Data Protection Officers and security professionals at large corporates may be lucky enough to have a well-resourced team that has had plenty of time to meet all the requirements of the General Data Protection Regulation (GDPR). They will have been able to get the training department to develop and run training courses, work up policies and procedures (probably with the help of the legal department) and they’ll have a ton of documentation to demonstrate their compliance.

However SMEs – especially those without a full time data protection resource – might struggle to know if they have addressed all the requirements of GDPR.

One quick way for senior executives and those responsible for data privacy in an organisation can check for gaps in their GDPR compliance is simply to consider how you would respond to questions that a regulator might ask if you found yourself in the unfortunate position of being under investigation for a data breach or other non-compliance issue.

We already know from the Information Commissioner’ Office Draft Regulatory Action Policy how the ICO is likely to enforce the regulations and the processes involved in investigating breaches.

Here’s a sample of some questions you might get asked:

Can we see your GDPR awareness training materials and the log of who has attended/completed each module?

– Can you show me your internal Privacy and Data Security policies and any other guidance or codes of practice you adhere to?

– Can we see contracts you have with third party processors?

– Can you show us your personal data audit and how you arrived at the lawful grounds for processing personal data?

– Can you demonstrate the security measures you have in place to protect personal data?

– Can you show us how data subject access requests are recorded and processed?

– Can we see your procedures for reporting breaches of the GDPR to the ICO?

– Can you give me a copy of the job description of the person(s) responsible for GDPR?

– Can we see the risk assessments and where appropriate Data Protection Impact Assessments (DPIA) for projects you are currently working on?

If you are comfortable that you could quickly answer questions like these and present any required documentation, chances are your organisation is in pretty good shape in terms of protecting personal data and compliance with the GDPR.

However, if you can see areas where you would struggle – or it would take an inordinate amount of time and resource – to respond, best address the situation now.

As with many things in business and in life, an ounce of prevention is much cheaper than a pound of cure!

If you need to speak to an expert about your GDPR compliance journey, just fill in the form to the right or email to see if we can help smooth the path.

To keep up with the latest GDPR news and get more practical, actionable advice on data privacy and protection sign up for our newsletter.


ICO Draft Regulatory Guidance

ICO Guide to the General Data Protection Regulation 




Need to speak to an expert about data privacy and protection?


Need help with your compliance strategy for GDPR and other data protection legislation?


Complete the enquiry form to arrange a no-obligation call to see if we can help.