GDPR - Getting ready

The Information Commissioner's Office (ICO) has published a handy guide, Preparing for the General Data Protection Regulation, which sets out some key steps.

  • Be aware of the changes.
  • Carry out an information audit to find personal data you hold, where it came from and who you share it with.
  • Publish privacy notices that provide accessible information to data subjects about how their personal data will be used.
  • Ensure your procedures cover all the data subject’s rights, including how you would delete personal data or provide data to them electronically.
  • Update your procedures and plan how you will handle subject access requests within the new timescales.
  • Identify the lawful basis (see below) for your processing activity and explain it in your privacy notice.
  • Review how you seek, record and manage consent. Refresh consents that don’t meet the GDPR standard.
  • Identify data on children and obtain parental or guardian consent, if required.
  • Ensure you have procedures in place to detect, report and investigate a personal data breach.
  • Familiarise yourself with the ICO’s code of practice on Privacy Impact Assessments, as well as the guidance from the Article 29 Working Party, and work out how and when to implement these within your organisation.
  • Designate someone to take responsibility for data protection compliance and assess where this will fit with structure and governance in your organisation. You should consider whether you are required to formally designate a DPO.
  • If you operate in more than one EU member state, you should determine your lead supervisory authority.