In 2108 I completed a course at Henley Business School under Professor Ardi Kolah to get under the bonnet of GDPR.  Brilliant course lasting 6 months with 6 tough exams to pass with 80% pass mark.  I have since conducted a GDPR review for a charity, investigated the market for outsource Data Protection Officer (DPO) services and run procurements to appoint a DPO service.

 Is it working out as intended?

Many think of GDPR as a compliance exercise whereas Henley looked at it from the point of view of business continuity that incorporates compliance.  That changes the perspective of the board and senior management team to consider the risks in a different way, e.g. what would be the impact on the business if we were forced to stop processing data by the Regulator?

GDPR is still a hot issue and should be on every board agenda and included under a governance review.  As the Data Protection Authorities (DPAs) exit the bedding-in grace period expect a harsher regulatory regime and fines to increase.

So, one year on here is a state of the nation infographic by IAPP.

There is also a report at https://iapp.org/news/a/study-an-estimated-500k-organizations-have-registered-dpos-across-europe/

What did you just say?

In a random conversation exchange it was spoken: ‘A charity that has had a data breach may choose not to report it for fear of harming its reputation and losing donor support’.  I was shocked!  This thinking will only further harm the reputation of the charity sector.

If there is potential harm to those data subjects, as a result of a data breach that you as a Data Controller or Data Processor has responsibility for, then YOU MUST report it to your DPA within 72 hours of it coming to your attention.  Your reputation or financial position is no reason not to report a notifiable incident and will only result in much heavier fines when this later comes to light.

Europe lead the world in regulation that protects the rights of citizens – you need to be aware of what they are: