12 Steps to GDPR Guide




The ICO has released 12 steps to compliance to the GDPR. Below are ICO steps along with ProCheckUp’s recommendations for attaining compliance.


1. Raise awareness

Communicate with decision makers about the changes the GDPR will bring. If they understand the impact it will have, you’ll be more likely to gain their support sooner rather than later: look at your risk register if you have one.

ProCheckUp recommends:

Look at where you are now, and look at other compliance programs which are running and the crossover with EU GDPR. An example would be ISO27000 or PCI DSS programmes, as these programmes have similar controls.

This may include education pieces for the entire organisation, not just the decision makers. Be proactive in creating awareness on GDPR regulations; anyone who does anything with customer data within your company needs to be included in this.

2. Locate information

Document the personal data you hold – where it came from and with whom it’s shared. Look within and outside your entire organisation as well as in specific areas. Consider the value of an information audit.

ProCheckUp recommends:

Think about creating a customer data flow diagram for your network. This should give you a clearer indication of the data handlers/controllers/processors and you can begin to map processes against these.

  • Know what and where all the information is
  • Investigate how the information flows through the business
  • Include ingress and egress points for data from third parties
  • Know what it’s used for and document this clearly


3. Review and update privacy notices and policies

Review your privacy notices and policies and build a plan for accommodating change.

ProCheckUp recommends:

Make these notices clear and easy to understand in plain English, keep away from any “legalese” or jargon. Privacy notices need to clearly identify the following:

  • The identity and contact details of the data controller
  • The purposes of the processing, if that is one of the conditions for lawful processing
  • The period for which the personal data will be stored
  • Countries or organisations that the processor may transfer the data to and the level of protection afforded by that country
  • The source of the data if it has not been collected from data subjects themselves
  • Whether providing personal data is voluntary or obligatory and the possible consequences of not providing the information
  • Any other information necessary to guarantee the fair processing of individuals’ data
  • Recipients or categories of recipients with whom the personal data are likely to be shared
  • The data subjects’ rights, including: right of access to own personal data, right of correction, erasure, to object to processing, and the right to lodge a complaint with the ICO


4. Know individuals’ rights

Your procedures should address all the rights given to individuals. These include: having inaccuracies

Correcting, erasing information and preventing direct marketing without consent. Make sure you know who is making decisions about deletion and if your systems support this. Don’t forget to explore data portability and the formats you use to supply information.

ProCheckUp recommends:

Be aware not only of the main rights of individuals, but also how they impact your business operation These rights include:

  • access, including where and by whom their data is being processed
  • to have inaccuracies corrected
  • to have information erased; the right to be forgotten
  • to prevent direct marketing
  • to challenge and prevent automated decision-making and profiling
  • data portability; allowing the customer to obtain their own data and use for their own purpose across different services, this must be done in an open format (CSV or otherwise)


5. Be ready for subject access requests

Update your procedures so you can handle requests within shorter timescales, including correcting inaccurate information. If you deal with a lot of requests, you may want to invest in online access.

ProCheckUp recommends:

Organisations need to be able to respond quickly to subject access requests and in most cases will be unable to charge.

Look at how data is stored and whether it is easily accessed by the correct data controller and how this can be sped up in a controlled way. Online access by the customer may speed this up but would need to be reflected in your risk register after presenting the data to the internet.

6. Have a legal basis for processing personal data

Know why you’re collecting and using personal data and make sure you have a legal basis before

you process it. You need to be able to explain legitimate interests, not just make the claim.

ProCheckUp recommends:

Remember it’s their data not yours… Understand the reason you’re collecting the data and what it’s being used for, then communicate it and ask permission to do it.

You can’t collect data unless:

  • There is a legitimate reason
  • Fully informed consent is freely given


7. Review consent

Assess how you are seeking, obtaining and recording consent. Consent needs to be freely given, specific, informed and unambiguous. Consent cannot be inferred. 

ProCheckUp recommends:

This sounds like it is one of the simplest but could be at the same time one of the most difficult items to implement.

Things to consider include:

  • Explicit consent
  • Use of plain language
  • Record retention


Also remember that consent can be revoked at any time. You are required to give them notice and inform on how their information is to be used every time the original agreement changes.

8. Look after the children

Consider how you will verify age and collect consent from parents and guardians. Your privacy notice must be suitable for children.

ProCheckUp recommends:

This is one of the major changes; if your service targets or engages children, the privacy notice has to be in a language that they can understand. If you are engaging with children, you must gain consent from their parents/guardians.

There is still some ambiguity around what is defined as “children”. In the UK, that is likely to be children younger than 13. You must identify these within your data and ensure that there are specific controls placed on these records.

9. Have procedures for data breaches

Currently, not all organisations are required to notify the ICO when a breach happens. The new regulations ask everyone to do this. Set clear procedures to detect, report and investigate breaches.

ProCheckUp recommends:

The requirements for breach notification have been significantly tightened, breaches must be reported within 72 hours. Ensure that appropriate breach notification policies and procedures are in place and know how to use them.

10. Data Protection Impact Assessments and Data Protection by Design

Certain activities, such as automated processing or processing of sensitive data on a large scale, require a prior Privacy Impact Assessment (PIA). The ICO has created a corresponding guide. In addition, particular new systems and processes must be developed with privacy in mind so that the solutions comply with the privacy principles.

ProCheckUp recommends:

Begin thinking about the protection of privacy and data at the start of a project, perform a risk assessment for the impact to personal data, ensure all the teams are aware of the impact. Check back in regularly to make sure these are maintained.

11. Appoint a data protection officer

Organisations that routinely monitor data or process sensitive data on a large scale must hire a DPO.

ProCheckUp recommends:

Appoint someone who is knowledgeable in data privacy to oversee the data privacy within your organisation. This could be a new role depending on the size and complexity of your organisation. Give them the ability to drive compliance forward for the benefit of all.

12. See the global picture

If you operate in other countries, determine which data protection supervisory authority you come under.

ProCheckUp recommends:

It doesn’t matter where you are in the world, if you touch EU citizen data you are going to have to prepare to comply with GDPR.

A useful place to begin is to map out where the data resides and to define the Authority you will sit under. Take it seriously-- the size of penalties could well break an organisation.


To book an impact assessment about how GDPR will affect your business, contact us at gdpr@procheckup.com