
GDPR - training!

193 replies

Fekko · 06/09/2017 07:28

Does anyone know of any decent courses to get to grips with this? I've read up on it but still have questions.

shhhfastasleep · 15/11/2017 08:12

Also, Topcat, if you are saying you have a database listing name and employer, that is personal data. It may comply with DPA and PECR to market them but it is still personal data, I think.

moonlight1705 · 15/11/2017 08:17

Ahh interesting - I am just about to start with the project team at a local council on GDPR.

I went to the IRMS workshop in London a few weeks ago and they also suggested that there was a lot of hype and people trying to fleece you of money to get it 'sorted'.

What I did find interesting is that the terminology is ambiguous - there is a lot of 'reasonable', 'appropriate' and 'limited' but these will probably be tested by individual law cases.

ParadiseCity · 05/01/2018 13:14

Happy New Year fellow GDPRers. I wish you compliance Grin

I am thinking of asking for a pay rise to do all this. Is anyone else? It is above my pay grade but not my capabilities and there is no one else at my place willing and able to take it on...

shhhfastasleep · 05/01/2018 14:12

Good luck with asking for a pay rise.

PavlovaPlease · 06/01/2018 14:06

I work in ecommerce/digital marketing and, frankly, have no idea where to start!

shhhfastasleep · 06/01/2018 16:51

Go on to the ICO website. As good a place to start as any.

TalkinPeace · 06/01/2018 16:56

My worry on the GDPR is the fact that there are supposed to be two people overseeing all sensitive data in all organisations
even sole traders
and bodies with only one employee

the rules have been written for big organisations but will apply to small ones

MyVisionsComeFromSoup · 06/01/2018 17:20

Yikes, I'm going to have to sort this for our business, and for a charity I work with, and I haven't got a clue where to start Sad.

We inherited a whole load of paper client files from a business we took over the other year, I'm assuming as a start I need to get them out of storage and go through them to see exactly what is in there (there won't be current client files, but we have to keep old stuff for six years). Does it all need to be digitised (and properly referenced)?

Also, for the charity, I have a couple of discs of scanned Gift Aid declarations which I understand HMRC want us to keep forever. What do I need to do with those? Do I need to separate them out into current donations and old donations?

I should be able to get some professional body training once they sort some out, but can someone give me an idiot's guide as to what I should be doing with the examples above? I've looked at the ICO guidance, and it doesn't really tell me specifically what I need to be looking at. I'm thinking we need a list of what info we hold, in what database(s)/files/boxes, and we need a policy of when to remove what bits of info? Also amend engagement terms to say what we do with info and why (like we need to keep records for six years etc?).

Is an email address counted as personal information as well? So if a client leaves, do I need to remove their email address from my address book? What about DH's massive contacts list, one of his skills is putting people together, and some of his contacts aren't used for years, but then someone will need something.

Or have I got the wrong end of what this is all about (quite likely, I'm a bit brain foggy these days)?

Fekko · 06/01/2018 17:25

It’s an absolute hit isn’t it? Every time I read legislation I see something else I’ve missed or misinterpreted.

I have booked onto some free seminars via eventbrite and warned work that we will have a shit load fewer names on the database after 25 May!

I have started adding notes to emails and comms along the lines of ‘if you don’t opt in then you will miss out on x,y,z...’ with links to online opt in forms, to get people used to the idea that they won’t hear about special offers, deals, news, freebies etc.

The problem will be making sure that the database is kept clean!

TalkinPeace · 06/01/2018 17:34

Myvisions
Anything you are required to keep for other reasons eg tax law, that is your reason for keeping it.

My business is tax accounting : I am therefore required to hold LOTS of information about my clients for seven years
and for seven years after they stop being my clients
they therefore cannot request that I delete it
but I have to be able to prove what I have and why.

DH does his marketing emails using MailChimp and it appears that their opt in / opt out boxes have already been updated to be compliant

One of my colleagues has taken to screenshotting the ICO website as they change the guidance almost every day on some topics

Fekko · 06/01/2018 17:36

The safest marketing lists have double verification - MailChimp do this.

PinaColadaSong · 06/01/2018 20:51

I did the one day course with these guys and the person who has been designated our DPO did the 5 day certification, they were really good

https://www.itgovernance.co.uk/gdpr-training?gclid=EAIaIQobChMI5vHRoJvE2AIVCTwbCh1Fag9zEAAYAyAAEgLuLDD_BwE

shhhfastasleep · 06/01/2018 20:59

Thing is, a lot of GDPR is stuff you should be doing already under existing data protection law.

TalkinPeace · 06/01/2018 21:09

Yup,
And those who most need to know have the furthest to go.

Tipsntoes · 06/01/2018 21:24

My prediction is that just like Y2K it's going to turn out to be a big fuss over nothing much and also just like Y2K, there are a lot of people with a vested interest in making it more complicated than it is.

There are an awful lot of people making money out of this with their scaremongering but realistically those huge fines are going to be for companies who willfully and deliberately failed to comply, not people who tried but didn't get it quite right. Also, there aren't going to be "inspections", investigations will only happen where there is a complaint that brings a breach to light, just as they do now.

This is the most helpful thing I've found

ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

Bridechilla · 06/01/2018 22:19

Hmmm, I disagree with the Y2K parallel... it's not an end of the world hysteria, it's not a technical fault. This is a very real, human issue that is far-far more important. It's about consumers/users having control and ownership of their personal data and companies being held responsible.

I do get where the parallel comes from, there's a lot of panic around fines and I don't think everyone is going to be slapped with £££ if they're found to not be fully compliant. As long as they're showing willingness and progression to change, I truly think that'll be enough. I mean, they've not actually finalised the bloody thing themselves yet, it's just not as simple as one size fits all!

Surely, is it not only a good thing that when a company mistreats or fucks up with the personal data they are then held responsible? You wouldn't leave your workplace unlocked overnight, you wouldn't trick people into entering and you definitely wouldn't let any old sod rummage through your drawers!

The only thing GDPR is highlighting is the incompetencies and flawed existing set-ups that an archaic legacy of policies have allowed companies to get away with for decades.

It'll be a butt load of work, but it feels really positive IMO.

TalkinPeace · 07/01/2018 14:09

The fines do not worry me - there will be a shed load of case law before they really kick in.

It's the lack of scalability in the compliance that bugs me.

How is a sole trader supposed to have two separate people handling sensitive data ?????

MaudlinMews · 10/01/2018 23:57

Lurking with intent. I've been looking at this for months now and I still think it's unclear. That ICO website & 12 steps is too vague. It needs to say ‘in marketing, do a b and c. In IT, do x y & z.’ All this ‘perhaps you should’ and ‘it may be that’ bollocks is irritating. Can you tell I’m cross? Grin

shhhfastasleep · 11/01/2018 05:57

Doubt the ICO website would ever have something bespoke for you. The whole point, at this stage, is to make efforts to update compliant practices you should already have.
Anyone going "shock horror" over this probably didn't have compliant practices in the first place.

Alarae · 19/01/2018 21:00

Just lurking on this post since as of today I have been appointed the person responsible for GDPR compliance for my tax department! Hilariously I am the most junior colleague there, but always up to learn something new (and it gives another reason to ask for a pay rise after qualification in July).

I will make a start on the ICO website and expand into some other suggestions made here.

lostinblankers · 19/01/2018 21:46

Take it steady. Don't be freaked out. And damn well ask for a pay rise!

BushyTailedPony · 12/02/2018 20:43

How's progress going for everyone?
I work in HR for a public sector organisation and got landed with implementation of this having had little exposure previously. Steep learning curve - have done loads of webinars and free training. The organisation is just getting going now with ext project team running the show. However I think I know more about GDPR than they do - if I ask a question they direct me to ICO website!!
The requirement to check third parties is a real burden and we really need better technology in place than we do to help compliance.

gussyfinknottle · 12/02/2018 22:23

Thing is, you were always supposed to check third parties. It's just spelling that out a bit more explicitly.

Catatlarge · 12/02/2018 22:27

I've had to attend two sessions last week.
They were death by PowerPoint. But they were actually very useful.
Our legal team assessed which depts to work on first. We’ve got questionnaires about how/when/where we currently process data and the specific processes or decisions in collecting it etc. And then how these might change.

ImNotWhoYouThinkIAmOhNo · 14/02/2018 20:51

Curious to know which departments (in larger organisations) are promoting / encouraging compliance and spreading the word? Is it IT, is it legal, is it HR / Marketing /something else?

In ours central IT are running info sessions, and our parent dept's IT dept is doing info sessions also. When I asked our on-site IT guy his shoulders visibly sloped as he answered 'it's driven by business need, IT won't tell you what you need to do, people need to make themselves aware'. Thanks mate - I no longer feel bad bypassing him to get advice from elsewhere in the organisation. In fact, I see a gap I could fill.