Get an understanding of GDPR, tailored to your industry, so that you understand what matters for your organisation. This is particularly important if you are working with children or vulnerable adults.
Understand what personal data your organisation uses, where it came from and why it is held. This includes electronic databases and hard copy filing.
Ensure you have appropriate consent processes that give individuals control of their data. This includes how you ask for consent, how that consent is recorded and what happens if consent is not given.
Consent is not the only legal basis for data processing. Make sure you understand the use of legitimate interests as a basis for lawful processing.
Understand the strengthened individual rights and the ability of your organisation to meet them. This includes knowing where data is held, deleting data that is no longer needed and how you might pass data on to third parties when needed.
Review your existing data protection regime and determine what needs to improve to meet GDPR; for example the ability to detect, report and investigate a personal data breach. The regime should satisfy both the letter and spirit of the law.