Just prior to Christmas the Information Commissioner, Elizabeth Denham, published her last blog of 2017. In it, claims that the ICO would be “making early examples of organisations for minor breaches or reaching for large fines straight-away and that the new legislation is an unnecessary burden on organisations” were refuted as being “rooted in scaremongering because of misconceptions or in a bid to sell ‘off the shelf’ GDPR solutions.” The Information Commissioner goes on to say that although 25th May 2018 is the date the legislation takes effect, it does not end there, unlike the Y2K Millennium Bug (for those of you that remember that scare!). GDPR will, in fact, be an evolutionary process for organisations, and they will be expected to continue identifying and addressing emerging privacy and security risks in the weeks, months and years to come.

That said, the ICO states there will be no ‘grace’ period, as there have been two years to prepare, and they will commence regulating from 25th May. They do, however, pride themselves on being a fair and proportionate regulator and intend to continue to be so beyond the inception of GDPR. Therefore, those who self-report, engage with the ICO to resolve issues and demonstrate effective accountability can expect this to be considered before any regulatory action is taken.

Your organisation should already be putting the ICO’s key building blocks below in place to ensure it implements responsible data practices. They are:

- Organisational commitment – Preparation and compliance must be cross-organisational, starting with a commitment at board level. There needs to be a culture of transparency and accountability as to how you use personal data, recognising that the public has a right to know what’s happening with their information.
- Understand the information you have – Document what personal data you hold, where it came from and who you share it with. This will involve reviewing your contracts with third-party processors to ensure they’re fit for GDPR.
- Implement accountability measures – Including appointing a data protection officer if necessary, considering lawful bases, reviewing privacy notices, designing and testing a data breach incident procedure that works for you, and thinking about what new projects in the coming year could need a Data Protection Impact Assessment.
- Ensure appropriate security – You’ll need continual rigour in identifying and taking appropriate steps to address security vulnerabilities and cyber risks.
- Train staff – Staff are your best defence and greatest potential weakness; regular and refresher training is a must.

Much of the GDPR builds on the existing Data Protection Act 1998, and there is a lot of guidance already, such as the ICO’s Guide to the GDPR. The ICO recognises that small organisations, like golf clubs, have particular challenges and has a web page dedicated to helping them. That said, there are still a few issues where the guidelines and advice are lacking that will be of particular relevance to golf clubs. The first one is consent, where only draft guidance is...