This week The College of Will Writing put on the first two of four General Data Protection Regulation (GDPR) Essentials courses, tutored by Gary Payne of the Gill Payne Partnership Ltd. The course is designed to outline the obligations that the GDPR imposes on individuals and organisations, as well as the rights it gives to data subjects. No doubt the day was to be filled with a lot of brand new information, covering the key changes between the Data Protection Act (DPA) and the GDPR, and whilst there was a lot of engaging discussion surrounding the changes, the repeating message for the day was simply ‘compliance’.
The GDPR is written into law and by the 25th of May 2018 you must either be compliant with it or be able to demonstrate that you are taking all the necessary steps to ensure that you will be. It won’t be as simple as becoming compliant and that’s that; it will be an ongoing process whereby you’ll re-evaluate your processes and procedures to ensure you stay compliant. The GDPR is designed to give consumers more control and more of a say in how their data is processed. There were of course mixed feelings about this in the room, because delegates realised how this would benefit them as consumers, but it became very apparent that work would need to be done to ensure that they, and their businesses, became compliant.
A clear understanding of personal data and all it encompasses formed the basis for the rest of the discussions throughout the day. This covered everything from its basic definition, to more detailed areas such as what is inside and outside the scope of the GDPR, as well as all the categories and special categories of data. Once there was a solid understanding of this, it was easier to understand how to manage it properly.
Perhaps the biggest talking point of the day was surrounding Articles 13 and 14. These articles cover what a data subject must be informed of when personal data is collected from them [13] and what a data subject must be informed of when personal data has not been collected from them [14]. This means that certain things must be made abundantly clear to the data subject at the point of data collection, including (but not limited to) who the data controller is; the lawful basis for processing; how secure the data is, etc. This applies to both Articles 13 and 14, with the only difference being that under Article 14 you must make it clear where the data subject’s personal data came from. It was suggested that the simplest way to cover both these articles, at least on first contact, is an updated Privacy Notice detailing exactly how you process personal data. You can then point people to this notice through email, as well as from relevant areas of your website.
Other aspects of the GDPR discussed were the financial penalties you could face if found to be in breach of the GDPR, as well as how to handle cross-border processing and international data transfers. It was made clear that if you intend to transfer personal data to a country outside of the EEA, you should first check whether it is on the list of ‘Adequacy Countries’ and, if not, contact the relevant Supervisory Authority (in the UK, The Information Commissioner’s Office (ICO)) to ask what the procedure would be for doing so.
The course included 5 exercises which were very helpful in gauging what we thought we understood, and then confirming with the rest of the group whether it was correct or not. We then went through 2 case studies at the end of the day, picking out all the faults we thought we could find within them. Both covered very real-world scenarios, which helped ground just how important the GDPR is for businesses and the possible implications of not being compliant.
If you would like to read more about what this course offers, or to book a place on the next available date, please visit our website: https://www.collegewillwriting.co.uk/courses/gdpr-essentials/