Data Protection Checklist

Data protection is a bit of a minefield. What do you need to do? How do know you’re fully compliant? What if you’re breaking the rules and you don’t even know it?

I’ve prepared this Data Protection Checklist to guide you through it and make your life a bit easier.

Initial Steps

  • Register your organisation with Information Commissioner’s Office (ICO) ( and ensure you renew annually.
  • Appoint a Data Protection Officer who is responsible for ensuring compliance with Data Protection Legislation.
  • Ensure you understand what is considered personal data.
  • Ensure you understand who is the Data Controller (in most cases this will be you as you will control the data you collect) and who is the Data Processor (this will be third party you instruct to deal with the personal data on your behalf).

Lawful Basis and Transparency

  • Draft a privacy policy and make it available on your website.
  • Add a cookies consent banner to your website.
  • Carry out an audit to establish what information you collect, whether that information is personal data and who has access to that information.
  • Be sure you understand the lawful basis you have to collect personal data – there are six and the most common are: you have been given consent, to fulfil a contract, it is necessary to comply with your legal obligation).
  • Set out in your privacy policy the types of personal data you collect (i.e. name, email address, phone number) and your lawful basis for collecting this personal data.

Data Security

  • Ensure that data protection is at the forefront of your activities.
  • Ensure that personal data is encrypted and you use password protection where possible.
  • Prepare and distribute a data protection policy to the company.
  • Include an obligation within the contract of employees, third party suppliers and contractors to comply with data protection legislation.
  • Implement training for employees so they are aware of their obligations under data protection legislation.
  • Keep a log of any data breaches and ensure that these are reported to the ICO within 72 hours of the breach.
  • Consider whether you need a data protection impact assessment when using new technologies, a new product or service (i.e. by using this new service, is personal data protected?).

Accountability and Governance

  • Sign a data processing agreement with any third parties that are involved in the processing of personal data (they will be your Data Processor).
  • Ensure you read the privacy policies of any third party companies you deal with, such as for website hosting or payment processors.

Privacy rights

  • Have processes in place whereby you can meet requests of customers or clients: to find out what information you hold, to update incorrect information, to delete their personal data and to stop processing their data.

Contracts Review (post-Brexit)

  • You can use a catch all term, rather than separately defining UK GDPR or GDPR as follows:

- “Data Protection Legislation”: means all applicable legislation in force from time to time in the United Kingdom applicable to data protection and privacy including, but not limited to, the UK GDPR (the retained EU law version of the General Data Protection Regulation ((EU) 2016/679), as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018); the Data Protection Act 2018 (and regulations made thereunder); and the Privacy and Electronic Communications Regulations 2003 as amended”


  • Ensure that your contracts state that data may be transferred outside of the EEA and the United Kingdom and if this is the case, you will need to enter into EC Model Clauses with the Data Processor.

To conclude