2. Does my company process personal data?
The first thing any company needs to know is whether or not it processes personal data. Knowing this allows the company to identify what type of personal data it has and to answer the questions that follow. Does it include sensitive data? Where is the personal data stored? Who has access to this data? Is this data shared with third parties? Do you transfer the data outside the EU? Knowing the answers to these questions will improve efficiency and enable you to access the data and act on it quickly and reliably.
3. Which lawful basis for processing is used by my company?
GDPR provides several lawful bases (consent, legitimate interests, etc.) for the processing of personal data. The company needs to identify which one it uses to process personal data. Identifying the lawful basis you use for processing is important because it affects individual rights. For instance, if you rely on someone’s consent to process their data, they will generally have stronger rights (e.g. the right to request that their data be deleted).