
GDPR - training!

193 replies

Fekko · 06/09/2017 07:28

Does anyone know of any decent courses to get to grips with this? I've read up on it but still have questions.

gussyfinknottle · 14/02/2018 21:17

ImNot, there's going to be a fair bit of noise about it when it comes in, some reactive panic too. Good idea to be a go-to person. [grin]

Catatlarge · 15/02/2018 00:03

Legal dept dealing with it here. Worldwide manufacturing company.
They started with the marketing/accounts/customer service depts first. And then other depts attended some training which then raised some issues and they now how to complete the tasks.

Catatlarge · 15/02/2018 00:04

As for ‘people need to make themselves aware’ this is all well and good... but it won’t be the individual paying millions of pounds in fines will it!

PatsysPyjamas · 15/02/2018 08:54

Does anyone have any guidance on use of photography in terms of GDPR? I am thinking of people's right to be forgotten and how that must mean they can ask us to delete any photos of them. We have lots of unlabelled photos, which we had consent to take originally (and should still have consent forms), but as they are unlabelled we won't have the trail to prove it [sad]

judgejudyandexecutioner · 15/02/2018 09:02

How about GDPR and schools?

ImNotWhoYouThinkIAmOhNo · 18/02/2018 21:58

Well, guess who's in charge of GDPR compliance now [smile]

Patsy I am also hoping to get clarification about the use and storage of photos, and videos. Based on my very limited reading so far, I think they are treated the same as any other identifying data, ie you need to have obtained consent to store and use them. Hoping someone else who is further along this journey than me can point us in the right direction!

DumbleDee · 25/02/2018 16:25

I have attended a number of courses and learned a lot less than what's already available on the Information Commissioner's website. Start there. It's become a whole "Industry" when it didn't need to.

poshme · 25/02/2018 16:52

Shameless place marking to read later.

ParadiseCity · 06/03/2018 17:00

Bump, how is everyone getting on?

Chocolala · 06/03/2018 17:09

Ahem.

Just wanted to highlight the need to avoid using consent as your legal basis for processing. Look to the other options first.

Marketing still needs consent under PECR for electronic messaging though, of course.

ElanorGamgee · 06/03/2018 17:11

Me too Dumbledee. I have been issued with a sector specific toolkit which is 200 pages long. I haven’t got time to read it let alone implement it!

ParadiseCity · 06/03/2018 17:37

Chocolala I agree wholeheartedly. The more work I've done the less it turns out we need to repermission people. Which is good [smile]

Auntpetunia2015 · 08/03/2018 21:28

This is currently my headache working in a school office and so far only person who has been on a course is our head who doesn’t seem to have any handle on this but keeps saying Petunia that’s another thing you need to look into?!! Me why me ? Not liking the sound of it at all.

gussyfinknottle · 08/03/2018 21:34

New stuff for small businesses on Information Commissioner website today.

C8H10N4O2 · 08/03/2018 22:12

Most large companies (should) have had their programmes around GDPR in progress for at least a year now. Are you a small/medium size org?

Regarding training - well it depends on what your role is. Specific training on how to respond to a SAR or RTBF (which doesn't have to be justified) or in Data Privacy or Security or an industry sector specialisation? There is training available in all these areas. Some of it is actually useful.

Certifications may not help you do your job. Even the BCS is not cheap or widely recognised although a useful basic framework.

"I'm dealing with databases that are not user friendly and I'm going to have to do all the data capture manually."

What do you call large or unfriendly? If all the data capture is manual I'm guessing you are a small org with little technical help available?

The rules don't only apply to structured (database) stores. Data held in emails, random files, backups, recordings of phone conversations, video recordings (eg cctv) is all in scope. It also includes test data which may need anonymising or pseudonymising (HMRC have indicated the latter for financial records).

"Sending out a mailer to ask for opt ins is likely to get a 30% open rate if we are lucky. How can we get around this?"

That isn't really the point - you should be aiming for compliance. Your approach of "opt in or you will miss out" is the right mindset, "fail to check box 194 in invisible ink and we keep your data" is the wrong mindset.

As well as the ICO you will find useful free information and guidelines at:

gdpr-info.eu

Some organisations are opening up their process and frameworks for free reference eg:
www.nymity.com/gdpr-toolkit.aspx

Most big consultancies have a large amount of info including toolkits and guidelines for free as do vendors. Big 6 will be vendor agnostic typically, vendors obviously have a bias to their own products.

@amaliaa mentioned charities and very small orgs.

Most big consulting firms have sizeable pro bono groups who will offer ad hoc advice/support to registered charities or small NFPs. It's worth asking.

If you have a volunteer who works in 'Big' consulting, or has a family member so doing, then ask them to find out. If not look for charities pages on Big4/6 websites - they don't only help large charities. As well as advisory help they will often share additional content on a no-liability basis which could be useful to get started.

HeyPesto55 · 09/03/2018 18:08

GDPR project manager here. Been on a programme in a large FS firm for 15 months (I'll be so pleased when it's the end of May!)

I would echo some of the earlier posts around fines and the unlikelihood that the regulator will go in big from Day 1, but you need to demonstrate a roadmap to compliance. And to do that, you need to analyze where you are currently. So at a very high level...

  • What is the legal basis for processing personal data? Do you need consent?
  • Do you tell your customers what you are going to do with their data?
  • Do you know where you hold this data, what it is and where it comes in and goes out?
  • Do you know what controls are in place to keep that data secure?
  • Do you have the right processes in place to fulfill subjects' rights? For example, 'I'd like you to delete all my data.'
  • Do you have a good breach management system?
  • What does your risk and control framework look like?
  • Do you have (GDPR) contracts in place with those 3rd parties you share personal data with?

Some good links above. Good luck everyone ;-)

Icklepickle101 · 09/03/2018 18:11

Haven’t RTFT and it is quite old so may not be relevant but I did a really good one day course with IT governance (was meant to do the week but was a bit in depth for me so sent my boss instead!) [grin]

h0rsewithn0name · 09/03/2018 18:27

I'm 'enjoying' being the lead for this at our multi academy trust. I would say that it's a 10-rung ladder and I'm on rung number 5. It feels like a huge achievement to me.

I'm on an optimus course in London soon - the first one I went on was excellent for schools.

leghairdontcare · 09/03/2018 18:37

My college has just realised that GDPR exists so I'm placemarking to read at work next week.

Clarissalarissa · 09/03/2018 20:01

Does anyone know of any precedents that can easily be found online? For instance, someone who has already produced a privacy notice or policy which is online?

PickleFish · 09/03/2018 20:23

I've only become aware of this recently too, and am scared about what this means. It seems overkill for my kind of work, but lots of private tutors, music teachers, etc in my area are trying to figure out what we need to do to comply - whether we need to register, what kind of policy is needed, how we have to store things. And it's nothing more than names, emails, and phone numbers, plus a record of who has paid or not - of people who have contacted us first. But it sounds like a massive hassle. And what's this about it being wrong to email people to get permission to keep their data? That seems about the only workable solution for it! I really don't understand what to do or how. I can't get rid of my physical contact book with names and addresses, surely. My computer is password protected, as is my phone.
I'm scared of these million pound fines I hear about for people who do things wrong.
Guidance is supposed to be coming from professional bodies of things like music teachers, tutors, private instructors etc, but nobody actually seems to know what/if we have to do anything.

gussyfinknottle · 09/03/2018 21:07

Go on the Information Commissioner website. There's new stuff for SMEs.
If you are in business of any kind, I hate to say it but this is not brand new stuff. It's updated old stuff.

Bakedappleflavour · 09/03/2018 21:19

Place marking. I'm the admin person for a very small charity and tbh am struggling to find any straightforward info about how this affects us or what we need to be doing.

BrieAndChilli · 09/03/2018 21:23

I’ve got to look into GDPR from 2 different angles!!!!😱

Work wise although we don’t deal with the public much, we are business2business

And then I have to look into it as I am on the exec committee for the scout group.

Clarissalarissa · 09/03/2018 21:27

We're a new very small business and don't have any stuff yet. I can't find any actual precedents on the ICO website - just lists about stuff that needs to be done. Surely it would make sense for them to produce a couple of versions of precedent documents for people, especially small businesses, to use as a starting point. How does it make sense for eg every childminder in the country to have to get their heads around this and draft multiple documents?