Appoint a Data Protection Officer (DPO)
Identify the data collection approach
Identify the most appropriate legal basis
Create a repository for supporting documentation
Verify if a Data Protection Impact Assessment is necessary
Perform a DPIA (if necessary)
Implement risk mitigating measures