Consent and GDPR

What a GDPR checklist can do for you (and what it can’t)


The internet is full of GDPR checklists – even the regulator has one! Open Google and you’ll be greeted by generous law firms and consultants offering to provide you with free checklists in return for you parting with your contact details.


Some not so generous law firms and consultants might even charge you for their checklists – which is effectively charging you to tell you what you haven’t done! If you are not being offered a checklist, you are being bombarded with GDPR audits, summaries and seven step guides to compliance.


Let’s be clear, having a checklist is not enough to establish compliance with the GDPR. Completing a checklist will tell you what pieces of your compliance jigsaw you are missing. It will not tell you where to find the missing pieces and how to use them to complete your compliance jigsaw.


Depending on which way you see it, knowing what you haven’t done might be a relief, but it is more likely to lead to panic. And panic is never good.

Why is the internet full of GDPR checklists?


Many companies are exploiting the fact that there is an impending deadline to persuade organisations into getting something that they think they might need.


A lot of these checklists simply repeat what is available for free from the ICO website and they are certainly not tailored to specific organisations. Don’t be surprised if a number of the questions appear tricky to answer – this is what they are designed for. If you can’t answer it then a provider of the checklist steps in to help and offers to answer the questions for a fee, which probably increases the closer we get to the GDPR deadline of 25 May 2018.


In other words, checklists are a means by which companies offering consultancy can generate work for themselves. They are a marketing tool.

If a checklist isn’t the answer, what is?


A checklist sounds easy, right? Unfortunately, data protection compliance is not. It requires the implementation of a data protection compliance programme which is embedded within a company and its culture. Data protection compliance needs to come from inside an organisation, not be imposed upon it by outside consultants or lawyers. A data compliance programme needs to be tailored to an organisation.


The only people who can do this are those people working within that organisation. All those people need is guidance and some tools to make their job easier.

How do we make establishing a data protection compliance programme easier?


That is where The Privacy Compliance Hub comes in. It allows organisations to build their own tailored data protection and GDPR compliance programme. The Hub provides a methodology for you to follow, together with a project management tool and over thirty templates for you to use. It then incorporates this in a simple-to-use, web-based platform from which you can demonstrate your compliance – whether that is to a regulator or a data subject.


With The Hub you have direction. You’ll be told what to do, how and when to do it, and whose responsibility it is by a source you can trust. Our highly experienced founders have worked with data protection compliance for a very long time and have devoted their time to creating a Hub that works.


Our founders love talking about data protection, privacy and the GDPR, so feel free to drop us an email by using the contact form on our website, or using the comments section below. For more practical articles, please feel free to explore our blog where there is lots more useful information.