1. Awareness – who are the decision makers in your organisation, who do you need to tell about the GDPR, and when?
2. Information audit – how do you currently document what personal data you hold, where it is held and in what form?
3. Data security – what technical and organisational arrangements do you have in place to protect that data?
4. Subject access requests – these become free in most cases and must normally be answered within one month, so they may become more frequent. Do you have a system for handling them?
5. Lawful basis – on what basis do you currently process personal data? Do you obtain consent, rely on implied consent, or use another basis, and does that need to change? Under the GDPR consent must be freely given, specific, informed and unambiguous, so implied consent will no longer suffice.
6. Children – do you deal only with adults, or does your business process data about children? Significantly stricter conditions apply to processing children's data.
7. Data breaches – you must have a system in place for dealing with these. Do you need to review that system and prepare templates, bearing in mind the short 72 hour period you will now have to report a breach to the ICO (counted from becoming aware of it) and, where the breach is likely to result in a high risk to individuals, the requirement to tell the affected data subjects without undue delay?
8. Geography – do you need to speak to any foreign partners or offices and establish what they are doing with personal data?
9. Data Protection Officer – do you need one, and if so how do you decide whom to appoint?
10. Keep up to date – the detail may change in the coming months.