1. Notify the ICO
You are required to notify the ICO if your organisation processes personal data, regardless of size – but you don’t necessarily need to do this before the deadline of 25 May 2018. Notification currently involves the completion of a lengthy form – but this won’t be the case after the deadline. If you’re a small organisation, save yourself the bother and register after the deadline. However, if you are part of a large organisation (more than 250 employees), make sure you do this before the deadline – otherwise you will face a fine that will go up significantly on 26 May 2018. Click here to view our note which gives more information on the fee and registering with the ICO.
2. Issue your privacy notice
This doesn’t have to be hugely complex – a prominent message on your website and one in the body of your emails are good examples of how to do this. Just make sure your notice is compliant with the ICO requirements.
3. Consider whether you really need to reconfirm marketing consent
It is quite possible that you actually don’t need to ask for opt-in consent. This is one of the biggest misconceptions around GDPR right now. In fact, by contacting your customers via email to confirm consent, you could actually be breaking the law under the Privacy and Electronic Communications Regulations (PECR). So, if your hand is hovering over the send button, stop and find out if you really need to do this, or whether you could rely on any other grounds to contact your customers under GDPR, such as legitimate interest. Toni Vitale has recently been quoted in the Guardian on this topic. Click here to view the article.
4. Check your key supplier contracts
If your suppliers send through an updated version of a contract to comply with GDPR, check it carefully to make sure it covers only the clauses it needs to, and that nothing else has crept in. If you haven’t received updated contracts, find out why – because all contracts do need to be updated.
5. Have a plan
Even if you haven’t taken all the necessary steps to get GDPR-ready, put together a (realistic) plan of what you intend to do to ensure full compliance over the next 12 months. It will help to demonstrate your intentions to the ICO.

If you have any queries about any of these five points, or anything else related to GDPR, please don’t hesitate to get in touch with Toni Vitale, our head of Data Protection and Regulation.