We have been working through the guidance provided by the Information Commissioners Office to ensure that our practices comply with the EU General Data Protection Regulations coming into force on 25th May 2018.

The assessment tool to ensure readiness is linked here https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/data-controllers/ from which we have gained the below recorded assessment of readiness.

Your overall rating was red on 4/12/2017

  • 25: Not yet implemented or planned
  • 0: Partially implemented or planned
  • 0: Successfully implemented
  • 4: Not applicable

Your overall rating was amber on 4/2/2018

  • 2: Not yet implemented or planned
  • 17: Partially implemented or planned
  • 3: Successfully implemented
  • 7: Not applicable

Your overall rating was green on 7/2/2018

  • 0: Not yet implemented or planned
  • 3: Partially implemented or planned
  • 18: Successfully implemented
  • 8: Not applicable

AMBER: partially implemented or planned

Your business provides data protection awareness training for all staff. 


Where you have only partially implemented measures, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • provide induction training on or shortly after appointment;
  • update all staff at regular intervals or when required (for example, intranet articles, circulars, team briefings and posters); and
  • provide specialist training for staff with specific duties, such as marketing, information security and database management.


Think privacy toolkit, ICO website

Training checklist for small to medium sized organisations, ICO website


Your business has nominated a data protection lead or Data Protection Officer (DPO).


Where you have only partially implemented measures, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • designate responsibility for data protection compliance to a suitable individual;
  • support the appointed individual through provision of appropriate training;
  • ensure there are appropriate reporting mechanisms in place between the individual responsible for data protection compliance and senior management;
  • register the details of your DPO with the ICO; and
  • document the internal analysis carried out to determine whether or not a DPO is to be appointed, unless it is obvious that your organisation is not required to designate a DPO.


Guide to the GDPR - Data protection officers, ICO website


Decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.


Where you have only partially implemented measures, please select the appropriate actions from the detail below:

Suggested actions

You should:

  • clearly set out your business’s approach to data protection and assign management responsibilities;
  • ensure you have a policy framework and information governance strategy in place to support a positive data protection and security culture which has been endorsed by management;
  • assess and identify areas that could cause data protection or security compliance problems and record these on your business's risk register;
  • deliver training which encourages personal responsibility and good security behaviours; and
  • run regular general awareness campaigns across your business to educate staff on their data protection and security responsibilities and promote data protection and security awareness and compliance.


Think Privacy training, ICO website



GREEN: successfully implemented

Your business has conducted an information audit to map data flows.

Your business has documented what personal data you hold, where it came from, who you share it with and what you do with it.

Your business has identified your lawful bases for processing and documented them.

Your business has reviewed how you ask for and record consent.

Your business has systems to record and manage ongoing consent.

If your business relies on consent to offer online services directly to children, you have systems in place to manage it.

Your business has made privacy notices readily available to individuals.

Your business has established a process to recognise and respond to individuals' requests to access their personal data.

Your business has processes in place to ensure that the personal data it holds remains accurate and up to date

Your business has a process to securely dispose of personal data that is no longer required or where an individual has asked for it to be erased.

Your business has procedures to respond to an individual’s request to restrict the processing of their personal data.

Your business has procedures to handle an individual’s objection to the processing of their personal data.

Your business has an appropriate data protection policy.

Your business monitors its own compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls.

Your business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.

Your business has implemented appropriate technical and organisational measures to integrate data protection into your processing activities.

Your business has an information security policy supported by appropriate security measures.

Your business has effective processes to identify, report, manage and resolve any personal data breaches.


Not applicable

Your business is currently registered with the Information Commissioner's Office.

If your business offers online services directly to children, you communicate privacy information in a way that a child will understand.

Your business has processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.

Your business has identified whether any of its processing operations constitute automated decision making and have procedures in place to deal with the requirements.

Your business has a written contract with any data processors you use.

Your business understands when you must conduct a DPIA and has processes in place to action this.

Your business has a DPIA framework which links to your existing risk management and project management processes.

Your business ensures an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Economic Area