[GDPR] Getting Ready Checklist


  1. Training and staff awareness
    1. Name a member of your company as your designated Data Protection Officer or at least the designated person responsible for data protection within your business (It’s worth saying that if you hire or designate a DPO and you’re a fairly small company with a low level of data then you’ll be held responsible to a higher standard). If you’re a small company or a sole-trader then this is a responsibility you’ll have to take on. If you are the DPO then make sure you read up on your legal responsibilities and the laws you will need to adhere to. GDPR is a baptism of fire for any new DPO and it’s important that you understand the process and attend training or seek help if needed. 
    2. Identify anyone who in your company needs to be aware of GDPR, who defines your data plans, handles it or has access to it. It’s essential that you organise or provide training to these individuals on how the new processes may affect them and new rules procedures that you’ll be putting in place.
  2. Internal System and Processes
    1. Review all of your processes and IT setup. 
      1. What personal data do you actually store? Document and audit where and why you need/process/store data and which legal basis you do it under.
        1. Can you evidence your consent in line with GDPR? You must be able to demonstrate that if consent was the legal basis used, then it was given freely and individually, It cannot be assumed from silence or given through pre-ticked boxes or even ‘opt out’ boxes.
        2. Does all of your data remain in the EU or is it processed elsewhere like the US? Make sure there are agreements in place such as the EU-US Data Shield before continuing. 
      2. Do you share your personal data with any third parties (Google Analytics, Adwords, tracking software etc).
      3. How do you currently store your data?
      4. Do you put in place steps to limit access to only those who need it? Is it kept securely?
      5. How long do you retain the data for?
      6. Do you have evidenced consent or another legal basis for storing the personal data?
      7. When is the last time you performed a security audit or commissioned a third party to do so? If you handle card payments is your PCI agreement up-to-date and passing?
      8. Remember to involve all of your teams in the process –
        1. For example, marketing:
          1. How is the marketing team handling data? 
          2. How do they collect and gain consent?
          3. Can this be evidenced?
          4. Do you need to regain all of your consent prior to GDPR to make sure you can keep using it afterwards?
          5. Is there a policy in place that defines what the team uses the data for? 
          6. What about the new rights in place? Does the team have approved written processes in place to edit, export or even erase requested personal data?
    2. Be aware of timescales. The ICO, under GDPR, introduces and enforces timescales for you to ‘action’ certain requests or scenarios, such as data breaches or data access requests.
    3. Review all of your current privacy notices. These could be as part of your terms of service, or even the contract agreement between you and your suppliers, or you and your staff. Make sure all of your privacy notices are now in line with the ICO guidelines on GDPR.
    4. Make sure all your policies cover all of the new rights for individuals that are coming in under GDPR, such as the right to erasure, removal in full or partial of consent to use data, data transparency etc. 
    5. If you handle sensitive data or data of those younger than 13, for which there are additional rules and rights to follow, then ensure that you have GDPR-specific procedures and policies in place for both gathering and storing.
    6. Put in place a procedure for a data breach/misuse of data. Make sure you and your team know ahead of time exactly what the action will be to report and investigate a breach in a timely fashion including when you legally need to report it to the ICO.
    7. Look at the ICO guidance on Data Privacy Impact Assessments (DPIAs). DPIAs are essentially the review and investigation into the processes you have in place including your assessment of the risk to personal data and the mitigations you’ve put in place to protect it. 
    8. Review any digital security accreditations you have. If you don’t have any in place beyond your own internal policy then perhaps look into those supported by the Government such as the ‘Cyber Essentials’ Program https://www.cyberessentials.ncsc.gov.uk/getting-certified/ 
  3. External systems and your website
    1. Are your website’s policies up-to-date and easy for the average user to understand what they are consenting to and the restrictions that may be in place?
    2. Do you have policies or steps in place on your website to prevent those who cannot give consent from doing so (such as those under the age of 13)?
    3. Is each of the forms or data collection/processes on your website clearly labelled with what they do? Is there an option for the subject to understand what it is they are consenting to or for what legal basis you require their information?
    4. Have you audited the use of cookies or third-party tools used on your website? What personal data do they collect? Have you informed your visitor/subject of this and provided them with a basis for collection or the ability not to consent?
  4. Your clients
    1. Contact all of your clients to inform them and remind them of what your GDPR obligations are and how your processes may be altering from 25th May 2018. If you’re still working out the details then look to submit a Statement of Intent to give them the confidence that you are looking to be compliment by the deadline. – If you’re looking at this post GDPR implementation then this is a level of privacy assumed and you don’t need to contact them and reassure them.
    2. If you don’t have consent or another legal basis for processing/storing their personal data prior to the 25th May, contact your clients to obtain that consent or set about removing them from your system and notifying them if required.
    3. Speak to your suppliers and any third-party processors (such as web hosts, payment gateways, marketing agencies etc) about the personal data you may share and find out their timetables and plans for GDPR implementation.

The ICO has been providing fantastic content from the start to help SMEs and Large controllers and processors get ready to be compliant with GDPR.

The ICO – 12 Steps to take now GDPR preparation guide

Guide to General Data Protection regulation:

Understanding GDPR Myths

Confident?  Complete the ICO Controllers Checklist.