General Data Protection Regulation – the ICO 12 step plan

General Data Protection Regulation – the ICO 12 step plan
Reading Time: 2 minutes

Recently we exhibited at this year’s Information & Records Management Society Conference. The hot topic was the forthcoming General Data Protection Regulation (GDPR) and how to prepare for it.

A brief overview of the GDPR (the new EU-wide data protection legislation that will replace the 1998 Data Protection Act) was outlined in this article.

The General Data Protection Regulation comes into force on 25th of May 2018. Therefore, the Information Commissioner’s Office has published a useful 12 step guide to help organisations prepare for the GDPR.

General Data Protection Regulation

1. Awareness
Make sure that decision makers in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

2. Information you hold
You should document what personal data you hold, where it came from and also who you share it with. You may need to organise an information audit.

3. Communicating privacy information
Review your current privacy notices. Put a plan in place for making any necessary changes in time for GDPR implementation.

4. Individuals’ rights
Check your procedures to ensure they cover all the rights individuals have, including also how you would delete personal data or provide data electronically and in a commonly used format.

5. Subject access requests
Also update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

6. Legal basis for processing personal data
Look at the various types of data processing you carry out, identify your legal basis for carrying it out and also document it.

7. Consent
Review how you seek, record and also manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

8. Children
Start thinking now about putting systems in place to verify individuals’ ages and to also gather parental or guardian consent for the data processing activity.

9. Data breaches
In addition, make sure you have the right procedures in place to detect, report and investigate a personal data breach.

10. Data Protection by Design and Data Protection Impact Assessments
Familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.

11. Data Protection Officers
Designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and also assess where this role will sit within your organisation’s structure and governance arrangements.

12. International
Furthermore, if your organisation operates internationally, you should determine which data protection supervisory authority you come under.


Finally, this General Data Protection Regulation article contains public sector information licensed under the Open Government Licence v3.0.
Also (C) Information Commissioner’s Office, [Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now Version 1.1 13/03/2017], also licensed under the Open Government Licence.
iStock image used by permission of Ricoh Europe PLC


Posted in Security

1 Response to General Data Protection Regulation – the ICO 12 step plan

    Leave a Comment

    Capital on the move in Aberdeen

    Capital on the move in Aberdeen

    Capital Document Solutions are investing in state-of-the-art premises on the South of Aberdeen at City…

    The Future Flexible Firm Forum in Edinburgh

    The Future Flexible Firm Forum in Edinburgh

      The Future Flexible Firm Forum is coming to Edinburgh this October.  The event will…