
GDPR - training!

193 replies

Fekko · 06/09/2017 07:28

Does anyone know of any decent courses to get to grips with this? I've read up on it but still have questions.

Fekko · 09/09/2017 07:49

I think this is now a support thread! I'm concerned about client data and security too.

daisychain01 · 09/09/2017 09:16

Tricksy, and others who are concerned about where to start, the ICO has created a useful checklist to get you started

ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf

The key message is that, if your company has good DPA processes and controls in place, then GDPR will build on what you already have. You won't be starting from scratch, rather adding and improving.

EmmaC78 · 11/09/2017 21:25

I would like to join the support thread. I head a legal department for a public body and this is one of the main sources of stress for the moment. I have an action plan and am going to start looking at this in more detail next week. A mutual place to share information and ask questions would be great.

Fekko · 11/09/2017 22:59

Ok cool. Anyone finds out anything juicy, then here's the place!

I'm going to start with an audit of what info we store where and how it is used.

I think with well thought-out classification and tagging we can work through the lists (getting the owners to have a good cleanup to get rid of contacts no longer of use) starting with the assumption that everyone needs to opt-in or be assumed to have opted out. Major reach out to names project!

It's going to be a slog, but better safe than sorry.

Going forward I will need to make sure that everyone follows the procedure of tagging and recording opt in/outs. That's always a problem with databases. People cut corners and don't follow procedure.

BarchesterFlowers · 12/09/2017 18:14

Well, one of my institutes is offering a decent looking training day. I might make the effort to attend - I will probably have to go the night before.

www.icsa.org.uk/events/conferences-and-summits/data-governance-conference

Emma I am also public sector (and where the buck stops weeps).

PepeLePew · 13/09/2017 22:23

I'm in. I work for a small firm and the buck stops with me. My CEO thinks I am making it up, and keeps putting new names into our marketing database without any proof these people want to opt in. I'm about to calculate the possible fine and send him the total! A place to ask questions and share tips would be great as I embark on a data audit.

CupcakeBabaPoo · 17/09/2017 07:21

Does anyone have any tips on where to start with the information audit/data flow mapping please?? Links to any good guidance would be massively appreciated.

shhhfastasleep · 17/09/2017 07:39

Look at ICO website regularly and keep talking to them. I predict that there will be plenty of "certification" cons starting (like the notification ones). Don't get suckered into them out of panic.

shhhfastasleep · 17/09/2017 07:42

Seriously doubt companies/organisations are going to get hit with multi million pound fines on day 1 from the UK. If you trade across EU you probably need to be a bit more switched on a lot earlier, though.

shhhfastasleep · 17/09/2017 07:45

Pepelepew: all that said, if your CEO does that now the company could be in DP trouble, forget GDPR. Hoping you mean business contacts not private customers.

FledglingFTB · 17/09/2017 07:45

Bloody love MN, this would've been the last place I'd have thought I could get sympathy support on GDPR. Grin

shhhfastasleep · 17/09/2017 07:53

It's Sunday morning, my MN lovelies. We're here for each other on GDPR. Go and enjoy your day off. (Hope it is a day off for you all.)

amaliaa · 17/09/2017 07:57

A thread for GDPR geeks! May I join you?

I'm a trustee of a charity. Most of our work is done by volunteers, only two paid staff. It's going to be an uphill struggle for us, because of the usual problem of too much work and not enough people to do it.

SindyFishtail · 17/09/2017 08:11

I'm in! GDPR a major headache for me in work right now. I find it hard to get my head around and I'm the one who is supposed to explain it internally as well as to customers when they query our practices Blush

gassylady · 17/09/2017 08:13

Looked at the title and thought it related to the old East Germany! Abbreviations and not quite awake brains eh?

BigBairyHollocks · 17/09/2017 08:33

Can I join please? I have attended a very scary GDPR training event with an ICO commissioner and it put the fear of God in me! I work in HR for a public body and no one other than me bothers to even comply with data protection, never mind GDPR. Out of curiosity, how do your organisations cope with people requesting information over the phone, such as employment history, date they started in roles etc? This happens frequently in my organisation and I want to stop giving information out in this way as we can't verify who anyone is, but it's going to be a difficult thing for me to phase out. Thanks and sympathies to everyone in the same boat!

daisychain01 · 17/09/2017 08:57

Seriously doubt companies/organisations are going to get hit with multi million pound fines on day 1 from the UK

I have heard otherwise, last week.

The word out there is that there will be some early strikes on the most serious offenders who fail to convince the regulators they have done due diligence in identifying deficiencies in their processes, technologies and organisation. Initially it will be about creating an example of offending companies ...

The key first steps are

  1. Having a well structured project plan
  2. Gaining cross functional engagement to meet the deadline of 25 May 2018
  3. Prioritise actions based on show-stoppers, must haves and nice to haves
  4. Regular reviews of progress

Some of the comments on here are alarming, like one person having sole accountability for GDPR compliance, hands off approach by management. Solution to getting them to sit up and take notice is highlighting the risk of a fine up to 4% of the company's global turnover.

shhhfastasleep · 17/09/2017 09:21

Currently access to your own info must be in writing with proof of ID. You can charge £10 admin.
Under GDPR it doesn't specify "in writing" but I think there is an analogy with the current Environmental Regulations which is also an EU thing and is also an ICO thing (public authorities only - don't panic). Yes you don't have to do it in writing but why wouldn't you. And the organisation you are asking it from still needs to be certain it's you. Personally, unless the person was sight impaired, I'd be prepared to go to battle with the regulator if they insisted I do personal information requests by phone.
Check also what the ICO says about requests via social media currently. Doubt it will change much.

shhhfastasleep · 17/09/2017 09:29

As for early regulator strikes on bad guys, maybe so. But if you can show you are doing what you can to get ready, a multi million pound fine on day one is unlikely. Good tactic for scaring the shit out of your board and getting them to take it seriously, though.
It depends on how much personal information you are screwing with, I think. And how sensitive it is.
You can already get hammered under PECR if you aren't looking after marketing data. That law has been around for years and the ICO is finally pretty tough on it. As far as it can be. That's a well trodden path now for the ICO and if it has bigger fining powers to do what it is already doing then it will probably use them.

ringle · 20/09/2017 20:41

I guess it (the risk of being fined as an example) depends who you work for.

I object to it mainly on grounds of dullness. Though I like the Right to be Forgotten.

shhhfastasleep · 20/09/2017 21:24

Not an absolute right to be forgotten - however there is special emphasis on the right for youthful online nonsense to be forgotten. This is brilliant.

daisychain01 · 21/09/2017 04:47

I object to it mainly on grounds of dullness

Protection of people's personal identifiable information is hardly dull!

Not when there is a risk that the misuse of someone's data can lead to negative consequences on their life chances, opportunities and potentially affect their ability to gain access to goods, services, insurance protections etc.

I'd say GDPR cannot come in soon enough. Increased controls are critical.

Right to be forgotten is going to be an interesting one. Facebookers / Twitterers can heave a sigh of relief that they will have more control over years' worth of data being removed after telling the world stuff they wish they hadn't, but there could be some run-ins with these US social media platforms who give free access to the platform in exchange for people's lifestyle info (great for marketeers). And then there's the person who wants to be forgotten so they can gain access to special offers that are only for "new customers" so they do have to justify why they want to be forgotten.

Interesting times!

AccrualIntentions · 21/09/2017 13:47

I had an email about a GDPR course yesterday which didn't tell me why they were sending me it (it's not really an area I work in and I have never signed up to emails from that company) and had no obvious unsubscribe link. Hmm

shhhfastasleep · 21/09/2017 15:28

Apropos of nothing you can already ask for trivial and embarrassing nonsense about to be removed from an internet search. GDPR firms up what is already case law.

Fekko · 22/09/2017 08:30

So we are now in event season - with the dreaded scanner (dreaded because some staff think it's a toy and scan everything that moves). So that's really verbal consent isn't it? There's no actual paper trail that they have agreed to be put on the mailing list or database. So I am guessing the follow up emails need to include a verification device?

Also - our database (clients, prospects, odds and sods) is chuffing huge. Sending out a mailer to ask for opt ins is likely to get a 30% open rate if we are lucky. How can we get around this?
