With just four months to go until the GDPR comes into force, we all know that we should have been getting our plans in place to ensure that our organisations have responsible, compliant data practices by May the 25th.
The Information Commissioner, Elizabeth Denham, noted five key ‘building blocks’ for effective implementation of responsible data practices in her blog just before Christmas:
- Ensuring commitment across the entire organisation from board level downwards
- Understanding the information that you hold and documenting it
- Implementing accountability measures including consideration of appointing a Data Protection Officer or lead
- Ensuring appropriate security is in place
- Regular and refresher training of staff on the GDPR
How ready are you?
Where is your organisation with all of this though? What does the GDPR mean for you? There is an alarming amount of conflicting information out there both on what the changes are and what you actually need to do.
The College has been running workshops and seminars on the GDPR and the proposed ePR (e Privacy Regulation) since May 2017. We saw various indicators at the tail end of last year that indicated many organisations were not even close to being ready.
The GDPR is coming
There is no grace period. On the 25th May it will be enforced and places much stronger requirements on organisations that process data on individuals (natural persons).
The key questions we get asked are:
- when consent is needed
- whether the GDPR applies to B2B? (it does)
- can data be transferred to non EU countries and, if so, which are they
- what penalties are applicable for different types of non-compliance
- what the key changes to individuals' rights are
- when Data Protection Officers need to be appointed and
- when a Data Protection Impact Assessment must be done
ICO self-assessment checklists
The ICO has revised its readiness self-assessment checklists which are very helpful. Most of us will be looking at the Data Controller* or Data Processor* assessments or both.
Note: * the definitions of these terms can be found in the introduction to the self-assessment
There are differences so if you are doing both roles, as many organisations are, you will need to do the two assessments to be certain that you get an accurate picture on where you are currently.
We can help
We are offering new “GDPR Essentials” workshops.
We recognise that the time has come for most of us for less talk and more action.
Our new workshops take a practical, pragmatic approach to the steps that you need to take before May.
These will fill in any gaps in your knowledge but the main focus is to provide you with answers to what you need to actually do and why, how to do it, when and who should be involved both in the organisation and outside.
The workshop will:
- use the ICO self-assessment checklists as a basis to give you the in-depth understanding that you need to implement the changes your organisation needs to be ready
- explain what the 29 questions in the data controller assessment and 17 questions in the data processors assessment mean in the context of your organisation and its markets
- help you to establish what gaps exist and which are the priority to address
- provide practical, specific answers to what you need to do. For example: what should the privacy notice contain?; does my organisation need a DPO or a data protection lead?; what should our consent forms contain in terms of wording? and so on
Our workshops are available for small numbers of delegates from various organisations at a Cambridge venue or as tailored in-house sessions.
For more information and to book, please take a look at the workshop details.
You can also download our handy GDPR 12-step action plan.