Getting ahead of the game with the GDPR

With the deadline for the General Data Protection Regulation (GDPR) looming, Peter Boyall, Head of Operations at twentyeightb, decided to take the plunge and sign up for an online training course from IT Governance, here is his review.


There is still a degree of uncertainty around what ‘GDPR compliance’ actually means, but it is fast becoming too late to wait for the Article 29 working party to rule or for a course to be officially certified by the EU data protection board or the UK information commissioner’s office.

Having looked around and found that my preferred British Computer Society provider had no current course available, I looked to the IT Governance company which offered a depth of courses and a specialism in information security. This gave me the confidence that their course would cover the key points. In addition, they offered an exam which was certified externally by GASQ, providing some assurance that the exam itself was not simply a box-ticking exercise.

The course I selected was the certified foundation, intended to provide a background and grounding but not to push the envelope. With a background in data security already, I felt that a ‘GDPR top-up’ was sufficient.

The course

  • The information was reasonably paced, with a set of notes to go along with it that helped immensely. I was able to make a precis in advance then listen to the video and fill in gaps rather than try to type notes while listening.
  • It seemed to cover the main points and included self-tests as well as an FAQ.
  • Lawyers being needed was referred back to several times – avoiding the trap of it being purely IT-focused.
  • It was also made clear that there are no official certifications issued at that point.

Areas for improvement

  • There was just the one presenter so limited points of view and I did have to take a few breaks.
  • The subject matter has understandably dated very quickly with interpretation of GDPR legislation changing all the time.
  • Some cyber security practitioners take a dim view of the implication that the IT Governance qualification is in some way officially approved by the government. It is made clear in the course itself that no official qualifications yet exist, but it is important to stress that there is no intention to pass off the certificate as the answer to everything.
  • Accompanying book is very out of date and doesn’t tie in particularly well.

The exam

Ouch! The instructions were somewhat contradictory – one set said to use Firefox, another to use a secure browser app. To run the app you have to turn off all but one screen. Once you start the ‘secure browser’ it takes over the screen so you can’t read the PDF of instructions (or get your username/PIN code). You have to fumble your way to the exam and the ‘face detected’ icon kept flickering (albeit that may have been down to my laptop).

The actual questions in the exam were very different to the self-tests, although I saw this as being a good thing as it meant the exam wasn’t too easy. There was quite a lot of brainwork involved and it definitely wasn’t just a case of answering questions by rote in the manner of, say, PRINCE2 Foundation exams.

In conclusion

All in all, I’d say that in order to get your hands on the certificate you do need to have a pretty good grasp of the GDPR, as the only way to pass the exam is to both know and understand the material in order to be able to extrapolate answers to the questions.

There is a lot of fear, uncertainty and doubt at present surrounding ‘GDPR compliance’. It’s easy to be fooled into thinking it is just an ‘IT exercise’, that it is necessary to pay large amounts of money to a management consultancy or that an impressive collection of paper certificates are required to ‘demonstrate compliance’. In reality it is quite possible that companies are already compliant and a quick confirmation check is all that is needed. The above course has given me the confidence that we don’t need to spend tens of thousands of pounds on external consultancy or tools in order to discharge our duties regarding the data we handle. Gaining peace of mind that you have adequate data protection policies in place is in some respects the ideal scenario when enrolling for a qualification. While you won’t be able to just tick a box and say “we’re compliant now”, you will be far clearer on any steps you may need to take to stay ahead of the forthcoming legislation.