The General Data Protection Regulation (GDPR) is coming! Keep calm and don't panic: there are plenty of resources to help. In my current work I help various organisations prepare for the commencement of GDPR, and along the way we have found many documents, posts and courses helpful.
This post is a collection of resources that either they or I have found useful. I will try to keep it updated as new resources become available.
Many people are talking about GDPR as though it's a completely new thing. Although there is much that is new about GDPR, it is an evolution of the existing legislation and its eight data protection principles. For many organisations, therefore, the steps they are taking to prepare for GDPR are an evolution of their existing data protection policies and processes.
Here is a good infographic to give you a quick overview. The one thing I would add is that an organisation will also hold personal data about its own employees, volunteers and/or members, not only about its customers.
If you are responsible for personal data it would be wise to read the regulation itself through thoroughly. When reading it, read 'shall' as 'must': failing to follow any of these 'shalls' means failing to comply with the regulation.
Getting information direct from the EU's independent data protection authority
The Article 29 Working Party has advisory status and acts independently; its opinions do not reflect the position of the European Commission. Its site holds guidelines on the GDPR, some of which have been formally adopted.
Information Commissioner's Office (ICO)
The first stop in the U.K. for any data protection question is the Information Commissioner's Office (ICO), which has a good web site with many articles. The ICO also has its own blog which often posts useful and interesting articles.
The ICO's Guide to the General Data Protection Regulation (GDPR) helps organisations get ready for GDPR compliance. Note that this means all organisations, not just companies: any organisation that holds personal data is covered by the GDPR.
There is also a section on the new Data Protection Bill explaining what else the bill covers beyond the GDPR.
There is a short ICO document on preparing for the GDPR, '12 steps to take now', covering:
- Awareness - appreciate the impact GDPR is likely to have
- Information you hold - what data you have and what processing you do with it
- Communicating privacy information - understand how things like privacy notices need to change
- Individuals' rights - see how these have been enhanced, for example the right to erasure and the right to receive your data electronically, in a commonly used format, free of charge
- Subject access requests - make sure you can cope with the new timescales (one month under GDPR, compared with 40 days under the 1998 Act); as requests are now normally free of charge, their volume is likely to increase
- Lawful basis for processing personal data - be clear what your lawful basis for holding and processing each set of data is, as the basis you rely on affects which individual rights apply
- Consent - see how this has changed; consent must be as easy to withdraw as it is to give
- Children - make sure you know whether any of your data subjects are children and what needs to change in your processes if they are, for example verifying age and obtaining parental consent where the GDPR requires it
- Data breaches - make sure you have procedures to detect, report and investigate a breach; notifiable breaches must be reported to the ICO within 72 hours of becoming aware of them
- Data Protection by Design and Data Protection Impact Assessments - adopt 'data protection by design and by default' and find out where and when a Data Protection Impact Assessment (DPIA) is mandatory, i.e. for processing likely to result in a high risk to individuals
- Data Protection Officers (DPO) - check whether your organisation falls into a category that requires a DPO
- International - if you are an international organisation or process data across borders, work out which supervisory authority is your lead authority and how the GDPR will affect you
There is guidance on contracts and liabilities between controllers and processors. (Controller and processor are defined in Article 4 of the GDPR; their obligations are set out in Chapter IV.) It highlights that controllers and processors must be able to demonstrate their compliance with various articles of the GDPR, and it has a good checklist at the back of what a contract must detail and which terms it must set out.
The guidance is still under review and covers:
- what's new in the GDPR,
- when contracts are required (which is in most cases),
- why contracts between controllers and processors are important,
- what needs to be included in the contract, including what the contract terms must 'set out',
- whether standard contract clauses can be used:
  - the GDPR allows the ICO to create standard contract clauses that can then be used; sadly none exist at present,
  - the GDPR allows certification schemes to be created to demonstrate compliant processing; again, sadly, none exist at present,
- what responsibilities and liabilities controllers have when using a processor,
- what responsibilities and liabilities processors have in their own right.
For marketing, the current law is the Privacy and Electronic Communications Regulations 2003 (PECR), which continues to apply alongside the GDPR. See the post GDPR and 'Soft Opt-In' For Marketing for the expected changes.
For Marketing the current law is Privacy and Electronic Communications Regulations 2003. See Post GDPR and 'Soft Opt-In' For Marketing for expected changes.
UK Government resources
The Data Protection Bill Factsheet – Overview shows that the UK Data Protection Bill builds on the UK Data Protection Act 1998 and the EU General Data Protection Regulation, carrying the GDPR's standards into UK law. Brexit will not remove the need for compliance.
As a business we focus on system and data architectures, and I found the foundation GDPR training course very helpful. It was run by an information governance consultant rather than a full-time trainer. That may be the luck of the draw, but the trainer certainly knew their stuff and was able to field all of the attendees' questions. There is also a certification test at the end of the course that was sufficiently hard to make you feel you needed to have paid attention.
Speaking with the Head of Digital at a direct marketing firm, I learned that they found the IDM Award in GDPR very helpful.