This checklist is based on UK law. It was last updated in February 2008.
This checklist is intended as an aide memoire for those who already understand the basics of data protection. It is not an exhaustive list.
Appoint a data protection officer or someone with compliance responsibility.
Ensure that the company is registered (notified) with the Information Commissioner if required and keep that registration up to date. Remember that separate members of your group will need separate registrations if they are also data controllers in their own right.
Identify all collection points of data, e.g. websites, application forms, in-bound and out-bound telephone calls, emails, SMS, faxes, CCTV, employment application forms, attendance at events or functions or exchanges of business cards.
Identify what data are collected and whether directly from the data subject or via a third party.
Identify all purposes for processing, all internal and external access and all disclosures of data.
Identify all marketing activities and make sure the Privacy and Electronic Communications Regulations are complied with.
Draft and put in place an appropriate Data Protection Notice in each collection process setting out all purposes for processing and all disclosures.
Consider how you will provide a Data Protection Notice to individuals where you obtain their information via a third party.
Train all staff who come into contact with personal data. Employees attract personal criminal liability for knowingly or recklessly disclosing or obtaining personal data without the authority of the data controller.
Train staff to recognise subject access requests from data subjects.
Train managers who make decisions about databases.
Ensure that Data Protection Notices are provided to all employees containing an explicit consent statement to the processing of their sensitive personal data. Consider what else employees need to be told.
Identify any processing that involves decisions taken solely by automated means and put a review or appeal procedure in place for any customer or employee who is turned down by such a decision, for example by psychometric testing or credit-scoring software.
Identify the grounds under Schedule 2 (and the grounds under Schedule 3 for sensitive personal data) which give legitimacy to processing, e.g. consent, explicit consent, contract or legitimate interest.
If the ground is consent, ensure that your Data Protection Notices include consent statements that elicit a positive, affirmative response from customers and business contacts; silence or inactivity is not consent.
Identify all third party data processors used by the company. Ensure that written data processor contracts are in place obliging the processor to act only on your instructions and to maintain adequate security.
Identify all transfers of personal data, distinguishing transfers within the EEA from transfers to countries outside it. For transfers outside the EEA, put appropriate contracts or other compliance methods in place.
Ensure that IT systems provide security appropriate to the data held, against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Identify all manual files and decide whether they fall within the Act's definition of a "relevant filing system".
Review security of processing in the light of ISO 17799 (renumbered ISO/IEC 27002 in 2007): physical, logical, technical and operational measures to ensure the security of processing.
Review procedures for ensuring the quality of data: how often are data reviewed for accuracy and kept up to date?
Put in place processes and procedures to identify and satisfy subject access requests.
Review internet and e-mail policies and CCTV policies to make sure they comply with the Data Protection Act 1998, the Regulation of Investigatory Powers Act 2000 and the Information Commissioner's Guidance.
Put in place processes to deal with requests for disclosure by the Police, HM Revenue & Customs (formerly the Inland Revenue) or other Government departments, including a check that each request is properly authorised before data are released.
Review employment contracts, disciplinary procedures and guidance issued to employees.
Put a data protection help site and help line on the intranet.