1. Put together your GDPR implementation task force

2. Start the process, where applicable, of appointing your data protection officer

3. Review IT systems and internal processes to ensure that an individual's data can be extracted, both for the purpose of data portability (i.e. passing a copy to the data subject or to another controller) and so that such data can be deleted easily

4. Conduct an audit of what personal data your organisation holds, how it is being used, to whom it is being disclosed, and to where it is being transferred

5. Review and update customer privacy notices to reflect the new transparency requirements of the GDPR

6. Start reviewing data protection clauses used (both for templates and live negotiations) in supplier agreements to include the mandatory provisions and an appropriate change of law clause

7. Develop a template ‘data protection impact assessment’ to be used in any upcoming high risk projects

8. Suppliers performing the processor role will need to review the scope of their obligations and their liability/indemnity provisions, given their new direct exposure under the GDPR

9. Review existing processes and procedures for subject access requests, including the development of template response forms and an assessment of whether the one-month response deadline can be met

10. Review breach notification and management systems and procedures, including draft notification forms for notifications both to the supervisory authority and to affected individuals (or to controllers, as applicable)

11. Start putting together training materials to raise staff awareness of the new rules under the GDPR