Useful Links on the General Data Protection Regulation (GDPR)

Resources for GDPR

Peter Marriott

The General Data Protection Regulation (GDPR) is coming! Keep calm and don't panic; there are plenty of resources to help. In my current work I help various organisations prepare for the commencement of GDPR on we have found many useful documents, posts and courses helpful.

This post is a collection of resources that either they or I have found useful. I will try and keep this updated as new resources become available.

Many people are talking about GDPR as though it's a completely new thing. And although there is much which is new about GDPR, it is just an evolution of the existing legislation and its 8 data protection principles. Therefore, for many organisations the steps they are taking to prepare for GDPR are an evolution of their existing data protection policies and processes.

Here is a good infographic to give you a quick overview. The one thing I would add is an organisation will hold personal data about their employees, volunteers and/or members.

The Regulation

The full English text of the GDPR is available either as a downloadable PDF or as an online version with linkable sections.

Information Commissioner's Office (ICO)

The first stop in the U.K. for any data protection question is the Information Commissioner's Office (ICO), which has a good web site with many articles. The ICO also has its own blog which often posts useful and interesting articles.

There is a section on data protection reform for organisations to help them get ready for GDPR compliance. Note this is for all organisations, not just companies. Any organisation that holds personal data is covered by the GDPR.

There is a short document on preparing for GDPR and 12 steps to take now.

There is guidance for contracts and liabilities between controllers and processors. (For a definition of controllers and processors please see chapter 4 of the GDPR.) It highlights that controllers and processors must be able to demonstrate their compliance with various articles of GDPR. It has a good checklist at the back as to what a contract must detail and its terms.

The guidance is still under review and it covers:

  • what's new in GDPR,
  • when contracts are required (which is in most cases),
  • why contracts are important between controllers and processors,
  • what needs to be included in the contract, including what the contract terms must 'set out',
  • whether standard contract clauses can be used:
    • GDPR allows for the ICO to create standard contract clauses that can then be used; sadly none exist at present,
    • GDPR allows for certification to be created to demonstrate compliant processing; again sadly this does not exist at present,
  • what responsibilities and liabilities do controllers have when using a processor,
  • what responsibilities and liabilities do processors have in their own right.

UK Government resources

The Data Protection Bill Factsheet – Overview shows that the UK Data Protection Bill builds on the UK Data Protection Act 1998 and EU General Data Protection Regulation. Brexit will not stop the need for compliance.

Other sources

I have found IT Governance's Data Protection blog useful. They have an article on the Scope of GDPR which is a little out of date, but still gives a good background.

Courses

As a business we focus on system and data architectures and I found the foundation GDPR training course very helpful. It was run by an information governance consultant, not a full-time trainer. That may be the luck of the draw, but certainly the trainer knew their stuff and was able to field all of the attendees' questions. There is also a certification test at the end of the course that was sufficiently hard to feel like you needed to have paid attention.

Speaking with the Head of Digital at a direct marketing firm, they found the IDM Award in GDPR very helpful.