GDPR is coming but don’t panic!

GDPR General Data Protection Regulation

The General Data Protection Regulation (GDPR) will come into force in 3 weeks’ time. 25th May, though, is not a cliff edge; nor is it doomsday when the Information Commissioner will start wielding her 20 million Euro (fine) stick!

In December, the Commissioner addressed some of the myths being peddled about GDPR:

“I’ve even heard comparisons between the GDPR and the preparations for the Y2K Millennium Bug…

In the run up to 25 May 2018 there have been anxieties too, albeit on a less apocalyptic level. Things like we’ll be making early examples of organisations for minor breaches or reaching for large fines straight-away and that the new legislation is an unnecessary burden on organisations.

I want to reassure those that have GDPR preparations in train that there’s no need for a Y2K level of fear…”

There are a number of steps that you should be taking to prepare for GDPR. Remember, failure to have completed these tasks by 25th May will not lead to a 20 million Euro fine. However, to quote the Commissioner at the ICO Conference this year, “It’s important that we all understand there is no deadline. 25th May is not the end. It is the beginning.”

  1. Raising awareness about GDPR at all levels. Our GDPR e-learning course is ideal for frontline staff.
  2. Carrying out a data audit and reviewing how you address records management and information risk in your organisation.
  3. Reviewing information security policies and procedures in the light of the GDPR’s more stringent security obligations, particularly breach notification.
  4. Revising privacy policies in the light of the GDPR’s more prescriptive transparency requirements. See our policy
  5. Writing policies and procedures to deal with new and revised Data Subject rights such as Data Portability and Subject Access.
  6. Considering whether you need a Data Protection Officer and, if so, who is going to do the job. Our GDPR certificate course is ideal for new DPOs.

Done everything? Have a go at the ICO’s GDPR Self Assessment Toolkit. Read the Commissioner’s full speech here.

Please get in touch if Act Now can help with your GDPR preparations. We provide audits, health checks and can offer a gap analysis, all followed by a step by step action plan!


The school that didn’t learn its lesson.

In 2011 I received a gorgeous CD through the mail from a school. It invited me to send my children (at the time aged 30, 29 and 25) to their school (35 miles away from my house). Read the full story on the Act Now website (a Northern school). I did complain to the ICO but his decision was in favour of the school. This was my conclusion to the affair.

“A school/college with no prior relationship with me buys my name from a list broker as I am apparently rich and with junior age children (wrong on both counts) and then sends me unsolicited marketing material through the post. When I exercise my right to subject access they ignore it for two and a half weeks then fail to give me what I ask for because they don’t know from where they obtained my personal data.

The ICO when asked to look into the case decides the college did nothing wrong.

Moral – keep bad records, mail who you like even those with no relevance to your product, fail to respond to individuals exercising their right to access promptly and you’ll be fine rather than fined.”

I put it down to experience never expecting to hear from the school again but today they emailed me. Despite me reporting them to the ICO and an investigation taking place and their promise to delete my name and address from their database they emailed me with an offer I couldn’t refuse.

I will complain again. This time I have PECR on my side as they have strayed into electronic marketing as well as basic section 11 stuff. The school is also now a serial offender. Will the ICO listen, take action or will I get a similar response 5 months after I complain? See you around Xmas time.

It’s time to name and shame Queen Ethelburgas. Look out for the information notice.

It gets worse. I chose to report the message as spam as they invited me to. Here’s the screenshot of their procedure. Only a few errors in spelling and punctuation.


Playground Duty

Teaching? A mug’s game. The (mythical) long holidays, the (mythical) 3-30 finish, the (mythical) relaxed and friendly environment as you helped the enthusiastic next generation prepare for adult life…

Playground duty was the bane of my life when I was a teacher. Once a week you had to forgo the 15 minutes of peace in the staff room and that warm cup of coffee and patrol the school playground, breaking up fights, solving Rubik’s cubes and avoiding being caught by those awful children’s jokes (If a bottle of medicine cures a cough what does half a bottle of medicine cure?).

So on a recent training session for schools in a northern council we talked to the delegates – mostly Headteachers – about the Publication scheme. We looked at the definition document listing the material the ICO recommended schools to pro-actively publish, we gave them the two common sense Act Now solutions (1. find all the relevant documents and put a paper copy of them in a ring binder in the school office then photocopy on demand or 2. turn them into PDFs and put them on the website so people can download what they want).

After considering all this and thinking for a moment or two one of the delegates (a headteacher no less) said, “I don’t think we’ll bother with this. It’d take too long.”

What’s the punishment for forgetting to do playground duty?

Opprobrium, embarrassment, ridicule, double duty next week.

What’s the punishment for failing to carry out a duty under section 19 of the Freedom of Information Act for seven and a half years?

Over to you….

(The answer is 50% of a cough. Whatever you do don’t say half a cough).

Marion. The FOI exemption for schools.

We delivered some training today to a school in the north – we have a briefing for schools covering DP & FOI in a half day – and as usual prior to the training we did some research which included making a FOI request to the school. Right at the very end of the afternoon after the case studies and the questions the trainer asked if the school had received any FOI requests in the last 7 years. The head teacher sitting bravely on the front row shook his head. Others chimed in and consensus was milliseconds away when the trainer showed on the screen the screen grab of the request that had been made by email 19 days ago using the school’s contact us page.

Silence and almost simultaneously darkness fell.

“Looks like a request to me,” intoned the trainer, “it’s asked for a biography of the Headteacher and details of his reimbursement package for the last financial year.”

Then Marion the school secretary who’d been sitting at the back spoke. “I might have seen that one,” she chirped, “but I delete anything that looks dodgy.”

“What’s dodgy?” ventured the trainer.

“The name, the email address – I don’t allow Hotmail ever,” replied the determined administrator.

The trainer tested out a few requests that he knew had been sent to schools in general – the knife incident request, “deleted that”, the CRB question, “deleted that”, and the realisation that Marion had set up a foiwall that had yet to be penetrated settled on the room.

Add in the lack of publication scheme, lack of privacy policy and lack of training and it’s clear there’s a lot of work to do in schools. We have a range of services from an online session to a full day in school with audit, policy work & training. See our website.

Marion is of course a pseudonym. Her real name was Margery.
