The ICO's 12 steps to compliance


(translated into actions)  

Step 1: Awareness
You’re here on this site, reading this article, so no doubt YOU are already aware that GDPR is a big deal and it will affect your business. Which is great, because the ICO’s campaign to raise awareness of GDPR has been significant.  Ignorance is no excuse for non-compliance and alas, won’t stand up in court.

Action: The important thing here is to raise awareness among all stakeholders. Every employee needs to be aware of GDPR, from front of house staff to back office staff to operations, finance and HR. And if your employees handle data, they need awareness of what to do and how to do it, not just awareness of GDPR itself.

Step 2: Information you hold
You are required to keep records of all data processing activities and the legal remits of processing such data.


You should:

  1. Review the data you have (all of it – from customer details to employee records to suppliers)
  2. Review where this data came from
  3. Review how long you have had the data for
  4. Review sign up processes
  5. Document the legal basis for storing the data (i.e. opted in)

Step 3: Communicating Privacy Information
Additional information must be given to individuals when their personal data is obtained.


Review your privacy notices – are they GDPR compliant? If not, make a start now on rewriting them and repositioning them. Use the GDPR’s code of practice for privacy notices to help with GDPR compliance.

Step 4: Individuals' rights
Individuals will have the following rights, under the GDPR:

  • right to be informed;
  • right of access;
  • right to rectification;
  • right to erasure;
  • right to restrict processing;
  • right to data portability;
  • right to object; and
  • right not to be subject to automated decision making and profiling.


Ensure you have the processes in place to comply with all of the above, within the required timescale. Who in the organisation is responsible for accessing/providing this information to individuals? Are you open and transparent about how individuals contact you to exercise their rights? Do you have a policy in place for individuals on a) accessing data, b) timescale and c) complaints procedure?

The newest point here is data portability – the right to request that data be transferred to another organisation (think banks, energy suppliers etc). You need to ensure that you can export such data in a commonly used, machine-readable form, free of charge.

Step 5: Subject access requests
The new deadline for processing requests is one month instead of the current 40 days.

Action: Policies, procedures and staff need to be updated to comply with this. If you foresee a large number of requests, is it more feasible to develop a system whereby individuals can access their data themselves?

NB: You can refuse requests, or charge for them, if they are unfounded or excessive. But you must tell the individual why you refuse the request and that they can take the refusal on to the supervisory body and the court.

Step 6: Lawful basis for processing personal data
This comes under ‘accountability’ in the GDPR. The lawful bases in the GDPR are broadly the same as the conditions for processing in the current DPA. It should be possible to review the types of processing activities you carry out and to identify your lawful basis for doing so.

Under GDPR, some individuals’ rights will be modified depending on your lawful basis for processing their personal data. The most obvious example is that people will have a stronger right to have their data deleted where you use consent as your lawful basis for processing.


Review the legal bases you use for processing personal data to ensure these are still relevant and will be GDPR compliant. Ensure these are accessible under your privacy terms.

Step 7: Consent
This is a huge area for GDPR, and one well worth researching thoroughly, especially if you carry out marketing activities of any form.


Consent will need to be renewed from each individual in your existing databases. And the way you seek and process consent will also be tightened up.

In the words of the ICO: “Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.”

Individuals’ consent must be specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.

Seriously, this is huge. Our advice? Read this advice from the ICO thoroughly.

Step 8: Children
GDPR places special emphasis on protecting children’s personal data.


If you collect data, you must ensure you have mechanisms in place to a) verify age and b) seek parental consent for children under 13. If your business works in the context of commercial internet services such as social networking, your data collection notices must be written in a language that children will understand.

Step 9: Data breaches
This step is all about fessing up. Data breaches do happen and for GDPR, notification is key.


You may only have 72 hours from discovery of a breach to notify the relevant data protection authority of the breach. You must also tell individuals directly if their personal data has been compromised. For now, make sure you have the right procedures in place to detect, report and investigate a personal data breach.

Step 10: Data protection by design and data protection impact assessments (PIA)
Data protection should be integral to the planning of large scale processing/transfer (i.e. a new IT system/backup location). For the PIA code of practice check the ICO guidance.

Step 11: Data Protection Officers (DPOs)
 Somebody within your business needs to be responsible for GDPR compliance. The ICO requires that you appoint a formal DPO under certain circumstances. recommends hiring a DPO


Decide who will be responsible for GDPR within your organisation. Where does this person sit – internal or external? Where are they within the structure of your organisation? Who do they report to and who governs this person/their processes? Do they have the right experience, training and support?

Step 12: International

Where your organisation operates in more than one member state, you should identify the lead supervisory authority.

We take GDPR seriously

I’m Ragnar, Director of Hero IT Support. I’m a  GDPR practitioner and an expert in data compliance:

  • 10+ years experience as a company Director
  • Software developer
  • BSc, Computer Science and Artificial Intelligence
  • Directly responsible for data security/transfer/encryption for our  clients
  • Business technology advisor and public speaker
  • GDPR Practitioner

Expert knowledge of data processing, transfer, storage and collection is essential for the modern day IT Support company.

If you need help in making sense of exactly how GDPR will affect you, take a look at the resources below. I will continue to blog about GDPR as the waters become less murky and the ICO releases more information. 
