The General Data Protection Regulation (GDPR) significantly increases the obligations and responsibilities for organisations in how they collect, use and protect personal data. At the centre of the new law is the requirement for organisations to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities.
The Regulation is binding throughout the EU/EEA without the need for ratification in Member States and comes into force on 25 May 2018. Data Subjects gain additional rights under the clauses on Transparency, Data Portability and Accountability.
Protection of Personal Data
- Everyone has the right to the protection of personal data concerning him or her.
- Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
- Compliance with these rules shall be subject to control by an independent authority.
Are you a Data Controller?
If you, as an individual or an organisation, collect, store or process any data about living people on any type of computer or in a structured filing system, then you are a data controller. In practice, to establish whether or not you are a data controller, ask whether you decide what information is collected and stored, what use it is put to, and when it should be deleted or altered.
Responsibilities of Data Controller
- Obtain and process information fairly
- Keep it only for one or more specified, explicit and lawful purposes
- Use and disclose it only in ways compatible with these purposes
- Keep it safe and secure
- Keep it accurate, complete and up-to-date
- Ensure that it is adequate, relevant and not excessive
- Retain it for no longer than is necessary for the purpose or purposes
- Give a copy of his/her personal data to an individual, on request
Website resource: Guide for Data Controllers
Conditions for Consent
- The controller must be able to demonstrate that the data subject has consented to the processing
- Consent must be clearly distinguishable from other matters, and presented in an accessible and intelligible form
- It must be as easy to withdraw consent as to give it
- A contract cannot be made conditional on consent to processing that is not necessary for that contract
Website resource: Checklist – Asking for Consent
GDPR: What YOU must do
- Increase Awareness / Knowledge
- Log your preparations for GDPR
- Identify and act on any “To Do” items (examples: Data Protection/Privacy Policies, records containing personal data, consent clauses for retaining personal data or sending marketing materials, opt-out clauses)
Much of the personal data we retain is unnecessary and no longer useful, so this is a good opportunity to implement good “housekeeping”, consistent with HR records retention.
Download resource: 12 Step Guide to being GDPR ready
Website resource: Self Assessment Checklist
Subject Access Requests
A data subject is entitled to receive ALL personal information held by your organisation within 30 days of receiving the request (reduced from 40 days). This is the area that generates the most complaints to the Data Protection Commissioner.
GDPR Workshop Facilitator: Dorothy Barry, DMBarry & Associates Management Consultants
LinkedIn: Dorothy Barry