Document: WHAT personal data is held; WHERE that data came from and WHO it is shared with


  • Conduct an information audit across the organisation to map data flows.
  • Working with Senior Management, design and implement appropriate technical and organisational measures to ensure Data Protection is designed into all processes.
  • Working with Senior Management, design a Data Privacy Impact Analysis (DPIA) framework which links to existing risk management and project management processes.
  • Working with Senior Management, identify a suitable individual within the organisation to designate responsibility for data protection compliance.
  • If the business is a public authority, or it carries out large-scale monitoring of individuals, or it carries out large-scale processing of special categories of data or data relating to criminal convictions and offences, then, working with Senior Management, identify a suitable individual to be appointed as a Data Protection Officer (DPO).
  • Working with Senior Management, ensure the data protection lead is supported through provision of appropriate training and reporting mechanisms.
  • If the organisation has fewer than 250 employees, define and maintain the required records of all activities related to higher risk processing.
  • If the organisation has more than 250 employees, define and maintain the required additional internal records of all processing activities.
  • Review the processing of data and identify and document the lawful basis for the processing activities.


  • Data and data processing map
  • A plan for Data Protection by Design
  • A documented DPIA framework
  • An appointed Data Protection Lead or DPO with an agreed training and support plan that reports directly to Senior Management
  • An appropriate internal record keeping mechanism