GDPR and Open Data Standards workshop


#1

GDPR and Open Data Standards workshop
Facilitated by Open Data Services Co-operative
Wednesday 25th April from 1pm - 4pm
Location: Space4 in Finsbury Park.

Our agenda will include an overview of GDPR from Darren Wright of Inside Outcomes, followed by group discussions on the particular issues that arise for open data standards, and the challenges and opportunities of GDPR.

We aim to all be able to leave with key actions for meeting the GDPR, and ideas for next steps to continue to have the right balance of transparency and privacy embedded in our work.

If you are interested in attending, please email Ben Webb <ben.webb@opendataservices.coop>.


#2

Hey Ben,

I’ve been asking whether people can join virtually for the event? We could put them up on the projector if you’re not using it, or on another screen or something.


#3

Yes, happy to look into this if people are interested. I think we’re using the projector, but we can easily set up another screen.


#4

Thanks for organising, looking forward to it!


#5

BTW, please could anyone attending, including remotely, email me, so that I know numbers and can send a videoconferencing link out.


#6

Hi, sorry that I can’t make the workshop in person, but do want to cover everyone in this space so can you fill us in afterwards, please? Here is a light and quick read from the Wave Design #wavewhistlestop Blog on #GDPR compliance - https://wave.coop/gdpr-compliance-help-is-at-hand

If anyone else would like some inclusion in our second post of the series of 3, please email sarah@wave.coop with info. My focus will be on challenges / opportunities as above with a more granular focus including guidance from the coop movement etc. Looking forward to hearing from members :wink:


#7

Darren’s presentation and sample Data Protection Policy are available at https://drive.google.com/drive/folders/1ZPFCUPAK-NeM1eGqyQ0zXtf3StMZQCEJ

We also have some notes from the second half of the event, but we’re sharing those with attendees first so they have a chance to make any corrections. I should be able to share them next week.


#8

Notes from the second half of the event are now available at https://docs.google.com/document/d/1pwBljkGcuSbyGveDdcNyKO_XQQ9NBup1kfrKJy7e6Hc/

I also had a follow up discussion with Aptivate, with a particular focus on them hosting software for people. Notes from that at https://docs.google.com/document/d/1osOt3VXSrmDNH2poEpWvzPBAX5EIIS8syCM0-KPtaT0/edit

One particular issue that has come up is where to find reusable examples of contract terms, or a Data Processing Agreement (that sets out the relationship between controller and processor with respect to the GDPR). We’re currently looking at using some terms from https://simply-docs.co.uk/Home, but that is £35 to some proprietary docs company.


#9

Hi @ben.webb.opendata, I’m sorry I missed the talk, I was really gutted as it clashed with the Ethical Careers Fair that I was at on behalf of CoTech.
I’m leading on getting us GDPR compliant and did a presentation internally for our team on Tuesday. I’ve had a look at the Data Protection Policy as well and it looks really helpful - does anyone have a good Privacy Policy for websites? We have one but would love to check out others…

One question came up which I’m currently looking at but wondered if anyone has the answer to…

“Can we confirm if we are responsible for confirming that the controller has a legitimate interest when we are processing data? If we process data where the controller falls foul of GDPR and does not have a legitimate interest, are we covered by insurance / law?”

If anyone has any thoughts on this, then please let us know…


#10

Hi Aaron and all,

We have arranged a follow up session at Space 4 for Wednesday 23rd May, to look at all aspects of GDPR compliance.

This can be in the afternoon or evening depending on which works best for people.

The idea is to do precisely what you suggest as regards website privacy notices: rather than each co-op spending a lot of time and effort developing policies and procedures in isolation, develop a way of sharing the process.

This needs to be ongoing as the level of confusion over GDPR (they were still making amendments yesterday) means that 25 May will be the beginning of a new phase of Data Protection Legislation rather than a cliff edge.

I have started a Policy Corner on the Cotech Wiki as a place where Co-ops can share their policies. So far I have added three Digital Liberties Policies, including our Contractor Application Form. It means that workers and other contractors have explained to them how their data as employees/freelance contractors will be handled. Actually, strictly speaking it may not be necessary (this is an area covered by contract and legitimate interest), however it creates a record that the individual has had the matter explained to them and should encourage them to take Data Protection seriously.

It would be good if people could publish such things as their privacy notices there for others to copy.

As for your question:

“Can we confirm if we are responsible for confirming that the controller has a legitimate interest when we are processing data? If we process data where the controller falls foul of GDPR and does not have a legitimate interest, are we covered by insurance / law?”

This question needs to be rephrased:

When an organisation claims “legitimate interest” (LI) this needs to be spelt out in the organisation’s Data Protection Policy, which should be a policy agreed by the Co-op as a whole. Procedures may be measures which have been devolved to the Data Controller, but these should be written out and available to all co-op members. There is an element of risk here, in that it may turn out that the ICO does not accept the claim, or, indeed, it could be tested in court.

At the moment questions of LI have not been tested, so we are all moving into an unknown future. The ICO has said that in the event of non-compliance, organisations which have a well developed Data Protection Policy will face less severe sanctions - possibly just a warning - compared to organisations with rudimentary or completely absent policies. I.e. even if the ICO does not accept the argument you present for LI, if they still find it reasonably coherent they will view this as an honest mistake and not impose punitive sanctions.

What is covered by insurance will depend on the insurer - and also whether the organisation actually acts in accordance with the policy. So that is a bit hard to answer.

What will happen over time is that as issues are tested in individual cases, the reality of GDPR will emerge from the misty future as something with much clearer characteristics. Therefore what is important is that people with responsibility for Data Protection will have to regularly check for ICO rulings/court cases etc. for developments and then take any necessary policy reviews to their Co-op management meeting.

We should be clear here that in general it will be the co-op that falls foul of the GDPR, not the controller, and the rule changes spread the burden more evenly amongst all data processors as well as the controller - who I would regard more as a co-ordinator ensuring the co-op as a whole complies with the GDPR.

I hope these comments are useful and encourage all fellow co-operators with an interest in Data Protection to start working more closely together, whether that means coming to the session at Space 4 on Wednesday 23rd May - in person or online - and also participating in ongoing GDPR collaboration through the setting up of a working group.

all the best,

Fabian


#11

@aaron would it be worth splitting your last post and the follow ups, into a new thread on “GDPR compliant Privacy Policies for websites”?

We were looking at this for our site yesterday and we do currently set an optional Matomo tracking cookie in users’ browsers (see our existing privacy policy), but we are going to not set any cookies after we update our policy (see our draft new policy), apart from an optional one to indicate that a user doesn’t want to be tracked, which is somewhat ironic… :roll_eyes:


#12

Thanks @Leutha - this is probably the most coherent thing I’ve read in recent weeks on GDPR. Please include me in further conversations on this, although I won’t be able to get to the May 23 event in person.


#13

This was shared at last night’s Oxford Drupal User Group, a template GDPR compliant privacy policy, free to use if credited:
https://seqlegal.com/free-legal-documents/privacy-policy
I’ve not read it in detail, but I thought it might be of interest here and also good for clients with less resource to spend time or money on such things immediately.


#14

Hi @ben.webb.opendata, spotted a small error in IO_Data_Protection_Policy.docx. Accidental double negatives at the bottom of page 1:

  • company seeks to reduce the risk that breaches of confidentiality do not occur …
  • company seeks to reduce the risk that data is maintained in a secure environment …

#15

Hi all,

I’ve just had a chat with Ben who kindly pointed out that I got the wrong end of the stick as regards Aaron’s query, which should be seen in the context of one organisation being a Data Controller as regards another organisation to whom they supply a service.

This raises a number of issues as regards what sort of Data Protection clauses we should be putting in Service level agreements. That seems like quite a big topic actually.

It is precisely around drafting such clauses that I think the CoTech Co-ops can effectively work together, helping to create appropriate policies, procedures etc., and also facilitating co-ops working together on collaborative contracts.
all the best,
Fabian


#16

This is now fixed in https://drive.google.com/file/d/1AKysmZHsQ9mU6VH531xOTLgUCfzvLQqm/view