A summary of the Information Commissioner’s Office’s 12-point GDPR checklist

  1. Ensure senior/key people are aware of GDPR and appreciate its impact.
  2. Document any personal data you hold, where it came from and who you share it with. Conduct an information audit if needed.
  3. Review your privacy notices and plan for necessary changes before GDPR comes into force.
  4. Check your procedures cover all individuals’ rights under the legislation – for example, how you would delete personal data or provide data electronically in a commonly used format.
  5. Plan how you will handle subject access requests within the new timescales and provide any additional information.
  6. Identify and document your legal basis for the various types of personal data processing you do.
  7. Review how you seek, obtain and record consent. Do you need to make any changes?
  8. Put systems in place to verify individuals’ ages and, if users are children (likely to be defined in the UK as those under 13), gather parental consent for data processing activity.
  9. Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
  10. Adopt a “privacy by design” and “data minimisation” approach, as part of which you’ll need to understand how and when to implement Privacy Impact Assessments.
  11. Designate a Data Protection Officer or someone responsible for data protection compliance; assess where this role will sit within your organisation’s structure/governance arrangements.
  12. If you operate internationally, determine which data protection supervisory authority you come under.

For more detail on each of these 12 steps, refer to the ICO guidelines here