GDPR compliance checklist

The General Data Protection Regulation (GDPR) applies from 25 May 2018 across all European
Union markets. This includes the UK, until the point of the UK's exit from the EU. After exit, the
UK government plans to incorporate the GDPR into domestic UK law. Read more about Brexit:
Data protection steps for a no-deal exit.

Note that if your business is not in the EU, you may still need to comply with the regulation if
you collect, share, transfer or use personal data of EU citizens.

This checklist summarises the steps your business should take to comply with the GDPR.

1. Carry out an information audit

An information audit can help you identify areas that could cause compliance problems under the
GDPR. It's important to look at what information you collect, store or process and determine:

• why you are processing it
• how you got it
• what the purpose of processing is
• how long you plan to keep it
• how secure it is
• who you share it with, or might share it with, and how

An inventory of all personal data you hold will help you comply with the GDPR's accountability
principle, which requires organisations to demonstrate how they comply with the data protection
principles when carrying out their business.

2. Determine the legal basis for processing personal data

For processing to be lawful under the GDPR, you must identify a legal basis before you can
process personal data. You also have to document it accordingly.

Under the previous data protection legislation, legal bases were often referred to as 'conditions
for processing'. However, under the GDPR, legal bases carry greater practical implications, due
to their effect on individuals' rights. For example, if you rely on someone's consent to process
their data, they will generally have stronger rights, for example to have their data deleted.

There are six legal bases for processing data under the GDPR:

• consent of the individual
• contractual necessity
• compliance with legal obligations
• vital interests of the data subjects
• public interest
• legitimate interests

This document has been classified as CONFIDENTIAL-EXTERNAL by Centenary Bank.

See more on the GDPR provisions relating to lawful processing.

3. Review your use of consent

The GDPR sets a high standard for consent. Like the preceding data protection legislation, it has
references to both 'consent' and 'explicit consent'. Both forms of consent under GDPR have to
be:

• freely given
• specific
• informed
• an unambiguous indication of the individual's wishes

Under GDPR, consent also requires some form of clear affirmative action. This means that you
cannot presume consent from silence, pre-ticked boxes or inactivity.

You must be able to demonstrate that consent has been given. This generally means that you will
have to keep some form of record of how and when you have sought and received consent.

If you rely on an individual's consent to process their data, take steps to ensure that your
processes meet the enhanced standards needed under the GDPR. Otherwise, you may want to
find an alternative to using consent.

See the Information Commissioner's Office (ICO) GDPR consent guidance.

4. Review and update your privacy notices and policies

Under GDPR, you must provide privacy information in clear and plain language. Your policies
should be transparent and easily accessible. You must include in your privacy notices certain
additional information, such as:

• the legal basis for processing the data
• data retention periods
• rights of individuals to complain about the manner in which you handle their data
• whether data will be subject to automated decision-making

Find out more in the ICO's guidance on privacy notices, transparency and control.

5. Keep in mind individuals' rights

The GDPR introduces greater rights for data subjects. Check your procedures and systems to
ensure they align to the new or enhanced rights under the General Data Protection Regulation,
including:

• subject access right (SAR)
• right to have inaccuracies corrected
• right to have information erased
• right to prevent direct marketing
• right to prevent automated decision-making and profiling
• right to data portability

Prepare for the data subjects to exercise their rights and put in place procedures that will enable
you to deal with possible scenarios, eg someone asking you to delete their personal data, or
provide their data electronically or in commonly used formats.

See more on individuals' rights under the GDPR.

6. Prepare for new rules and timescales for SAR

The rules for dealing with subject access requests changed under the General Data Protection
Regulation. In most cases, you cannot charge for processing an access request, unless you can
demonstrate that the cost to respond will be excessive. From 25 May 2018, you also have to
respond to an access request within a month, rather than the 40 days previously allowed under
the Data Protection Act.

You may have some grounds for refusing to grant an access request. However, you must have
clear refusal policies and procedures in place, and be able to demonstrate why the request meets
these criteria.

You also need to provide some additional information to people making requests, such as your
data retention periods and the right to have inaccurate data corrected. If your organisation
handles a large number of access requests, the impact of the changes could be considerable.

Find out more about the right of access under the GDPR.

7. Prepare for new rules regarding children's personal data

The GDPR has new provisions that aim to enhance the protection of children's personal data.
These include:

• clear privacy notices for children - where services are offered directly to a child
• parent/guardian consent - where online services (eg social networking) are targeted at children

If your organisation collects personal data of children, you should think about putting systems in
place to verify individuals' ages and to gather parental or guardian consent for the data
processing activity.

8. Prepare for data security breaches

The General Data Protection Regulation introduces a duty on all organisations to report certain
types of data breach to the ICO, and in some cases to the individuals affected. If you experience
a data breach, you must notify the ICO if the breach is likely to cause significant detrimental
effect on individuals, eg:

• result in discrimination or damage to reputation
• cause financial loss, identity theft or breach of confidentiality

You should put in place clear policies and procedures to ensure that you can detect quickly any
data breach, react appropriately and notify in time where required. Find out more about the
breach notification duties.

9. Prepare for 'privacy by design' and privacy impact assessments

Under GDPR, you must implement technical and organisational measures to show that you have
considered and integrated data protection into your processing activities. Find out more about the
'privacy by design' approach to data protection.

You must ensure that you have clear policies in place to prove that you meet the required data
protection standards under the GDPR. You can follow best practices for accountability by
establishing a culture of:

• monitoring, reviewing and assessing your data processing procedures
• minimising data processing and retention of data
• building in data protection safeguards, including regular staff training

As an integral part of this 'privacy by design' strategy, you may need to carry out a privacy
impact assessment. The assessment will help you to identify and reduce the privacy risks of
your projects.

Under GDPR, you need to carry out a privacy impact assessment:

• when using new technologies
• if the processing is likely to put at risk the rights and freedoms of individuals

Find out more about privacy impact assessments.

10. Appoint a data protection officer (DPO)

The GDPR requires some organisations to designate a DPO. For example, public authorities or
those organisations that regularly and systematically monitor individuals on a large scale.

You may appoint a single DPO to act for a group of companies, taking into account their
structure and size. An organisation can also designate a DPO on a voluntary basis, however the
same requirements will apply to his or her designation, position and tasks as if the designation
had been mandatory.

The DPO's role is to facilitate compliance with the provisions of the GDPR within an
organisation. Find out more about the role of data protection officers.

11. Know the rules on international data transfers

The General Data Protection Regulation imposes restrictions on the transfer of personal data
outside the European Union. It does so to ensure that the level of protection individuals have
under the GDPR is not undermined.

Under GDPR, you may be able to transfer personal data:

• subject to appropriate safeguards
• on the basis of the ICO's decision regarding levels of protection in specific territories

Read more about the transfer of data under the GDPR rules.
