ICO’s 12 Steps Checklist


24th March 2016

The new General Data Protection Regulation (GDPR) will significantly impact businesses with many having to change their current data protection practices and policies to ensure compliance.

By July this year it is expected that the GDPR will be in final form after completion of legal and translation checks and take effect in the summer of 2018.  Despite the two year lead-in period provided by the GDPR, businesses must not wait until 2018 to begin implementing procedures for GDPR compliance as substantive preparations will be required.

Initial preparation has been made easier for businesses by introduction of a 12 step checklist by the Information Commissioner’s Office (the ICO).  This checklist highlights and codifies the essential steps which businesses must consider now to prepare themselves for the GDPR.

The 12 Steps

Step 1 – Awareness

  • GDPR change: The GDPR will significantly amend current data protection law. Not everyone within an organisation will be aware of this.  
  • Action to be taken: Make the GDPR reforms known to key people in the business (e.g. those with supervisory or decision making powers), and make them aware of the effects of such reforms.

Step 2 – Information you hold

  • GDPR change: If a business has shared inaccurate personal data with another organisation, the GDPR requires that the business notify that other organisation of the inaccuracy.  As part of the new accountability principle, businesses will also have to be able to show how they comply with the data protection principles.
  • Action to be taken: Businesses should consider undergoing an information audit which documents the personal data held by them, the source of such data and details of with whom they share the data.

Step 3 – Communicating privacy information

  • GDPR change: Additional information must be given to individuals when their personal data is obtained.
  • Action to be taken: Review current privacy notices/policies and identify those areas which will require updating to ensure compliance with the GDPR.

Step 4 – Individuals’ rights

  • GDPR change: Individuals will have enhanced rights to:-
    • access their information;
    • have inaccuracies corrected;
    • have information erased;
    • prevent direct marketing;
    • prevent automated decision making and profiling;
    • data portability.
  • Action to be taken: Review privacy/data protection procedures and policies to ensure that they provide for each enhanced right under the GDPR.

Step 5 – Subject access requests

  • GDPR change: Current rules for subject access requests are changing – timescales for compliance will be reduced, fees will generally no longer by chargeable and additional information will require to be provided to individuals e.g. about data retention periods and the right to have inaccuracies corrected.
  • Action to be taken: Review and update current procedures for handling subject access requests.

Step 6 – Legal basis for processing personal data

  • GDPR change: The legal basis for processing will need to be explained in privacy notices and when responding to subject access requests.  The rights afforded to individuals will vary depending on the legal basis for data processing.
  • Action to be taken: Review the data processing done by the business and then identify and document the legal basis for processing.

Step 7 – Consent

  • GDPR change: Consent must be freely given, specific, informed, and unambiguous. The recording of consent is important as data controllers must be able to demonstrate that consent was given.
  • Action to be taken: Review methods for seeking, obtaining and recording consent to ensure compliance.

Step 8 – Children

  • GDPR change: Parental or guardian consent must be obtained to process personal information of children (i.e. those under 13 in the UK).  Consent must be verifiable and written in child friendly language.
  • Action to be taken: Create and implement new practices for (i) verifying the age of individuals and (ii) obtaining parental or guardian consent when processing the data of children.

Step 9 – Data breaches

  • GDPR change: The GDPR widens the number of businesses obliged to notify the ICO and private individuals of data breaches.  Failure to comply with this obligation may lead to significant fines by the ICO.
  • Action to be taken: Ensure that there are procedures in place to detect, investigate and report on personal data breaches. The ICO suggests assessing the types of data held and documenting which ones would trigger notification in the event of a breach.

Step 10 – Data protection by design and data protection impact assessments

  • GDPR change: Organisations must adopt ‘privacy by design’ (i.e. an approach that promotes privacy and data protection compliance from the outset). Organisations should also carry out a Data Protection Impact Assessment (“DPIA”) in high-risk situations.  If processing is high risk, the ICO should be consulted on whether processing complies with the GDPR
  • Action to be taken: Know when DPIAs should be used, who should be involved and the process to be adopted.  Look at the ICO’s guidance on Privacy Impact Assessments for further information.

Step 11 – Data protection officers

  • GDPR change: Public authorities and large businesses will be required to appoint a Data Protection Officer to oversee compliance.
  • Action to be taken: Where required, identify and designate a Data Protection Officer – this can be someone within or outside the organisation. This will be an important role for the organisation in terms of ensuring compliance with the GDPR. Select someone who has suitable experience.

Step 12 – International

  • GDPR change: The GDPR creates a system for determining which data protection supervisory authority takes the lead when investigating a complaint which is international in nature.
  • Action to be taken: If operating internationally, determine which data protection supervisory authority will be the lead supervisory authority for the business. If the organisation is complex with decisions regarding data processing activities being made in different places, the ICO recommends that businesses map out where the most significant decisions are made to determine the main establishments and then the lead supervisory authority.

Steve Wood, the Head of Policy Delivery at the ICO, noted that the ICO will be making detailed plans for further GDPR guidance in the upcoming months, but also noted that they would not be rushing to produce such guidance.

MacRoberts’ team of data protection specialists can provide expertise and advice to businesses wishing to adopt this proactive approach to compliance preparation.

Morton Fraser MacRoberts LLP

MacRoberts LLP, one of the largest independently owned law firms in Scotland, was founded over 150 years ago by the MacRobert family. We are a leading Scottish commercial law firm with full-service offices in Dundee, Edinburgh and Glasgow with a client base that reaches across Scotland and beyond.

Back to news