ICO issues guidance on GDPR awareness

OutThink Product Update

The UK’s ICO has just published its GDPR self-assessment toolkit, and it starts with set of GDPR awareness related controls which we would like to detail:


The new European General Data Protection Regulation (GDPR) will be effective from May 2018 and will impose requirements for businesses globally when they process personal data of EU residents.

1.1: Awareness – Decision makers and key people in your business are aware that the law is changing to the GDPR and appreciate the impact this is likely to have. Your business has identified areas that could cause compliance problems under the GDPR and has recorded these on the organisation’s risk register. Your business is raising awareness, across the organisation of the changes that are coming.

To fulfil the above ICO comes with a series of suggestions:

It is important that decision makers and key people in your organisation are aware of the changes in the law. Your business should:

Clearly set out your business’s approach to the new GDPR legislation and assign responsibilities for managing the change;
Assess and identify areas that could cause compliance problems and record these on your business’s risk register; and
Plan for a more general awareness campaign across your business to educate staff on the changes to the current legislation and highlight how these changes will impact them.
ICO recommends formally assigning responsibility for GDPR deployment. Organizations can consider if they will assign this responsibility to a Data Protection Officer or to a GDPR Project Manager. In any case, you will need a formal high-quality project plan.

Second point resolves ambiguity on where GDPR related risks must be recorded – in the Enterprise Risk Register, and must be managed as such. A standalone GDPR risk register would be a less preferred option as creating a parallel risk governance structure that would undermine the efficiency of PII risk management process. A holistic approach to risk management should also cover GDPR.

In addition, ICO recommends a company-wide awareness campaign on GDPR related changes and their impact on existing business processes. An eLearning option would be the most efficient way to accomplish this. Here at OutThink, we have created a 5-minutes module on GDPR and for existing clients it comes at no cost. Also, if you would like to provide your staff with more insights on how they will be affected by GDPR, you can consider using our policy attestation module to make sure that your employees are aware of your Privacy Policy updates and to keep documented evidence of their acknowledgement.

And the last one, if your organizations would like to baseline its privacy practices against a recognized standard, you can consider using BS 10012:2017 Data protection. Specification for a personal information management system. It is the first standard aligned with Annex SL in the privacy area and it is an excellent tool to benchmark your GDPR maturity