New GDPR Health Check Service Launched!


Act Now is pleased to announce the launch of its GDPR health check service.

GDPR represents the biggest change to the European data protection regime in 20 years. It will take effect on 25th May 2018 and the Information Commissioner’s Office (ICO) has already confirmed that there will be no grace period after that date.

Now is the time to get your GDPR house in order. There are many practical steps that can be taken quite easily. Some sectors are getting there; a recent report by the ICO shows that local government is trying its best but there is more to do.

For those who have started (and may have stalled) or need a customised GDPR action plan, our experts are on hand. Our GDPR health check service will provide your organisation with:

  • A preliminary assessment of your current level of preparedness for GDPR;
  • A prioritised and specific compliance action plan;
  • Pointers to guidance, models and good practice resources relevant to your needs.

If required, we can also discuss how Act Now can assist you with implementation, through our acclaimed training offers or expert consultancy support.

Act Now has a proven track record in this area. We have undertaken many data protection consultancy projects in the last few years. In 2016 we won a contract to deliver consultancy services to a major organisation in the regulatory sector.

Our reputation is international. In 2015 Ibrahim Hasan and Paul Gibbons delivered data protection audit training to the Government of Brunei and our forthcoming GDPR Practitioner Certificate course in London has delegates from Spain and the USA!

Feel free to get in touch to discuss your requirements.

GDPR Guidance finalised and more published


Unless you live on the planet Zog, you will be aware that the General Data Protection Regulation (GDPR) will come into force on 25th May 2018. Neither Brexit nor the recently announced General Election will have an impact on this date; GDPR is here to stay. There has been a flurry of activity from the Information Commissioner’s Office (ICO) and the Article 29 Working Party (A29WP) on the GDPR front of late.

Consent

Consent under GDPR is a thorny issue. Compare the old and the new definitions below:

Using opt out boxes and inaction as proof of individuals’ consent to processing will no longer be allowed (if indeed they ever were!). Last month the ICO launched its GDPR consent consultation. The deadline for responses has now passed but the document is still worth reading to understand how the landscape is changing.

Profiling

GDPR introduces stricter provisions to protect individuals from a type of data processing known as “profiling”. This is defined in Article 4(4):

“Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”

The GDPR gives individuals a right to know profiling is taking place and in some cases allows them to object to it or require human intervention.

The ICO’s discussion paper on this topic highlights the key areas it feels need further consideration. These include marketing, the right to object and data minimisation. The deadline for feedback is 28th April 2017. The A29WP guidelines on profiling are due to be published later this year and any feedback the ICO receives will inform that work.

Data Portability

Article 20 of GDPR gives individuals the right to receive their personal data, which they have provided to a Data Controller, in a structured, commonly used and machine-readable format, and to transmit it to another Data Controller. This is known as the right to data portability.

In December 2016, the A29WP published draft guidance on this right and a useful FAQ. The final version was published on 5th April 2017. The key themes are the same but the latest version does clarify a few points and gives better examples. Here are the two documents compared.

Data Protection Officer

Articles 37 to 39 of GDPR (Chapter IV, Section 4) introduce a statutory position of Data Protection Officer (DPO) who will have a key role in ensuring compliance with GDPR. But who exactly will need a DPO and what is his/her role? The A29WP has now produced the final version of its DPO guidance, which was published for comments in December. Here are the two documents compared. Again the main themes of the documents are the same, with some welcome clarifications in the final version.

Lead Supervisory Authority

Companies will be directly responsible for GDPR compliance wherever they are based (and not just their EU based offices) as long as they are processing the personal data of individuals in the EU. For those that have processing operations in more than one EU Member State, or where a breach affects individuals in several countries, there will be a need to identify a lead supervisory authority, which will act as the primary regulator for that cross-border processing and take the lead in investigating any breach. The A29WP has now finalised its guidance on this topic.

Data Protection Impact Assessments

Article 35 of GDPR introduces the concept of a Data Protection Impact Assessment (DPIA). In some cases Data Controllers will be required to do a DPIA in relation to one or more data processing operations. It will help them assess the necessity and proportionality of the processing and manage the risks to the rights and freedoms of natural persons resulting from it, by assessing those risks and determining the measures to address them.

Carrying out a DPIA is not mandatory for every processing operation. A DPIA is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)). In certain situations a DPIA will be mandatory (see Article 35(3)).

The A29WP is requesting comments on the data protection impact assessment guidelines it recently published. The deadline is 23rd May 2017. Even if you don’t want to comment, it’s still a useful document to read to understand what steps need to be taken to raise awareness of the DPIA process and what training will be required for those undertaking this task.

Finally, the A29WP recently published its work programme for 2016 – 2018, accompanied by a supplementary statement explaining its GDPR specific priorities. From 25th May 2018 it will be replaced by the European Data Protection Board.


Our full day workshops and new GDPR Practitioner Certificate courses are filling up fast. We also offer a GDPR health check service.
