GDPR (General Data Protection Regulations)
The General Data Protection Regulation (GDPR) will come into force on the 25th May 2018. GDPR sets out rules which organizations have to follow regarding an individual’s personal data.
THE THEORY GDPR sets out in article 5(1) six principles for processing personal data.
Article 5(2) also introduces Accountability This sets an obligation on data controllers to be responsible for and to demonstrate compliance with GDPR.
- Lawfulness, fairness and transparency Personal data shall be stored and processed lawfully, fairly and in a transparent manner. This could include measures such as making privacy policies more user friendly and promoting the rights of users / customers.
- Purpose limitation Personal data shall be collected and stored for specified, defined and legitimate reasons. GDPR also allows further processing for public interest and/or scientific purposes such as census and population statistical analysis.
- Data minimization Personal data should be adequate, relevant and limited to the purpose for which it is collected and stored. Data minimization lays a close role with purpose limitation since controllers only collect enough data to achieve their purpose, but only the amount needed to do that.
- Accuracy Personal data should be accurate and, where necessary, kept up to date. GDPR states that the erasure or rectification of personal data should be implemented without delay. However, a longer time is permitted where data is stored and processed for statistical, historical, public interest and scientific purposes.
- Storage limitation Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary.
- Security Personal data shall be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Data controllers must demonstrate their compliance with GDPR by e.g. documenting their decisions when undertaking processing and storage activities.
GDPR allows for financial sanctions for breaches. GDPR makes a distinction between a data controller and a data processor organisation. If you collect data for use in your organisation you are a data controller, for example, if customers register online to buy from you online. On the other hand, if you are working with someone else’s data, such as a payroll firm or a marketing firm then you are a data processor. Organisations should ensure that the personal data they hold is accurate and document how and for what it is being processed. They have to show evidence of compliance. https://www.fondia.com/blog/what-are-the-data-protection-principles-under-the-gdpr
THE PRACTICE … for individuals Personal data includes name, address, phone number, transaction or search history, date of birth, marital status, id number, images or anything relating to the physical, physiological, genetic, mental, economic cultural or social identity of the individual. Under GDPR, individuals have the right to
- Obtain details about how their data is processed and stored by an organisation or business
- Obtain copies of personal data that an organisation holds on them.
- Have incorrect or incomplete data corrected.
- Have their data erased by an organisation, where for example, that organisation has no legitimate reason to hold the data.
- Obtain their data from an organisation and to have that data transmitted to another organisation (Data Portability)
- Object to the processing of their data by an organisation in certain circumstances
- Not to be subject to (with some exceptions) automated decision-making, including profiling.
- Object to direct marketing
… for businesses
Businesses cannot charge for processing a data access request (unless it involves excessive costs)
- Review and enhance your organisation’s risk management processes. Identify risk areas. Assign the role of Data Controller.
- Make a list if all the personal data your organisation holds on customers. Does it comply with the 6 Principles?
- Document what information you hold, and how and why you use it.
- Obtain customer consent for the use of their personal data.
- When gathering personal data from customers, provide the following …
- Your identity
- Why you are gathering the information
- How you will use the information
- Who it will be disclosed to
- If it will be transferred outside the EU.
- Retention period
- If it will be subject to automatic decision-making
- Right of complaint
- Their rights
- Respond within 30 days
- Display a Privacy Notice
Data Controller responsibilities (The Eight Rules of Data Protection)
To fairly obtain data the data subject must, at the time the personal data is being collected, be made aware of:
- the name of the data controller;
- the purpose in collecting the data;
- the identity of any representative nominated for the purposes of the Acts;
- the persons or categories of persons to whom the data may be disclosed;
- whether replies to questions asked are obligatory and the consequences of not providing replies to those questions;
- the existence of the right of access to their personal data;
- the right to rectify their data if inaccurate or processed unfairly;
- any other information which is necessary so that processing may be fair and to ensure the data subject has all the
- information that is necessary so as to be aware as to how their data will be processed.
Data Processor responsibilities
the processing must be necessary for one of the following reasons -
- the performance of a contract to which the data subject is a party;
- in order to take steps at the request of the data subject prior to entering into a contract;
- compliance with a legal obligation, other than that imposed by contract;
- to prevent injury or other damage to the health of the data subject;
- to prevent serious loss or damage to property of the data subject;
- to protect the vital interests of the data subject where the seeking of the consent of the data subject is likely to result in those interests being damaged;
- for the administration of justice;
- for the performance of a function conferred on a person by or under an enactment;
- for the performance of a function of the Government or a Minister of the Government;
- for the performance of any other function of a public nature performed in the public interest by a person;
- for the purpose of the legitimate interests pursued by a data controller except wherethe processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.
The Data Commissioner’s website for GDPR is http://gdprandyou.ie/
Posted on Mon 09 Apr 18