
GDPR Checklist - Controllers and Processors

Article ID: 2840
Last updated: 31 Oct, 2019

CONTROLLERS AND PROCESSORS CHECKLIST


Step 1 of 4: Lawfulness, fairness and transparency

1.1 Information you hold:

Your business has conducted an information audit to map data flows.

You should organise an information audit across your business or within particular business areas. One person with in-depth knowledge of your working practices may be able to do this.

This will identify the data that you process and how it flows into, through and out of your business.

Remember, an information flow can include a transfer of information from one location to another. For example, the information may stay within your business yet a transfer takes place because the department or other office is located elsewhere (off site).

Having audited your information, you should then be able to identify any risks.

1.2 Your business has documented what personal data you hold, where it came from, who you share it with and what you do with it.

Once you have completed your information audit, you should document your findings, for example in an information asset register.

Doing this will also help you to comply with the GDPR’s accountability principle. This requires your business to be able to show how you comply with the GDPR principles, for example by having effective procedures and guidance for staff.

You must record:

  • The name and details of your business, each controller you are acting on behalf of, and (if relevant) the controllers’ representative, your representative and the data protection officer;
  • Categories of the processing carried out on behalf of each controller;
  • Details of transfers to third countries, including documentation of the transfer mechanism safeguards in place, if applicable;
  • Where possible, a general description of technical and organisational security measures.

If you have fewer than 250 employees you only need to keep these records for processing activities that:

  • Are not occasional;
  • Could result in a risk to the rights and freedoms of individuals;
  • Involve the processing of special categories of data or criminal conviction and offence data.

You may be required to make these records available to the ICO on request.

1.3 Lawful basis for processing personal data

Your business has identified your lawful bases for processing and documented them.

You need to identify your lawful basis before you can process personal data.

There are six available lawful bases for processing. No single basis is better or more important than the others. The basis that is most appropriate will depend on your purpose for processing and relationship with the individual.

In summary, the six lawful bases are:

  1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

If you are processing special category data or criminal offence data you need to identify both a lawful basis for general processing and an additional condition (Article 9 condition) for processing this type of data. You need to give individuals information about how you intend to process their personal data and what your lawful basis is for doing so.

1.4 Consent

Your business has reviewed how you ask for and record consent.

The GDPR sets a high standard for consent but remember you often won’t need consent. You should also assess whether another lawful basis is more appropriate.

Consent means offering people genuine choice and control over how you use their data. You can build trust and enhance your reputation by using consent properly.

The GDPR builds on the 1998 Act standard of consent in several areas and contains much more detail:

  • You should keep your consent requests prominent and separate from other terms and conditions.
  • Seek a positive opt-in such as unticked opt-in boxes or similar active opt-in methods.
  • Avoid making consent a precondition of service.
  • Be specific and granular. Allow individuals to consent separately to different purposes and types of processing wherever appropriate.
  • Name your business and any specific third party organisations who will rely on this consent.
  • Keep records of what an individual has consented to, including what you told them, and when and how they consented.
  • Tell individuals they can withdraw consent at any time and how to do this.


1.5 Your business has systems to record and manage ongoing consent

Your obligations don’t end when you first get consent. You should continue to review consent as part of your ongoing relationship with individuals, not a one-off compliance box to tick and file away.

Keep consent under review, and refresh it if anything changes. You should have a system or process to capture these reviews and record any changes.

If your current consent doesn’t meet the GDPR’s high standards or is poorly documented, you need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.

1.6 Consent to process children’s personal data for online services

If your business relies on consent to offer online services directly to children, you have systems in place to manage it.

You need to have a lawful basis for processing a child’s personal data.

If you are relying on consent as your lawful basis for processing and are offering online services to children, only a child aged 13 or over will be able to provide their own consent.

You will therefore need to make reasonable efforts to verify that anyone giving their own consent is old enough to do so.

For children under 13 you need to get consent from whoever holds parental responsibility for the child - unless the online services you offer are for preventive or counselling purposes.

You must make reasonable efforts (using available technology) to verify that the person giving consent does, in fact, hold parental responsibility for the child.

1.7 Vital interests

If you may be required to process data to protect the vital interests of an individual, your business has clearly documented the circumstances where it will be relevant. Your business documents your justification for relying on this basis and informs individuals where necessary.

The lawful basis for vital interests is very similar to the old condition for processing in the 1998 Act. One key difference is that anyone’s vital interests can now provide a basis for processing, not just those of the data subject themselves. This lawful basis is very limited in its scope, and generally only applies to matters of life and death. It is likely to be particularly relevant for emergency medical care, when you need to process personal data for medical purposes but the individual is incapable of giving consent to the processing. It is unlikely to be appropriate for medical care that is planned in advance or for processing on a larger scale.

As health data is one of the special categories of data, you also need to identify a condition for processing special category data under Article 9.

Provide guidance to staff so they know the circumstances when they may apply this lawful basis.

You need to review your existing processing to identify if you have any ongoing processing for this reason, or are likely to need to process for this reason in future. You should then document where you rely on this basis and inform individuals if relevant.

1.8 Legitimate interests

If you are relying on legitimate interests as the lawful basis for processing, your business has applied the three-part test and can demonstrate you have fully considered and protected individuals’ rights and interests.

Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate. It is likely to be most appropriate if:

  • You use people’s data in ways they would reasonably expect and which have a minimal privacy impact;
  • There is a compelling justification for the processing.

The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list. It also says that you have a legitimate interest in disclosing information about possible criminal acts or security threats to the authorities.

If you want to rely on legitimate interests, you can use the three-part test, or a legitimate interests assessment (LIA), to assess whether it applies. You should do it before you start the processing.

Firstly, identify the legitimate interest(s). Consider:

  • Why do you want to process the data – what are you trying to achieve?
  • Who benefits from the processing? In what way?
  • Are there any wider public benefits to the processing?
  • How important are those benefits?
  • What would the impact be if you couldn’t go ahead?
  • Would your use of the data be unethical or unlawful in any way?

Secondly, apply the necessity test. Consider:

  • Does this processing actually help to further that interest?
  • Is it a reasonable way to go about it?
  • Is there another less intrusive way to achieve the same result?

Thirdly, do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified. You might find it helpful to think about the following:

  • What is the nature of your relationship with the individual?
  • Is any of the data particularly sensitive or private?
  • Would people expect you to use their data in this way?
  • Are you happy to explain it to them?
  • Are some people likely to object or find it intrusive?
  • What is the possible impact on the individual?
  • How big an impact might it have on them?
  • Are you processing children’s data?
  • Are any of the individuals vulnerable in any other way?
  • Can you adopt any safeguards to minimise the impact?
  • Can you offer an opt-out?

If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.

1.9 Data Protection Fee

Your business is currently registered with the Information Commissioner's Office.

After May 2018 you need to pay the ICO a data protection fee.

If you have already registered with the ICO in the last year prior to May 2018, you only need to pay the fee once your current registration expires.

There are three different tiers of fee. Controllers are expected to pay between £40 and £2,900. The fees are set by Parliament to reflect what it believes is appropriate based on the risks posed by the processing of personal data by controllers. The tier you fall into depends on:

  • How many members of staff you have;
  • Your annual turnover;
  • Whether you are a public authority;
  • Whether you are a charity;
  • Whether you are a small occupational pension scheme.

Not all controllers must pay a fee. Many can rely on an exemption.

Read our Guide to the Data Protection Fee on our website for more information.

Step 2 of 4: Individuals' rights

2.1 Right to be informed including privacy information

Your business has provided privacy information to individuals.

Individuals need to know that you are collecting their data, why you are processing it and who you are sharing it with.

You should publish this privacy information on your website and within any forms or letters you send to individuals. The information must be:

  • Concise, transparent, intelligible and easily accessible;
  • Written in clear and plain language, particularly if addressed to a child;
  • Free of charge.

What information you supply depends on whether you obtained the personal data directly from the individual or a third party.

Guide to the GDPR - Right to be informed

2.2 Communicate the processing of children’s personal data

If your business offers online services directly to children, you communicate privacy information in a way that a child will understand.

You must provide children with the same privacy information as you give adults. It is good practice to also explain the risks involved in the processing and the safeguards you have put in place.

Any information directed at the child should be concise, clear, and written in plain language so that they are able to understand what will happen to their personal data, and what rights they have. It should be age-appropriate and presented in a way that appeals to a young audience. If children younger than your target age range are likely to try and access any online services you provide then try to explain any age limit to them in language they will understand.

2.3 Right of access

Your business has a process to recognise and respond to individuals' requests to access their personal data.

Individuals have the right to obtain:

  • Confirmation that you are processing their data;
  • Access to their personal data;
  • Other supplementary information – this largely corresponds to the information that you should provide in a privacy notice.

Individuals can request information verbally or in writing. You must provide a copy of the information free of charge. However, you can charge a ‘reasonable fee’ when a request is:

  • Manifestly unfounded or excessive, particularly if it is repetitive, unless you refuse to respond;
  • For further copies of the same information (that’s previously been provided). This does not mean that you can charge for all subsequent access requests.

You must base the fee on the administrative cost of providing the information.

You must provide information without delay and at least within one calendar month of receiving it. You can extend this by a further two months for complex or numerous requests (in which case you must inform the individual and give an explanation).

You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. A calendar month ends on the corresponding date of the next month (eg 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (eg 31 January to 28 February).

If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond (eg you receive a request on 30 March and the time limit starts from the next day (31 March). As there is no equivalent date in April, you have until 30 April to respond. However, if 30 April falls on a weekend, or is a public holiday, you have until the end of the next working day to respond).

This means that the legal deadline will vary from 28 days to 31 days depending on the month. For practical purposes if a consistent number of days is required (eg for a computer system), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.

You must verify the identity of the person making the request, using “reasonable means”.

If the request is made electronically, you should provide the information in a commonly used electronic format.

2.4 Right to rectification and data quality

Your business has processes to ensure that the personal data you hold remains accurate and up to date.

Individuals have the right to have personal data rectified if it is inaccurate or completed if it is incomplete.

An individual can make a request for rectification verbally or in writing.

You should respond to a request without delay and at least within one month of receipt. You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.

A calendar month ends on the corresponding date of the next month (eg 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (eg 31 January to 28 February).

If the corresponding date falls on a weekend or a public holiday, you will have until the next working day to respond (eg you receive a request on 30 March and the time limit starts from the next day (31 March). As there is no equivalent date in April, you have until 30 April to respond. However, if 30 April falls on a weekend, or is a public holiday, you will have until the end of the next working day to respond).

This means that the legal deadline will vary from 28 days to 31 days depending on the month. For practical purposes if a consistent number of days is required (eg for a computer system), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.

You can extend this period by a further two months for complex or numerous requests (in which case you must inform the individual and explain the delay). It is good practice to make a note on the record showing that it is under dispute and why.

You must verify the identity of the person making the request, using “reasonable means”. If you have shared the personal data with other organisations (for example other controllers or processors) you must inform them of the rectification where possible.

You should regularly review the information you process or store to identify when you need to take action, eg correct inaccurate records. Records management policies, with rules for creating and keeping records (including emails) can help.

Conducting regular data quality reviews of systems and manual records you hold will help to ensure the information continues to be adequate for the purposes you are processing for.

You should also ensure that you complete regular data quality checks to provide assurances on the accuracy of the data being inputted by your staff.

If you identify any data accuracy issues, you should communicate lessons learned to staff through ongoing awareness campaigns and internal training.

2.5 Right to erasure including retention and disposal

Your business has a process to securely dispose of personal data that is no longer required or where an individual has asked you to erase it.

Individuals have the right to be forgotten and can request the erasure of personal data when:

  • It is no longer necessary for the purpose you originally collected/ processed it for;
  • The individual withdraws consent;
  • You are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
  • You are processing the personal data for direct marketing purposes and the individual objects to that processing;
  • It was unlawfully processed (ie otherwise in breach of the GDPR);
  • It has to be erased in order to comply with a legal obligation;
  • It is processed for information society services to a child.

Individuals can make a request for erasure verbally or in writing.

You must verify the identity of the person making the request, using “reasonable means”.

You should respond to a request without delay and at least within one month of receipt. You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. A calendar month ends on the corresponding date of the next month (eg 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (eg 31 January to 28 February).

If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond (eg you receive a request on 30 March and the time limit starts from the next day (31 March). As there is no equivalent date in April, you have until 30 April to respond. However, if 30 April falls on a weekend, or is a public holiday, you have until the end of the next working day to respond).

This means that the legal deadline will vary from 28 days to 31 days depending on the month. For practical purposes if a consistent number of days is required (eg for a computer system), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.

You can extend this period by a further two months for complex or numerous requests (in which case you must inform the individual and give an explanation).

You can refuse to comply with a request for erasure if you are processing the personal data for the following reasons:

  • To exercise the right of freedom of expression and information;
  • To comply with a legal obligation;
  • To perform a public interest task or exercise official authority;
  • For archiving purposes in the public interest, scientific research, historical research or statistical purposes;
  • To exercise or defend legal claims;
  • For public health purposes in the public interest; or
  • For processing that is necessary for the purposes of preventive or occupational medicine, if you are processing the data by or under the supervision of a health professional.

A written retention policy or schedule will remind you when to dispose of various categories of data, and help you plan for its secure disposal.

You should regularly review your retention schedule to make sure it continues to meet business and statutory requirements and agree any amendments with managers and incorporate them into the new schedule.

You should designate responsibility for retention and disposal to an appropriate person.

2.6 Right to restrict processing

Your business has procedures to respond to an individual’s request to restrict the processing of their personal data.

Individuals have a right to block or restrict the processing of their personal data.

Individuals can make a request verbally or in writing. You must verify the identity of the person making the request, using “reasonable means”.

You should respond to a request without delay and at least within one month of receipt. You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. A calendar month ends on the corresponding date of the next month (eg 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (eg 31 January to 28 February).

If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond (eg you receive a request on 30 March and the time limit starts from the next day (31 March). As there is no equivalent date in April, you have until 30 April to respond. However, if 30 April falls on a weekend, or is a public holiday, you have until the end of the next working day to respond).

This means that the legal deadline will vary from 28 days to 31 days depending on the month. For practical purposes if a consistent number of days is required (eg for a computer system), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month. You can extend this period by a further two months for complex or numerous requests (in which case you must inform the individual and give an explanation).

When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in the future. As a matter of good practice, you should consider restricting the processing of personal data if:

  • An individual contests the accuracy of the personal data, you should restrict the processing until you have verified the accuracy of the personal data.
  • An individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and you are considering whether your business’s legitimate grounds override those of the individual.
  • Processing is unlawful and the individual opposes erasure and requests restriction instead.
  • You no longer need the personal data but the individual requires the data to be retained to allow them to establish, exercise or defend a legal claim.

You may need to review procedures to ensure you are able to determine if you need to restrict the processing of personal data.

If you have disclosed the personal data to other organisations (controllers or processors), you must inform them about the restriction, unless it is impossible or involves disproportionate effort to do so.

You must inform individuals when you decide to lift a restriction on processing.

2.7 Right to data portability

Your business has processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

They can receive personal data or easily move, copy or transfer that data from one business to another in a safe and secure way.

The right to data portability only applies:

  • To personal data an individual has provided to a controller;
  • Where the processing is based on the individual’s consent or for the performance of a contract; and
  • Where the processing is carried out by automated means.

Individuals can make a request verbally or in writing. You must verify the identity of the person making the request, using “reasonable means”.

You should respond to a request without delay and at least within one month of receipt. You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.

A calendar month ends on the corresponding date of the next month (eg 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (eg 31 January to 28 February).

If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond (eg you receive a request on 30 March and the time limit starts from the next day (31 March). As there is no equivalent date in April, you have until 30 April to respond. However, if 30 April falls on a weekend, or is a public holiday, you will have until the end of the next working day to respond).

This means that the legal deadline will vary from 28 days to 31 days depending on the month. For practical purposes if a consistent number of days is required (eg for a computer system), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month. You can extend this period by a further two months for complex or numerous requests (in which case you must inform the individual and give an explanation).

You must provide the personal data in a structured, commonly used and machine readable format. Examples of appropriate formats include CSV and XML files.

You must provide the information free of charge. If the individual requests it, you may be required to transmit the data directly to another business where this is technically feasible.

2.8 Right to object

Your business has procedures to handle an individual’s objection to the processing of their personal data.

Individuals have a right to object to the processing of their personal data in certain circumstances. Whether it applies depends on your purposes for processing and your lawful basis for processing. You must inform individuals of their right to object “at the point of first communication” and present it separately from other information on rights clearly laid out in your privacy notice. Individuals can object verbally or in writing.

You must verify the identity of the person making the request, using “reasonable means”.

You should respond to a request without delay and at least within one month of receipt. You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. A calendar month ends on the corresponding date of the next month (eg 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (eg 31 January to 28 February).

If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond (eg you receive a request on 30 March and the time limit starts from the next day (31 March). As there is no equivalent date in April, you have until 30 April to respond. However, if 30 April falls on a weekend, or is a public holiday, you have until the end of the next working day to respond).

This means that the legal deadline will vary from 28 days to 31 days depending on the month. For practical purposes if a consistent number of days is required (eg for a computer system), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.

You can extend this period by a further two months for complex or numerous requests (in which case you must inform the individual and give an explanation).

If the right to object does apply, it is not always absolute. Whether it is an absolute right depends on your purposes for processing the data.

Individuals have an absolute right to object to any processing (including profiling) undertaken for the purposes of direct marketing.

You must stop processing for direct marketing as soon as you receive an objection. There are no exemptions or grounds to refuse.

Individuals can object, on ‘grounds relating to his or her particular situation’ to processing (including profiling) based on:

  • Your legitimate interests;
  • The performance of a task in the public interest;
  • Exercise of official authority.

In these circumstances the right to object is not absolute. You must stop processing the personal data unless:

  • You can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual;
  • The processing is for the establishment, exercise or defence of legal claims.

If you are processing personal data for the purposes of scientific/historical research purposes or statistical purposes the right to object is more restricted and does not apply if the processing is necessary for the performance of a task carried out for reasons of public interest.

2.9 Rights related to automated decision making including profiling

Your business has identified whether any of your processing operations constitute automated decision making and have procedures in place to deal with the requirements.

The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These are set out in Article 22.

Individuals have the right not to be subject to a decision when:

  • It is based solely on automated processing, including profiling;
  • It produces a legal effect or similarly significant effect on the individual.

You can only carry out this type of processing if the decision is:

  • Necessary for entering into or performance of a contract between you and the individual;
  • Authorised by law (eg for the purposes of fraud or tax evasion prevention); 
  • Based on the individual’s explicit consent.

If one of these exceptions applies you must put in place suitable measures to safeguard the individual’s rights, freedoms and legitimate interests.

These measures must include at least the right for individuals to:

  • Obtain human intervention;
  • Express their point of view; and
  • Obtain an explanation of the decision and challenge it.

Individuals can exercise these rights verbally or in writing.

You must verify the identity of the person making the request, using “reasonable means”.

You should respond to a request without delay and at the latest within one month of receipt. You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. A calendar month ends on the corresponding date of the next month (eg 2 January to 2 February), unless that date does not exist, in which case it is the last day of the next month (eg 31 January to 28 February).

If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond (eg you receive a request on 30 March and the time limit starts from the next day (31 March). As there is no equivalent date in April, you have until 30 April to respond. However, if 30 April falls on a weekend, or is a public holiday, you have until the end of the next working day to respond).

This means that the legal deadline will vary from 28 days to 31 days depending on the month. For practical purposes, if a consistent number of days is required (eg for a computer system), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.

You can extend this period by a further two months for complex or numerous requests (in which case you must inform the individual and give an explanation).
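The one-month calculation set out above (and in the identical passage under the right to object) implemented as an added example; this is not code from TaxCalc or the ICO. It assumes a fixed 28-day period is counted from the date of receipt (the stricter reading), and the holiday list passed in is a constructed input, not a real bank-holiday calendar.

```python
from __future__ import annotations

import calendar
from datetime import date, timedelta
from typing import Iterable


def corresponding_date_next_month(start: date) -> date:
    """Calendar-month end: the same day number in the next month, or that
    month's last day when the day number does not exist (31 Jan -> 28 Feb)."""
    if start.month == 12:
        year, month = start.year + 1, 1
    else:
        year, month = start.year, start.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def roll_to_working_day(d: date, holidays: frozenset[date]) -> date:
    """If d is a Saturday, Sunday or a listed public holiday, move to the
    next working day (the end of which is the real deadline)."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def statutory_deadline(received: date, holidays: Iterable[date] = ()) -> date:
    """Deadline under the one-month rule: count from the day after receipt
    (working day or not), take the corresponding date in the next month,
    then roll forward past weekends and public holidays."""
    start = received + timedelta(days=1)
    return roll_to_working_day(corresponding_date_next_month(start), frozenset(holidays))


def fixed_28_day_deadline(received: date) -> date:
    """The fixed 28-day period suggested for computer systems. Assumption:
    the 28 days are counted from the date of receipt, the stricter reading."""
    return received + timedelta(days=28)


def deadline_iso(received_iso: str, holidays_iso: Iterable[str] = ()) -> str:
    """String-in, string-out wrapper so the rule can be driven from a ticket export."""
    holidays = [date.fromisoformat(h) for h in holidays_iso]
    return statutory_deadline(date.fromisoformat(received_iso), holidays).isoformat()


def is_on_time(received_iso: str, responded_iso: str, holidays_iso: Iterable[str] = ()) -> bool:
    """True if the response date is on or before the statutory deadline."""
    deadline = date.fromisoformat(deadline_iso(received_iso, holidays_iso))
    return date.fromisoformat(responded_iso) <= deadline


def calendar_month_length_range(year: int) -> tuple[int, int]:
    """Min and max days from a start day to the corresponding date in the
    next month, over every start day of the year (before any roll-forward).
    This is the 28-to-31-day spread the text describes."""
    lengths = []
    d = date(year, 1, 1)
    while d.year == year:
        lengths.append((corresponding_date_next_month(d) - d).days)
        d += timedelta(days=1)
    return min(lengths), max(lengths)


def fixed_period_always_safe(year: int) -> bool:
    """True if, for every receipt date in the year, meeting the fixed 28-day
    deadline also meets the statutory deadline (with no holidays listed)."""
    d = date(year, 1, 1)
    while d.year == year:
        if fixed_28_day_deadline(d) > statutory_deadline(d):
            return False
        d += timedelta(days=1)
    return True


if __name__ == "__main__":
    # The page's worked example: received 30 March, clock starts 31 March,
    # there is no 31 April, so the deadline is 30 April (a Friday in 2021).
    print(deadline_iso("2021-03-30"))                   # 2021-04-30
    # Constructed holiday list (not a real bank-holiday calendar): 3 Jan 2022 off.
    print(deadline_iso("2021-12-02", ["2022-01-03"]))   # 2022-01-04
    print(calendar_month_length_range(2021))            # (28, 31)
```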

The GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict their:

  • Performance at work;
  • Economic situation;
  • Health;
  • Personal preferences;
  • Reliability;
  • Behaviour;
  • Location;
  • Movements.

If the decision involves the processing of special categories of personal data then the exceptions available to justify the processing are more limited. Processing can only take place if:

  • You have the individual’s explicit consent;
  • The processing is necessary for reasons of substantial public interest.

You should exercise particular caution if you are making an automated decision about a child.

Step 3 of 4: Accountability and governance

3.1 Accountability

Your business has an appropriate data protection policy.

The GDPR requires you to show how you comply with the principles.

A policy will help you address data protection in a consistent manner and demonstrate accountability under the GDPR. This can be a standalone policy statement or part of a general staff policy.

The policy should clearly set out your approach to data protection together with responsibilities for implementing the policy and monitoring compliance.

Management should approve the policy and you should publish and communicate it to all staff. You should review and update the policy at planned intervals or when required to ensure it remains relevant.

3.2 Your business monitors your own compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls.

Documenting policies alone is often not enough to provide assurances that staff are adhering to the processes they outline.

You should ensure that you have a process to monitor compliance with data protection and security policies.

You should regularly test measures that are detailed within the policies to provide assurances about their continued effectiveness.

Responsibility for monitoring compliance with the policy should be independent of the people implementing the policy, to allow the monitoring to be unbiased. Staff should report the results of compliance testing on a regular basis to senior management.

3.3 Your business provides data protection awareness training for all staff.

You should brief all staff handling personal data on their data protection responsibilities. It is good practice to provide awareness training on or shortly after appointment with updates at regular intervals or when required.

You should also consider specialist training for staff with specific duties, such as information security, database management and marketing.

Regularly communicating key messages is equally important to reinforce training and maintain awareness (for example intranet articles, circulars, team briefings and posters).

3.4 Processor contracts

Your business has a written contract with any processors you use.

Whenever you use a processor you need to have a written contract in place, or another legal act must apply.

The contract is important so that both parties understand their responsibilities and liabilities.

The GDPR sets out what you need to include in the contract.

You are directly liable for overall compliance with the GDPR and for demonstrating that compliance. If you don’t achieve this, then you may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures.

You must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.

Processors must only act on your documented instructions. They do however have some direct obligations and responsibilities under the GDPR. If they fail to comply they may be liable to pay damages in legal proceedings, or be subject to fines or other penalties or corrective measures.

You may be able to use adherence by a processor to an approved code of conduct or certification scheme to help demonstrate that you have chosen a suitable processor. However they are not yet available.

In the future, standard contractual clauses may be provided by the European Commission or the ICO, and may form part of a code or certification scheme. However these are not yet available.

3.5 Information risks

Your business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.

You should set out how you (and any of your data processors) manage information risk.

You need to have a senior staff member with responsibility for managing information risks, coordinating procedures put in place to mitigate them and for logging and risk assessing information assets.

Where you have identified information risks, you should have appropriate action plans in place to mitigate any risks that are not tolerated or terminated.

3.6 Data Protection by Design

Your business has implemented appropriate technical and organisational measures to integrate data protection into your processing activities.

Under the GDPR, you have a general obligation to implement appropriate technical and organisational measures to show that you have considered and integrated data protection into your processing activities. This is referred to as data protection by design and by default.

You should adopt internal policies and implement measures which help you comply with the data protection principles – this could include data minimisation, pseudonymisation and transparency measures.

3.7 Data Protection Impact Assessments (DPIA)

Your business understands when you must conduct a DPIA and has processes in place to action this.

DPIAs help you identify the most effective way to comply with your data protection obligations and meet individuals’ expectations of privacy.

An effective DPIA will allow you to identify and fix problems at an early stage, reducing the associated costs and damage to your reputation which might otherwise occur.

You must do a DPIA before you begin any type of processing which is “likely to result in a high risk”. This means that although you have not yet assessed the actual level of risk you need to screen for factors that point to the potential for a widespread or serious impact on individuals.

In particular, the GDPR says you must do a DPIA if you plan to:

  • Use systematic and extensive profiling with significant effects;
  • Process special category or criminal offence data on a large scale;
  • Systematically monitor publicly accessible places on a large scale.

The ICO also requires you to do a DPIA if you plan to:

  • Use new technologies;
  • Use profiling or special category data to decide on access to services;
  • Profile individuals on a large scale;
  • Process biometric data;
  • Process genetic data;
  • Match data or combine datasets from different sources;
  • Collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
  • Track individuals’ location or behaviour;
  • Profile children or target marketing or online services at them;
  • Process data that might endanger the individual’s physical health or safety in the event of a security breach.

You should also think carefully about doing a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals. European guidance (WP248) provides a number of criteria that you can compare your intended processing against to see if a DPIA should be undertaken.

Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.

The DPIA should contain the following information:

  • A description of the nature, scope, context and purposes of the processing and, where applicable, the legitimate interests pursued by your business;
  • An assessment of the necessity and proportionality of the processing in relation to the purpose;
  • An objective assessment of the risks to individuals, which considers both the likelihood and severity of the possible harm;
  • What controls you have identified to address any of those risks, and whether those risks are eliminated, reduced or accepted as a result (including security).

If you have carried out a DPIA that identifies a high risk, and you cannot take any measures to reduce this risk, you need to consult the ICO. You cannot go ahead with the processing until you have done so.

The focus is on the ‘residual risk’ after any mitigating measures have been taken. If your DPIA identified a high risk, but you have taken measures to reduce this risk so that it is no longer a high risk, you do not need to consult the ICO.

3.8 Your business has a DPIA framework which links to your existing risk management and project management processes.

A DPIA can address multiple processing operations that are similar in terms of the risks, provided adequate consideration is given to the specific nature, scope, context and purposes of the processing.

You should start to assess the situations where it will be necessary to conduct one:

  • Who will do it?
  • Who else needs to be involved?
  • Will the process be run centrally or locally?

If the processing is wholly or partly performed by a processor, then that processor must assist you in carrying out the DPIA. It may also be appropriate to seek the views of data subjects in certain circumstances.

3.9 Data Protection Officers (DPO)

Your business has nominated a data protection lead or Data Protection Officer (DPO).

It is important to make sure that someone in your business, or an external data protection advisor, takes responsibility for data protection compliance.

You may need to appoint a DPO. Any business can appoint a DPO but you must do so if you:

  • Are a public authority (except for courts acting in their judicial capacity);
  • Carry out large scale regular and systematic monitoring of individuals (eg online behaviour tracking);
  • Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

You may find it useful to designate a DPO on a voluntary basis even when the GDPR does not require you to.

The DPO should work independently, report to the highest management level and have adequate resources to enable your organisation to meet its GDPR obligations.

The DPO’s minimum tasks are to:

  • Inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws;
  • Monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, awareness raising and training of staff and conducting internal audits;
  • Advise on and monitor data protection impact assessments;
  • Act as the contact point for, and cooperate with, the ICO, and consult on any data protection matter;
  • Be the contact point for individuals whose data is processed (employees, customers etc).

3.10 Management Responsibility

Decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.

You should make sure that decision makers and key people in your business are aware of the requirements under the GDPR.

Decision makers and key people should lead by example, demonstrating accountability for compliance with the GDPR and promoting a positive culture, within your business, for data protection.

They should take the lead when assessing any impacts to your business and encourage a privacy by design approach.

They should help to drive awareness amongst all staff regarding the importance of exercising good data protection practices.

Step 4 of 4: Data security, international transfers and breaches

4.1 Security policy

Your business has an information security policy supported by appropriate security measures.

You should process personal data in a manner that ensures appropriate security. Before you can decide what level of security is right for you, you need to assess the risks to the personal data you hold and choose security measures that are appropriate to your needs.

Keeping your IT systems safe and secure can be a complex task and does require time, resource and (potentially) specialist expertise.

If you are processing personal data within your IT system(s) you need to recognise the risks involved and take appropriate technical and organisational measures to secure the data.

The measures you put in place should fit your business’s needs. They don’t necessarily have to be expensive or onerous. They may even be free or already available within the IT systems you currently have.

A good starting point is to establish and implement a robust Information Security policy which details your approach to information security, the technical and organisational measures that you will be implementing and the roles and responsibilities staff have in relation to keeping information secure.

4.2 Breach notification

Your business has effective processes to identify, report, manage and resolve any personal data breaches.

The GDPR introduces a duty on all organisations to report certain types of personal data breaches to the ICO and, in some cases, to the individuals affected.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

You have to notify the ICO of a breach unless it is unlikely to result in a risk to the rights and freedoms of individuals. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly and without undue delay.

In all cases you must maintain records of personal data breaches, whether or not they are notifiable to the ICO.

You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. The GDPR recognises that it will not always be possible to investigate a breach fully within that time period and allows you to provide additional information in phases, so long as this is done without undue further delay. You should make sure that your staff understand what constitutes a personal data breach, and that this is more than a loss of personal data.

You should ensure that you have an internal breach reporting procedure in place. This will facilitate decision-making about whether you need to notify the ICO or affected individuals.

In light of the tight timescales for reporting a breach, it is important that you have robust breach detection, investigation and internal reporting procedures in place.

4.3 International transfers 

Your business ensures an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Economic Area.

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations.

These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

You may only transfer personal data outside of the EU if you comply with the conditions for transfer set out in Chapter V of the GDPR.

PROCESSORS CHECKLIST 

Step 1 of 4: Documentation  

1.1 Information you hold

Your business has conducted an information audit to map data flows.

You should organise an information audit across your business or within particular areas. One person with in-depth knowledge of your working practices may be able to do this.

This will identify the data that you process and how it flows into, through and out of your business, for example to any agreed sub processors or back to the controller.

Remember, an information flow can include a transfer of information from one location to another. For example, the information may stay within your business yet a transfer takes place because the department or other office is located elsewhere (off site).

Having audited your information, you should then be able to identify any risks.

1.2 Your business has documented what personal data you hold, where it came from, who you share it with and what you do with it.

Once you have completed your information audit, you should document your findings, for example in an information asset register.

Doing this will also help you to comply with the GDPR’s accountability principle, which requires you to show how you comply with the GDPR principles, for example by having effective procedures and guidance for staff.

You must record:

  • The name and details of your business, each controller you are acting on behalf of, and the controllers’ representative (if relevant), your representative and the data protection officer;
  • Categories of the processing carried out on behalf of each controller;
  • Details of transfers to third countries including documentation of the transfer mechanism safeguards in place, if applicable; and
  • Where possible, a general description of technical and organisational security measures.

If you have fewer than 250 employees you only need to keep these records for processing activities that:

  • Are not occasional;
  • Could result in a risk to the rights and freedoms of individuals;
  • Involve the processing of special categories of data or criminal conviction and offence data.

You may be required to make these records available to the ICO on request.

Step 2 of 4: Accountability and governance

2.1 Accountability

Your business has an appropriate data protection policy.

The GDPR requires you to show how you comply with the principles.

A policy helps you address data protection in a consistent manner and demonstrate accountability under the GDPR. This can be a standalone policy statement or part of a general staff policy.

The policy should clearly set out your approach to data protection together with responsibilities for implementing the policy and monitoring compliance.

You should make sure that management approves the policy and that you publish and communicate it to all staff. You should also review and update it at planned intervals or when required to ensure it remains relevant.

2.2 Data Protection Officer (DPO)

Your business has nominated a data protection lead or Data Protection Officer (DPO).

It is important to make sure that someone in your business, or an external data protection advisor, takes responsibility for data protection compliance.

You may need to appoint a DPO. Any business can appoint a DPO but you must do so if you:

  • Are a public authority (except for courts acting in the judicial capacity);
  • Carry out large scale, regular and systematic monitoring of individuals (eg online behaviour tracking);
  • Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

You may find it useful to voluntarily designate a DPO even when the GDPR does not require you to.

The DPO should work independently, report to the highest management level and have adequate resources to enable your organisation to meet its GDPR obligations.

The DPO’s minimum tasks are to:

  • Inform and advise your business and its employees about their obligations to comply with the GDPR and other data protection laws;
  • Monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, awareness-raising and training of staff and conducting internal audits;
  • Advise on and monitor data protection impact assessments;
  • Act as the contact point for, and cooperate with, the ICO, and consult on any data protection matter;
  • Be the first point of contact for individuals whose data is processed (employees, customers etc).

You should document the internal analysis you carried out to determine whether or not to appoint a DPO unless it is obvious that your business is not required to designate one.

2.3 Management Responsibility

Decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.

You should make sure that decision makers and key people in your business are aware of the requirements under the GDPR.

Decision makers and key people should lead by example, demonstrating accountability for compliance with the GDPR and promoting a positive culture within your business for data protection.

They should take the lead when assessing any impacts to your business and encourage a privacy by design approach.

They should help to drive awareness amongst all staff about the importance of exercising good data protection practices.

2.4 Information risks and data protection impact assessments

Your business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.

You should set out how you manage information risk.

This task could be driven by the controller you are providing services for and you should ensure you work with them so that all information risks you identify are fed back on a regular basis.

You need to have a senior staff member with responsibility for managing information risks, coordinating procedures that mitigate them and logging and risk assessing information assets.

You should have appropriate action plans in place to mitigate any risks you have identified that are not tolerated or terminated.

Before the start of a new contract with you, the controller should complete a Data Protection Impact Assessment (where the circumstances require one to be completed). As processor you should be ready to provide your input to this assessment and work with the controller to mitigate any risks identified. Having an established information risk management framework in place will assist you to do this effectively.

2.5 Data Protection by Design

Your business has implemented appropriate technical and organisational measures to show you have considered and integrated data protection into your processing activities.

Under the GDPR, processors have a general obligation to implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities. This is referred to as data protection by design and by default.

You should adopt internal policies and implement measures which help your business comply with the data protection principles – this could include data minimisation, pseudonymisation and transparency measures.

2.6 Training and awareness

Your business provides data protection awareness training for all staff.

You should brief all staff handling personal data on their data protection responsibilities. It is good practice to provide awareness training on or shortly after appointment with updates at regular intervals or when required.

Consider specialist training for staff with specific duties, such as information security, database management and marketing.

Regularly communicating your key messages is equally important to help reinforce training and maintain awareness (for example intranet articles, circulars, team briefings and posters).

2.7 Data processing contracts

Your business only processes data on the documented instructions of a controller and there is a written contract setting out the respective responsibilities and liabilities of the controller and your business.

When processing personal data, you must have a written contract in place between you and the controller, or another legal act must apply.

The contract is important so that both parties understand their responsibilities and liabilities.

The GDPR sets out what you need to include in the contract, including the requirement only to act on the written instructions of the controller.

Although the controller is ultimately liable for overall compliance with the GDPR and for demonstrating that compliance, as processor you have some direct responsibilities and liabilities of your own.

If you fail to meet any of these obligations, or act outside or against the instructions of the controller, you may be liable to pay damages in legal proceedings, or be subject to fines or other penalties or corrective measures.

In the future, you may wish to consider looking at approved codes of conduct or certification schemes to help you and the controller to demonstrate your suitability as a data processor. However, they are not yet available.

Standard contractual clauses may be provided by the European Commission or the ICO, and may form part of such a code or scheme. However, they are not yet available.

2.8 The use of sub-processors

Your business has sought prior written authorisation from the controller before engaging the services of a sub-processor, and there is a contract in place.

You may only engage another processor (sub-processor) if you have the prior written authorisation of the data controller.

You must put in place a contract with the sub-processor (or other legal act) that imposes specific obligations on the sub-processor.

As processor you remain liable to the controller for the performance of the sub-processor’s obligations.

The prior authorisation to use a sub-processor may be specific or general. However, if general, then you must tell the controller in advance of any changes you intend to make regarding the addition or replacement of other processors, so that the controller has the opportunity to object.

2.9 Operational base

If your business operates outside the EU, you have appointed a representative within the EU in writing.

Under the GDPR, if your business is located outside the EU, and you offer products and services to citizens in the EU, then there is a requirement for you to appoint (in writing) a representative within the European Union.

You may only transfer personal data outside the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR.

2.10 Breach notification

Your organisation has effective processes to identify and report any personal data breaches to your controller.

The GDPR introduces a duty on all processors to inform controllers of a personal data breach “without undue delay” after becoming aware of it. It is therefore important that you have internal and external breach identification and reporting procedures in place.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

You should make sure that your staff understand what constitutes a personal data breach, and that this is more than a loss of personal data.

Step 3 of 4: Individual rights

3.1 Right of access

Your business has a process to respond to a controller's request for information (following an individual's request to access their personal data).

Individuals have the right to obtain:

  • Confirmation that their data is being processed;
  • Access to their personal data;
  • Other supplementary information – this largely corresponds to the information that a controller should provide in their privacy information.

You should have robust procedures in place and assign responsibility within your business to recognise and deal with these types of requests in a timely manner, regardless of whether they are sent to you or to the controller.

If you have identified and documented all the data you process it will make it easier to locate and retrieve specific information as requested by the controller. Information must be provided to the requester by the controller without delay and at the latest within one month of receipt of the request, extended by a further two months for complex or numerous requests (in which case the individual must be informed and given an explanation). See our guidance for more information on how to calculate the due date for a response.

If the request is made electronically, you may be required by the controller to send them the information in a commonly used electronic format.

You should set out timescales for your response to a request for an individual’s information within the written contract with the data controller.

3.2 Right to rectification and data quality

Your business has processes to ensure that the personal data you hold remains accurate and up to date.

Individuals have the right to have personal data rectified if it is inaccurate or incomplete.

You should have processes in place to enable you to respond to a request from a controller to rectify inaccurate data within one month of the request.

It is good practice to place a note on any record to indicate that the accuracy of the information is under dispute and why.

If you have disclosed this personal data to others, you must contact each recipient and inform them of the restriction on the processing of the personal data, unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individuals about these recipients.

You should regularly review the information you process or store on behalf of a controller to identify when you need to do things, eg correct inaccurate records. Records management policies, with rules for creating and keeping records (including emails) can help.

Conducting regular data quality reviews of systems and manual records will help you ensure the information continues to be adequate for the purposes of processing under your written contract with the controller.

You should also ensure that you complete regular data quality checks to provide assurances on the accuracy of the data your staff are inputting.

If you identify any data accuracy issues, you should communicate lessons learned to staff through ongoing awareness campaigns and internal training.

See the guidance on our website for more information on how to respond to these types of requests.

3.3 Right to erasure, including retention and disposal

Your business has a process to routinely and securely dispose of personal data that is no longer required, in line with the agreed timescales as stated in your contract with the controller.

Individuals have the right to be forgotten and can request that the controller (and therefore you also, as processor) erase their personal data when:

  • It is no longer necessary for the purpose it was originally collected or processed;
  • The individual withdraws consent;
  • The individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
  • It was unlawfully processed (ie otherwise in breach of the GDPR);
  • It has to be erased in order to comply with a legal obligation;
  • It is processed in order to offer information society services to a child.

You should pay special attention if there are existing situations where a child has given consent to processing and they later request erasure of the data (regardless of age at the time of the request) especially on social networking sites and internet forums. This is because a child may not have been fully aware of the risks involved in the processing at the time of consent.

These requests will be received initially by the controller. However, if you also process and store this data, then you need to have appropriate procedures in place to ensure you erase it permanently, and within one month of receipt.

You should have standard contract clauses covering erasure, data retention and disposal. You should ensure that these conditions are met. A written retention policy will remind you when to dispose of various categories of data, and help you plan for its secure disposal.

See the guidance on our website for more information on how to respond to these types of requests.

3.4 Right to restrict processing

Your business has procedures to respond to a data controller’s request to suppress the processing of specific personal data.

Individuals have a right to block or restrict the processing of their personal data.

When processing is restricted, you are permitted to store the personal data, but not process it further.

You can retain just enough information about the individual to ensure that you respect the restriction in the future.

A controller may request that as their processor you restrict the processing of personal data if:

  • An individual contests the accuracy of the personal data;
  • An individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and the controller is considering whether their legitimate grounds override those of the individual;
  • Processing is unlawful and the individual opposes erasure and requests restriction instead;
  • The controller no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim.

You should action these requests within one month of receipt. See our guidance for further information relating to responding to these types of requests.

3.5 Right to data portability

Your business can respond to a request from the controller to supply the personal data you process in an electronic format.

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

They can receive personal data or move, copy or transfer that data from one business to another in a safe and secure way, without hindrance.

The right to data portability only applies:

  • To personal data an individual has provided to a controller;
  • If the processing is based on the individual’s consent or for the performance of a contract;
  • If the processing is carried out by automated means.

You must provide information without delay and at the latest within one month of receipt. Your controller may receive such a request, so you should be able to supply them with any applicable data you process on their behalf to enable them to fulfil the request.

You must provide the personal data in a structured, commonly used and machine-readable format. Examples of appropriate formats include CSV and XML files.

If the individual (and so the controller) requests it, you may be required to transmit the data directly to another business where this is technically feasible.

See ICO guidance for further information relating to responding to these types of requests.

Step 4 of 4: Data security

4.1 Security policy

Your business has an information security policy supported by appropriate security measures.

You should process personal data in a way that ensures appropriate security.

Before you can decide what level of security is right for you, you need to assess the risks to the personal data you hold and choose security measures that are appropriate to your needs.

Keeping your IT systems safe and secure can be a complex task and does require time, resource and (potentially) specialist expertise.

If you are processing personal data within your IT system(s) you need to recognise the risks involved and take appropriate technical measures to secure the data.

The measures you put in place should fit your business’s needs. They don’t necessarily have to be expensive or onerous. They may even be free or already available within the IT systems you currently have.

A good starting point is to establish and implement a robust information security policy which details your approach to information security, the technical and organisational measures you will be implementing, and the roles and responsibilities staff have in keeping information secure.
