1. Establish Data Governance Framework
Set out your business's approach to data protection and assign management responsibilities.

2. Update Policies and Notices
Build a data protection policy that is approved by management, published, and communicated to all stakeholders, including staff, suppliers, and customers.

3. Build Data Asset Management Process
Build an asset register that records your data processing activities, with details of the personal data you hold, where it came from, who you share it with, and what you do with it.

4. Establish Lawful Basis of Data Processing
Document the various types of data processing you carry out and identify the legal basis for each.

5. Implement Consent Management Process
Requests for consent should be prominent and separate from your terms and conditions. If existing consent does not meet the GDPR's high standard, you will have to seek fresh GDPR-compliant consent.

6. Individuals' Rights and Data Access Rights
Implement processes to recognize and respond to any individual's request. Individuals should be able to verify the accuracy of the information you hold about them and have it modified or deleted.

7. Integrate with Risk Management
Establish a set of security policies and procedures, and assign responsibilities to support good information risk management. Establish a policy that sets out when you should conduct a Data Protection Impact Assessment, who will authorise it, and how it will be incorporated into the overall project plan.

8. Implement Security Controls
Establish a process to monitor compliance with the security policies and regularly test the measures to provide assurance that they continue to be effective.

9. Control Data Transfer Outside the EU
Ensure that any data you transfer outside the EU is handled in compliance with the conditions for transfer set out in Chapter V of the GDPR. Ensure that data security is in place and is documented in a written contract using standard data protection contract clauses.

10. Control Third-Party Processing of Personal Data
Ensure that whenever your business uses a third party to process personal data on your behalf, a contract is in place. Consider approved codes of conduct or certification schemes to help you demonstrate that you have chosen a reliable processor.

11. Establish Data Protection Office
Evaluate the need for a Data Protection Officer on the basis of the nature of your business and its data processing. Assign responsibility for data protection compliance to a suitable individual and provide appropriate training.

12. Implement Data Breach Management
Train staff to recognize and report incidents as soon as they become aware of them. Set up a process to investigate incidents and implement recovery plans.

13. Establish ICO Communications
Register with the ICO and maintain auditable records of all communications to and from the ICO.

14. Manage Cultural Change
Provide data protection awareness training at regular intervals or as and when required. Test the awareness levels of your staff.

15. Audits and Certification
Have your program audited by internal or independent (client) auditors. Subscribe to certification schemes to demonstrate a level of readiness.
