The ICO exists to empower you through information.

20 May 2024

Overall rating

Your overall rating was green.

  • 0: Not yet implemented or planned
  • 0: Partially implemented or planned
  • 15: Successfully implemented
  • 3: Not applicable


GREEN: successfully implemented

Your business has conducted an information audit to map data flows.


Your business has documented what personal data you hold, where it came from, who you share it with and what you do with it.


Your business has an appropriate data protection policy.

Decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.

Your business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.

Your business has implemented appropriate technical and organisational measures to integrate data protection into your processing activities.

Your business provides data protection awareness training for all staff. 

Your business only processes data on the documented instructions of a controller and there is a written contract setting out the respective responsibilities and liabilities of the controller and your business.

Your business has sought prior written authorisation from the data controller before engaging the services of a sub-processor.

Your business has a process to respond to a controller's request for information (following an individuals' request to access their personal data).

Your business has a process to routinely and securely dispose of personal data that is no longer required, in line with the agreed timescales stated in your contract with the controller.

Your business has procedures to respond to a controller's request to suppress the processing of specific personal data.

Your business can respond to a request from the controller to supply the personal data you process in an electronic format.

Your business has an information security policy supported by appropriate security measures.

Not applicable

Where required, your business has appointed a Data Protection Officer (DPO). In other cases, you have nominated a data protection lead.

If your business operates outside the EU, you have appointed a representative within the EU in writing.

Your business has processes to ensure that the personal data you hold remains accurate and up to date.



You can download this report as a Word document using the button on the top right corner of the page. If you have a problem downloading the report into a Word document please let us know.

Thank you for completing this checklist. Please complete our short feedback survey to help improve our toolkit.

The survey should take around three minutes to complete.