GDPR (UK GDPR post-Brexit) applies to any organisation processing personal data of individuals in the UK or EU. Non-compliance can result in fines up to £17.5 million or 4% of global annual turnover under UK GDPR. This checklist covers the key obligations every organisation must address.
Lawful Basis for Processing
You must have a lawful basis before processing
GDPR Article 6 requires a lawful basis for every processing activity. Document your basis in a Record of Processing Activities (RoPA). You cannot retroactively choose a different basis if challenged.
| Lawful Basis | When It Applies | Example | Key Restriction |
|---|---|---|---|
| Consent | Data subject has given clear, unambiguous, freely given consent | Newsletter subscriptions, marketing cookies | Must be withdrawable at any time; no pre-ticked boxes |
| Contract | Processing necessary to fulfil a contract with the individual | Processing customer address to deliver an order | Only use what's necessary for the contract |
| Legal Obligation | Processing required by UK law | PAYE payroll, right-to-work checks | No opt-out; document the specific legal requirement |
| Vital Interests | Necessary to protect someone's life | Emergency medical situations | Rarely applicable outside healthcare |
| Public Task | Exercise of official authority or public interest task | Local government, public health bodies | Must have clear lawful power/duty |
| Legitimate Interests | Balanced against individual's rights and interests | Fraud prevention, network security, direct marketing | Must document LIA (Legitimate Interests Assessment) |
Data Mapping & Records of Processing (RoPA)
Data Subject Rights Compliance
Personal Data Breach Response Checklist
72-hour ICO notification deadline
Under UK GDPR Article 33, if a breach is likely to result in risk to individuals' rights and freedoms, you must notify the ICO within 72 hours of becoming aware. Many organisations miss this deadline. Have a response plan ready.