Helping to speed
up your GDPR

A comprehensive checklist created from the Information Commissioner's Office regulatory guidance and combined with best practice material to deliver over 500 GDPR compliance safeguards.


The GDPR requires organisations
to maintain records of
processing activities in an
effort to update rights for a
networked world.

Lawful basis

For processing to be lawful under the GDPR, an organisation needs to identify a lawful basis before it can process personal data which in turn has an effect on individuals’ rights. The regulation defines the lawful bases available for processing personal data along with special categories of data and organisations must document this.


Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action and consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions and there must be simple ways for people to withdraw it.


This is a lawful basis if personal data needs to be processed to fulfil contractual obligations to them; or because they have asked the organisation to do something before entering into a contract (eg provide a quote). If it could reasonably achieve what they want without processing their personal data, this basis will not apply. The decision to rely on this lawful basis should be documented with justified reasoning.

Records of processing

If an organisation has more than 250 employees, it must maintain internal records of its processing activities. With less than 250 employees, it is required to maintain records of activities related to higher risk processing.

Privacy notices

The regulation includes rules on giving privacy information to data subjects which place an emphasis on making privacy notices understandable and accessible. Whilst data controllers are expected to take appropriate measures to make this happen there is still discretion to consider where the information required by GDPR should be displayed in different layers of a notice.


There are new provisions intended to enhance the protection of children’s personal data. Where services are offered directly to a child, an organisation must ensure that its privacy notice is written in a clear, plain way that a child will understand. If an online service is offered to children, consent may be needed from a parent or guardian to process the child’s data.

Solvassure. Compliance Technology.