Are you panicking about GDPR? Stay calm and take a look at our item on GDPR Compliance.
Unless you’ve been sleeping under a rock you couldn’t have missed the news that GDPR – the new General Data Protection Regulation – COMES INTO EFFECT THIS FRIDAY, 25TH MAY.
Whether you are a voluntary group, a company or an individual, if you hold or process personal data in anything other than a purely personal or household capacity, GDPR applies to you or your organisation. This is a short guide to getting on the road to compliance and should be seen as the minimum you need to do; you will have to adapt it to the needs of your organisation. For small groups that do not hold sensitive information about people, compliance should not be a problem if you have done the following by Friday 25th May 2018.
Audit the data you have, in digital and written format, and if you no longer have any legal or legitimate grounds for holding onto it, remove it from your files and digital systems. You need to be able to justify why you hold information about individuals, especially sensitive information.
The information should be examined under the following headings:
- Why are you holding it?
- How did you obtain it?
- Why was it originally gathered?
- How long will you retain it?
- How secure is it, both in terms of encryption and of who can access it?
- Do you ever share it with third parties and on what basis might you do so?
Organisations must be able to identify and document the legal basis for processing and retaining personal data.
Some of the legal bases of most relevance to organisations include the following:
- Consent of the data subject.
- Processing is necessary for the performance of a contract to which the data subject is a party (such as an employment contract).
- Processing is necessary for compliance with a legal obligation to which the data controller is subject (such as payroll, or passing information to the Revenue Commissioners).
- Processing is necessary for the legitimate interests of the data controller, unless such interests are overridden by the interests or fundamental rights of the data subject. For example, improving efficiency in the workplace could be a legitimate interest for keeping data, as could the protection of company assets by maintaining an asset register that links equipment to individuals.
Organisations should, in particular, note the GDPR’s provisions on consent when carrying out their review of personal data held or processed. Consent must be freely given, specific, informed and unambiguous, and it can be withdrawn at any time; if consent was the only legal basis for holding the data, the data cannot be retained once consent is withdrawn.
Protect the data you have:
- password-protect all digital systems (devices and accounts);
- encrypt personal data, especially on laptops, phones and USB sticks, which are easily lost or stolen;
- use up-to-date, real-time malware protection;
- make sure your operating systems are still supported by the vendor and fully patched;
- have a secure backup system in place, and check that you can actually restore from it;
- secure hard copies of files and letters from unauthorised access.
WHAT MUST BE INCLUDED IN PRIVACY STATEMENTS?
When first collecting personal data, the GDPR requires businesses to provide information such as the following to individuals. This information should also appear in a privacy statement on any website you run, and be available in written or digital formats on request:
- The business’s identity (the word business here covers voluntary organisations, even if they are not incorporated or registered as a business).
- Contact details for the business and for the data protection officer (DPO), if applicable
- The reasons for collecting the data
- The use(s) to which the data will be put
- To whom the data will be disclosed
- Whether the data will be transferred outside of the EU
- The legal basis for the processing of the data
- The period for which the data will be stored, or the criteria to be used to determine retention periods
- Where the processing is based on the legitimate interests of the business, the legitimate interests concerned
- Where the processing is necessitated by a statutory or contractual requirement, the consequences for the individual of not providing the data
- Whether the data subject will be subject to automated decision making
- The rights of the individual under the GDPR
When preparing notices, businesses must set this information out in a clear, concise and easily accessible manner.
WHAT ARE THE INDIVIDUAL’S RIGHTS UNDER GDPR?
The rights for individuals under the GDPR include:
- subject access – access to the data you hold about them
- to have inaccuracies corrected
- to have information erased – if you have no legal basis to hold it
- to object to direct marketing
- to restrict the processing of their information, and not to be subject to decisions based solely on automated decision-making
- data portability (to have the data provided in an easily accessible and transferable digital format)
If you are involved in direct marketing via email, make sure that every email you send out includes an option for people to unsubscribe from your email contacts list.
If a third party repairs your IT systems or manages your social media, put a written data processing contract in place requiring them to process personal data only on your instructions and to be GDPR compliant.
Please note that the information presented here is meant as a guide only, and is particularly suited to small organisations. If you hold large amounts of sensitive information about employees or members of the public seek professional advice on your obligations under the GDPR.
Finally, if you haven’t started on the road to compliance yet it is vital that you do so.
More information about compliance with GDPR, including useful downloads and templates is available at the website of the Data Protection Commissioner – GDPR and YOU
Click here for Leitrim PPN Privacy Statement 25042018