GDPR getting ready checklist

Checklist
- Training and staff awareness
Name a member of your company as your designated Data Protection Officer (DPO), or at least the designated person responsible for data protection within your business. Note that if you voluntarily appoint a DPO, even as a small company holding little personal data, the role carries the same statutory requirements as a mandatory appointment, so you will be held to that higher standard. If you are a small company or a sole trader then this is a responsibility you will have to take on yourself. If you are the DPO, make sure you read up on your legal responsibilities and the laws you will need to adhere to. GDPR is a baptism of fire for any new DPO, so it is important that you understand the process and attend training or seek help if needed.
- Identify everyone in your company who needs to be aware of GDPR: anyone who defines your data plans, handles personal data or has access to it. It is essential that you organise or provide training for these individuals on how the new processes may affect them and on the new rules and procedures that you will be putting in place.
- Review all of your processes and IT setup.
What personal data do you actually store? Document and audit where and why you collect, process and store personal data, and which lawful basis (consent, contract, legal obligation, vital interests, public task or legitimate interests) you rely on for each purpose.
Can you evidence your consent in line with GDPR? Where consent is the lawful basis, you must be able to demonstrate that it was given freely, specifically and by a clear affirmative action, and you should record who consented, when, how and to what. Consent cannot be inferred from silence, pre-ticked boxes or "opt out" boxes.
- Does all of your data remain in the EU/EEA, or is it processed elsewhere, such as in the US? Make sure an appropriate transfer mechanism is in place before continuing, for example an adequacy decision, standard contractual clauses or, at the time this checklist was written, the EU-US Privacy Shield. (The Privacy Shield was invalidated by the Court of Justice of the EU in July 2020, so any transfer that relied on it needs another basis; the EU-US Data Privacy Framework adequacy decision adopted in July 2023 now covers certified US recipients.)
- For example, marketing:
  - How is the marketing team handling personal data? How do they collect it and obtain consent?
  - Can that consent be evidenced?
  - Does your existing consent meet the GDPR standard, or do you need to re-obtain it before 25th May 2018 so that you can keep using the data afterwards?
  - Is there a policy in place that defines what the team uses the data for?
  - What about the new data subject rights? Does the team have approved written processes for rectifying, exporting (data portability) or erasing personal data on request, and can they meet the one-month response deadline?
  - Are your website's privacy and cookie policies up to date, and easy enough for the average user to understand what they are consenting to and what restrictions apply?
  - Do you have policies or steps in place on your website to prevent those who cannot give valid consent from doing so? For online services the age threshold is 13 in the UK; elsewhere in the EU it is 16 unless the member state has set a lower age (no lower than 13).
  - Is each form or data-collection process on your website clearly labelled with what it does? Can the data subject see what they are consenting to, or on which lawful basis you require their information?
  - Have you audited the cookies and third-party tools (analytics, tag managers, embedded widgets and so on) used on your website? What personal data do they collect? Have you informed your visitors, stated the basis for collection and given them the ability not to consent, and is non-essential tracking held back until they do?
- Contact all of your clients to inform and remind them of your GDPR obligations and how your processes may be changing from 25th May 2018. If you are still working out the details, consider issuing a Statement of Intent to give them confidence that you will be compliant by the deadline. If you are reading this after GDPR came into force, this level of privacy is now assumed and you do not need to contact clients to reassure them.
- If you do not have consent or another lawful basis for processing or storing a client's personal data before 25th May 2018, contact them to obtain that consent, or set about removing their data from your systems and notify them if required.
- Speak to your suppliers and any third-party processors (such as web hosts, payment gateways and marketing agencies) about the personal data you share with them, find out their timetables and plans for GDPR implementation, and make sure a written processor contract covering the Article 28 requirements is in place.
The ICO has been providing fantastic content from the start to help SMEs and large controllers and processors get ready to be compliant with GDPR:
- The ICO: 12 Steps to take now (GDPR preparation guide)
- Guide to the General Data Protection Regulation
- Understanding GDPR myths
Confident? Complete the ICO Controllers Checklist.

Chris Ryan
Managing Director
17+ years in full-stack web development, most of it leading teams agency-side across e-commerce, CMS platforms, and bespoke applications. Specialises in infrastructure, system integration, and data privacy, with hands-on experience as a Data Protection Officer. Founded Innatus Digital in 2020 to offer the kind of honest, technically-led partnership that he felt was missing from the agency world.