If you are currently working in IT in the lead-up to the GDPR implementation date (25 May 2018), you were probably trying to decipher the huge volume of data available on how to be GDPR compliant. I had already spent the year prior quietly reading and trying to absorb the thousands of free (!!!) GDPR resources online, and I was becoming increasingly disillusioned at the reams of conflicting advice that seemed to emerge each day. More so because colleagues and customers alike were looking at me to advise them on the best way forward.
As GDPR day came ever closer, I discovered that “IT Governance”, a well-known provider of risk management and compliance training, was offering a one-day “Certified” GDPR training course, just down the road from our offices in London. As it was a foundation course aimed at novices, I jumped at the chance to clarify my thoughts and gain the knowledge I needed when I was offered the chance to attend as part of our own GDPR compliance initiative.
Fast forward a few weeks and I was sitting down in a plush office in London with a room full of (mostly) IT professionals ready to start learning. It didn’t take long before I realised that “Nicky”, our trainer, really knew both the GDPR regulation and the IT industry extremely well. She obviously had a long background in IT/compliance, and she was easily able to explain each concept in a way that resonated with my own past experiences in IT.
The day was besieged by a great deal of PowerPoint; however, each slide was backed up with Nicky’s excellent explanations and examples of GDPR in action. As the day progressed I found my GDPR misconceptions being quickly erased and some genuine knowledge replacing them. Apart from the expected information on Principles, Rights of Data Subjects and the Legal Basis for processing, the most memorable takeaway was that, in addition to the headline fines of up to 2% & 4% of global turnover for infringements, individuals also have the right to extra compensation for any material and/or non-material damages resulting from a GDPR infringement. This inevitably opens the floodgates to “ambulance chasing” legal claims that will undoubtedly become a whole new area for data controllers to worry about in the future.
At the close of the day’s training I was faced with a 60-minute moderated exam comprising 40 questions. I was entirely nervous, and the questions were considerably harder than I had anticipated. However, the knowledge dump I had received earlier in the day from Nicky had given me all I needed to pass the exam, even if it required 59 minutes and plenty of head scratching.
All in all, GDPR is good for us all, and I believe it’s a necessary step in our increasingly risky online world. You can either see GDPR as a minefield to be avoided or disarmed, or as a way to have a better relationship with those who interact with your business, giving them more transparency and helping them to reduce risk.