PruAdviser on-line services will be unavailable from 16:00 on Saturday 11 December until 12:30 on Sunday 12 December for website maintenance.
Currently we are not able to show some detailed information for Retirement Account performance for clients. This will be restored on 13 December 2021. We're sorry for any inconvenience this causes.

GDPR Checklist

Author Image Nick Hunt Technical Manager, Specialist Business Support
4 minutes read
Last updated on 23rd May 2018


Use our checklist to ensure your business is GDPR compliant.

How to demonstrate that you are GDPR compliant?

Have you introduced measures to demonstrate that you are compliant. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies

  • Document your processing activities
  • If appropriate, appoint a Data Protection Officer
  • Introduce measures that meet the principles of data protection, including:
    • data minimisation;
    • pseudonymisation;
    • transparency;
    • allowing individuals to monitor processing; and
    • creating and improving security features on an ongoing basis.

The ICO also suggests that you have carried out a Data Protection Impact Assessment if appropriate to check how you’re doing, and whether you need to take action. 

Data Protection Impact Assessment (DPIA)

A DPIA will help you to minimise the risks. To assess the level of risk, consideration would have been given to both the likelihood and the severity of any impact on individuals. If you have identified a high risk and the risk cannot be mitigated, you must consult the ICO before starting the processing.

A DPIA is also required for certain types of processing, or any other processing that is likely to result in a high risk to individuals’ interests.  It is good practice to do a DPIA as part of compliance checking.

The ICO say that a DPIA must:

  • ''describe the nature, scope, context and purposes of the processing;
  • assess necessity, proportionality and compliance measures;
  • identify and assess risks to individuals; and
  • identify any additional measures to mitigate those risks''.

Consult your DPO (if you have one) and, where appropriate, individuals and relevant Data Protection professionals and possibly consult with third party processors.

GDPR checklist

Here are some key subjects and considerations. Depending upon the nature of your business and how you use personal data, you may have already explored these areas in greater depth and you may also have sought guidance and advice from DP professionals.



Ongoing Actions


Your staff may be aware of the Data Protection Act (DPA), but to what extent do they understand the GDPR and their new responsibilities?

In particular are your staff aware of your Data Privacy Policy and Privacy Notices, and the new rights of your customers?



Consult your DPO (if you have one) and, where appropriate, individuals and relevant data protection professionals and possibly consult with third party processors.

Keep a record of those who have undergone training and ensure this is part of your firm’s ‘induction programme’.

Continue to ensure all third parties you share customer information with, understand their obligations under GDPR and any implications. 

Data Protection Officer (DPO)

Have you decided to appoint a DPO, if so they will need training and full and impartial support of directors/partners.

Formalise the role of the DPO and ensure the business owners understand their responsibility to support the DPO in their duties.

Continue to review what data you hold and how it’s used

Understand all the types of personal data you hold and what it’s used for.

Also consider :

  • How will you ensure customers’ rights are upheld?
  • Will the way you hold and process personal data change in future?
  • Are you confident in the third party processors you work with and the way they hold and process data? Ensure your contractual agreements include GDPR compliance. 

Continue to map out all the personal data you hold, where it’s held and what it’s used for. Record this as either personal data or sensitive personal data.

Document how you are upholding your clients’ new rights.

Ensure receipt of all contracts with third party data processors.

Where you continue to deliver marketing communications electronically, consider how you are also meeting the requirements under Privacy and Electronic Communications Regulations (PECR). 

Legal grounds

What legal grounds will you access, hold, process and transfer personal data?

Where ‘consent’ is relevant, did you gain this before the GDPR deadline? 

Reflect your legal grounds in your Privacy Policy. 

Data Privacy Policy and Privacy Notices

You should now have a formal Data Privacy Policy and have notified your clients about how you use their data. Explicitly explaining how your firm has met GDPR.

Check that your staff understand and refer to your Data Privacy Policy where appropriate.

Consider inclusion in your ‘code of conduct’ (it’s not obligatory) but you may wish to work towards it as a way of demonstrating that you comply. 

Data security

Take a risk based approach to consider whether your arrangements for data security are sufficiently robust.

Have you received guidance from data security experts? Ensure that any arrangements are regularly reviewed. Ensure your staff are aware of the risks and causes of data loss. 

Labelled Under:
Government Regulation GDPR

"Prudential" is a trading name of Prudential Distribution Limited. Prudential Distribution Limited is registered in Scotland. Registered Office at Craigforth, Stirling FK9 4UE. Registered number SC212640. Authorised and regulated by the Financial Conduct Authority. Prudential Distribution Limited is part of the same corporate group as the Prudential Assurance Company. The Prudential Assurance Company and Prudential Distribution Limited are direct/indirect subsidiaries of M&G plc, a company incorporated in the United Kingdom. These companies are not affiliated in any manner with Prudential Financial, Inc, a company whose principal place of business is in the United States of America or Prudential plc, an international group incorporated in the United Kingdom.