GDPR
At The Pulse Club, Ballinasloe, Co. Galway we know that legislation and compliance can sometimes hamper the road to entrepreneurship. All that red tape can make people reluctant to take the plunge into setting up their own business. Using your feedback we will seek to clarify any obligations that you may have and, hopefully, ease your fears through these web-based FAQs.
First up is GDPR. This came into effect on May 25th 2018 all across Europe and with it came a lot of fear and fanfare much like the Y2K “bug”. However, there is nothing to be afraid of. Once you know the basics (specify the legal basis for processing data, only keep what you need for as long as you need it, encrypt and secure the data you need, report breaches within 72 hours) you’ll soon realise that it just makes good sense to be compliant.
More than ever, securing personal data has become an essential part of our lives – from shopping to traveling to setting up WhatsApp groups, we all give our personal information and are given personal information regularly. How that data is protected forms part of the fundamentals of the new GDPR legislation.
It is imperative that everyone who owns a business or is on the cusps of setting up a business understands the principles of Data Protection and how the changes in legislation impact your day to day responsibilities.
At the centre of the new law is the requirement for businesses/organisations to be fully transparent about how you are using and safeguarding personal data, and to be able to demonstrate accountability for your data processing activities.
How do you as an entrepreneur make sure that you are compliant? There are some simple yet effective steps to take to ensure you are protected. Remember that GDPR protects YOU as much as it does your “data subjects”.
The following 9 steps, when adhered to, will take you most of the way to compliance:
Step 1 – Increase awareness and visibility
GDPR will benefit all of us: it is there to ensure that our personal information is protected from misuse by any organisation or business. It is vital that every member of your team/staff is aware of the changes that GDPR has brought and how those changes affect them.
To point your team in the right direction you can visit http://www.gdprandyou.ie.
Some tips on making people GDPR aware:
- Leaflets
- Publishing of Privacy Policy/Statement online
- Emailing updates
- Your Local Enterprise Office may offer subsidised courses
Step 2 – Be Accountable
So why do you need this data? You should be able to answer YES to the following questions:-
When customers/clients/colleagues are giving you information:
- do they know what information you will keep about them?
- do they know the purpose for which you keep and use it?
- do they know the people or third parties to whom you may share information with?
If you collect information about an individual from a third party (e.g., from a husband about his wife) you have to consider whether the individual (in this case the wife) needs to be made aware of what is being noted about her as well as the purpose for holding that data. In general, the fair obtaining principle requires that every individual about whom information is collected for holding will be aware of what is happening.
It is imperative that everyone on your team understands exactly what personal information the business holds (and is responsible for). To make this clear, each member of staff should make an inventory of the personal data they hold. Once completed, this serves as your record of processing activity. A simple way to do this is to set up a data log template answering the following questions on your activity:
Attention must be paid to how and where data is stored (it must be secure and should be encrypted) and individuals must be informed if a third party is being used to provide a system for this purpose. If you are using a third party system (such as cloud based storage) that provider is a data processor on your behalf: GDPR requires a written contract (a data processing agreement) with them covering what they process, for how long and how they secure it. Ask them to confirm their GDPR compliance in writing and keep that confirmation with your records; an email checklist is a useful start, but it does not replace the contract.
Personal information held by you or your company might include:
- Information required for Garda Vetting (if your company requires it)
- Text or messaging systems (WhatsApp, Bulktext etc.)
- Facebook Fanbase
- Email lists or distribution groups
- Ad-hoc sign in sheets at events or registration forms
- Information captured on websites or social media
- Minutes of meetings
- Payroll details
- Staff details
Step 3 – Transparency
Individuals must be made aware of certain information - such as why their data is being collected and who will have access to it, before their data is obtained. GDPR insists that information must be given to individuals in advance of collecting and using their data.
It is imperative that you have an updated Privacy Statement or Policy on your website.
Step 4 – Ensure Personal Privacy Rights
GDPR enshrines certain rights for individuals that must be supported by every Data Controller. These rights include:
• Access to all information held about an individual (a subject access request). This must be provided without undue delay and at the latest within one month of the request; the period can be extended by a further two months for complex requests, but the individual must be told of the extension within the first month.
• To have inaccuracies corrected
• To have information erased (the "right to be forgotten"), where there is no longer a legal basis to keep it
• To object to direct marketing, which must always be honoured
• To restrict processing of their information, and not to be subject to decisions based solely on automated processing that significantly affect them
• To receive the data they supplied in a portable, machine-readable format
Step 5 – Obtain and Manage Consent
Where you have chosen Consent as the legal basis for processing data, the following applies:
GDPR is very clear that an individual must be informed of what their personal information is going to be used for, who will have access to it, where it will be stored and how long it will be held for.
Consent must be ‘freely given, specific, informed and unambiguous’. People cannot be forced into consent or unaware that they are giving consent. Obtaining consent requires a positive indication of agreement. In other words – NO PRETICKED TICK BOXES!
Consent must also be verifiable – Data Controllers must be able to demonstrate that consent was given, so keep an audit trail of who consented, to what, when and how. Consent must be as easy to withdraw as it was to give. The retention period (how long you keep the data) should match the need to demonstrate consent, subject to any separate legal obligations (for example, financial records must be kept for 6 years under Irish tax law).
Under GDPR and the Irish Data Protection Act 2018, the "digital age of consent" is 16: where you rely on consent to offer an online service directly to a child under 16, consent must come from the child's parent or guardian. In the UK the digital age of consent is 13.
Step 6 – Legal Basis
Does the processing of this data have legal basis? You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it. This is particularly important where consent is relied upon as the sole legal basis for processing data. Under GDPR, individuals have a stronger right to have their data deleted where customer consent is the only justification for processing.
You have to explain your legal basis for processing personal data in your privacy notice and when you answer a subject access request.
Legal basis comes under 6 headings:
- Consent (consent must be specific, granular, clear, prominent, opt-in, documented and easily withdrawn)
- There is a Legal Obligation to process the data
- The processing of data is necessary for the Purposes of a Contract
- The processing of data is to Protect Vital Interests
- The processing of data is in the Public Interest
- There is a Legitimate Interest for processing the data
All organisations need to carefully consider how much personal data they gather, and why. If any categories can be discontinued, do so. For the data that remains, consider whether it needs to be kept in its raw format, and how quickly you can begin the process of anonymisation and pseudonymisation. Remember keep data to the minimum. Don’t gather or keep data “just in case”.
Step 7 – Report Data Breaches
If unauthorised access to Personal Data occurs, or Personal Data is lost, stolen, altered or destroyed, this must be notified to the Data Protection Commission within 72 hours of you becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. This applies to paper records as much as to electronic ones. Data that was properly encrypted (and whose key was not compromised) or genuinely anonymised will usually fall into the "unlikely to result in a risk" category, but you should still record the incident internally and be able to explain why you did not notify.
If the breach is likely to result in a high risk to the individual (identity theft, fraud or breach of confidentiality, for example) then the individual must also be informed without undue delay. A procedure to detect, report and investigate data breaches should be in place before you need it, and every breach, whether notified or not, should be logged.
It is imperative that Data Breaches or possible Data Breaches are not ignored in the hope that no one will notice; they must be investigated and reported where required.
NB: The 72 hour deadline for notification to the Data Protection Commission runs irrespective of any steps being taken to understand the causes of the breach. If you do not yet have all the facts, notify with what you know and follow up with the rest.
Breaches are reported to the Data Protection Commission in Ireland through the breach notification form on its website. It is worth noting that organisations can be fined for failing to report a data breach in time.
Step 8 – Ensure Privacy by Design
GDPR seeks to ensure that all significant new processes, initiatives or projects undertaken consider and build in GDPR compliance from the outset (privacy by design and by default). Where a project is likely to result in a high risk to individuals (for example large-scale processing, profiling, or the use of special categories of data) a Data Protection Impact Assessment (DPIA) is mandatory, and it must be carried out before the processing starts.
When introducing new technology or systems it is good practice to conduct a DPIA in any case: identify the personal data involved, the potential privacy issues, and agree ways to reduce the risk of those issues occurring. Keep the completed assessment as part of your accountability records.
Step 9 – Identify someone to be the Data Protection Officer/Liaison Person
Try to identify someone to coordinate your approach to meeting the Data Protection obligations. This will include identifying and recording the specific locations where data is held and ensuring that consent is obtained in the appropriate manner and maintained. (A formal Data Protection Officer is only mandatory in certain cases, such as large-scale monitoring or processing of special categories of data, but every business benefits from a named liaison person.)
The designated person should ensure that subject access requests and data breaches are dealt with in accordance with GDPR.
By becoming a member of The Pulse Club you will have exclusive access to our 1st Tuesday Clubs and also our Workshops. It costs just €50 a year and is a great way to network with like-minded people – who may just have the same fears and questions you have! Click here to register your interest.
This webpage does not constitute legal advice. Please make sure that your organisation is fully compliant with GDPR and validate your own data processing with regard to legal basis et al. GDPR has many elements that you need to be aware of with regards to data breaches, subject access, fines, retention, minimisation etc.