Something for Nothing
It’s not often that you get something for nothing. Not from consultancies at least, I hear you say. And you would be right, but consultants need to eat too. This something for nothing isn’t really ours to give away, but it might just save you some money, or better still a fine or an enforcement notice.
What is it, what is it?
It looks like the ICO website has had a bit of a revamp, subtle but there nonetheless. The home page is now a little simpler, and the guidance and tools areas relating to the GDPR and the DPA 2018 have had some major improvements. Some of these things may have been on the site for a while but were not so easy to find, so here are a few highlights to start you off.
Data Protection and Brexit
Possibly two of the most hated phrases in the English language, but important enough that you should read what the ICO have to say.
Main page here: https://ico.org.uk/for-organisations/data-protection-and-brexit/
FAQs here: https://ico.org.uk/for-organisations/data-protection-and-brexit/information-rights-and-brexit-frequently-asked-questions/
There’s a heap of other information on the main page too, including an interactive tool to help you keep data flowing between the EEA and the UK.
Assessment for Small Business Owners
One of the biggest issues with the GDPR and the DPA is how to make them understandable and palatable for small businesses. These are businesses whose IT is most likely outsourced, who don’t have data protection specialists, and who, most importantly, need to devote 100% of their time to just making money. That being said, small businesses are not exempt from data protection, and those that handle large amounts of personal data are perhaps most at risk. To help with this the ICO has provided a small business assessment tool: https://ico.org.uk/for-organisations/business/assessment-for-small-business-owners-and-sole-traders/ Completing the assessment produces a simple report telling you what you need to do. This is just one element of the Data Protection Self-Assessment Toolkit, which includes a whole suite of resources for DIY compliance: https://ico.org.uk/for-organisations/data-protection-self-assessment/
Perhaps one of the most useful resources on the ICO website, and one which you really should bookmark, is What’s New: https://ico.org.uk/for-organisations/guide-to-data-protection/whats-new/ As the name suggests, this page has all the latest information on guidance, tools and European Data Protection Board rulings, amongst other useful information.
Cool, does this mean I can do data protection all on my own?
Yes and No.
The ICO website, along with other websites offering information and advice on data protection, is just like buying a toolkit and a maintenance manual for your car. What you can do yourself is down to what you feel comfortable with and have the right tools for. So you might change a wheel, or top up the oil, maybe even change a bulb. What about spark plugs, a head gasket, or a catalytic converter? Sometimes you just need a professional, because, like car maintenance, if you get it wrong it could have serious consequences.
What we Recommend
By all means do as much as you can yourself: not only will it save you money, but you will gain an understanding of data protection and be able to take some responsibility for your business. When you reach a point where you no longer feel comfortable, talk to a professional, just like taking your car to a garage. Professionals should be able to help you with all aspects of data protection, including:
- Policies and procedures
- Website Privacy Policies
- 3rd Party Contracts
- Records of Processing
- Cyber Security
- Data Protection Officer duties
- Data Protection Impact Assessment
Unfortunately, it’s unlikely you will find a professional who will help for nothing, but it is almost certain that getting data protection right will save you money in the long run.
It is highly likely that in the medium term the ICO will introduce mandatory GDPR/DPA certification. This will be a bit like a car MOT: most organisations will need it, so even if you do nothing now, you will need to do something eventually. A bit like buying a new car, after 3 years it needs an MOT. For details about the progression towards certification see below.
The European Data Protection Board (EDPB) has adopted:
- Guidelines on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679.
- Guidelines on the accreditation of certification bodies under Article 43 of the GDPR (2016/679).
The information provided in this post is for general information only and is not intended to provide legal advice.
© GDPR Auditing 2020.