This handy checklist should help you to feel more ready for GDPR.

  1. Awareness
  • All staff / principals are aware of the GDPR.
  • All of your clients are aware of the GDPR.
  • You have identified all data processors and controllers and initiated any staff training needs.
  • You have appointed someone (in a senior position) responsible for data protection compliance, or appointed a data protection officer if you meet the regulatory requirements to do so.
  • You have contacted all your clients to ensure they are aware of the GDPR, and explained how your policies and procedures will be updated.


You have considered and understood all the rights that individuals have under the GDPR, including the right: -

  • To be informed
  • To access
  • To rectification
  • To erasure
  • To restrict processing
  • To data portability
  • To object, and
  • To not be subject to automated decision making and profiling


  1. Review of Systems
  • You have reviewed all personal data you have access to or hold for clients
  • You have identified any special categories of personal data you process
  • You have documented what data you hold and why you are keeping it, including assessing the lawfulness of processing (that is, the legal basis for processing). You should only be gathering the data that you really need to carry out your role.
  • You can only use someone’s personal data for reasons that they have agreed to, so you must obtain their consent and you must also store the time and method by which they consented.

You have updated your privacy notices as part of a GDPR review to including what type of data you collect, why you collect it and how you plan to use it.  This should include:

  • Your business contact details
  • Reasons for collecting and using personal data
  • Any third parties that you work with
  • Details of your retention periods, and
  • Your clients’ rights (including the right to withdraw consent and the right to lodge a complaint)


  • You have deleted any data you don’t need to keep. You should only be collecting and storing the data that you really need in order to carry out the job at hand.
  • You have considered who else has access to the data and why. If you are holding inaccurate personal data and have shared this with another party, you will have to tell the other party about the inaccuracy so records can be corrected.
  • Your online security methods have been checked, and you have installed encryption software on all PCs and electronic devices. Encryption is not a requirement of the regulation but only a suggestion.
  • All data is secure, backed up regularly and retained in a secure location. If your data is held on the cloud, check that your provider is compliant with the GDPR.


  1. Updating your Policies and Processes
  • You have decided and documented who is responsible for what.
  • You document what personal data you hold, where it came from and whom you share it with.
  • You have a process/system in place to record that consent has been obtained; you must also store the time and how consent was given.
  • You have procedures in place to ensure that any data breach is detected and reported to the ICO within 72 hours, with a system to record any breaches.
  • You have a process in place to delete client data if requested to do so by the client, and are able to meet any individual’s request to be forgotten.
  • You have a process to deal with any subject access requests to make sure they are responded to within GDPR timescales. You must plan how you will handle any requests to take account of the new rules.
  • You have a process in place to carry out data protection impact assessments to assess risk, if required to do so under the regulation.
  • You have checked that all your procedures cover all the enhanced rights that individuals have under the GDPR.


For further detailed information and guidance, please check www.bit.ly/GDPR12Steps on the Information Commission


Helen Fielding

19 March 2018