2 December 2017
GDPR Top Tips
Following a series of data protection – GDPR training sessions for schools, charities and museums this month, here are my top tips.
Top Tip #1: Avoid scare-mongering about GDPR. It's a step up from current data protection laws, and there is no magic bullet. GDPR is about embedding long-term, systematic “privacy by design” processes and policies within organisations. There is no ICT system that solves it!
Top Tip #2: You can bring together your external compliance obligations in one place. For example, your privacy notice should clearly state why you are collecting personal data, and so on. It can be published online alongside your copyright notice, which explains your position on copyright and states what visitors to your website can do with your content.
Top Tip #3: Being compliant with data protection law falls within schools', colleges' and universities' broader safeguarding responsibilities.
Top Tip #4: Data Protection laws apply to print and digital forms of personal data. Know what you have, why and where it is stored. Decide if you should keep it or not, and if so, make sure you plan how you keep it safe.
Top Tip #5: If you can't find a legal justification for processing personal data, delete or destroy it. Otherwise it's your risk.
Top Tip #6: The new data protection laws are a great opportunity to spring clean your personal data and/or reconnect with the people whose personal data you hold.
Top Tip #7: Make sure you understand your obligations as a Data Controller when others are processing personal data on your behalf. Always ensure you have robust contractual agreements in place between you and your data processors.
Top Tip #8: Think holistically about how you can embed “privacy by design” into everything you do. Your existing policies, such as those on social media, ICT and HR, can usefully be amended to cover your new GDPR obligations.
Top Tip #9: Embed clear guidance about data protection into staff awareness and engagement. It's everyone's responsibility.
Top Tip #10: Map out your next steps to become compliant with GDPR in an action plan made up of short-, medium- and long-term actions, and who will take each of them forward. You won't be able to do everything at once, but you can start your journey sensibly whilst committing to long-term organisational change.
The contents of this blog post can be shared and re-used under the terms of a Creative Commons Attribution Share Alike Licence http://www.creativecommons.org