The ICO exists to empower you through information.

This self assessment toolkit has been created with small organisations in mind. It will be most helpful to small to medium sized organisations from the private, public and third sectors. 

Good information handling makes good business sense. You'll enhance your business's reputation, increase customer and employee confidence, and by making sure personal information is accurate, relevant and safe, save both time and money.

Use our checklists to assess your compliance with data protection law and find out what you need to do to make sure you are keeping people’s personal data secure. Once you have completed each self assessment checklist a short report will be created suggesting practical actions you can take and providing links to additional guidance you could read that will help you improve your data protection compliance.

Small business owners and sole traders are advised to complete our Small business owners and sole traders checklist.

Data protection assurance checklists

Before undertaking our Data protection assurance self assessment checklists, you should first determine whether you process personal data as a “controller” or “processor”. The definition of these two terms can be found in our Guide to the UK GDPR.

In some instances, you will process personal information as both a controller and a processor. When this is the case, we would advise you complete both checklists.

Controllers checklist

Designed to help you, as a controller, assess your high level compliance with data protection legislation. Includes the rights of individuals, handling requests for personal data, consent, data breaches, and data protection impact assessments under the General Data Protection Regulations.

Start now

Processors checklist

Designed to help you, as a processor, understand and assess your high level compliance with data protection legislation. Includes the requirements for processors, the rights of individuals and data breaches under the General Data Protection Regulations.

Start now

Information security

Assess your compliance with data protection in the specific areas of information and cyber security policy and risk, mobile and home working, removable media, access controls and malware protection

Start now

Direct marketing

Assess your business in the area of direct marketing in line with the Privacy and Electronic Communications Regulation (PECR) and data protection  legislation. Includes consent and bought-in marketing lists, and telephone, email, text and postal marketing.

Please note, direct marketing is the promotion of aims and ideals as well as the sale of products and services.

Start now

Records management

Assess your records management procedures and risks to people’s personal information. Includes record creation, storage and disposal, access, tracking and off-site storage.

Start now

Data sharing and subject access

Designed to help assess your data sharing policies and agreements, compliance monitoring, maintaining sharing records, registration and your process for how to deal with a request for personal data.

Start now

CCTV

Data protection law covers the use of CCTV. This checklist help you to assess the compliance of your CCTV systems including the installation, management, operation, public awareness and signage.

Start now