
How to make a business GDPR-compliant checklist

In the UK, the main data protection laws are the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. All UK businesses need to be aware of their data protection responsibilities. This checklist can help you tick off the key things you have to do and consider to ensure GDPR compliance.


Action

Consider appointing a Data Protection Officer (DPO). This is the person responsible for ensuring data protection compliance within your business. The DPO should become familiar with data protection requirements and audit your data processing activities to ensure compliance.

Understand how the GDPR applies to you and your business. Any business that processes (eg stores or collects) personal data (ie identifiable information relating to individuals, such as names and addresses) must comply with the GDPR.

Only process personal data in accordance with the data protection principles. This means that you must be clear on what ‘processing’ is and what your business does with personal data (both internally and externally).

Ensure that you have a legal ground for processing any personal data. These include:

  • the data subject (ie the individual to whom the data relates) has consented to the processing

  • the processing is in the public interest (eg a local authority using personal data to collect council tax)

  • the processing is in a business’s legitimate interest (a Legitimate interest assessment (LIA) will need to be carried out)

Where relevant, review your existing process for obtaining consent from data subjects and ensure consent is valid. You should keep some form of record of consent (ie how and when consent was given, and by whom).

Ensure that you offer a proper process for individuals to withdraw consent at any time and notify them of their right to do so. For more information, read Consent for GDPR.

Take extra care when processing sensitive personal data (eg information about racial or ethnic origin, sexual life or health) or criminal offence data (ie information about criminal convictions and offences), as these are subject to more stringent controls.

Consider if your processing of personal data is likely to result in a high risk to the rights and freedoms of individuals. If so, make a Data protection impact assessment (DPIA) to help you identify and minimise data protection risks.

Where a DPIA was carried out, determine if an Appropriate policy document (APD) is needed.

An APD outlines your procedures for ensuring compliance with data protection principles in relation to any sensitive personal or criminal offence data processes. Read Appropriate policy documents for more information.

Ensure that you comply with data protection laws when dealing with staff personal data.

Make a Data protection policy to inform your employees how you use their data and what principles they must adhere to when handling personal data.

Consider informing anyone working for you about the types of data you may collect about them and what you do with it, using:

Make a Website privacy policy that indicates what personal data is being collected on your website, the purpose of collection, and how individuals can access this data.

Ensure you are aware of your obligations when data subjects make a data protection request (eg asking for their data to be erased or corrected), including what steps you have to take and how long you have to respond.

Be sure to understand the laws and regulations around international transfers of personal data and to only transfer personal data outside the UK where adequate data transfer mechanisms (eg standard contractual clauses) have been put in place.

If you are outsourcing data processing to a third party (eg a third-party service provider), make a Data processing agreement (DPA) to ensure the safety of the personal data.

Understand your obligations for reporting a data breach (ie a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data).

Consider appointing a specific person or setting up a dedicated team to deal with data breaches.

Train staff to ensure that everyone is aware of relevant data protection procedures and the responsibility everyone has.

Keep records of your processing activities (including why you are processing certain personal data, how long personal data will be retained and who it will be shared with) and review them regularly.

Bear in mind that you may need to comply with the European Union’s (EU) General Data Protection Regulation if you are processing personal data belonging to anyone based in the EU. For more information, Ask a lawyer.

For more information, read Data protection for businesses and Complying with the GDPR, and do not hesitate to Ask a lawyer if you have any questions or concerns.
