ICO publishes guidance on GDPR preparation

The Information Commissioner’s Office (ICO) has published guidance in respect of the General Data Protection Regulation (GDPR), which is expected to come into force in 2018. The 12 step checklist deals with a number of issues, including changes to current requirements and new obligations. The GDPR will replace the EU Data Protection Directive (95/46/EC), on which the UK Data Protection Act 1998 (DPA) is based.

The 12 step approach recommended by the ICO is as follows:

Awareness

Ensure key decision-makers are aware that the law is changing and of the impact this will have, including areas that may cause compliance problems and the resource implications of achieving compliance in time.

Information audit

It is advisable for organisations to document the personal data held within the organisation and its individual departments, where the data originated from and with whom it is shared.

Communicating privacy information

Current privacy notices should be reviewed by organisations in light of the expected changes. These include explaining, in a clear and concise manner, the legal basis for processing data, data retention periods and the right to complain to the ICO.

Individuals’ rights

The correct procedures for managing a request from a data subject should be reviewed. The rights are broadly similar to those under the DPA, although there are some enhancements, such as the right to prevent profiling and a new right to data portability.

Subject access requests

Organisations should review their policies in relation to subject access requests. This is important since the deadline to respond is to change from 40 calendar days to 1 month, there are different grounds for refusing a request, and you may be required to provide some additional information to data subjects. It is recommended that such changes are reflected in internal policies to be applied once the GDPR is in force.

Legal basis for processing personal data

Organisations should examine the types of data processing being carried out, document the legal basis for each type of processing, and set out that legal basis in their privacy notices.

Consent

Emphasis is placed on the requirement to review how consent is sought, obtained and recorded.

Children

Special protection is provided for children’s personal data, especially within social networking, and organisations should put in place better systems for verifying ages and obtaining parental/guardian consent.

Data breaches

Organisations should ensure that they have the right policies in place to detect, report and investigate personal data breaches.

Data protection by design

Organisations are required to familiarise themselves with the ICO’s guidance on Privacy Impact Assessments and to identify situations where conducting one may be necessary.

Data Protection Officers

The GDPR specifies an obligation to appoint a Data Protection Officer in certain cases (for public authorities, or organisations whose activities involve regular and large-scale screening of data subjects). Each organisation should consider whether it is required to appoint an officer, or otherwise designate an individual to take responsibility for data protection.

International

For organisations operating internationally, the GDPR will change how complaints spanning multiple member states are allocated between the different data protection supervisory authorities; organisations should therefore identify the location in which their most important data processing decisions are taken.

The ICO’s guidance is to be welcomed by organisations and businesses, as it provides a good overview of some of the key changes to come. The Information Commissioner has highlighted that compliance with the current DPA is “a strong starting point to build from”. However, he also points out that there are 20 million reasons to improve: with potential fines of up to a maximum of 20 million euros, organisations cannot afford to get data protection wrong.

The ICO’s 12 steps guidance is available here.

Forbes Solicitors regularly advises on data protection law and practice. If you have any questions or concerns in relation to the impact of the GDPR on your business or organisation, please contact Daniel Milnes.

Nat Avdiu

About Nat Avdiu

Nat Avdiu is a Paralegal in the Contracts and Projects team at Forbes Solicitors. Nat provides updates for clients on a range of issues including: governance, data protection and freedom of information, procurement and charity law.