GDPR compliance

Complying with GDPR requirements is your organisation’s responsibility.

Steps to Compliance

The Information Commissioner’s Office has recommended steps you must take to prepare for GDPR:

  • Information you hold: document what data you hold, where it came from and who you share it with.

  • Communicating privacy information: review and update your privacy notices using clear, concise language.

  • Individuals’ rights: review and update your procedures on providing data and deleting data, taking account of:

    • The right to be informed

    • The right of access

    • The right to rectification

    • The right to erasure (‘right to be forgotten’)

    • The right to restrict processing

    • The right to data portability

    • The right to object

    • The right not to be subject to automated decision-making including profiling

  • Subject access requests: review and update your procedures on handling subject access requests.

  • Lawful basis for processing personal data: identify and document your lawful basis and update your privacy notices and responses to SARs.

  • Consent: review and update your procedures on seeking, recording and managing consent.

  • Children: review and update your procedures on verifying ages and parental or guardian consent.

  • Data breaches: review and update your procedures on detecting, reporting and investigating data breaches.

  • Data protection by design and data protection impact assessments: check the ICO code of practice on privacy impact assessments.

  • Data protection officers: formally designate DPOs if required, with responsibility for ensuring compliance.

  • International: if your organisation operates in more than one EU member state, determine your lead data protection supervisory authority.