Preparing for the General Data Protection Regulation
12 steps to take now
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Legal basis for processing personal data
You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
You should make sure you have the right procedures in place to detect, report and investigate a personal
Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in
You should review how you are seeking, obtaining and recording consent and whether you need to make any
Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing
Data Protection Officers
You should designate a Data Protection Officer, if required, or someone to take responsibility for data