  • 1. Key stakeholders should be made aware of the GDPR

    Steps should be taken to familiarise decision makers with the GDPR in order to prepare for compliance. If the organisation has a risk register, this should be reviewed in light of the new provisions.

  • 2. Get organised – map personal data held by the organisation

    Organisations should log details of the type of information they hold, where it came from and how they use it, as this will assist in compliance with an information audit and facilitate other duties the organisation faces under the GDPR.

  • 3. Re-examine privacy notices

    The GDPR adds new obligations on organisations to explain how they use individuals' personal data, such as the requirement to explain the legal basis for processing the data, data retention periods, and that individuals are entitled to complain to the ICO.

  • 4. Procedures should cover individuals' rights

    The GDPR sets out a number of individual rights, including the right to make subject access requests, the "right to be forgotten" and the right to prevent direct marketing. These should be reflected in organisational procedures.

  • 5. Prepare to handle subject access requests

    While individuals are already entitled to request to see what personal data an organisation holds on them, the rules are changing under the GDPR. In particular, it will not generally be possible to charge individuals who submit such requests, and organisations will normally have less time to comply – usually only a month instead of the current 40 days.

  • 6. Clarify the legal basis of processing

    Under the GDPR, organisations will need to identify the legal basis for their processing as this may affect the data subject's rights. The legitimate interest basis will be narrowed.

  • 7. How are you obtaining consent?

    Consent must be "freely given, specific, informed and unambiguous". Controllers must be able to demonstrate that consent has been provided and sufficient information should be given to ensure that this is unambiguous. As a result, an audit trail is vital.

  • 8. Protection of children

    The GDPR introduces special protection for children's personal data. In the UK, it is likely that organisations – and social networks in particular – will need to obtain parental/guardian consent to process the data of anyone younger than 13. As with adults, it is important to have a system in place to log consent.

  • 9. Duty to notify data breaches

    The GDPR introduces the requirement for all organisations to notify data breaches to the ICO where the individuals concerned are likely to suffer harm. It is therefore important to have procedures in place to identify, report and investigate breaches.

  • 10. Privacy by design and privacy impact assessments (PIAs)

    The new legislation requires organisations to take a "privacy by design" approach to data protection, building privacy into any new system from the outset. PIAs are an integral component of privacy by design. They help organisations identify how best to comply with their data protection obligations. PIAs are required in situations of high-risk data processing, e.g. where new technology is being used, but they may also be suitable for use more widely.

  • 11. Data protection officers

    The GDPR makes it mandatory for certain organisations, such as public authorities or bodies that regularly and systematically monitor data subjects on a large scale, to designate a data protection officer. For other organisations, it may still be prudent to appoint a specific individual charged with overseeing data protection compliance.

  • 12. International

    Multinational organisations should identify their main place of establishment in order to determine which data protection authority they come under. This will have a bearing on where cross-jurisdictional complaints are investigated. Where a main establishment is hard to identify, assess where your organisation makes most of its data processing decisions.
