 | | | |
| Employee training | Article 39 | | | |
| Data retention | Article 5 | | | |
| Data processing impact assessment | Article 35 | | | |
| International data transfers | Chapter V | | | |

Checking that data breach notification procedures are in place and that staff is trained to identify, report and respond to data breaches in compliance with GDPR requirements is essential to ensure GDPR compliance.

It is important to verify that data breach notification procedures are clearly defined and that staff is trained to understand and implement them. It is also important to ensure that data breaches are reported immediately to the supervisory authority in compliance with the timeframes specified in GDPR legislation. Employees should be trained to identify data breaches and to report any data breaches immediately to the designated person within the company.

In addition, it is important to ensure that data breach response procedures are in place and that staff is trained to respond to them. This involves ensuring that emergency plans are established to deal with data breaches, that designated persons are informed of their role in the event of a data breach, and that corrective measures are taken to prevent future data breaches.

To assess the company’s compliance with this point, it is important to verify that data breach notification procedures are in place and that staff is trained to identify, report, and respond to data breaches in compliance with GDPR requirements. It is also important to verify that data breaches are reported immediately to the supervisory authority in compliance with the timeframes specified in GDPR legislation, and that emergency plans are established to deal with data breaches.

| Audit Checklist | Compliance with GDPR (Article) | Yes | No | N/A |
| --- | --- | --- | --- | --- |
| Ensuring employees receive regular training on GDPR rules, risks to privacy and security of health data, and ways to protect it | Article 39 | | | |
| Evaluating compliance of contracts with external service providers for collecting, processing, and storing employee health data | Article 28 | | | |
| Ensuring collected health data is relevant, limited to what is necessary, and proportional to the processing purpose, and that the retention period is compliant with GDPR | Article 5 | | | |
| Controlling the security and confidentiality of health data during transmission and storage, including verifying the use of encryption, password management, and restricted access to data | Article 32 | | | |
| Verifying that data breach notification procedures are in place and that personnel are trained to identify, report, and respond to data breaches in compliance with GDPR requirements | Article 33 | | | |

Evaluating the processes for transferring health data to third countries is important to ensure GDPR compliance. It is essential to ensure that appropriate transfer mechanisms are in place and that the rights of the affected workers are protected in accordance with GDPR standards.

It is important to verify that transfers of health data to third countries are authorized by GDPR legislation and that appropriate transfer mechanisms are in place, such as standard contractual clauses, binding corporate rules, and codes of conduct. It is also important to ensure that workers are clearly and transparently informed about transfers of health data to third countries, the purposes of these transfers, and the recipients of this data.

Furthermore, it is important to ensure that the rights of affected workers are protected in accordance with GDPR standards. This involves ensuring that workers have given their explicit, free, informed, and unambiguous consent for the transfer of their health data to third countries, that transfers of health data are necessary for the purpose of the processing, that health data is kept for a duration that does not exceed the time required for the purpose of the processing, and that workers have the right to withdraw their consent at any time.

To evaluate the company’s compliance with this point, it is important to verify that appropriate transfer mechanisms are in place and that the rights of affected workers are protected in accordance with GDPR standards. Additionally, it is important to ensure that workers are clearly and transparently informed about transfers of health data to third countries, the purposes of these transfers, and the recipients of this data, and that workers have given their explicit, free, informed, and unambiguous consent for the transfer of their health data to third countries.

| Audit Checklist | Compliance with GDPR | Yes | No | N/A |
| --- | --- | --- | --- | --- |
| Data Protection Officer appointment | Article 37 | | | |
| Data protection policies and procedures | Articles 24, 25 | | | |
| Data protection impact assessments (DPIAs) | Article 35 | | | |
| Record of processing activities | Article 30 | | | |
| Lawful basis for processing personal data | Articles 6, 9 | | | |
| Consent requirements | Articles 7, 8 | | | |
| Data subject rights | Articles 12-23 | | | |
| Data breaches and incident management | Articles 33, 34 | | | |
| Third-party data processing agreements | Article 28 | | | |
| Security and confidentiality of personal data | Article 32 | | | |
| Transfer of personal data outside the EU/EEA | Chapter V | | | |
| Compliance monitoring and training | Articles 39, 47 | | | |

Compliance Maintenance Action Plan: Third Quarter 2023

Controlling the accuracy and completeness of workers’ contact information for notifications and consent requests, as well as identity verification processes to ensure that health data is not disclosed to unauthorized third parties, is important for GDPR compliance.

It is important to ensure that contact data is accurate and complete to enable workers to receive notifications and consent requests. It is also important to verify that identity verification processes are in place to ensure that health data is not disclosed to unauthorized third parties. Identity verification processes should be proportionate to the risks associated with the disclosure of health data and should ensure that only authorized persons have access to health data.

To evaluate a company’s compliance with this point, it is important to verify that workers’ contact information is accurate and complete and that identity verification processes are in place to ensure that health data is not disclosed to unauthorized third parties.

It is also important to verify that notification and consent procedures are in place to ensure that workers are informed in a clear and transparent manner about the purposes of collecting, processing, and storing their health data, and that workers have given their explicit, freely given, informed, and unambiguous consent.

Finally, it is important to verify that technical and organizational measures are in place to ensure the security and confidentiality of health data during transmission and storage, and that access to data is limited to authorized personnel.

| Audit Checklist | Compliance with GDPR | Yes | No | N/A |
| --- | --- | --- | --- | --- |
| Evaluate compliance of contracts with external service providers for collection, processing and storage of employee health data to ensure compliance with GDPR rules. | Article 28 | | | |
| Ensure that the collected health data is relevant, limited to what is necessary and proportional to the purpose of processing, and that the data retention period complies with GDPR legislation. | Article 5 | | | |
| Control the security and confidentiality of health data during transmission and storage, including checking the use of encryption, password management and restricted access to data. | Article 32 | | | |
| Verify that procedures for data breach notification are in place and that personnel are trained to identify, report and respond to data breaches in compliance with GDPR requirements. | Articles 33, 34 | | | |
| Evaluate the processes for transferring health data to third countries, ensuring that appropriate transfer mechanisms are in place and the rights of affected workers are protected in accordance with GDPR standards. | Article 44 | | | |
| Control the accuracy and completeness of workers’ contact information for notifications and consent requests, as well as identity verification processes to ensure that health data is not disclosed to unauthorized third parties. | Articles 5, 12 | | | |

The compliance check consists of verifying the compliance of the processes for the deletion and rectification of health data, ensuring that all employee health data is deleted or rectified when necessary and that evidence of this action is properly retained.

It is also important to verify that health data is deleted or rectified in its entirety, and that all copies of such data are also deleted or rectified. It is also necessary to check that health data is retained for a limited duration in accordance with GDPR rules and that it is deleted when this duration is reached.

To evaluate the company’s compliance with this point, it is important to verify that the processes for the deletion and rectification of health data are in compliance with GDPR rules, that health data is deleted or rectified in its entirety, that evidence of this action is properly retained, and that employees are informed of any changes made to their health data. It is also important to check
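The retention checkpoint in the second quarter (health data retained no longer than the purpose requires, with a procedure to delete what is no longer necessary) and the deletion and rectification checkpoint above (every copy deleted or rectified, with evidence of the action retained) both come down to the same two controls: a scheduled retention sweep and an evidence log that outlives the data. The following Python is an added example and is not part of the original action plan; the retention schedule, the record layout, the store names `primary` and `backup`, and all sample records are constructed assumptions. What it shows is that the evidence log stores only digests, timestamps and reasons, so the proof that an erasure or rectification happened survives without keeping the health data itself, and that a copy check catches copies an erasure missed.

```python
"""Retention sweep and erasure/rectification evidence for employee health data.
Hypothetical example with constructed sample data; not the plan's own tooling."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
import hashlib
import json

# Retention schedule per purpose of processing (constructed for this example; a real
# schedule must be justified by the purpose and documented in the record of processing).
RETENTION_DAYS = {
    "occupational_health_follow_up": 2 * 365,
    "sick_leave_administration": 365,
}


@dataclass
class HealthRecord:
    record_id: str
    employee_id: str
    purpose: str
    collected_on: date
    payload: dict


@dataclass
class Evidence:
    """Proof that an action happened, kept after the data is gone: digests, not data."""
    record_id: str
    employee_id: str
    action: str          # "erased" or "rectified"
    performed_on: date
    reason: str
    before_digest: str   # SHA-256 of the payload before the action
    after_digest: str    # SHA-256 after rectification; "" for an erasure


def digest(payload: dict) -> str:
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def retention_expired(record: HealthRecord, today: date) -> bool:
    days = RETENTION_DAYS.get(record.purpose)
    if days is None:
        # A purpose with no documented retention period is itself a finding: fail closed.
        raise ValueError(f"no retention period defined for purpose {record.purpose!r}")
    return today > record.collected_on + timedelta(days=days)


def erase(stores: dict, record_id: str, today: date, reason: str, log: list) -> int:
    """Remove every copy of a record (primary, backup, export, ...) and log evidence.
    Returns the number of copies removed."""
    first, removed = None, 0
    for store in stores.values():
        rec = store.pop(record_id, None)
        if rec is None:
            continue
        first = first or rec
        removed += 1
    if first is not None:
        log.append(Evidence(record_id, first.employee_id, "erased", today, reason,
                            digest(first.payload), ""))
    return removed


def rectify(stores: dict, record_id: str, today: date, new_payload: dict,
            reason: str, log: list) -> int:
    """Apply a rectification to every copy and log before/after digests."""
    first, before, updated = None, "", 0
    for store in stores.values():
        rec = store.get(record_id)
        if rec is None:
            continue
        if first is None:
            first, before = rec, digest(rec.payload)   # digest taken before mutation
        rec.payload = dict(new_payload)
        updated += 1
    if first is not None:
        log.append(Evidence(record_id, first.employee_id, "rectified", today, reason,
                            before, digest(new_payload)))
    return updated


def retention_sweep(stores: dict, today: date, log: list) -> list:
    """Erase every primary record whose retention period has expired; returns their ids."""
    expired = [r.record_id for r in list(stores["primary"].values())
               if retention_expired(r, today)]
    for rid in expired:
        erase(stores, rid, today, "retention period expired", log)
    return expired


def orphan_copies(stores: dict) -> list:
    """Ids present in a secondary store but not in primary: copies an erasure missed."""
    primary = set(stores["primary"])
    return sorted({rid for name, s in stores.items() if name != "primary"
                   for rid in s if rid not in primary})


def build_sample_stores() -> dict:
    """Constructed sample data: three live records plus one stale backup-only copy."""
    records = [
        HealthRecord("r1", "e100", "sick_leave_administration", date(2022, 3, 1), {"fit": True}),
        HealthRecord("r2", "e101", "occupational_health_follow_up", date(2022, 6, 15), {"vision": "ok"}),
        HealthRecord("r3", "e102", "sick_leave_administration", date(2023, 5, 2), {"fit": False}),
    ]
    primary = {r.record_id: r for r in records}
    backup = {r.record_id: replace(r, payload=dict(r.payload)) for r in records}
    backup["r0"] = HealthRecord("r0", "e099", "sick_leave_administration", date(2021, 1, 10), {"fit": True})
    return {"primary": primary, "backup": backup}


def run_audit(today: date = date(2023, 7, 1)) -> dict:
    """Sweep expired records, apply one rectification request, then check for orphan copies."""
    stores, log = build_sample_stores(), []
    erased = retention_sweep(stores, today, log)
    rectified = rectify(stores, "r3", today, {"fit": True}, "employee rectification request", log)
    return {"erased": erased, "rectified_copies": rectified,
            "orphans": orphan_copies(stores), "log": log}


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(key, value)
```

Run as is, the sweep erases only `r1` (its one-year period lapsed on 2023-03-01) from both stores, the rectification of `r3` touches two copies and logs the old and new digests, and the orphan check reports `r0`, a backup copy that has no primary record and would otherwise sit outside both the retention sweep and any erasure request. In a real deployment the stores would be the production database, backups and exports, and the evidence log would be written to an append-only audit store rather than an in-memory list.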

| Audit Checklist | Compliance with GDPR | Yes | No | N/A |
| --- | --- | --- | --- | --- |
| Verify the accuracy and completeness of employee health data | Art. 5, 6, 9 and 32 | | | |
| Ensure that the collection of health data is relevant, limited, and proportionate | Art. 5 and 9 | | | |
| Control the security and confidentiality of health data during transmission and storage | Art. 5, 32 and 34 | | | |
| Verify that procedures for data breach notifications are in place | Art. 33 and 34 | | | |
| Evaluate the processes for transferring health data to third countries | Art. 44-49 | | | |
| Verify compliance of processes for deletion and rectification of health data | Art. 5, 16, 17, and 32 | | | |
| Ensure that the rights of data subjects are respected | Art. 12-22 | | | |
| Verify that employees are trained in data protection | Art. 39 and 47 | | | |
| Verify that data protection impact assessments are conducted | Art. 35 and 36 | | | |
| Ensure that the retention period for health data is compliant with the GDPR | Art. 5 and 32 | | | |

The compliance check consists of evaluating the compliance of the security protocols for remote or mobile worker data, such as device encryption, Wi-Fi connection security, and management of data stored on personal devices.

To do so, it is necessary to verify that mobile devices used by workers are protected by appropriate technical and organizational security measures, such as data encryption, the use of strong passwords, and the installation of up-to-date security software.

It is also important to ensure that Wi-Fi connections used by workers are secure, for example by verifying that public Wi-Fi networks are not used for the transmission of sensitive data, and that private Wi-Fi connections are secured with strong passwords and appropriate encryption protocols.

Furthermore, it is important to verify that workers are informed of the risks associated with using their personal devices to store sensitive data, and that procedures have been put in place to manage data stored on these devices.

To evaluate the company’s compliance with this point, it is important to check that the security protocols for remote or mobile worker data are compliant with GDPR rules, that mobile devices are protected by appropriate technical and organizational security measures, that Wi-Fi connections used by workers are secure, and that procedures have been put in place to manage data stored on personal devices.

| Audit Checklist | Compliance with GDPR (Article) | Yes | No | N/A |
| --- | --- | --- | --- | --- |
| Verification of the company’s GDPR compliance program | Article 24 | | | |
| Review of the company’s data protection policy | Article 30 | | | |
| Verification of the company’s record of processing activities | Article 30 | | | |
| Evaluation of the company’s lawful basis for processing personal data | Article 6 | | | |
| Verification of the company’s consent management process | Article 7 | | | |
| Verification of the company’s data breach notification process | Article 33 | | | |
| Review of the company’s data protection impact assessment process | Article 35 | | | |
| Verification of the company’s process for handling data subject access requests | Article 15 | | | |
| Verification of the company’s process for handling data portability requests | Article 20 | | | |
| Review of the company’s data retention and deletion policy | Article 5 | | | |
| Evaluation of the company’s vendor management process | Article 28 | | | |
| Verification of the security and confidentiality of health data during transmission and storage | Article 32 | | | |
| Verification of the company’s procedures for reporting data breaches | Article 33 | | | |
| Evaluation of the company’s data transfer processes to third countries | Article 44 | | | |
| Verification of the accuracy and completeness of employee contact information | Article 5 | | | |
| Verification of the company’s data deletion and rectification processes | Article 17 | | | |
| Evaluation of the compliance of security protocols for remote or mobile worker data | Article 32 | | | |

The checkpoint is to verify compliance with the access and physical security control procedures for the premises and equipment where health data is stored, and to ensure that