KnowledgeNET Blog

carmichael
The new General Data Protection Regulation (GDPR) is due to come into effect on 25th May 2018. It will provide a modernised, accountability-based compliance framework for data protection all over Europe. Below are some points to consider in advance:
  • Organisations must understand if they are a Controller or Processor: A data controller controls and is responsible for the keeping and use of personal information on computer, online or in structured manual files. If, on the other hand, you hold personal data, but some other organisation decides and is responsible for what happens to the data, then that other organisation is the data controller, and your organisation is a data processor. Examples of data processors include payroll companies, accountants and market research companies, all of which could hold or process personal information on behalf of someone else. It is possible for one organisation or person to be both a data controller and a data processor, in respect of distinct sets of personal data. For example, a payroll company would be the data controller in respect of the data about its own staff, but would be the data processor in respect of the staff payroll data it is processing for its client companies. 
  • Organisations that - as a core activity - monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale, will need to have Data Protection Officers (DPO’s) to facilitate compliance with the provisions of the GDPR. 
  • These organisations must be able to demonstrate compliance with the Regulation. The DPO is a cornerstone of the principle of accountability. 
  • Factors to be considered when deciding whether processing is “large scale” include the number of data subjects, the volume & range of data, duration of data processing and geographical extent of data processing. A simple example given is the processing of healthcare related data by an individual doctor (not large scale), or by a hospital (large scale). 
  • Unless a DPO is obviously not required, organisations should document the analysis and process leading to their decision on whether or not to appoint a DPO. 
  • DPOs may be appointed on a voluntary basis, but where they are, the same GDPR requirements regarding their designation, role and tasks will apply as to mandatory DPO appointments. Therefore, where organisations don’t appoint a DPO but do, as they may, assign data protection related tasks to their staff or external consultants, it should be made clear internally and externally that such staff or consultants are not DPOs. 
  • It is important to get prepared now for the implementation of the new regulation in 2018. 
  
What you need to do now:
  • Key personnel in your organisation should start planning now, including a review of the organisation’s risk management processes. 
  • Make an inventory of all personal data held by your organisation and review why you are holding it, where it is stored, how it was obtained, how long you retain it and how secure is it. 
  • Review how you alert people to the collection of their data and how you deal with complaints if people are unhappy about how you do this. Make sure you have systems in place to correct any errors that arise. 
  • Review how you delete, amend or restrict access to personal data.  
  • Review how you respond to requests for access to personal data and how long it takes. 
  • Check how much personal data you gather, and why. If any categories can be discontinued, then do so. 
  • Review how you seek, obtain and record service user or member consent. Are they fully aware their consent is being given and what they are consenting to? Are they informed of their right to withdraw consent? Have they given you explicit permission to contact them (e.g. via email or text message)? 
  • If you process data on children, do you have systems in place to verify age and gather consent from guardians? 
  • Do you have systems in place to detect, report and investigate personal data breaches? 
  • Draw up or review your privacy website notice. This should be in clear and plain language and contain details of who to contact in relation to privacy issues, types of date you process, who it is shared with and how long you keep it, use of cookies and tracking devices. 
  • Draw up or review data protection policies and procedures.  
  • Make sure you review any other existing policies and procedures that may be impacted by GDPR, e.g. HR, Health and Safety records, employment contracts, financial records, Garda vetting. 
  • Make sure there is proper handover of responsibilities in relation to data when personnel change role or move on from the organisation. 
 
 
Jargon Buster 
 
DAR: Data Access Request. A person has a right to find out if a person (an individual or an organisation) holds information about them. They also have a right to be given a description of the information and to be told the purpose(s) for holding that information. 
 
Data Controller: determines the purposes for which, and the way in which, personal data is processed. 
 
Data Processor: anyone who processes personal data on behalf of the data controller. 
 
DPO: Data Protection Officer, the person who facilitates compliance with the provisions of the GDPR. 
 
GDPR: General Data Protection Regulation. This is a European-wide regulation that comes into effect on 25th May 2018. It gives increased powers to the Data Protection Commissioner to impose heavy fines for breaches of the regulations. 
 
Personal data: data relating to a living individual who can be identified either from the data alone or from the data in conjunction with other information that is in or is likely to come into the possession of the data controller. 
 
Sensitive personal data: is data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, details of any criminal allegations, proceedings or convictions. 
 
Check out more details on the Data Protection Commissioner's website or the GDPR Coalition website. 
 
Carmichael Centre will run a workshop on how to get ready for GDPR on 20th November 2017.

Add new comment

Featured Article

Alice Murphy

How to Establish a Company Limite...

Alice Murphy

ARTICLE ON HOW TO ESTABLISH A COMPANY LIMITED BY GUARANTEE The purpose of this article is to explore the relative advantages of a company limited by guarantee when compared with other...

News

carmichael

Our Chair Kevin Smyt...

09.02.2016

Watch our new video where our Chair Kevin Smyth, explains what goes into making a good Chair in...

carmichael

650 organisations on...

02.07.2015

http://www.governancecode.ie/news/article.php?article=includes/news/article_updatechairjul15.html