The General Data Protection Regulation (GDPR) is coming! Keep calm and don't panic; there are plenty of resources to help. In my current work I help various organisations prepare for the commencement of GDPR, and we have found many documents, posts and courses helpful.
This post is a collection of resources that either they or I have found useful. I will try to keep it updated as new resources become available.
Many people are talking about GDPR as though it's a completely new thing. Although there is much that is new about GDPR, it is an evolution of the existing legislation and its 8 data protection principles. Therefore, for many organisations, the steps they are taking to prepare for GDPR are an evolution of their existing data protection policies and processes.
Here is a good infographic to give you a quick overview. The one thing I would add is that an organisation will also hold personal data about its employees, volunteers and/or members.
Information Commissioner's Office (ICO)
The first stop in the U.K. for any data protection question is the Information Commissioner's Office (ICO), which has a good website with many articles. The ICO also has its own blog, which often posts useful and interesting articles.
There is a section on data protection reform for organisations to help them get ready for GDPR compliance. Note this is for all organisations, not just companies. Any organisation that holds personal data is covered by the GDPR.
There is a short document on preparing for GDPR and 12 steps to take now.
There is guidance for contracts and liabilities between controllers and processors. (For a definition of controllers and processors please see chapter 4 of the GDPR.) It highlights that controllers and processors must be able to demonstrate their compliance with various articles of GDPR. It has a good checklist at the back of what a contract must detail and its terms.
The guidance is still under review and it covers:
- what's new in GDPR,
- when contracts are required (which is in most cases),
- why contracts are important between controllers and processors,
- what needs to be included in the contract, including what the contract terms must 'set out',
- whether standard contract clauses can be used:
  - GDPR allows for the ICO to create standard contract clauses that can then be used; sadly none exist at present,
  - GDPR allows for certification to be created to demonstrate compliant processing; again, sadly this does not exist at present,
- what responsibilities and liabilities controllers have when using a processor,
- what responsibilities and liabilities processors have in their own right.
UK Government resources
The Data Protection Bill Factsheet – Overview shows that the UK Data Protection Bill builds on the UK Data Protection Act 1998 and the EU General Data Protection Regulation. Brexit will not remove the need for compliance.
As a business we focus on system and data architectures, and I found the foundation GDPR training course very helpful. It was run by an information governance consultant, not a full-time trainer. That may be the luck of the draw, but certainly the trainer knew their stuff and was able to field all of the attendees' questions. There is also a certification test at the end of the course that was sufficiently hard to feel like you needed to have paid attention.
Speaking with the Head of Digital at a direct marketing firm, I learned they found the IDM Award in GDPR very helpful.