At last, here are the checklists – what you got to do to ensure you are GDPR compliant. Part 3 now explores GDPR Tactics (the details of Strategy Part 2) and the Actions (including checklists you can use) and finally, Control – what you need to check to ensure your data is safe and fully under control.  Part 1 introduced GDPR Situation which is a shock for many businesses, as it could put some out of business!

TACTICS (the details of strategy)


Appoint a Data Officer

Medium to large businesses will need a data protection officer.

Audit High-Risk Aspects Of The Business

Businesses must identify very high risks and how they would mitigate it. If your data is encrypted, then it is not ‘high risk’.

Commence Data Protection Impact Assessments (DPIAs)

issued in 2017 as part of the implementation package for the General Data Protection Regulation (GDPR)

Run An Attack Simulation

with senior management to ensure that all of your data processes are robust in the case of an attack or a personal data breach and are GDPR complaint.

Businessman leaning over a lap top

Run an attack simulation

Document Your Risk Management

Organisations and accountable individuals must document their approach to managing risk inherent with collecting & keeping personal data that your firm, your partners and your suppliers process.


To BUILD A DATA PROTECTION CULTURE – employ these Tactics:


Train Staff 

Ensure all your staff (from Board Level down) have regular data protection awareness training (see  ‘internal marketing’ in the Action section). Training is the first line of defence. Did you train your staff and your board? Board members need to be aware of the business risks of cyber security and understand the legal significance of an accountable individual at Board level.

Laurette Batstone SOSTAC(r) Certified Planner 2016 - holding the certificate

Laurette Batstone SOSTAC® Certified Planner



Encrypt Data

Data encryption translates data into another form, or code. Only people with access to a password or secret key (formally called a decryption key) can actually read it. Encrypted data is commonly referred to as ciphertext, while unencrypted data is called plaintext.


Improve Response Times When Reporting Hacks 

Under GDPR you have 72 hours to report a breach of security to the ICO (compared to the old 138 day response time) .  GDPR will become part of the value chain.  Businesses will have to integrate GDPR into almost everything as everything becomes connected via the IoT (Internet of things).   

Tired worker making a call

Improve Response Times When Reporting a Hack


Improve Response Times SARs

Subject Access Request ( a request from a customer to see what data is being kept about them) is free of charge and organisations must complete this within one month, except in exceptional circumstances, where multiple requests are made, a ‘reasonable’ administration fee can be charged.


Regularly Scrutinise Your Cloud And Server Suppliers

You have a responsibility to check up on your suppliers and any partners that they too are compliant with GDPR.


Induction & Data Protection

Include data protection into induction processes.

Two Hands Shaking with electricity sparking

Digital Data is a new asset which needs to be managed carefully


ACTIONS (how to ensure excellent execution of the new GDPR)

Internal Marketing

Internal Marketing means Motivating, Communicating and Training your team to ensure they execute GDPR with excellence and with passion.

This can come down to specifying detailed actions (checklists of things individuals have to do).

Once all stuff fully understand why GDPR is important (find out how to motivate them), then communicate with them about the importance and ultimately train them to point where you even issue fool-proof checklists for procedures or processes. Remember, training is mandatory. So, schedule a series of motivation & communication & training events across the organisation. In marketing parlance, we call all of this Internal marketing (motivating staff, communicating with staff and training staff). It’s often forgotten (& requires a budget) & is often the hidden reason why so many plans fail.


Motivate, Communicate & Train your staff




Ensure staff and board members understand how important GDPR is. Ensure they understand the ethics and the reasons why we need to protect our children, our families and our firends from data abuse as well as the scale of fines (and prison sentences). Ensure they understand the benefit of keeping clean and secure data. Incentivise employees to spot and fix or report any errors made in data processing.



Communicate to all staff – from Board Level down to operators, the importance of GDPR.  Make it part of all regular reporting so that meetings at every level have GDPR on the agenda. Create and refer to Data KPIs.



Anyone handling personal data is now legally obliged to be trained (under the GDPR). Staff must be trained so they understand the 6 basic data protection principles (article 5):

  1. Consent – did you get consent? Processed lawfully, fairly and in a transparent manner in relation to individuals
  2. Purpose – was the data collected for specified, explicit and legitimate purposes
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  4. Accurate and, where necessary, kept up to date
  5. Kept in a form which permits identification of data subjects for no longer than is necessary
  6. Processed in a manner that ensures appropriate security of the personal data

Source ICO (Information Commissioners Office)


Can you prove that you are compliant with GDPR?

Remember: The Burden of Proof Is On The DC

Under the GDPR the burden of proof is on the DC (Data Controller) to verify that it received lawful consent.

  • It must be clearly distinguishable from other matters.
  • Data Privacy Notice needs to be intelligible, easily accessible and in clear and plain language.
  • It must be as easy to withdraw consent as it is to give it.
  • If a service to be delivered is conditional on providing consent to personal data processing, then that consent isn’t deemed to be ‘freely given’ and isn’t valid.

Ardi Kolah, Henley Business School


12 Steps/Actions Preparing for GDPR (ICO )


 / No

  General Data Protection Regulations 12 Steps To Take Now


  1. Awareness
You should make sure that decision-makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
  2. Information you hold
You should document was personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
  3. Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  4. Individuals rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
  5. Subject Access Requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
  6. Legal basis for processing personal data
You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
  7. Consent
You should review how are you are seeking, obtaining and recording consent and whether you need to make any changes.
  8. Children
You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
  9. Data Breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
  10. Data Protection By Design And Data Protection Impact Assessments
You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.
  11. Data Protection Officers
You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
  12. International
If your organisation operates internationally, you should determine which data protection supervisory authority you come under.

An old Irish Castle

Security of data is a critical factor


Yes/ No 10 More Actions Checklist


1. Any breaches of security must be reported in the EU to the ICO (Information Commissioner’s Office) within 72 hours.


2. Have a data breach response plan ready. Organisations must have contingency plans. Just like fire drills.


3. Review your vendors’ DP. Use vendors that understand and apply GDPR.


4. Prepare a DPIA (Data Protection Impact Assessment).


5. Get your documents & records & processes ready for inspection (including employee consent, the right to be forgotten & not profiled).


6. Have a news release ready. Brief the board (including annual reporting requirements).


7. Train staff.


8. Carry out regular compliance audits.


9. Larger companies will need to appoint Data Protection Officers.


10. Subject Access Requests (SAR) must be honoured, for example ‘if an employee wants to get his/her my previous pay-slips’



Source: unknown

How To Create GDPR-Compliant Consent Forms

  • Request as little data as possible
  • Make the terms and conditions clear
  • Make it easy to withdraw consent
  • Use a double opt-in mechanism‘

Source: IT Governance

A double opt-in mechanism stops individuals from giving their consent by mistake. The first step involves a regular opt-in tick-box (consent form).  This is followed by an automated email with a link that they need to click on to verify, or confirm, their consent.




Are you in control of your data?


Here’s 7 Data Protection Questions To Answer Before Some Banks Will Do Business With You

Data assets can become toxic if not adhering to GDPR. Gilbert Hill founder, One Trust, revealed that one bank told him that they won’t ‘do business with you unless you can tell me:

  1. How you collect data?
    2. How you use it?
    3. How you protect it?
    4. How you secure it?
    5. How you clean it?
    6. How you give it back to users?
    7. How you check it every six months?

It is recommended that you clean up your data regularly (Gilbert Hill recommends every 6 months & suggests ‘It can be less risky to bin data and start again’ (rather than keeping unclean data).   All of this is simply good customer service and excellent marketing practice. GDPR ultimately protects and improves the CX (customer experience).  So if you really care about your customers, you should embrace GDPR with open arms.


Finger Pointing at you with caption 'Everyone who processes personal data

GDPR Responsibility starts with the board of directors and works across the organisation everyone’s responsibility [image reproduced with kind permission of Henley Business School]


Another 6 Questions to check you are in control of your customers’ personal data

John Culkin, Director of Information Management, Crown Records Management highlights these 6 ‘must-have’ answers regarding customer data:

  1. What you have?
  2. Where is it?
  3. Where are you sending it?
  4. Why do you have it (what do you do with it)?
  5. What form is it in?
  6. How long do you need to keep it?



2 Crunch Questions

Can you prove that you have collected data legally and morally?

Can you prove that it is secure?



Other Regulators (beyond the ICO)

The ICO won’t be the only regulator involved. FCA, the Environment Agency, General Pharamaceutical Council, Ofcom, CMA, Care Quality Commission and many more.


So there you have – SOME of the details of GDPR. We have looked at some  GDPR Tactics you must employ, followed by SOME more detailed action checklists and finally to ensure you are in control of your GDPR destiny, we looked at some of what you need to monitor and control. Part 1 introduced GDPR Situation which is a shock for many businesses and Part 2 explored Strategy. Embracing GDPR means protecting and caring for your customers’ personal data and this is a good thing. This will help to build a powerful data asset that help your organisation to fulfil its goals. The future looks bright when you embrace GDPR.

Sunrise in Greystones

The future looks bright when you embrace GDPR


Thanks to

Many thanks to Ardi Kolah, Henley Business School for the inspiration.

Please note this blog post is not a comprehensive set of legal guidelines. To complete your GDPR preparation, we advise you to check your local Information Commissioner Office or your Data Protection Commissioner.


Further Information

Information Commissioner’s Office (UK)

Data Protection Commissioner (Irl)


If you enjoyed this you might also enjoy:

Part 1 GDPR:  Opportunity to Boost CX or a Threat of Closure?

Part 2 GDPR: Objectives and Strategy

How Trump Won by analysing data to deliver extremely relevant and highly targeted messages that worked.

How To Write The Perfect Plan in 4 minutes using the SOSTAC ® Planning Framework (4 min. video)



Armstrong, Jonathan (2017) Cordery: ‘All you need to know about GDPR but were too afraid to ask’, GDPR Conference Europe, 27 Apr

Cameron, Gareth (2017) ICO: ‘The pathway to implementation’, GDPR Conference Europe, 27 Apr

Kolah, Ardi (2017) Henley Business School: Sizing the risk – carrying out a data protection impact assessment Lite

Miller, Nigel (2017) Fox Williams:  Individuals’ Rights Under The GDPR, GDPR Conference Europe, 27 Apr

Smith, PR (2018) SOSTAC® Guide to your perfect digital marketing plan

SOSTAC® Portal for SOSTAC® Certified Planners

Thanks to 

Ardi Kolah, Executive Fellow & Programme Co-Director, GDPR Transition Programme, Henley Business school, University of Reading.

Nick James, CEO of Amplified Business Content, hosts of GDPR Europe Conference

Ruairi Thomas, MD, DST Systems for the gold-fish observation!