Latest Thinking / October 25, 2017
GDPR – what is it all about?
Recently, DNM held a breakfast briefing with a heavy focus on the topic of GDPR. The feedback we had from the event was very complimentary, so we decided to share some of the most frequently asked questions and top tips here. It can be heavy reading at times, but as you can see from the penalties, we all need to be aware of what’s coming on 25th May 2018.
The objective of the GDPR is – “Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those [in the public and private sectors] who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States”
Finding it tough to get your head around? We are having GDPR conversations every day with our customers to ensure they are ready.
Make sure you’re ahead of the curve on this: get in touch via email or give us a call on 01 499 2500.
- ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
- If the Processor is in breach of GDPR, it must notify the Controller [Article 28(3)]
1. Controllers have a legal obligation to give effect to the rights of data subjects
“Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.”
“The controller shall facilitate the exercise of data subject rights under Articles 15 to 22.”
2. Time limits for complying with the rights of data subjects
Article 12(3) to 12(4)
A controller must, within one month of receiving a request made under those rights, provide any requested information in relation to any of the rights of data subjects.
If the controller fails to meet this deadline, the data subject may complain to the relevant DPA and may seek a judicial remedy.
Where a controller receives large numbers of requests, or especially complex requests, the time limit may be extended by a maximum of two further months.
3. Right of Access (DSAR)
1,479 complaints to ODPC in 2016 – 835 related to access rights
Data subjects have the right to obtain the following information:
- confirmation by the controller of whether, and where, their personal data is being processed;
- the purposes of the processing;
- the categories of data being processed;
- the categories of recipients with whom the data is shared, especially third parties;
- where possible, the period for which the data will be stored (or the criteria used to determine that period);
- information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
- the existence of the right to complain to the Supervisory Authority;
- where the data were not collected from the data subject, information as to the source of the data; and
- information about the existence of, and an explanation of the logic involved in, any automated processing that has a significant effect on data subjects.
- Article 28(1)
“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures [TOMs] in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
- Article 28(3)
Appointment = a binding written agreement which states that the Processor must:
(a) only act on the documented instructions from the Controller
(b) commit to confidentiality
(c) take all security measures as prescribed by Article 32
(d) abide by the rules for engaging a sub-processor
(e) assist Controller in complying with rights of data subjects
(f) assist Controller with security requirements, breach notifications and PIAs
(g) delete or return personal data to the Controller
(h) demonstrate compliance with the above (through audits and inspections)
- Current law – quantifiable loss, financial loss, material damage
- Article 82(1):
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”
- Article 82(2):
Any Controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation.
A Processor shall be liable for the damage caused by processing only where it has not complied with its obligations specifically directed to Processors or where it has acted outside or contrary to lawful instructions of the Controller.
Tip #1 Accountability and Transparency
Make an inventory of all personal data you hold and examine it under the following headings:
- Why are you holding it?
- How did you obtain it?
- Why was it originally gathered?
- How long will you retain it?
- How secure is it, both in terms of encryption and accessibility?
- Do you ever share it with third parties and on what basis might you do so?
This is the first step towards compliance with the GDPR’s accountability principle, which requires organisations to demonstrate (and, in most cases, document) the ways in which they comply with data protection principles when transacting business.
Tip #2 The Controller/ Processor relationship
It's important to review Data Processing Agreements to ensure compliance with EU Article 29. The best thing you can do is to find yourself a certified processor so you don't have to worry.
Tip #3 Rights of Data Subjects and Access Requests
Review your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically.
Rights for individuals under the GDPR include:
- subject access
- to have inaccuracies corrected
- to have information erased
- to object to direct marketing
- to restrict the processing of their information, including automated decision-making
- data portability
Tip #4 Data Breach Management
Develop a system for early detection and deployment of a response team as quickly as possible.
- An audit of the company’s data structure and processes
- Privacy impact assessments (Admin, Finance, HR, IT)
- Privacy by design to ensure data at every level of your business is protected
- Engage with a processor that guarantees to implement appropriate technical and organisational measures
- Employee training and awareness
- Preparation of a Data Breach Management Plan.