The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Step 1 of 4: Lawfulness, fairness and transparency

1.1 Information you hold

Your business has conducted an information audit to map data flows.



Your business has documented what personal data you hold, where it came from, who you share it with and what you do with it.



1.2 Lawful basis for processing personal data

Your business has identified your lawful bases for processing and documented them.



1.3 Consent

Your business has reviewed how you ask for and record consent.



Your business has systems to record and manage ongoing consent.



1.4 Consent to process children’s personal data for online services

If your business relies on consent to offer online services directly to children, you have systems in place to manage it.



1.5 Vital interests

If you may be required to process data to protect the vital interests of an individual, your business has clearly documented the circumstances where it will be relevant. Your business documents your justification for relying on this basis and informs individuals where necessary.



1.6 Legitimate interests

If you are relying on legitimate interests as the lawful basis for processing, your business has applied the three part test and can demonstrate you have fully considered and protected individual’s rights and interests.



1.7 Data Protection Fee

Your business is currently registered with the Information Commissioner's Office.