Identify whether you are a Controller or a Processor (you may be both, for different processing activities)
Document the Data you currently hold.
Document your Policies and Procedures for handling personal data.
Put in place Procedures for Subject Access Requests including how you will verify the identity of the requestor
Document your security procedures in relation to Personal Data
Document your Data Breach Notification Policy and Procedures, including how you will meet the 72-hour deadline for notifying the supervisory authority and when you must also inform the affected individuals
Revisit your Privacy Notices to make sure they are compliant
Identify your legal basis for processing personal data
Check your Consent mechanisms (current and historical) and ensure they are in compliance with the GDPR
Check your Third party processing Obligations
Check your contractual agreements to ensure they are in line with the GDPR
Check whether your Legitimate Interests for Processing are overridden by the individual's rights and freedoms under the GDPR (the balancing test), and record the outcome
Carry out a Risk Assessment on the personal data you hold
Prepare to run a Privacy Impact Assessment on any future high-risk projects – referred to under the GDPR as a DPIA (Data Protection Impact Assessment)
Educate your Staff about the GDPR and how it will impact their roles.
If dealing with Children – check your obligations regarding age verification and parental consent (the GDPR sets the age of digital consent at 16, which member states may lower to no less than 13)