How To Prepare For Data Compliance In 12 Easy Steps


In May 2018, the UK will implement the General Data Protection Regulation (GDPR), which was created to strengthen and unify data protection for individuals in the European Union.

The Information Commissioner’s Office (ICO) is responsible for the Data Protection Act 1998 and Freedom of Information in the UK. The ICO recommends 12 steps businesses should take before May 2018 to prepare for compliance with the GDPR.

  1. Awareness: Inform all decision makers in your organisation that the law is changing and the GDPR will be effective in May 2018.
  2. Information audit: Document where all personal data is derived from and with whom it is shared.
  3. Communicate privacy information: Privacy notices should be reviewed to ensure any necessary changes are made before the GDPR is implemented in May. For example:
    — Provide consumers with your legal basis for processing the data.
    — State data retention periods.
    — State that consumers have a right to complain to the ICO.
  4. Individuals’ rights: All procedures should be checked to ensure that they cover the rights individuals have under the GDPR, for example how personal data will be handled, disclosed and deleted.
  5. Subject access requests: Policies and procedures should be updated to prepare for handling requests within the new GDPR one-month deadline.
  6. Legal basis for processing personal data: Organisations should understand the types of data processing they’re carrying out and document the legal basis for each.
  7. Consent: Consent must be freely given, specific, informed and unambiguous. It must be given by a positive indication; it can no longer be inferred from silence.
  8. Children: The GDPR will provide special protection for children’s personal data, particularly when used for social networking platforms.
    — The ICO indicates that the UK will likely legislate to provide that anyone under 13 is a child.
    — Organisations should prepare systems to verify individuals’ ages or gain parental/guardian consent.
  9. Data Breaches: The GDPR will introduce a duty to notify the ICO of certain types of breaches (usually where individuals are likely to suffer financial consequences).
    — Measures should be in place to detect, report and investigate personal data breaches.
  10. Data protection by design and Data protection impact assessments: In light of the GDPR changes, organisations should:
    — Adopt a privacy by design and data minimisation approach to all data processing.
    — Familiarise themselves with the ICO’s guidance on privacy impact assessments (PIAs).
    — Assess which situations will require a PIA and determine who will conduct it.
  11. Data Protection Officers: Larger organisations should consider appointing a Data Protection Officer. This person is responsible for ensuring that data protection compliance is dealt with regularly and adequately.
  12. International: An organisation operating on an international level should determine which data protection supervisory authority applies to it.


The information in this blog post is provided for general informational purposes only, and may not reflect the current law in your jurisdiction. No information contained in this post should be construed as legal advice from JAG Shaw Baker or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter.
