GDPR Guidelines

The General Data Protection Regulation (GDPR) will apply from 25th May 2018 to all organisations that process European residents’ personal data. Under GDPR, businesses that fail to comply with the Regulation and suffer a data breach could face fines of up to €20 million or 4% of global revenues – whichever is greater.

Everyone has the right to respect for his private and family life, his home and his correspondence.

A Data Subject is an identified or identifiable natural person. There is no restriction on their nationality or place of residence, however, so a data subject can be from anywhere in the world – the regulation does not distinguish. Equally, however, a data subject has to be a living individual; a corporation or other entity cannot be a data subject, and the information on those subjects has no protection under the GDPR Regulation.

Staff

• Must be trained and records of training kept.

• Must have access to GDPR Document Framework. This must contain all policies and procedures.

• Be aware of the Risk Register

• Be aware of the Breach Log; and understand how to record a breach.

• Staff Privacy handbook must include a document that is signed to show that they -1- agree and 2 -understand the companies GDPR regulations.

• Must be made aware if any Data Breaches occur there will be a disciplinary process activated.

• All laptops must have the Hard drive encrypted (using FIPS 140 compliant cryptography. Secure Socket Layer (SLL) is no longer considered secure, Transport Layer Security (TLS) 1.2 or higher is required.)

• USB keys must be secure – Mycript

• Mobile phones must have the facility to wipe data remotely in the case of the phone being lost or stolen.

• If sending documents by post containing sensitive data - use registered post

Train your staff

• Train staff in your GDPR Procedures.

• Training records must be kept

• Policies and Procedures must be up-to-date and available.

• Must be made aware of Disciplinary process if a breach occurs

Date Breaches

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

• Must be reported within 72 hours, except where it is unlikely to result in any harm to the Data Subject. This is not necessary where appropriate protective measures are in place ie Laptops have Encryption, Documents are password protected, Phones remotely wiped.

• If high risk to Data Subject, must notify them without undue delay

• Data Processors must notify the Data Controller immediately once aware of the breach.

Create policies and procedures

• Staff Handbook

• Risk Register

• Breach Log

• Breach Notification Procedures

Ensure your organisation can comply with any Data subject requests.

You should review and update your procedures and plan how you will handle requests within the new timescales. (There should be no undue delay in processing an Access Request and, at the latest, they must be concluded within one month). You have one month to reply to a data subject request and no fee is required. They are entitled to request more information on – location, retention period, and use of data.

Subject access rights include

• to have inaccuracies corrected

• to have information erased

• to object to direct marketing

• to restrict the processing of their information, including automated decision-making

• data portability

Implement Breach notification procedure

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

GDPR brings mandatory breach notifications. All breaches must be reported to the Data Protection Commission (DPC), typically within 72 hours, unless the data was anonymised or encrypted. In practice this will mean that most data breaches must be reported to the DPC. Breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality – must also be reported to the individuals concerned. Larger organisations need to develop policies and procedures for managing data breaches, both at central or local level.

Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.

Source of further information

Data Protection Commissioner - Click HERE

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL Proposal Click HERE

Disclaimer

This blog is intended purely for guidance and does not constitute legal advice or legal analysis. This guide is intended as a starting point only giving you general information and a general understanding of the subject and not to provide specific GDPR advice. This information should not be used as a substitute for competent advice from a GDPR Expert.