GDPR - Are You Ready

The General Data Protection Regulation (GDPR) will apply from 25th May 2018 to all organisations that process European residents’ personal data. Under GDPR, businesses that fail to comply with the Regulation and suffer a data breach could face fines of up to €20 million or 4% of global revenues – whichever is greater.

Everyone has the right to respect for his private and family life, his home and his correspondence.

A Data Subject is an identified or identifiable natural person. There is no restriction on their nationality or place of residence, however, so a data subject can be from anywhere in the world – the regulation does not distinguish. Equally, however, a data subject has to be a living individual; a corporation or other entity cannot be a data subject, and the information on those subjects has no protection under the GDPR Regulation.

GDPR Principles

• Process Data fairly, lawfully, in a transparent manner.

• Data must be collected for a specific, explicit, legitimate purpose

• Date must be adequate, relevant and limited to what is necessary to merit the purpose of its collection.

• Data policy must state how long the information will be kept, its purpose and who you share it with.

• Data must be accurate and up to date

• Kept secure to maintain integrity and confidentiality - whether centralised, decentralised or dispersed on a functional or geographic basis.

• Must not be kept for longer than is necessary

• Processed by controllers and processors who can demonstrate compliance.

Data Controller

A Data Controller determines the purpose and means of the processing personal data.

Data controller must apply measures appropriate to your business that “implement appropriate technical and organisational measures” protecting the data subjects personal data.

Data controllers have to ensure that they secure clear and unambiguous consent from the data subject before processing personal data. “Silence, pre-ticked boxes or inactivity” are not consent. Consent must be given for each action carried out with data ie Marketing, Email, Newsletter etc.

The Data Controller is responsible for demonstrating adherence to the DGPR Principals, and they must secure the same assurance from any external data processor with whom they contract.

Appointment of a Data Processor in your Company – Controller must only use data processors that guarantee compliance with the GDPR and it must be in the form of a binding agreement in writing. This Processor:

• Must only act on the controllers documented instructions.

• Impose confidentiality obligations on all personnel who process the relevant data.

• Abide by the rules regarding the appointment of sub-processors.

• Implement measures to assist the controller and comply with the rights of the data subjects

• At the controllers election either returns or destroys the personal data at the end of the relationship.

• Provide the controller with all the information necessary to demonstrate compliance with GDPR.

Article 30 requires that every data controller retains a record of its data processing activities. This record needs to contain a specific set of information such that it is clear what data is being processed, where it is being processed, how it’s is being processed and why it is being processed.

Transfer of personal data outside the EU must comply with conditions in Chapter V of the GDPR which require specific safeguards to be put in place, and on the condition that the data subject’s rights and effective legal remedies are available. Use of services like MailChimp fall under this rule. The former US-EU Safe Harbour Framework was dismantled in 2015 and no longer applies. The EU-US Privacy Shield is due to be put in place. It should be noted that breaches of the Articles covering international transfers are subject to the highest administrative penalty.

Personal Data

‘Personal Data’ means any information relating to an identified or identifiable natural person (‘Data Subject’) an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. IP address, HR records and Photographs are considered personal data. Data held in Cloud solutions is also ruled by GDPR. Make a list of all personal data that you hold by looking at your processes. Check -

• How was it obtained

• When was it obtained

• What is the purpose

• Do you have proof of consent

Assign lawful basis to personal data

Consent – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by statement or by clear agreement to the processing of personal data relating to him or her. Consent is an incredibly important concept in GDPR and must record

• Explicit use

• How long you will keep it for

• Purpose

• Who you will share it with

Date Breaches

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

• Must be reported within 72 hours, except where it is unlikely to result in any harm to the Data Subject. This is not necessary where appropriate protective measures are in place ie Laptops have Encryption, Documents are password protected, Phones remotely wiped.

• If high risk to Data Subject, must notify them without undue delay

• Data Processors must notify the Data Controller immediately once aware of the breach.

• Breach must be recorded in the Breach Log even if it is a breach that does not have to be reported to the Data Protection Commissions Office.

Source of further information

Data Protection Commissioner - www.dataprotection.ie

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012PC0011&rid=2

Disclaimer

This blog is intended purely for guidance and does not constitute legal advice or legal analysis. This guide is intended as a starting point only giving you general information and a general understanding of the subject and not to provide specific GDPR advice. This information should not be used as a substitute for competent advice from a GDPR Expert.