Checklist: GDPR compliance self-assessment audit (UK)

Updated as of: 16 January 2025

Introduction

This checklist will assist in-house counsel and risk and compliance teams auditing their organisation’s compliance with the GDPR, or private practitioners assisting their clients with this process.

The checklist is UK-focused but covers:

  • general requirements under the EU GDPR, as these may still be relevant to some UK organisations to which the EU GDPR applies due to the application of the extra-territorial scope provisions in Article 3(2), EU GDPR; and
  • the ICO’s interpretation of such EU GDPR requirements.

However, it does not cover any local EEA data protection law requirements or interpretation of the EU GDPR by EEA data protection regulators.

The checklist follows the structure of the GDPR and addresses the following areas:

  1. Principles and lawful processing
  2. Data subject rights
  3. Controller and processor
  4. Security and personal data breaches
  5. Data protection impact assessments and prior consultation
  6. Data protection officer
  7. Codes of conduct and certifications
  8. International data transfers

It aligns with How-to guide: How to ensure compliance with the GDPR and covers the organisation’s processing activities in respect of customer and user data, and internal employee data. At the end of the document there are explanatory notes corresponding to the relevant step in the checklist.

The checklist focuses on mandatory / key issues and there may be additional measures that an organisation would take as a matter of good practice.

Key definitions, such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’ and ‘processing’, are further explained in How to Guide: Understanding key data protection definitions.

This checklist can be used in conjunction with How-to guides: How to ensure compliance with the GDPR and How to deal with a GDPR data breach and Checklists: Lawful processing of personal data under the GDPR, Data subject access rights under the GDPR and When and how to appoint a data protection officer.

The checklist provides a methodology for auditing an organisation’s compliance with the key requirements under the GDPR. It:

  • suggests documents and other aspects to check when making your assessment; and
  • indicates whether the requirement applies to controllers or processors, or both.

The print version allows you to indicate whether the organisation complies with the relevant requirement, and includes space to note any follow-up actions that may be required.

Step 1 – Principles and lawful processing

Columns: No. | Requirement | What to check | Controller / Processor responsible?

1.1 The data protection principles are met when processing personal data
What to check:
  • Internal data handling / data protection policy
  • Employee privacy notices
  • Information security policies
  • External facing privacy notices
  • Data retention policy
  • Data inventory / records of processing
  • Inspect relevant systems, processes and controls
Responsible: Controller

1.2 Accountability and data protection governance measures are in place. In particular, the organisation has:
  • appropriate policies and procedures;
  • required records (eg, records of processing and of data breaches);
  • appointed a DPO if required;
  • DPIAs for all high-risk processing;
  • contracts with all processors and joint controllers;
  • determined which data protection regulators have jurisdiction;
  • maintained all registrations with and paid all fees to data protection regulators;
  • appointed a representative where required (see 3.4); and
  • trained staff on data protection with regular refreshers.
What to check:
  • Data mapping
  • Internal data handling / data protection policy
  • Employee privacy notices
  • Information security policies
  • External facing privacy notices
  • Data retention policy
  • Data inventory / records of processing
  • Data breach records
  • DPO appointment – employment contract / job specification / services contract
  • Data protection impact assessments (DPIAs)
  • Process for performing due diligence on processors
  • Processor contracts and joint controller arrangements
  • Lead data protection regulator (or ‘supervisory authority’) determination (if your organisation has multiple EEA establishments as well as a UK establishment(s))
  • Registrations with data protection regulators
  • Representative agreements
  • Staff data protection training records
Responsible: Controller

1.3 Each processing activity has a valid lawful basis (eg, valid consents)
What to check:
  • Internal data handling / data protection policy
  • Employee privacy notices
  • External facing privacy notices
  • Consent forms (online and hard-copy)
  • Legitimate interests assessments (LIAs)
  • Customer / user terms
  • Employment contracts
Responsible: Controller

1.4 All special category data processing meets a relevant exemption
What to check:
  • Internal data handling / data protection policy
  • Employee privacy notice
  • Special category data policy (or ‘appropriate policy document’) – UK only
  • External facing privacy notices
  • Consent forms (online and hard-copy)
  • Customer / user terms
  • Employment contracts
Responsible: Controller

1.5 All criminal data processing meets the relevant conditions
What to check:
  • Internal data handling / data protection policy
  • Employee privacy notice
  • Criminal data policy (or ‘appropriate policy document’) – UK only
  • External facing privacy notices
  • Customer / user terms
  • Employment contracts
Responsible: Controller

1.6 De-identified / anonymous data is used wherever possible
What to check:
  • Internal data handling / data protection policy
  • Anonymisation policy / procedure
  • Inspect relevant systems, processes and controls
Responsible: Controller

Step 2 – Data subject rights (DSRs)

Columns: No. | Requirement | What to check | Controller / Processor responsible?

2.1 Required privacy information is given to individuals whose data is processed (transparency)
What to check:
  • Employee privacy notices
  • External facing privacy notices
  • Consent forms (online and hard-copy)
  • Customer / user terms
  • Employment contracts
  • Inspect relevant systems, processes and controls
Responsible: Controller

2.2 The right of access to data is provided
What to check:
  • Internal data handling / data protection policy
  • Data subject request policy
  • Employee privacy notices
  • External facing privacy notices
  • Inspect relevant systems, processes and controls
Responsible: Controller

2.3 The right of rectification / correction is provided
What to check:
  • Internal data handling / data protection policy
  • Data subject request policy
  • Employee privacy notices
  • External facing privacy notices
  • Inspect relevant systems, processes and controls
Responsible: Controller

2.4 The right to erasure / to be forgotten is provided (where applicable)
What to check:
  • Internal data handling / data protection policy
  • Data subject request policy
  • Employee privacy notices
  • External facing privacy notices
  • Inspect relevant systems, processes and controls
Responsible: Controller

2.5 The right to restriction of processing is provided (where applicable)
What to check:
  • Internal data handling / data protection policy
  • Data subject request policy
  • Employee privacy notices
  • External facing privacy notices
  • Inspect relevant systems, processes and controls
Responsible: Controller

2.6 There is a process for communicating rectification, erasure and restriction requests to third parties that hold relevant data
What to check:
  • Data mapping
  • Internal data handling / data protection policy
  • Data subject request policy
  • Third-party contracts
  • Employee privacy notices
  • External facing privacy notices
  • Inspect relevant systems, processes and controls
Responsible: Controller

2.7 The right to data portability is provided (where applicable)
What to check:
  • Internal data handling / data protection policy
  • Data subject request policy
  • Employee privacy notices
  • External facing privacy notices
  • Inspect relevant systems, processes and controls
Responsible: Controller

2.8 The right to object (including to direct marketing) is provided (where applicable)
What to check:
  • Internal data handling / data protection policy
  • Data subject request policy
  • Employee privacy notices
  • External facing privacy notices
  • Inspect relevant systems, processes and controls
  • Marketing communications templates etc
Responsible: Controller

2.9 Rights are provided in relation to solely automated decision-making, including profiling (where applicable)
What to check:
  • Internal data handling / data protection policy
  • Data subject request policy
  • Employee privacy notices
  • External facing privacy notices
  • Inspect relevant systems, processes and controls
Responsible: Controller

2.10 When acting as a processor for another organisation, technical and organisational measures are in place to support DSRs
What to check:
  • Internal data handling / data protection policy
  • Data subject request policy
  • Processor contracts
  • Controller instruction manuals
  • Inspect relevant systems, processes and controls
Responsible: Processor

Step 3 – Controller and processor

Columns: No. | Requirement | What to check | Controller / Processor responsible?

3.1 Appropriate technical and organisational measures are in place for ensuring GDPR-compliant processing
What to check:

Organisational measures:

  • Data mapping
  • Internal data handling / data protection policy
  • Employee privacy notices
  • Information security policies
  • External facing privacy notices
  • Data retention policy
  • Data inventory / records of processing
  • Data breach records
  • DPO appointment – employment contract / job specification / services contract
  • Data protection impact assessments (DPIAs)
  • Processor contracts and joint controller arrangements
  • Lead data protection supervisory authority determination
  • Registrations with data protection regulators
  • Representative agreements (see 3.4)
  • Staff data protection training records

Technical measures:

  • Inspect relevant systems, processes and controls
Responsible: Controller

3.2 Data protection by design and default principles are implemented
What to check:
  • Developer guidelines
  • Inspect relevant systems, processes and controls
Responsible: Controller

3.3 Joint controller arrangements are properly documented
What to check:
  • Data mapping
  • Organisational charts
  • Data inventory / records of processing
  • Joint controller contracts / data sharing agreements
  • Employee privacy notice
  • External facing privacy notices
Responsible: Controller

3.4 Representatives are appointed where necessary
What to check:
  • Data mapping
  • Organisational charts
  • Representative agreements
  • Employee privacy notice
  • External facing privacy notices
Responsible: Controller and processor

3.5 Pre-contract due diligence is done on all processors (sufficient guarantees)
What to check:
  • Data mapping
  • Procurement guidance / due diligence checklists
Responsible: Controller

3.6 Mandatory contract terms are in place for all controller / processor arrangements
What to check:
  • Data mapping
  • Procurement guidance / due diligence checklists
  • Processor contracts
Responsible: Controller and processor

3.7 When acting as a processor for another organisation, personal data is processed only on the controller’s instructions
What to check:
  • Processor contracts
  • Controller instruction manuals
  • Inspect relevant systems, processes and controls
Responsible: Processor

3.8 Records of processing are maintained (unless exempt)
What to check:
  • Data inventory / records of processing
Responsible: Controller and processor

3.9 The organisation cooperates with the ICO and other data protection regulators when required
What to check:
  • Relevant correspondence with regulators
  • Internal policies on dealing with regulators / escalating regulatory notices
Responsible: Controller and processor

Step 4 – Security and personal data breaches

Columns: No. | Requirement | What to check | Controller / Processor responsible?

4.1 Appropriate technical and organisational security measures are in place
What to check:
  • Information security policies
  • Data breach response plan
  • Penetration / resilience testing reports
  • Inspect relevant systems, processes and controls
Responsible: Controller and processor

4.2 There are no unresolved personal data breaches, and preventative measures are in place against recurrent breaches
What to check:
  • ICO / regulator notices and publicly available information on enforcement action
  • Data breach logs
  • Inspect relevant systems, processes and controls
Responsible: Controller and processor

4.3 There is a process for notifying personal data breaches to the ICO and other relevant data protection regulators
What to check:
  • Information security policies
  • Data breach response plan
  • Template letters
Responsible: Controller

4.4 There is a process for notifying personal data breaches to the controller when acting as a processor for another organisation
What to check:
  • Information security policies
  • Data breach response plan
  • Template letters
Responsible: Processor

4.5 There is a process for communicating personal data breaches to affected individuals
What to check:
  • Information security policies
  • Data breach response plan
  • Template letters
Responsible: Controller

4.6 There is a process for assisting the controller with notifying breaches to regulators and affected individuals when acting as a processor for another organisation
What to check:
  • Internal data handling / data protection policy
  • Processor contracts
  • Controller instruction manuals
  • Inspect relevant systems, processes and controls
  • Template breach reports
Responsible: Processor

Step 5 – Data protection impact assessments and prior consultation

Columns: No. | Requirement | What to check | Controller / Processor responsible?

5.1 Data protection impact assessments (DPIAs) are conducted for all high-risk processing activities
What to check:
  • DPIAs
  • DPIA policy
  • Data risks register
  • Data inventory / records of processing
  • Employee privacy notices
  • External facing privacy notices
Responsible: Controller

5.2 When acting as a processor for another organisation, support is given with DPIAs
What to check:
  • DPIAs
  • DPIA policy
  • Processor contracts
  • Controller instruction manuals
  • Inspect relevant systems, processes and controls
Responsible: Processor

5.3 The ICO and other relevant data protection regulators are consulted before data processing commences (where required)
What to check:
  • DPIAs
  • Data risks register
  • ICO / regulator correspondence
  • Policies on dealing with regulators
Responsible: Controller

5.4 When acting as a processor for another organisation, support is given with prior consultations
What to check:
  • ICO / regulator correspondence
  • Policies on dealing with regulators
  • Processor contracts
  • Controller instruction manuals
Responsible: Processor

Step 6 – Data protection officer

Columns: No. | Requirement | What to check | Controller / Processor responsible?

6.1 A data protection officer (DPO) is duly appointed (where required)
What to check:
  • DPO employment contract / job specification / services contract
  • Organisational charts
  • Data breach response plan
  • Employee privacy notices
  • External facing privacy notices
  • ICO / data protection regulator notifications
Responsible: Controller and processor

Step 7 – Codes of conduct and certifications

Columns: No. | Requirement | What to check | Controller / Processor responsible?

7.1 All codes of conduct applicable to or signed up to by the organisation are adhered to
What to check:
  • ICO website register of codes of conduct
  • Code of conduct criteria / rules
Responsible: Controller and processor

7.2 All certifications signed up to by the organisation are adhered to
What to check:
  • ICO / United Kingdom Accreditation Service (UKAS) websites
  • Certifications, seals and marks on company website / collateral
  • Certification criteria / rules
Responsible: Controller and processor

Step 8 – International data transfers

Columns: No. | Requirement | What to check | Controller / Processor responsible?

8.1 Approved transfer mechanisms are used for all international data transfers (unless there is an adequacy decision)
What to check:
  • Data mapping
  • Latest adequacy decisions and EU / UK transfers guidance (European Commission and ICO websites)
  • Data transfer agreements
  • Intra-group agreements
  • Processor contracts
  • Standard contractual clauses
  • Binding corporate rules
  • Transfer adequacy assessments
  • Data inventory / records of processing
  • Organisational charts
  • Procurement guidance / due diligence checklists
  • Employee privacy notices
  • External facing privacy notices
  • Inspect relevant systems, processes and controls
Responsible: Controller and processor

Explanatory notes

Legal framework

The checklist covers the requirements under:

  • Regulation 2016/679 – General Data Protection Regulation (EU GDPR);
  • the EU GDPR as it forms part of the domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (UK GDPR);
  • the Data Protection Act 2018 (UK DPA 2018);
  • various UK Information Commissioner’s Office (ICO) guidance;
  • various European Data Protection Board (EDPB) (formerly the Article 29 Working Party) guidelines.

References to the ‘GDPR’ mean either the EU GDPR or the UK GDPR, unless specified otherwise.

Notes on specific requirements

Step 1 – Principles and lawful processing

1.1 Data protection principles

The data protection principles for controllers processing personal data are outlined in article 5, GDPR. These are:

  • lawfulness, fairness and transparency;
  • purpose limitation;
  • data minimisation;
  • accuracy;
  • storage limitation; and
  • integrity and confidentiality.

The controller must also be able to demonstrate ‘accountability’ – see explanatory note 1.2.

1.2 Accountability and data protection governance

The controller shall be responsible for, and be able to demonstrate compliance with, the data protection principles (see explanatory note 1.1). This is known as ‘accountability’. The best way to do this is to be able to point to an established data protection governance framework, underpinned by effective policies, procedures and management structures.

Following Brexit, the ICO can no longer be the lead data protection ‘supervisory authority’ under the EU GDPR for organisations with multiple establishments across both the EEA and the UK. If you continue to have multiple establishments in the EEA, you will need to appoint the regulator in one of those jurisdictions as the lead data protection supervisory authority under the EU GDPR.

1.3 Lawful bases

The controller must ensure that each processing activity has a valid lawful basis under article 6, GDPR.

Article 7, GDPR sets out further conditions applicable to consent. Article 8, GDPR and section 9, DPA 2018 set out conditions concerning children’s consent for online services.

For further guidance, see Checklist: Lawful processing of personal data under the GDPR.

1.4 Special category data

‘Special categories of personal data’, under article 9, GDPR, means processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

This type of more sensitive data is given special protection under the GDPR and cannot be processed unless a relevant exemption under article 9, GDPR is met. Schedule 1 of the UK DPA 2018 sets out additional provisions regarding processing of special category data, including in some instances the requirement for an ‘appropriate policy document’.

1.5 Criminal data processing

‘Criminal data’ describes ‘criminal convictions and offences or related security measures based on article 6(1)’ (article 10, GDPR). Processing of criminal data must only be carried out under the control of an official authority or where authorised under laws that provide for appropriate safeguards for individuals’ rights and freedoms. A comprehensive register of criminal convictions can only be kept under the control of an official authority. Schedule 1 of the DPA 2018 sets out additional provisions regarding processing of criminal data, including in some instances the requirement for an ‘appropriate policy document’.

1.6 De-identified / anonymous data

Under article 11, GDPR, if the purposes for which a controller is processing personal data no longer require them to identify an individual, the controller need no longer process that information in an identifiable format if their only reason for doing so is to comply with the GDPR. In those circumstances, the controller need not give effect to certain data subject rights (under articles 15 to 20, GDPR) unless the data subjects provide additional information allowing themselves to be identified.

Step 2 – Data subject rights (DSRs)

2.1 Privacy information / transparency

To fulfil the controller’s ‘transparency’ obligations, the information outlined in articles 13 and 14, GDPR must be provided to individuals whose data is processed.

2.2 Right of access

Under article 15, GDPR, if an individual requests access to their data being processed by the controller, the controller must confirm whether it is processing their personal data and, if so, provide access to a copy of the data and certain information about the data and how this is used. The request must be responded to within tight time frames (usually one month).

2.3 Right of rectification / correction

Under article 16, GDPR, if an individual requests rectification (correction) of their personal data, the controller must action this request without undue delay. The request must be responded to within tight time frames (usually one month).

2.4 Right to erasure / to be forgotten

Under article 17, GDPR, if an individual requests erasure of their personal data, the controller must do so without undue delay if one of certain specified grounds (eg, the data has been unlawfully processed) has been met. The request must be responded to within tight time frames (usually one month).

2.5 Right to restriction of processing

Under article 18, GDPR, if an individual requests restriction of processing of their personal data, the controller must action this request if one of certain specified grounds applies. The request must be responded to within tight time frames (usually one month).

2.6 Communication of requests to third parties

Article 19 requires the controller to implement a process for communicating rectification, erasure and restriction requests to third parties that hold relevant data, unless a specified exception applies.

2.7 Right to data portability

Under article 20, GDPR, an individual may have a right to receive their personal data, in a structured, commonly used and machine-readable format or to have that data transmitted to another controller (where technically feasible). This right only applies in limited specified circumstances. The request must be responded to within tight time frames (usually one month).

2.8 Right to object

Under article 21, GDPR, an individual has a right to object on certain grounds to processing of personal data for the performance of a task in the public interest or in the exercise of official authority, or for ‘legitimate interests’ (points (e) and (f) respectively of article 6(1)). If the individual objects to processing for direct marketing purposes, the processing must stop (including any related profiling) (article 21(2), GDPR). Otherwise, the processing can continue only if the controller can demonstrate that it can meet a balancing test (article 21(1), GDPR). The request must be responded to within tight time frames (usually one month).

The ICO has guidance on direct marketing, specifically relating to the use of electronic mail. The guidance provides practical steps to ensure compliance with the Privacy and Electronic Communications Regulations 2003.

2.9 Automated decision-making, including profiling

Under article 22, GDPR, individuals have the right not to be subject to decisions based on solely automated decision-making, including profiling, which produce legal or similarly significant effects for the individual. There are exceptions to this linked to the lawful basis that underpins the decision. If such processing is permitted, certain additional safeguards need to be put in place to protect individuals’ rights. There are even stricter controls on making solely automated decisions in respect of special category personal data.

2.10 Technical and organisational measures by processors to support DSRs

When acting as a processor on behalf of a controller organisation, you are required to implement technical and organisational measures to support the controller in meeting its obligations to respond to DSRs (article 28(3)(e), GDPR).

For further guidance, see Checklists: Data subject access rights under the GDPR; What information to include in your organisation’s privacy notice.

Step 3 – Controller and processor

3.1 Technical and organisational measures for compliance with the GDPR

The controller must implement and maintain appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with the GDPR (article 24(1), GDPR). This may include the controller putting in place appropriate data protection policies, in addition to systems and technical controls around personal data.

3.2 Data protection by design and default

Under article 25(1), GDPR, the controller must implement appropriate technical and organisational measures (such as pseudonymisation), which are designed to implement data protection principles (such as data minimisation) effectively both:

  • at the time of determining the means for processing; and
  • at the time of the processing itself.

The necessary safeguards need to be integrated into the processing to comply with the GDPR and to protect individuals’ rights. Certain specific considerations need to be taken into account in this ‘data protection by design’.

The controller must also implement appropriate technical and organisational measures for ensuring that, by default, only personal data that is necessary for each specific purpose of the processing is processed. This so-called ‘data protection by default’ applies to the volume of personal data collected, the extent of the processing of that data, its storage period and its accessibility.

If children’s personal data is being processed, the guidance provided by the ICO will need to be complied with. The ICO’s 10 Step Guide to Sharing Information to Safeguard Children and Guidance on ‘Likely to be accessed’ by children are also relevant when processing personal data relating to children.

3.3 Joint controller arrangements

Under article 26, GDPR, arrangements between joint controllers need to be determined transparently and properly documented, in particular as regards exercising rights of data subjects and provision of privacy information. The essence of the relationship needs to be made available to data subjects.

3.4 Representatives

Under article 27, EU GDPR, controllers and processors not established in the EEA but otherwise caught within the territorial scope provisions of the EU GDPR (ie, under article 3(2)) will need to appoint an EEA representative. The UK GDPR imposes an equivalent requirement on controllers and processors not established in the UK to appoint a UK representative. There are exemptions for occasional, low risk processing. Public authorities or bodies do not need to appoint a representative.

3.5 Pre-contract due diligence on processors

Article 28(1), GDPR requires that controllers only appoint processors that give ‘sufficient guarantees’ to implement appropriate technical and organisational measures to ensure that processing will comply with the GDPR and that data subject rights are protected. In practice, this means carrying out pre-contract due diligence on such processors.

3.6 Processor contracts

Article 28 imposes certain requirements on the appointment of processors to process personal data on behalf of controllers. There are also mandatory terms that need to be included in all processor contracts (article 28(3)).

3.7 Controller’s instructions

A processor, or anyone under the authority of the controller or of the processor, who has access to personal data, must not deviate from the processing instructions given by the controller, unless applicable law requires them to do otherwise (article 29, GDPR).

3.8 Records of processing

The controller and the processor must maintain records of processing containing certain mandatory information (article 30(1) and (2), GDPR). Some smaller organisations that only carry out lower-risk processing are exempt (article 30(5), GDPR).

3.9 Cooperation with the ICO and other data protection regulators

Article 31, GDPR requires the controller and the processor, and their representatives, to cooperate on request with the data protection regulator (or supervisory authority) in the performance of its tasks.

For further guidance, see Checklist: What information to include in your organisation’s privacy notice.

Step 4 – Security and personal data breaches

4.1 Technical and organisational security measures

Article 32, GDPR sets out the requirements in relation to security – these apply to controllers and processors. In particular, the organisation must implement appropriate technical and organisational measures in relation to personal data to ensure a level of security appropriate to the risk.

4.2 Unresolved personal data breaches

A ‘personal data breach’ is defined as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’ (article 4(12), GDPR). Check that there are no unresolved personal data breaches and ensure that preventative measures are in place to guard against breaches recurring.

Article 33(5), GDPR requires the controller to document any personal data breaches, including the relevant facts, its effects and the remedial action taken.

4.3 Reporting personal data breaches

See explanatory notes at 4.2 for the definition of ‘personal data breach’.

The controller must ‘without undue delay and, where feasible, not later than 72 hours after having become aware of a personal data breach’, notify the ICO or other relevant data protection regulator of the breach, unless it is unlikely to result in a risk to the rights and freedoms of individuals (article 33(1), GDPR). Certain information must be included in the notification (article 33(1), (3) and (4), GDPR).

Article 33(5), GDPR requires the controller to document any personal data breaches, including the relevant facts, its effects and the remedial action taken.

4.4 Notifying breaches to controller when acting as a processor

The processor has to notify the controller ‘without undue delay after becoming aware of a personal data breach’ (article 33(2), GDPR).

4.5 Communicating personal data breaches to affected individuals

When a personal data breach is likely to result in a ‘high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay’ (article 34(1), GDPR).

The communication needs to be clear and disclose certain prescribed information and measures (article 34(2), GDPR). There are certain limited exceptions when such communication is not necessary (article 34(3), GDPR).

4.6 Assisting the controller with notifying breaches to regulators and affected individuals when acting as a processor

Article 28(3)(f), GDPR requires processors to assist controllers with notifying data breaches to data protection regulators and affected individuals.

For further guidance, see How-to guides: How to reduce the risk of a data breach and How to deal with a data breach.

Step 5 – Data protection impact assessments (DPIAs) and prior consultation

5.1 DPIAs for high-risk processing

The controller must carry out a DPIA in advance of starting processing where ‘a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons’ (article 35(1), GDPR). The GDPR lists certain types of processing requiring a DPIA.

The Article 29 Working Party’s Guidelines on Data Protection Impact Assessment (DPIA) (WP248 rev.01, endorsed by the European Data Protection Board) list nine criteria that may indicate likely high-risk processing and suggest that, in most cases, processing meeting two or more of them will require a DPIA. The ICO’s DPIA guidance also gives further guidance on situations where processing is likely to be high-risk, and the ICO has published under article 35(4) a list of processing operations for which it requires a DPIA.

5.2 Processors supporting DPIAs

Processors must assist controllers in ensuring compliance with the controller’s obligations in relation to DPIAs (article 28(3)(f), GDPR).

5.3 Prior consultation

Where a DPIA is carried out and ‘indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk’, the controller must consult the ICO and other relevant data protection regulators before the processing commences (article 36(1), GDPR). The controller must provide the regulator with prescribed information, including the DPIA itself (article 36(3), GDPR). Where the regulator is of the opinion that the intended processing would infringe the GDPR, in particular because the controller has insufficiently identified or mitigated the risk, it must provide written advice within up to eight weeks of receiving the request, a period that may be extended by a further six weeks for complex processing (article 36(2), GDPR). Processing should not start until the consultation has concluded.

5.4 Processors supporting prior consultations

Processors must assist controllers in ensuring compliance with the controller’s obligations relating to prior consultations (article 28(3)(f), GDPR).

Step 6 – Data protection officer (DPO)

6.1 Appointment of a DPO (where required)

Organisations meeting the specified criteria in article 37, GDPR must appoint a DPO. Where a statutory DPO is appointed, their appointment must fulfil the requirements in article 38, GDPR (including independence, adequate resources and direct reporting to the highest management level) and they must fulfil the tasks listed in article 39, GDPR. The controller or processor must publish the DPO’s contact details and communicate them to the ICO and other relevant data protection regulators (article 37(7), GDPR); in practice the DPO’s contact details are published in the organisation’s privacy notices, which must state them under articles 13(1)(b) and 14(1)(b), GDPR.

For further guidance, see Checklist: When and how to appoint a data protection officer.

Step 7 – Codes of conduct and certifications

7.1 Codes of conduct

Under article 40, GDPR, relevant data protection regulators and EU bodies encourage drawing up of codes of conduct to contribute to the proper application of the GDPR, taking account of the specific features of the various processing sectors and the needs of micro, small and medium-sized enterprises.

At the time of publication there are no approved UK GDPR codes of conduct.

7.2 Certifications

Under article 42, GDPR, relevant data protection regulators and EU bodies encourage the establishment of data protection certification mechanisms and data protection seals and marks to demonstrate compliance with the GDPR of processing operations by controllers and processors. Certification is voluntary and does not reduce the responsibility of the controller or processor for compliance (article 42(3) and (4), GDPR). Certificates are issued by certification bodies accredited under article 43, GDPR.

Details on certification criteria or accredited certification bodies for issuing UK GDPR certificates can be found in the ICO’s Certification guidance.

Step 8 – International data transfers

8.1 International data transfers

Under the EU GDPR, in the absence of an adequacy decision (article 45(3), GDPR), a ‘controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available’ (article 46(1), GDPR).

Under the EU GDPR, a ‘third country’ means a jurisdiction outside the EEA which, after Brexit, includes the UK. Under the equivalent provision of the UK GDPR, a ‘third country’ means a country or territory outside the UK.

For now at least, there is an EU adequacy decision in place for the UK and a UK adequacy decision in place for the EEA countries. The EU adequacy decisions for the UK, adopted on 28 June 2021, contain a four-year sunset clause and therefore expire on 27 June 2025 unless renewed by the European Commission, so organisations relying on them for EEA-to-UK transfers should monitor the renewal process. The European Commission has granted various other countries adequacy and the UK has adopted this list.

Whilst the EU uses the terminology ‘adequacy’, the UK government uses ‘data bridges’. Since leaving the EU, the UK Government has concluded data bridges with the Republic of Korea (December 2022) and the United States of America (US) (October 2023). The data bridge with the Republic of Korea is broader than the EU adequacy decision for South Korea, in that it covers not only general personal data transfers but also financial services data transfers, such as credit information used to facilitate payment verification processes. The data bridge with the US is the UK Extension to the EU-US Data Privacy Framework, the framework for which the European Commission adopted an EU adequacy decision in July 2023. The Data Privacy Framework is a bespoke, opt-in certification scheme for US companies and includes a set of enforceable principles and requirements that must be certified and complied with in order for US organisations to join the Framework. Only US organisations that have been certified, have opted in to the UK Extension and are publicly listed on the Data Privacy Framework List can receive personal data from the UK under the data bridge, so the list should be checked before each transfer.

Additional requirements, including ‘appropriate safeguards’ and a transfer risk assessment (TRA) (referred to in the EU as a transfer impact assessment), must be met if personal data is to be transferred to a third country from the UK or the EEA where no adequacy decision is in place. ‘Appropriate safeguards’ under article 46, GDPR include standard contractual clauses, with supplementary measures as appropriate, and binding corporate rules. In the UK, the international data transfer agreement (IDTA) and the international data transfer addendum to the European Commission’s standard contractual clauses (Addendum) can be used as a transfer tool to comply with article 46 of the UK GDPR when making restricted transfers. The IDTA and Addendum replaced the old EU standard contractual clauses for UK restricted transfers and take into account the binding judgment of the Court of Justice of the European Union in the case commonly referred to as Schrems II. Contracts entered into on or before 21 September 2022 that relied on the old EU SCCs as a transfer tool had to be amended to incorporate the IDTA or Addendum by 21 March 2024; the old EU SCCs are no longer a valid transfer tool for restricted transfers from the UK, so any legacy contracts still relying on them should be identified and remediated. See also Checklist: Making an international transfer of personal data under the UK GDPR for more information.

In the absence of an adequacy decision or of appropriate safeguards, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only on one of the derogations for specific situations set out in article 49, GDPR, such as the data subject’s explicit consent given after being informed of the risks. The derogations are intended for occasional transfers and are not a substitute for appropriate safeguards for routine data flows.

The ICO has published guidance on international transfers, including guidance on the IDTA, on the international data transfer addendum to the EU SCCs (the ‘UK Addendum’) and on transfer risk assessments (‘TRAs’), together with a TRA tool, which give a detailed, practical application of the international transfer provisions of the UK GDPR.

This is a fast-moving area, and it is advisable to check the ICO website for the latest guidance.

Additional resources

Related Lexology Pro content

How-to guides:

Understanding key data protection definitions 
How to comply with data processing principles under the GDPR
How to ensure compliance with the GDPR
How to establish a valid lawful basis for processing personal data under the GDPR
How to transfer personal data lawfully outside the UK
How to reduce the risk of a GDPR data breach
How to deal with a GDPR data breach
How to deal with an ICO dawn raid

Checklists:

Assessing whether an organisation is a controller or processor under the GDPR
Lawful processing of personal data under the GDPR
Obtaining and managing consent under the GDPR
Processor due diligence (data protection and cybersecurity) 
Making an international transfer of personal data under the UK GDPR
Data subject access rights under the GDPR
What to include in your organisation’s privacy notice
When and how to appoint a data protection officer
Complying with cookie requirements under the PECR and the GDPR

Reliance on information posted: 

While we use reasonable endeavours to provide up to date and relevant materials, the materials posted on our site are not intended to amount to advice on which reliance should be placed. They may not reflect recent changes in the law and are not intended to constitute a definitive or complete statement of the law. You may use them to stay up to date with legal developments but you should not use them for transactions or legal advice and you should carry out your own research. We therefore disclaim all liability and responsibility arising from any reliance placed on such materials by any visitor to our site, or by anyone who may be informed of any of its contents.