
It’s been a few months since I last blogged on the subject of the GDPR so it seemed about time to review the situation as of now (November 2017).

There are now about six months left before the GDPR becomes law on 25 May 2018, and many organizations are frantically trying to work out what it means for them. CertiKit launched its GDPR Toolkit in June and quickly followed up with version 2 in October, and the degree of interest has been staggering. But beyond the core text of the regulation there is much work going on at government level to clarify what the GDPR means.

The Article 29 Working Party

Those of you that are heavily into data protection (and let’s face it – who isn’t at the moment?) will know that there is a body that was set up under the current Data Protection Directive of 1995 to discuss and cogitate on issues of data protection. This goes by the catchy name of The Article 29 Working Party and consists of the heads of the various supervisory authorities from around the European Union. These representatives meet on a regular basis to try to shed a bit more light on some of the trickier aspects of the upcoming GDPR and to help everyone work out what it all means.

The Article 29 Working Party has produced a number of guidance documents on the subjects of:

  • Personal data breach notification
  • Automated individual decision-making and profiling
  • Right to data portability
  • Data protection officers
  • Lead supervisory authorities
  • Data protection impact assessments
  • Application and setting of administrative fines

These are available here – http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083

So if you are struggling to understand how some of the above issues might affect you, these guidance documents may be worth a read.

What about the UK Information Commissioner?

The UK Information Commissioner’s Office has also been busy preparing for the GDPR. On 1 November 2017 it launched a new telephone helpline for small businesses in the UK. To access this, the ICO website instructs you to “dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support.”

The ICO will also be simplifying its 12 Steps to Take Now guidance and will be publishing a Guide to the GDPR by the end of the year (which some would say is a little later than they would have preferred). The guide will be based on the ICO's current Overview of the GDPR guidance.

They will also be giving a better steer on a number of GDPR-related subjects, including:

  • contracts between controllers and data processors;
  • children’s data; and
  • accountability, including documentation.

But all this doesn’t come free. Whereas the current Data Protection Act requires many organizations to pay a fee to the ICO to fund its operation, the GDPR effectively does away with this requirement. “Hurray!” you may shout, but don’t be so hasty. When have you ever known Government fees to disappear? Instead, the Digital Economy Act steps in to re-instate such a fee for data controllers. The amounts payable to the ICO are changing, with a new schedule of charges that takes account of organization size and of the amount of personal data being processed. Proposals suggest that the charges will range from “up to £55” for small businesses to “up to £1000” for larger businesses that process more data.

The UK Data Protection Bill

All of this is complicated enough, but of course the other factor that is thrown into the mix is Brexit. Although the UK is likely to still be a member of the European Union when the GDPR becomes law, the plan is to leave the bosom of the EU sometime afterwards. The GDPR will of course still apply where the personal data of EU citizens is concerned, but to plug the gap the UK government is introducing a new Data Protection Bill. The general view seems to be that this will be very GDPR-like but will also define some areas where the UK may diverge slightly or set out specific derogations or exclusions.

What does this all mean for me?

If you’re working for an organization that is trying to stay on the good side of the law by preparing for the GDPR, then what should you be doing now?

In my humble opinion, your first step should be to decamp to a local coffee shop with a copy of the actual GDPR document and have a read. No amount of sage advice and bluster from industry experts will replace the simple act of having read the source document for yourself. Ok, it’s not Booker Prize-winning literature but it is surprisingly readable in most places and the simple fact is that about two thirds of the Articles won’t apply to you anyway as they are aimed at various governmental structures such as the supervisory authorities. Go on – you won’t regret it.

After that, remember that the key to all of this is to follow the data. What personal data do you collect, what is it used for and where does it go? Many of the other issues to do with the GDPR will fall into place once you have this basic understanding.

Use the guidance on your supervisory authority’s website and check out the Article 29 WP’s site where necessary. Webinars, seminars, courses, qualifications, books and of course document toolkits will all come in useful too.

You still have six months – use them wisely my friend.
