Data Protection in a Nutshell – A Quick Reference Guide

Data Protection - Checklist Overview

Always required

  • We understand what ‘personal data’ and ‘processing’ of personal data are.
  • We understand the concepts of ‘data controller’ and ‘data processor’.
  • We know what personal data we process.
  • We only handle people’s data in ways they would reasonably expect.
  • We only collect the personal data we actually need for our specified purposes.
  • We have identified an appropriate lawful basis (or bases) for our processing.
  • We are transparent about what we do and we include details of our purposes in our privacy information for individuals.
  • We keep our personal data accurate.
  • We delete personal data that is no longer required.
  • We respond to an individual’s data protection request, such as a request for a copy of their personal data or a request to stop direct marketing.
  • We keep our personal data secure and confidential.

Required depending on your organisation

  • We have data processing agreements in place for all the data processors we use.
  • We notify individuals when we take decisions that affect them based solely on automated processing, and we are ready to reconsider such decisions on a different basis.
  • If we plan to use personal data for a new purpose, we check that it is compatible with our original purpose or we get specific consent for the new purpose.
  • As best practice, we have a policy that specifies how long we keep each type of personal data we process.
  • We clearly identify any personal data that we need to keep for public interest archiving, scientific or historical research, or statistical purposes.
  • We know whether safeguards need to be in place when we or our data processors transfer personal data abroad.
