My Department has a dedicated Data Protection Unit in place since November 2015, which has been promoting Data Protection and GDPR awareness since its inception. This Unit has been leading the preparation in advance of May 2018 and actively informing staff of their obligations under GDPR utilising our internal communications systems, circulating easy read guides, FAQs and updates via email, a poster campaign, and targeted Data Protection talks.
A GDPR project group is in place since May 2017, led by a Management Board sponsor and with representation from key stakeholders across the Department. This group meets regularly and has examined the GDPR text with a view to its implementation in this Department. The legal and IMT teams are both key partners in the work of this Project Group. A risk-based approach has been adopted and is focusing on those areas within the Department which process a high volume of personal data.
Training for all staff in the area of Data Protection has been ongoing since 2016. My Department’s Learning and Development Unit have provided courses in Data Protection and GDPR in 2016, 2017 and 2018 to date. Further Data Protection training will be provided throughout 2018. An online Data Protection package for staff is currently being examined.
GDPR preparation is also included as part of the Business Planning process in my Department.
The appointment of a Data Protection Officer is actively under consideration and it is expected that this appointment will be made shortly.
In addition, my Department has been certified for ISO 27001 (international information security standard) since 2016 for all areas involved in EU scheme payments. ISO 27001 compliance is currently being rolled out to other areas of the Department. My Department is also planning to implement a records management system to assist with its future GDPR obligations.