The GDPR takes force from 25 May 2018. You should start planning so that on that date you can demonstrate compliance with the GDPR. Businesses are expected to put into place comprehensive but proportionate governance measures. The following checklist will allow you to prepare for the GDPR by documenting existing procedures, looking for areas to strengthen. You will need to use your judgement to confirm you have proportionate governance measures if you complete the planning yourself or you may choose to use an external consultant. Document the actions you are planning to take and note the changes. \tReview all data held and ask \u201cwhy is it held?\u201d and \u201cdo you still need it?\u201d and \u201cis it safe?\u201d Make sure you note the different sorts of data you hold e.g. employees, customers, suppliers, third parties; \tLook at your consent procedures as well as privacy notices on your web site and terms of business. Do you get customers to positively agree to you holding their data; \tDocument the reasons you hold data e.g. consent, legitimate interests or a legal obligations to collect and process data; \tPlan how you will handle data requests and the right to be forgotten from individuals within the new timescales; \tLook at your processes to keep data safe, identify any problem areas (e.g. data held on mobile devices) and decide how you can reduce the risk of data breaches (e.g. encryption). This will mean looking also at your back-up security of data, computer and passwords and identifying new technology to help you comply with the GDPR; \tDocument the procedures you have in place to detect, report and investigate data breaches and let everyone in your business know about your new data protection policy; \tConsider who in your business will be the person responsible for the GDPR and making sure all employees are aware of the new regulations and ensuring compliance.