Preparation for the GDPR (#11 of 12)

[Lauren]

Following on from a forum question I thought it might be helpful to go through some of the issues that you might need to take into consideration in preparation for the GDPR that comes into effect next year.
I have been using this document as the basis of this piece: Preparing for the General Data Protection Regulation (GDPR). 12 steps to take now [ ICO. V.20 201700525]
Thing you need to know:
•    GDPR stands for: General Data Protection Regulation
•    The new regulation comes into effect from 25th May 2018
•    Much of it is the same as the current Data Protection Act requirements - however some things are different, and you need to know about them!
Something you need to do first: Work out who in your team will be able to help make sure you're compliant. It's probably good to have at least a couple of you working together so you can help each other out. 

This is what early years settings might like to think about in preparation. 
•    Use the '12 steps to take now' document to audit what they already do to meet data protection requirements. 
•    Use the audit sheet to document the audit process
•    Collate details from 'To Do' list - make action plan 
•    Complete action plan!

This is #11 of 12 threads which will help you think about what you need to do to be ready for 25th May and is about data protection officers.

Data Protection Officer (DPO)

Under GDPR lots of companies now need to have a data protection officer. The DPO’s role is essentially to advise the company on data protection obligations, check that they are complying with GDPR (and tell the ICO if they’re not), and be the contact point with the ICO if they need to be in touch with them at any point.

There are some cases where having a DPO is an actual legal requirement. Every company that processes data can choose to have one, but it’s not always necessary and you may decide that you don't formally want to nominate one. 

You do have to have one if you’re a:

-        Public authority or body

-        Systematically monitoring individuals on a large scale

-        Processing special categories of data or data relating to criminal convictions and offence on a large scare

In reality, we think it’s unlikely that any of those things will apply to anyone reading this (although large scale isn’t actually defined so it’s open to interpretation), but if you don’t think you can justify your reasons not to have one, or you can but you want one anyway, the first thing to think about is whether your LA might have one that you can use. If not, it’s worth knowing that your DPO can have other tasks in the organisation, as long as they wouldn’t result in a conflict in interest. So the owner couldn’t be your DPO for example, because they’re the one coming up with the data protection policies and wouldn’t be likely to whistle blow on themselves if they’re not complying. They do need to be able to do the things mentioned in this first paragraph though and have expert knowledge of data protection law, so you might want to consider sharing one with other local settings.

If you do appoint a DPO, you'll need to make their contact details easily accessible to those who might need it e.g. the people who's data you're processing. If you have a website, that might be a good place to put them. You'll also need to tell the ICO. 

If you’d like to know a bit more about it you can find some guidance here and here. 

Edited April 18, 2018 by Lauren

[AnonyMouse_81276]

Hi!

Is there a "Preparation for the GDPR (#12 of 12)" concerning cross-border processing?

I can't find it! Thanks

[Lauren]

Sorry, I am writing it, but it's not quite ready yet! It should be out this week though :). 

[AnonyMouse_37007]

You are an absolute star! 

[AnonyMouse_81276]

Thanks Lauren!