The General Data Protection Regulation (GDPR) will come into force across the EU on the 25th May 2018, replacing the existing data protection framework. It emphasises transparency, security and accountability by data controllers and processors, while at the same time standardising and strengthening the right of European citizens to data privacy. With it will come new responsibilities for businesses and penalties, including fines, for breaches.
We’re pleased to introduce David Waldon, Senior Business Consultant with CloudStrong with advice for Irish businesses on how they can prepare for the new regime.
It’s safe to say that the majority of SME’s are not yet prepared for GDPR, with many citing a lack of clear cut guidelines on the steps and measures they should take to comply with these new regulations. However businesses need to be aware of their responsibilities and to start preparing now. Here are 12 steps to guide your GDPR preparations:
- Create Awareness of GDPR within the business
This is the most important step. Decision makers and key people in your business need to appreciate the impact GDPR is likely to have on the business. The law is changing and ignorance will no longer suffice.
- Are you a Data Controller or Data Processor or both?
A Data Controller generates Personal Data, whereas a Data Processor simply processes that said data. Being a Data Controller carries with it serious legal responsibilities, however Data Processors have a very limited set of responsibilities. Understanding your responsibilities is critical to becoming GDPR compliant.
- Assess what Information your business holds
You should document what personal data you hold, where it came from and who you share it with. Personal Data is defined as any information (including online identifiers such as IP addresses and cookies) relating to a person who can be identified either directly or indirectly. There is no distinction about an individual in their private, public or work roles. All are covered under GDPR.
- Document Legal Basis for Processing Personal Data
Collecting and using nice-to-have or just-in-case information isn’t an option. If an activity has no legal basis it cannot continue. Aside from consent, the Regulation sets out the following legal bases:
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract;
- Processing is necessary for compliance with a legal obligation;
- Processing is necessary to protect the vital interests of a data subject or another person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and,
- Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject (unless you’re a public authority in which case you cannot rely on this condition).
- Communicating Privacy Information
- Personal Privacy Rights
Ensure your business procedures cover all the rights individuals are entitled to, including deletion and data portability (and how you do this). Individuals also have the right to subject access, to have inaccuracies corrected, to have information erased, to object to direct marketing, to restrict the processing of their information, including automated decision-making and data portability.
- Monitoring of Employees Activities such as Email, Internet Usage, CCTV etc.
Personal data can only be processed where it is necessary for the normal development of the employment relationship and the business operation. Monitoring and surveillance activities must comply with the transparency requirements of data protection law.
- Staff must be informed of the existence of the surveillance, and also the purposes for which personal data are to be processed.
- If CCTV cameras are in operation, and public access is allowed, there must be a “Fair Processing Notice” at the point of collection in the case of CCTV through which the information comes in. It must clearly state for what purpose the information is been gathered.
- Any monitoring must be carried out in the least intrusive way possible and must be a proportionate response by an employer to the risk he or she faces taking into account the legitimate privacy and other interests of workers.
- Only in exceptional circumstances associated with a criminal investigation, and in consultation with the Gardaí, should resort be made to covert surveillance monitoring and surveillance whether in terms of email use, internet use, video cameras or location data are subject to data protection requirements.
At a very minimum, staff should be aware of what the employer is collecting on them (directly or from other sources). Staff have a right of access to their data under section 4 of the Data Protection Acts. Any personal data processed in the course of monitoring must be adequate, relevant and not excessive and not retained for longer than necessary for the purpose for which the monitoring is justified.
- Explicit Consent for Marketing & Other Purposes
SME’s must get explicit and clear consent and Opt-In only for marketing activities. there is no such thing as ‘opt-out consent’” under the regulations.
- Data Breach Notification
A data breach is where a “high risk to the rights and freedoms of individuals occurs” and those affected must be notified without undue delay. Companies now have 72 hours to log the discovery of a data breach with the relevant data protection authorities. Companies which fail to do so may find themselves facing additional fines. Have an Incident Response Policy and Procedures in place to be prepared in the event a breach occurs. Treat a Data Breach drill like a Business Continuity Plan or a Fire Evacuation Plan. It needs to be rehearsed and tested: the likelihood is, it is not a case of IF you get a breach, rather WHEN you get a breach.
- Prepare for “Subject Access Requests”
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
- Implement Security Measures for Personal Data Protection
Providing adequate protection for the data you process is essential for compliance with GDPR. Physical and procedural security controls will be just as important as technical ones.
- Privacy Impact Assessment if processing High Risk Data
A PIA is required in high-risk situations only, for example where a new technology is being deployed or where a profiling operation is likely to significantly affect individuals, or monitoring activities, systematic evaluations or processing special categories of data such as Financial, Legal or Children. Where a PIA indicates high risk data processing, you will be required to consult the Data Protection Office to seek its opinion as to whether the processing operation complies with the GDPR.
Data has become a currency of sorts in recent years, and you should seek to protect this Data at all costs, as if it had monetary value. Ensuring you do not in any way neglect the GDPR regulations for privacy, compliance and consent when it comes personal data will be part of this.
Keystone Procurement want to thank David Waldon of CloudStrong for his time in explaining what how Irish businesses can prepare for GDPR. People can contact David through LinkedIn or via www.cloudstrong.ie.
Finding Public tenders
Over 100 tenders issue every week, we have been tracking these tenders for nearly two years now and know that almost all industries and sectors have opportunities. Opportunities present in almost every conceivable category of good or service.
www.etenders.ie – register to obtain the latest tenders from State bodies
www.supplygov.ie – the latest lower value tenders for trades / supplies from local authorities
www.tenderscout.com – a tender engine highlighting opportunities in Ireland and overseas