The ICO (Information Commissioner’s Office) has produced a checklist, highlighting the main steps organisations can take immediately to prepare for the GDPR, which will apply from 25th May 2018.

It is important to use this checklist and other ICO resources to identify the main differences between the current Data Protection Act (DPA) and the GDPR.

Below are three steps taken from the list which are worth knowing about!


You should make sure that decision makers within your organisation are aware that the law is changing to the GDPR. They must understand the impact it is likely to have and identify areas that could cause compliance problems under the GDPR. Start off by looking at your company’s risk register (if you have one).

Compliance will be more difficult if you leave your preparations until the last minute. This is especially the case for larger, more complex organisations with lots of resources.

2). Communicating privacy information

People are advised to review their current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

As things stand currently, when you collect personal data you must give people certain information, such as your identity and how you intend to use their information. This is traditionally done through a privacy notice. However, under the GDPR, there will be more things you will have to tell people. For instance, you will have to explain your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is an issue with the way you are handling their data.

3). Lawful basis for processing personal data

You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

Most organisations won’t have even considered their lawful basis for processing personal data. But, under the GDPR, individual’s rights will be modified depending on your lawful basis for processing their personal data. People will have a stronger right to have their data deleted where you use consent as your lawful basis for processing.

You will also have to explain your lawful basis for processing personal data in your privacy notice and when you answer a subject access request. The lawful bases in the GDPR are broadly the same as in the DPA.  It should be possible to review the types of processing activities you carry out and to identify your lawful basis for doing so. It is also strongly advised that you document your lawful bases in order to help you comply with the GDPR’s ‘accountability’ requirements.

4). Get in line with Cyber Essentials

There is no single product that will provide a complete guarantee of security for your business. Instead, organisations are advised to follow the approach of using a set of security controls that complement each other but will require ongoing support in order to maintain an appropriate level of security.

Cyber Essentials, the UK government – backed scheme, was designed to help organisations protect themselves against common online threats. Cyber Essentials is suitable for all organisations, of any size, in any sector.