You may or may not have heard of GDPR, which stands for General Data Protection Regulation, but you will hear a lot more about it in the coming months.
It is a new Europe-wide regulation that comes into force in May 2018 and deals with the security and protection of personal data.
It will affect different organisations in different ways depending on your organisation, your industry and whether you are a Data Controller or a Data Processor. (See key terms below.)
The Data Commissioner’s summary says “The General Data Protection Regulation (GDPR) very significantly increases the obligations and responsibilities for organisations and businesses in how they collect, use and protect personal data. At the centre of the new law is the requirement for organisations and businesses to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities.”
If there is a data breach, you have 72 hours to inform your local Data Protection Agency (DPA). Depending on the data that was breached, you then have to inform the data subjects of the breach without delay.
There are significant penalties for companies that breach data protection law and fines can be up to €20,000,000 or 4% of annual global turnover.
Key Terms Explained
If you, as an individual or an organisation, collect, store or process any data about living people on any media, then you are a data controller. Most companies, clubs and organisations would be Data Controllers.
If you are using MindaClient and collecting, storing and using client information, then you are a data controller.
If, on the other hand, you hold the personal data but some other organisation decides and is responsible for what happens to the data, then that other organisation is the “data controller” and your organisation is a “data processor”. An example of this might be using a third party for processing your payroll. You are the data controller, but the service provider you are using for payroll is the data processor.
MindaClient, who provides the CRM / Client database function, would therefore be a Data Processor.
Data Protection Officer
A data protection officer is someone who would be appointed in your organisation and would be given responsibility for ensuring data compliance.
This person should be fully aware of the GDPR obligations and requirements.
The Rights of the individual
Data subjects’ right to privacy – the Data Controller needs to be able to demonstrate that privacy concerns are a key part of the decision making in the business. It’s not just a question of awareness or acknowledgement; it needs to be demonstrable. Documented procedures relating to the privacy of the data need to be part of every business decision and project going forward.
You cannot use a person’s information for any purpose other than the original reason that they shared their data.
A person will have the right to be forgotten. This will apply to large companies in relation to Social Media, but it will also apply to small organisations in Ireland. A person can contact you, ask you what information you store relating to them and request that you remove their data.
If you or your organisation is dealing with minors there are a number of additional requirements. One such example – you need to demonstrate that requests for information were acknowledged and agreed to by legal guardians.
What do you need to do?
This is not an exhaustive list, and depending on your organisation and what data you store, you may have many more areas to cover and you might need to engage external expertise.
This is more a road map about where you should start.
Appoint your Data Protection Officer
This person may require training so that they are fully aware of all the requirements for security and data protection for your organisation.
Carry out an audit of your data
You have to ask yourself a number of questions in relation to the collection, storage and use of data. Here is a way to try to remember the questions you should ask (the first column reads down as the phrase “On my Computer or World Wide Web my Data is Secure”). These questions should be asked of existing data you hold as well as new data you collect.
| Mnemonic | Letter | Topic | Question to ask |
|---|---|---|---|
| On my | O | Obtaining | How did you obtain it? |
| Computer or | C | Consent | Did you get consent? |
| World | W | Why gather | Why was it originally gathered? |
| Wide | W | Why hold it | Why are you holding it? |
| Web my | W | When retain until | When will you get rid of it? How long will you retain it? |
| Data is | D | Data security | How secure is the data, both in terms of encryption and accessibility? |
| Secure | S | Sharing data | Do you ever share it with third parties? |
What to remember when collecting data
Develop a data protection policy
This is the complicated bit, and depending on your industry, you might take legal advice with regard to it. Once a policy is developed, you need to be able to show that you are adhering to it. It’s not enough to have one; it must be followed.
Document your data protection and security procedures
As well as having your policies and procedures, it is important that these are fully documented, that everyone is familiar with them and that everyone knows where to access them.
Incident response plan
Prepare an incident response plan. It is amazing how many organisations at the moment only put such a plan together after there has been a security incident or breach.
Once you have your plan in place and it is properly communicated, everyone knows what to do in the event of an incident.
Train and communicate with your staff – policies, importance & implications of data protection
With all the money invested in advanced security systems, it is often the organisation’s own staff where the weakest link can be.
- This can be a member of staff leaving their password on a yellow sticker stuck to their desktop.
- It can be choosing a password such as 12345678.
- It can be not having a procedure in place to remove a person’s access to your data when they leave your organisation or when they are transferred to a different department in a company.
As well as writing all these policies and audit procedures, you need to communicate them effectively to your staff.
Review the IT system security
This covers security, backups, updates to software and patching of servers. This is definitely an area that you may need to get expert help with. In a small organisation you would need to check the security of laptops, external hard drives etc. If your data is hosted externally, then you should check with that company.
Encrypt your data – if you can show that the data is unreadable to anyone without the appropriate security credentials, and you maintain a good password policy in your organisation, then you are largely protected from a breach point of view in relation to GDPR.
Minimise collection of consumer data
Going forward, if there is no reason to collect data from clients or customers, then don’t collect it.
The Data Commissioner’s website explaining GDPR: www.gdprandyou.ie
An 11-page guideline document prepared by the Data Commissioner in an easy-to-read format: https://www.dataprotection.ie/docimages/documents/The%20GDPR%20and%20You.pdf
The Data Commissioner’s main website, which has information about GDPR and other areas of Data Protection: www.dataprotection.ie
The EU GDPR Portal, which has its own countdown to “G-day”: www.eugdpr.org
HAPPY READING!
This is not a legal interpretation of GDPR regulation. It is intended as awareness raising about the subject.