Guide to GDPR

The 25th of May is the date that GDPR will become applicable across Europe. We have put together a checklist to make sure your business is prepared:


  • Have you educated yourself as to what changes GDPR is bringing about (e.g. by attending a GDPR training/information session)?
  • Are you aware of exactly what data you collect and process?
  • Have you educated your staff in relation to how GDPR will impact on their role?
  • Have you an internal procedure in place to deal with Data Access Requests?

Lawful, fair and transparent processing

  • Do you have a legal basis for collecting all data?
  • Where consent is relied upon is the consent adequate under GDPR?
  • Was the consent freely given?
  • Was the consent informed (i.e. was the data subject aware of the purpose for which it was required)?
  • Can you prove consent if required to do so?
  • If the consent you currently hold is not adequate under GDPR, have you re-sought consent?
  • Is a process in place to allow for the withdrawing of consent?

Purpose Limitation

  • Is data only used for the purpose for which it was originally collected?

Data Minimisation

  • Do you only hold data that you genuinely require and is relevant?
  • Where irrelevant data has been identified, has a process been put in place to erase?

Data Accuracy

  • Can you be sure data that you have collected is accurate and up to date?
  • If not, is a process in place to ensure that this data is updated?
  • Is a process in place to ensure personal data is kept up to date going forward?
  • Is there a process in place for ensuring necessary changes can be made without delay?

Storage Limitation

  • Is data only being retained for as long as is necessary?
  • Do you know what types of data have legislative retention periods?
  • For data that is not subject to a legislative retention period, have you given careful consideration to how long it will be retained for?
  • Are data subject aware how long their data will be retained for?
  • Is a process in place to ensure there is no unnecessary duplication of data?

Integrity and Confidentiality

  • Is a process in place to prevent loss of data?
  • Is a process in place to prevent unintended/unauthorised destruction of data?
  • Is a process in place to prevent unauthorised access/disclosure of data?
  • Is a process in place to prevent unintended/unauthorised alteration of data?
  • Is data only accessible by those who require access to it?
  • Have you accessed the risks involved with the data that you collect and put a process in place to mitigate these risks?
  • Do you have a Data Security Policy in place?
  • Do you have an incident response policy in place?


  • Have you collated a Data Inventory outlining a complete list of all data you collect?
  • Do you have a Data Protection Policy in place?

For more information please read ISME's guide to GDPR:

Download (PDF, 569KB)

join isme

Become part of Ireland’s biggest business network