Everybody is talking about GDPR. Many organizations are spending time and money to cover all aspects of the General Data Protection Regulation. Many more offer fulfillment services.
For this reason, we have gathered the information on the Web we have found most relevant – tools, training resources, and certification information in one place.
Most of the sources listed below are either free of charge or have a free option.
GDPR self-assessment tools
The official website of the UK’s Information Commissioner’s Office has prepared lots of useful information in regards to data protection and more specifically to GDPR.
They have also provided several self-assessment tests that help organizations detect the main issues related to their data protection procedures.
Upon successful completion, you are able to review a detailed analysis of every answer along with a recommendation.
Unlike most of the similar questionnaires across the Web, the UK ICO ones are free of charge:
- Controllers checklist– a questionnaire designed for the needs of the controllers
- Processors checklist – a questionnaire designed for the needs of the data processors
- Information security checklist – a questionnaire that needs to be filled out by the Information Security Team Lead
- Direct marketing checklist- a questionnaire that needs to be filled out by the Marketing Team Lead
- Records management checklist – a questionnaire related to the records management (Art. 30 from GDPR); the DPO/GDPR Owner of the organization is usually responsible for this aspect
- Data sharing and subject access checklist – a questionnaire that needs to be reviewed by the DPO / GDPR owner of the organization, along with the IT team lead and the internal ISO auditor (if any)
- CCTV checklist– a questionnaire that needs to be reviewed by the DPO / GDPR owner of the organization, along with the Security Manager (if applicable)
NB: There is a Data Protection fee applicable to all UK-based companies processing personal data. The fees may vary between £40 and £2,900. Every company can check whether they should pay a Data Protection fee by taking this free quiz published on the ICO’s official website.
Tools for keeping records of processing activities (as per Art. 30 from GDPR)
We reviewed the LogSentinel’s GDPR tool which helps organizations keep a proper tracking of all processing activities in our previous article: How to fulfill Art. 30 from GDPR (Records of processing activities)?
To summarize, this tool may help organizations comply with the GDPR by covering several areas, such as:
- Keeping records of processing activities, in line with the authorities’ best practices
- Ensuring limited access to the platform (only those who have been granted with access will be able to review the information)
- Easy integration between GDPR-related processes and logs (e.g. data breach-related processes)
- Reduced risk of record deletion/data manipulation
- Integration with data logs and other GDPR-related activities
Another option for keeping records of processing activities is using a simple spreadsheet (Google Sheets, MS Excel, etc). This option has also been reviewed in the mentioned article.
There is a free option for using the LogSentinel GDPR Tool. Sign up now and check how to comply with Art. 30
Keeping digital evidence of different events
The General Data Protection Regulation required from the businesses to request consent from their users and customers for any marketing-related activities, such as:
- Mass mailing
- Phone calls
- Advertising, etc
To be on the safe side, we recommend implementing event tracking and log management software collecting digital evidence for consent.
Such event management software is also supported by LogSentinel and can be tested for free. The log events collected by this software cannot be modified or deleted, which ensures that organizations can keep legit digital evidence. It also allows management of different GDPR-related activities in one place, such as keeping a list of processing records, receiving alerts of data breach events, and reviewing user actions in real-time.
Courses, DPO certifications, and self-education
The Internet offers thousands of options to “Get GDPR-Certified”. However, according to the DPO standards published on the Official website of the European Commission, the most relevant certification at this stage would be the one provided by:
- The International Association of Privacy Professionals (IAPP)
- Certified Information Systems Security Professional (CISSP): developed for information security professionals
- Certified Information Systems Auditor (CISA) certification: developed for information systems (IS) audit, control, and security professionals
- Certified Information Security Manager (CISM) certification: developed for persons who manage, design, oversee and/or assess an enterprise’s information security.
The guidelines also state that the possession of such certification should be considered as an asset by EU institutions/bodies when selecting their DPO.
Other sources of information and courses, which are not recognized by the EC, but are best for limited budget needs, are:
Udemy training courses
Udemy offers tens of GDPR-related courses covering different aspects – from GDPR-compliance guides to Information Security and DPO training. Some of them are free of charge. Every course can be rated by the trainees upon its completion so users can review the feedback before they enroll.
Cisco online learning programs (free InfoSec certification programs included)
InfoSec and Data Privacy Training Materials by The National Institute of Health
The National Institute of Health has prepared 60 and 90-minute training courses in relation to Data Privacy and Information security.
Even though that the Institute is US-based the training materials can be found relevant for many EU-based companies especially if their business area is healthcare-related.
Cybrary is a library of various cybersecurity materials. A simple account creation allows you to access tons of useful materials and supercharge your cybersecurity knowledge for free.
Daily Security Tips & Lessons
Many websites provide a daily tip option in exchange for an e-mail.
Useful GDPR-Related Blog Articles
The following two articles provide very useful and compressed information about the highlights of the GDPR that every organization (and their IT team) needs to know: