The GDPR (General Data Protection Regulation) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organisations that collect or process personal data.
It comes into force on 25th May 2018. The regulation builds on many of the 1995 Directive's requirements for data privacy and security, it includes several new provisions that enhance the rights of data subjects, and it imposes harsh penalties for violations of data protection rights.
Key Terms Explained
If there is a data breach, you have 72 hours to inform your local Data Protection Agency (DPA). Depending on the data that was breached, you then have to inform the data subjects of the breach without delay.
There are significant penalties for companies that breach data protection law and fines can be up to €20,000,000 or 4% of annual global turnover.
If you, as an individual or an organisation, collect, store or process any data about living people on any media, then you are a data controller. Most companies, clubs and organisations are data controllers.
If you are using MindaClient and collecting, storing and using client information, then you are a data controller.
If, on the other hand, you hold the personal data but some other organisation decides and is responsible for what happens to that data, then the other organisation is the "data controller" and your organisation is a "data processor". An example of this is using a third party to process your payroll: you are the data controller, but the service provider you use for payroll is the data processor.
Rights of the individual
Data subjects' right to privacy – the data controller needs to be able to demonstrate that privacy concerns are a key part of decision making in the business. It is not just a question of awareness or acknowledgement; it needs to be demonstrable. Documented procedures relating to the privacy of the data need to be part of every business decision and project going forward.
You cannot use a person's information for any purpose other than the original reason for which they shared their data.
A person will have the right to be forgotten. This will apply to large companies in relation to social media, but it will also apply to small organisations in Ireland. A person can contact you, ask you what information you store relating to them and request that you remove their data.
Document your data protection and security procedures
As well as having your policies and procedures, it is important that these are fully documented and that everyone is familiar with them and knows where to access them.
Incident response plan
Prepare an incident response plan. It is amazing how many organisations at the moment only put such a plan together after there has been a security incident or breach.
Once you have your plan in place and it has been properly communicated, everyone knows what to do in the event of an incident.
Train and communicate with your staff – on your policies and on the importance and implications of data protection.
Review the IT system security
This covers security, backups, software updates and patching of servers. This is definitely an area where you may need to get expert help. In a small organisation you would need to check the security of laptops, external hard drives, etc. If your data is hosted externally, then you should check with that hosting company.
Encrypt your data – if you can show that the data is unreadable to anyone without the appropriate security credentials, and you maintain a good password policy in your organisation, then you are largely protected from a breach point of view in relation to GDPR.
Minimise collection of consumer data
Going forward, if there is no reason to collect a piece of data from clients or customers, then don't collect it.
A very easy-to-read guideline document prepared by the Data Commissioner of Ireland is available here.
The Data Commissioner's main website, which has information about GDPR and other areas of data protection: www.dataprotection.ie
A definitive checklist from the Data Commissioner's website is available here.
The information on the MindaClient GDPR web pages is not intended as a legal interpretation of the GDPR regulation and should not be relied upon as legal advice.
It is intended
- To provide information
- To outline what MindaClient can do to help you become GDPR compliant
- To outline how MindaClient is complying with the GDPR regulation
You are advised to seek your own legal advice and to consult the Data Commissioner's website.