2040 vision

The turn of the year is always an opportunity to make resolutions in your personal or professional life, but it’s hardly a revelation to observe that such aspirations often evaporate. The easy option presents itself, and the temptation to take it is difficult to resist. For many years, I have claimed to be a “freelancer” but in fact, although I’ve been doing my own thing since 2008, quite a lot of my work has come from Act Now Training. Every year, I tell myself that this is the year that I will cut the apron strings completely and strike out on my own, and every year, I don’t quite get there. I’ve done some fascinating work for a variety of people, but I haven’t found enough of it myself.

2018 was already shaping up to be an interesting year, given that the much-hyped General Data Protection Regulation will finally be enforceable, and we will find out whether the apocalyptic predictions of The Certified will come to pass (SPOILER: they won’t). Reader, that isn’t interesting enough for me. Much as I am grateful to Act Now for offering me my first training course in 2005, and for all the opportunities they’ve given me since, all good things must come to an end. I had to turn down all sorts of opportunities in 2017 because of all the courses I was running, and there are a number of things I’ve always wanted to do, but simply didn’t have the time. So from March 1st, if you want to be trained by me, or use my services, it’s 2040 Training or bust.

A couple of announcements in this context:


I am running some public courses with a practical, procedure based approach in London and Manchester. The first is a ‘GDPR SOS‘ course for those bodies large and small who either haven’t prepared for GDPR’s live incarnation, or don’t know whether they have got what they might need in place. It’s commonplace in the Data Protection world to sneer at those who haven’t thrown themselves into a compliance frenzy, but rather than brag about putting up my daily rate (which some LinkedIn GDPR bods have said they would do in 2018), I thought I would put on a no-nonsense, plain English guide for those who want to get up to speed. The first courses run at the end of March, and you can find out more about them here: http://2040training.co.uk/gdprcourses/

Following on from the SOS course, I hope to be running a detailed practical course on the GDPR rights in April and May, taking into account guidance from the ICO, the Article 29 Working Party, the DP Bill / Act, and of course, the many cases and examples that we’ve already got from 20 years of Data Protection. There will also be a course on PECR and Direct Marketing.

These courses will not be ‘Article or Section X says Y’ but will be based on real-life cases and scenarios. Both, and a range of other options, are of course available in house, and everything else that I can do for you is listed on my website, a link for which is above.


I wrote two free guides in 2017, one on fundraising and Data Protection, the other on choosing a DPO as a service. The feedback on both has generally been very positive, apart from the DPO as a service people who didn’t like reading that experience  is an essential part of being someone’s expert. It is. Live with it.

First, I am updating the fundraising guide to make it solely about GDPR and the DP Bill to the extent that this is possible. I want to complete this soon, so if any fundraisers have any specific questions about GDPR that you’d like to see answered, especially if you read the original and know the kind of questions I featured next time around, let me know but quickly!

Send any questions, as soon as you can, to: fundraising@2040training.co.uk

Second, I will be writing a guide for GDPR and Councillors – a simple guide to Data Protection as it relates to the role of a local elected politician. It’s not going to cover what councils do, but the way in which a councillor operates their office, deals with constituents and how they store data. Once again, any questions or concerns about this area from Councillors and those who work for or with them would be very welcome. I hope to get this finished by the end of February, so any questions or comments that you can send before then would be more than welcome.

Send any questions (preferably before 20th Feb) to: councillors@2040training.co.uk

Both the updated Fundraising guide and the Councillor guide will be free and available to download from my website.

After these two are done, I will be working on a number of other guides including the use of violence warning markers under GDPR, and no matter how unpopular this will make me, a free guide for individuals who want to use their Data Protection rights. If you have thoughts or comments about this, please let me know.


Seriously, I’m available. More here: www.2040training.co.uk.

The Naked Truth

The story of Damian Green’s porn-clogged computer has several facets, with a surprising number of them related to data protection. Whether it was a breach for former Deputy Commissioner Bob Quick to reveal that there was porn on the computer is hard to say for certain – I think Quick has a journalistic defence in revealing hypocrisy given that the Government is current waging a moralistic war on adult websites, but you are welcome to disagree. The fact that Quick has form for revealing information that he shouldn’t have only adds spice to the mix.

The question of why Green’s other accuser Neil Lewis still has his police notebooks raises more serious questions. Did he keep them without authorisation from the Met? If he did, this could be a criminal offence under Data Protection’s Section 55 for which Lewis would be liable. Did the Met Police fail to recover them properly? This would be a serious breach of the seventh data protection principle, for which the Met should expect to answer. In any case, I have to agree with those who say that public servants should respect confidences even after they leave the service. Sensitive material should never be retained by former officers of any organisation. I know my reaction to the story is clouded by the entertaining spectacle of seeing a politician caught with his pants down, or at least, unzipped. The question of how the story came to light needs to be interrogated.

Green’s use of the Shaggy Defence to claim that he knows nothing about the porn begs more questions. If he didn’t download it, this means that someone else did (none of the Tories defending him seem to claim that it doesn’t exist). Part of Green’s outrage when his office was raided in 2008 was the threat to the sanctity of Parliamentary Privilege and the confidentiality due to his constituents. In the light of this, Green needs to explain how it was possible for someone else to download porn onto his computer. The best case scenario for him is that this was the result of malware, rather than someone else being able to log into his computer without his knowledge. Of course, malware infecting an MP’s computer is a story in itself. Regardless of whether this story should be in the public domain, we can’t be expected to ignore it now. As someone who processes highly sensitive data about his constituents (as well as possibly other sensitive information), at some point Green has to explain who had access to his computer and what they were doing downloading porn. Or he has to admit that it was him.

I don’t know what, if anything, Green is guilty of, but his fellow Tory Nadine Dorries’ spectacular contribution on Saturday doesn’t allow for any ambiguity. The MP for Mid Bedfordshire has a habit of deleting tweets when she (or someone else running her account) realises how stupid they make her look, so I have screengrabbed this one and I reproduce it in full here:

My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous !!

UPDATE: There’s more:

All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, ‘what is the password?

ANOTHER UPDATE: Robert Syms MP is at it as well

As a constituency MP, Dorries will be handling sensitive correspondence on a wide variety of matters, and she has publicly confirmed that access to information is open to a wide variety of people, including interns on exchange programmes. To this, there is no defence. The seventh data protection principle states that a data controller must have in place appropriate technical and organisational security measures to prevent “unauthorised or unlawful processing of personal data, and against accidental loss of or destruction of or damage to personal data“. This means a mix of technical measures like passwords and encryption and organisational measures like ensuring that passwords are not shared or written down. Dorries has confirmed she has authorised password sharing in her office – which is bad enough in itself because it means passwords are spoken aloud or written down, greatly increasing the chance of the password being known to someone nefarious. But worse than that, she says specifically that a wide group of people share her login. There is no way of knowing who has accessed what, because even if the intern has done it, it looks like Nadine was the person responsible.

The only way that Dorries has not admitted a clear breach of Data Protection’s security principle is if she (or whoever wrote the tweet) is lying in order to defend Green,  which is quite the stupidest thing I can imagine.

There are several possible breaches here – Quick’s original revelations about Green, Lewis’ retention of his notebooks / the Met’s failure to recover them when he left, Green’s insecure computer equipment and Dorries’ admission of her completely lax security. While Quick and Green’s problems are somewhat murky, Lewis / Met Police and Dorries present much more straightforward issues for the Information Commissioner. Both should be investigated as a matter of urgency.

Given Dorries’ casual admission of the insecure way in which her office operates, a much wider investigation might be required. Elizabeth Denham has put huge resources into investigating the possibility of political use of analytics and big data in an unlawful way, even though it’s hard to imagine anything coming of it. On the other hand, here we have a sitting MP openly admitting that constituents’ data is unsafe – how many more of Dorries’ colleagues operate in a similarly unlawful fashion? I cannot complain to the ICO about these matters, as I am not affected by them. However, the issues are serious, and Wilmslow should step in immediately. A bland press release reminding MPs to process data safely is not good enough; the ICO needs to demonstrate that Data Protection law applies to MPs just as it does to the rest of us.

Just say no

On Friday December 16th 2016, I had a routine eye test. The optician noticed swelling on the optic discs at the back of my eye, and I was dispatched to the Manchester Eye Hospital to attend their Emergency Eye Clinic. This is basically A&E for eyes, a mix of swollen eyelids, sudden blindness and people who should have just gone to an optician. I arrived at 2.45pm, and fairly quickly, I was put in the ‘people who need to be seen’ pile. However, this meant waiting for the next available doctor, and like any A&E, the wait was long.

At 5.30, having waited in a dull holding area (with the files of other patients unattended and clearly visible), I was seen by a doctor. At this point, I was bored and worried, desperate to go home but desperate to find out what was going on in my head. Swollen discs can mean all sorts of things, you see, but one of the things Google told me that they can mean is Brain Tumour.

The doctor was terrible. He examined my eyes, pulled faces, and asked lots of questions about the medical history of my family without explaining the significance of any of them. In the middle of that barrage of questions was this one: ‘Any history of tumours in your family?’. Of course, having sat there for nearly three hours with only Google Searches That Spell Imminent Death for company, this question fired out of nowhere was just perfect. After the obligatory disappearance act to consult with a more senior doctor, I was told that they wanted to scan my brain in case “God Forbid” there was a tumour in there.

I was shunted back into another holding area, then at around 7pm a very sympathetic nurse inserted a cannula into my arm so that they could put a dye into my bloodstream when scanning me (a process that never actually happened) and explained ‘We’d like to do a CT scan’. She told me where to go, and because I was evidently in a bad place mentally, made clear that if I wanted to go for a walk before the scan, that would be fine. At length (and after it became clear that the people doing the CT scan weren’t actually expecting me), I had the scan. Several hours later, they decided I had high blood pressure and I went home at 10.45pm.

Looking at the whole thing as a Data Protection professional rather than a patient, the thing that leapt out at me at the time were the boxes of paper records left unattended. During the day, the holding area I was sitting in is very busy, with at least one member of staff behind the desk able to prevent access. When I was there on the Friday evening, there were long stretches when I could have got behind the desk and read the files, and nobody would have known. It’s an open question as to whether a patient left alone with unattended medical records is a ‘personal data breach’ that would have to be reported to the Information Commissioner.

In retrospect, there is a more interesting question. Carrying out a CT scan is processing personal data – it involves the creation of a scan of the patient’s brain which is plainly sensitive personal data (under GDPR, special categories data). So, what condition did Manchester Eye Hospital have for processing my personal data, and did they provide me with adequate fair processing?

Here’s the thing: they didn’t have my consent and I suspect they think they did. They probably didn’t have Data Protection Act consent, but they definitely didn’t have GDPR standard consent. I’m sure many readers will disagree. Surely my lying down to have the scan is a “clear affirmative action”, signifying my agreement to the processing?

Well, it’s not that simple. First, there is the lack of fair and transparent processing. I was told why they wanted to do the scan, but I wasn’t told who would get access to it (which in today’s NHS could be Google), how long it would be kept for, what legal basis they were relying on and so on. Even if the DPA doesn’t demand this now, it’s hard to argue that the processing would be fair unless I was told these things. Moreover, without any fair processing, any consent I gave would not be informed and specific.

The second problem is that my consent was not freely given. I was tired after hours of sitting around, I had been given limited information by a doctor with poor communication skills and frankly I was scared that I had a brain tumour. I hadn’t eaten and or drunk very much, and my phone was dead so I couldn’t discuss it with anyone else. I do not believe I had the capacity to freely give my consent to have my brain scanned. At no point did anyone say ‘Do you consent to having your brain scanned?’, it was couched in passive language: we would like to do this, and if I didn’t object, my consent was assumed.

Then there is the power imbalance – people like to talk about ‘Our NHS’ as if we all collectively own it, but that’s bullshit. Surrounded – outnumbered – by doctors and nurses who want to do something, it’s hard to say no. Indeed, I am aware of cases where a person who refuses to do what the doctors want have been sectioned. Admittedly, as a white, middle-aged, middle-class man, I’m probably less likely to be subjected to this, but who knows. What would they have done if I had said no?

In this context, recital 43 of the GDPR is worth reading:

consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation

I think the power imbalance between the assembled medical staff and me made it impossible for me to say ‘no’, especially when considering the specifics of the situation. I had gone from a routine eye appointment to a request for a brain scan to find out if I had a brain tumour. My ability to make decisions was fried. A few months later, I got up at 7am on a Sunday to drive to Trafford Hospital where some improbably chirpy technicians did an MRI on my head. That interaction was certainly closer to consent than the CT scan, but strictly speaking, nobody asked my consent. It was a lot better, but by no means the only way in which the NHS processes data.

Since my diagnosis of high blood pressure, I have spent an afternoon in a specialist diagnostic ward in one hospital, had the above MRI in another, had separate MRIs and ultrasound scans on my kidneys, a shedload of blood tests and monthly appointments at my GP. My GP aside (who is excellent at explaining everything), the standard of fair processing in all my interactions with the NHS since last December has been lamentable. I don’t know who gets access to my data, I don’t know what for, and nobody has told me how to find out. There may be a privacy notice somewhere on a website but I don’t know where it is and nobody told me how to find it.

I respect and trust my GP. Every nurse I have met, even those briefly sticking a needle in my arm, has been exemplary. The team at the ARMU at Wythenshawe Hospital are superb, both at medicine and communication (in fact, every experience I have had there has been good). But for all the fact that I can be a troll sometimes, I have never caused as much hostility and frustration as when I give my honest opinion about my experiences in the NHS. People are angry with me if I speak my mind. Criticising the NHS is modern-day blasphemy. I’m only writing this blog now because it looks like my eyes are getting better and I probably haven’t got a brain tumour (although the fact that the hospital lost the brain MRI for several months because of the virus infection in May dents my confidence in this). I worry about pointing out the Eye Hospital’s failings because I do have to go back there. Do I want to be treated by people who know that I have criticised them online? This is the power imbalance in a nutshell.

So what’s my point?

The GDPR is built on an improved model of Data Protection – organisations should be transparent, and wherever possible, subjects should be empowered. One of the most important elements in this relationship is the proper treatment of consent. Ironically, given the number of ill-informed articles claiming that GDPR requires consent for data processing, a significant effect of GDPR should be to reduce reliance of consent. Organisations, especially those like the NHS who purport to rely on it, should be much more honest with people. Sometimes you don’t have a choice at all and a thing is going to happen whether you like it or not (HELLO, ROYAL FREE HOSPITAL). Sometimes, there isn’t a real choice – ask me whether I want you to find out whether I have a brain tumour, and honestly, the answer’s no. Rationally, the answer’s probably, ‘OK then’, but it’s not much of a choice and in my case, the question wasn’t even posed.

The NHS is going to breach the GDPR as much in spirit as in practice if it continues in its dubious mantras of implied consent and ‘no decision about me without me’. The fact that a person doesn’t have to be physically forced into the scanner does not mean that they have consented, especially if they haven’t been told clearly and directly how that data will be used. In many situations throughout the NHS, medical professionals think they have consent, tell each other they have consent and they don’t. There are other options in the GDPR, of course, including a rock-solid legal condition for special categories data for the purposes of medical treatment and diagnosis. But many people in the NHS still think consent is their byword and it really isn’t.

For one thing, secondary uses for analysis and research either have to stop, or a much more open and transparent process has to be developed to contact people directly, either to be transparent or, if that’s the basis that being relied on, to seek consent. For all my many scans and blood tests since last December, I have to assume that none of them will ever be used for any purpose other than the direct diagnosis and treatment of my condition because I have never been given a hint that anything else will happen. But is that true?

For another, if the NHS is going to get to grips with GDPR philosophically, it has to be much more honest about the flawed nature of the consent it thinks it’s getting. For years, NHS staff have told me on training courses that a patient rolling up their sleeve is evidence of ‘implied consent’ to take blood (and by further implication, process the data that flows from the test). In fact, what they have at best is inferred consent; and with the power imbalance, possibly not even that.

We know for certain that the Information Commissioner will not tackle this issue because they are terrified of challenging such fundamental issues. Elizabeth Denham’s trumpeting of a slapped-wrist undertaking for the Royal Free Hospital’s misuse of 1.6 million people’s personal data was, at least for me, the final nail in the coffin of her credibility. As a friend of mine said, the chief role of each new Commissioner is make the last one seem better. I am not predicting fines or enforcement of any kind; it won’t happen. But the best thing about the GDPR is its recognition that we are human beings who deserve respect and autonomy. My experience of the NHS in Manchester is far from achieving that.

Actually Asked Questions II

Last year, I wrote a blog asking for questions from fundraising and charity professionals about Data Protection for a guide that I was writing. Despite something of a lull between asking and delivering the guide, those ‘Actually Asked Questions’ were one of the things I thought worked best. It was great to include real questions from real, lovely people.

I am doing it again. This time, the guide I am writing is shorter and more focussed than the charity one, although it is not for charities, but for any data controller. The subject is choosing a company to provide your Data Protection Officer (AKA DPO as a Service). Most organisations that need a DPO will recruit a staff member, and to be honest, that’s what I consider to be the wisest choice. Nevertheless, the GDPR plainly allows data controllers to hire DPOs under contract, and many so-called GDPR experts and companies are offering themselves as DPOs on Demand. I am writing a short practical guide, containing questions and tips for anyone who is thinking of hiring a company to provide DPO as a Service. What should you look for? What should you avoid? How do you spot the cowboys? What questions should you ask?

FULL DISCLOSURE: I am not going to be a DPO for hire, either by myself or via any organisation. I have turned down several organisations already (two in particular who know they are and that I adore). This is not a way to get you to hire me, although an organisation did have me on the interview panel for their DP officer role recently, and I WOULD SNATCH YOUR HAND OFF TO DO THAT AGAIN.

What I would like to know is this: are there any questions you have about DPOs as a service, or hiring a DPO generally? If possible, I will extend the text to be a general guide to getting a DPO internal or external, but at the moment, I have more material on the external side than the internal side.

Send me a question, send me an issue you’d like to see someone talk about, send me anything you’d like a smart-arse to think about when writing a guide like this. You will not be mentioned in the guide unless you want to be, and the guide will be free to anyone who wants it.

SEND ME YOUR QUESTIONS HERE: tim@2040training.co.uk

DEADLINE: September 30th 2017

If you approve of this endeavour and would like to promote it, please do.


The slow progress of GDPR has been agonising. From the beginning, with a series of disputed drafts bouncing around European institutions, we’ve had the fraught last minute negotiations in December 2015, the clouds of doubt cast by the Brexit vote, and finally, through a series of government announcements, apparent confirmation that it was still on track. We’re not there yet – the much-discussed position paper released by the Department for Culture Media and Sport this week is still just the hors d’oeuvres, with the full meal only beginning next month, when the Data Protection Bill itself will be published.

Throughout this seemingly endless grind, there has been one consistent thread, one thing on which the weary GDPR traveller could rely, no matter how much doubt there was elsewhere: the constant stream of bullshit. Everywhere you look, on whatever subject you choose to read about, bullshit everywhere. There is the nonsense about having to have consent, spread by parties as varied as the admirable Rights Info (since corrected) and the GDPR Conference, who sponsored an article about the oncoming Data Protection Apocalypse and then had to withdraw it because it was bollocks. There is the relentless scaremongering about fines that will turn companies into dust, spread by the world and his dog and finally punctured by the Information Commissioner herself, admitting that she would far rather not fine anyone if that’s all the same to you. I’m not certain that waving the white flag this early is the masterstroke that Wilmslow thinks it is, but at least they’ve finally caught up to where I was in April.

Hype is one thing. If I was still a Data Protection Officer, up until today I probably would have shamelessly exploited the bazillion pound fine nonsense if I thought it would persuade my employer to take the changes seriously. Being a DPO is the ultimate thankless task where nobody notices you until somebody else does something stupid and you get the blame, so if the threat of fire and fury gets the chief executive’s attention, it’s nobody else’s business. However, there’s a difference between selling internally, and just plain selling.

As has already been noted by experts more distinguished and less biased than me, there are a lot of new entrants into the market whose experience lies outside the conventional route of Actually Working On Data Protection Ever. This does not stop them from making grand claims. The idea that Carl Gottlieb’s customers already call him ‘The GDPR Guy’ definitely doesn’t sound made up, but it must be confusing for all the people who presumably called him the Anti Virus Guy a few months ago.

If you prefer, perhaps you might try Get Data Protected Reliably Ltd, whose website boldly describes it as “the UK’s leading GDPR Consultancy“, which for a company that was only incorporated three weeks ago is quite an achievement. The owner confirmed to me that he doesn’t have any Data Protection experience, but he is in the process of hiring people who do, so that’s something to look forward to.

You could try GDPR Training (established 25th April, so more than double the experience of Get Data Protected Reliably), and run by the husband and wife team of Emma Green (former IT consultant) and John Green (former Legal Costs Draftsman). The Greens were upset about the fact that people tweeted facts that were in the public domain about them and made some threats about libel, which is odd given that John accused a highly respected DP expert of jumping on the GDPR bandwagon before blocking everyone on Twitter who noticed. Given that they use the same P.O. Box in Wilmslow that I do, at least they won’t have to go far if they want to take issue with this blog.

More pernicious is the sudden rise of the GDPR Certified Practitioner / DPO / Professional. Now here, I have to declare an interest. One of the training courses I run is a four day course with an exam and a project at the end. If you pass both elements of the course, you get a certificate. It’s a practical course designed to get people ready for GDPR (its predecessor did the same for the DPA). Nobody is ‘qualified’ to be a GDPR Data Protection Officer because they complete the course – no course can qualify you for a job that doesn’t really exist yet. Nobody who completes it is ‘GDPR certified’ as a result, because certification in the GDPR context has a very specific meaning that makes such a claim impossible.

To be certified under the GDPR, data processing has to be approved by an accredited certification body. To be an accredited certification body, an organisation has to be approved by the appropriate national body – in the UK, DCMS has announced that the Information Commissioner’s Office and the UK Accreditation Service will carry out this role, but they aren’t doing it yet. Given that Article 42 refers to the certification of “processing operations by controllers and processors“, the mechanism for certifying a product like a training course is unclear. The other important element here is that certification is voluntary. The elements of GDPR that certification applies to do not require it – the organisation is at liberty to find other ways to prove their compliance, which is what many will do.

A GDPR certification may be very useful – a controller or processor can use certification to demonstrate their compliance (a requirement of Article 24), and can also have their DP by design approach certified. It’s obviously appealing to data processors or controllers who are bidding to provide services – the certified cloud provider will undoubtedly be more attractive than the one who is not. But whether many Data Controllers will take it up is an open question – whether a company is certified will make zero difference to consumers.

And we’re not there now, which is why claims about being a ‘Certified’ DPO should be taken with a big pinch of salt. If you say you’re certified, that claim should be very carefully interrogated. If, for example, you mean ‘I have successfully completed an course with an exam and I got a certificate at the end of it’, fair enough. But is that what most people will think when they see you describe yourself as a ‘Certified DPO Practitioner‘? Will anyone think you’ve just been on a training course (however good that course might be), especially if your company website says the following:

  • GDPR Practitioners – As certified practitioners we can assist you through the new data law minefield.
  • Data Protection Officers – We are qualified to act as outsourced DPOs to consult on data protection issues.

In the GDPR world, ‘certified’ is a big word; ‘certificated’ is a much more accurate one, but it doesn’t have the same heft. The question is, why not use the right word? All of these courses – including mine – are certificated – there’s a test at the end, and you get a certificate. Claiming to be ‘GDPR certified’ sounds like a process that hasn’t started yet.

Some training companies do have external accreditation of their courses, so when they say that they are offering a “Certified EU General Data Protection Regulation (GDPR) Training Course”, surely that is worth more? IT Governance, for example, offer a range of Certified GDPR courses that have been accredited by the International Board for IT Governance Qualifications, which is obviously different because the IBITGQ is an external body whose training and examination committees are staffed by “industry experts”. The IBITGQ currently only accredits one organisation (IT Governance) and though they are open to accrediting other organisations, they refuse to take anyone else from the United Kingdom.

The names of the ‘industry experts’ aren’t available on the IBITGQ website, so I asked IT Governance who the “industry experts” on the IBITGQ committees were, but they refused to tell me and told me to ask the IBITGQ itself. I asked them, but they didn’t acknowledge my email. Meanwhile, people who have been the IT Governance courses are describing themselves as ‘GDPR Certified Practitioners’, and I’m not sure what that means. The IBITGQ may be doing a sterling job, but the accreditation they offer to a single training company has nothing to do with GDPR certification. They are not accredited in the UK to offer GDPR certification, because no-one is.

I’m not saying that IT Governance want to create any confusion, I don’t know anyone who has actually done the course, and I have no idea what it is like. Nevertheless, no-one should be using the word ‘Certified’ in a GDPR context until the certification process actually starts. It is impossible to have a GDPR certification at the moment, and anyone who has completed or delivered any kind of training on the subject knows this better than most.

The idea of a GDPR seal (also encouraged in Article 42) will be revolutionary in the training business – once courses or organisations can have a GDPR kite mark, it will be difficult to trade without one. I don’t know whether to look forward to the dawn of the DP seal or not, but it’s coming and I will have to get used to it. In the meantime, it’s important that everyone who is buying training or consultancy looks at the bona fides of the provider. Anyone with ‘GDPR’ in their name probably doesn’t have a long history of Data Protection experience, and given that GDPR is evolutionary not revolutionary, that’s a problem. Anyone with a predominantly IT security background is an expert in one part of the GDPR, not the whole of it. And anyone who describes themselves as ‘Certified’ should be asked plainly and simply: beyond getting a certificate, what does that mean?