Annual Compliance Review Checklist
Run this once a year, and whenever you adopt a new tool, partner, or data use.
Know your data
- [ ] Your record of what personal data you hold and why is up to date.
- [ ] You have removed or securely disposed of data you no longer need.
Transparency
- [ ] Your privacy notice still matches what you actually do.
- [ ] Any new data uses this year are reflected in the notice.
Lawful basis and consent
- [ ] Each processing activity still has a clear lawful basis.
- [ ] Marketing consents and opt-outs are being honoured.
Rights and requests
- [ ] You can handle access and correction requests on time.
- [ ] Any requests this year were logged and answered properly.
Security
- [ ] Access rights are still correct, and leavers have been removed.
- [ ] Backups exist and have been tested.
- [ ] Software and devices are up to date.
Processors and sharing
- [ ] Your list of processors is current, with written contracts in place.
- [ ] Data sharing arrangements still have a basis and disclosure.
Incidents
- [ ] Any breaches this year were recorded and learned from.
- [ ] Your breach response plan is current and known to staff.
Action
- [ ] Gaps found this year are written up as dated, owned tasks.
Legal note. This is a general checklist, not legal advice. Adapt it to your business and confirm specifics against the Act.
