Data Protection Fundamentals - GDPR
Elizabeth Dunne Barrister-at-law, PC. dp
Elizabeth Dunne Consultancy Services
October 23rd 2018
Elizabeth Dunne Consultancy Services 2018
Data Protection and GDPR
• The EU General Data Protection Regulation (GDPR) was adopted in April 2016 and has been enforced since 25th May 2018.
• New Data Protection Act 2018 (25th May 2018).
• Fines / sanctions for infringement and breach of the Act, imposed directly by the Office of the Data Protection Commissioner.
• Investigations and new offences.
Data Protection and GDPR
• Current landscape and legislation – the road to GDPR – the Regulation and the Data Protection Act 2018
• Definitions to remember
• Steps to achieving compliance – the “lifecycle” of data:
– Collection
– Storage
– Usage
– Sharing
– Disposal
• Types of personal data
• Demonstrating compliance: Policies and Procedures – Website Privacy Notice, Breach Protocol, Data Subject Access Protocol and Form, Data Protection Policy and Data Retention Policy.
• Questions
Data Protection and GDPR
• ‘Personal data’ is defined as any information relating to an identified or identifiable natural person (‘data subject’); it does not apply to deceased persons (Recital 27).
– An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• Legal basis – the legal basis on which processing occurs, under ART 6 or ART 9, must be identified by the controller.
Data Protection and GDPR
‘Data Subject’: “an individual who is the subject of the personal data”.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
‘Special categories of data’ include personal data revealing:
• racial or ethnic origin,
• political opinions,
• religious or philosophical beliefs, or
• trade union membership, and the processing of
• genetic data, or biometric data for the purpose of uniquely identifying a natural person,
• data concerning health, or
• data concerning a natural person's sex life or
• sexual orientation;
• criminal convictions or offences.
Processing of these categories is prohibited unless one of the conditions under ART 9 is satisfied.
Data Protection and GDPR
Processing of these categories is prohibited unless one of the conditions under ART 9 is satisfied:
• Explicit consent (where the data subject gives their consent);
• Processing is necessary for the purpose of carrying out obligations or rights of the controller or data subject in the field of employment, social security and social protection law (not based on consent);
• Processing is necessary to protect the vital interests of the data subject or another person (not based on consent).
There are other conditions in the areas of public health or the defence of legal claims, but generally one of the above grounds must be satisfied before the others will apply.
Data Protection and GDPR
Processing of other categories of personal data (name, address, phone number, email, financial details) must satisfy ART 6:
• The data subject has given consent (where consent is given);
• Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering a contract;
• Processing is necessary for compliance with a legal obligation to which the controller is subject;
• Processing is necessary to protect the vital interests of the data subject;
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority;
• Legitimate interest of the controller.
Data Protection and GDPR
The data controller controls the contents and use of personal data.
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data Protection and GDPR - Storage
• Where is data stored?
• Hard drives (“C” drives (local), shared network drives)
• Databases (Excel etc.)
• Email
• Laptops / USBs
• Smart phones / other devices
• Cloud applications
• Paper files / relevant filing systems
• Stand-alone systems
• Archive
• Social media: WhatsApp, Facebook / Instagram*
• *June 2018 – admins are data controllers for Facebook accounts and the data collected there.
Data Protection and GDPR - Storage
• GDPR requires “technical and organisational” measures to keep data secure when stored – implement policies and purge duplicate data.
• Record all categories of data (including sensitive data) on a register and draft a data retention schedule.
• Assign access privileges to databases and network drives containing personal or sensitive data – grant access only to those who need it to handle personal data, on a need-to-know basis.
• Check the Cloud Service Provider’s contract to ensure it delivers the same level of availability, security and confidentiality (data centres should be listed, and transfers outside the EEA prohibited unless specific measures are in place to allow that transfer).
Data Protection and GDPR - Usage
• Personal and sensitive information should only be used for the purpose it was collected for.
• Any new or further use must be consented to by the data subject, whether or not consent was obtained originally for the data.
• Data subjects have rights: to access, to object to processing, to rectification, erasure and porting, and to withdraw consent – during use of the data. Staff generally have a right to their HR file and its contents, subject to reasonable considerations.
• Ensure you have a DSAR procedure in place where changes to data use occur.
• Review use of data sets regularly to make sure they are not outdated or inaccurate.
Data Protection and GDPR - Sharing
• Know how your data subjects’ personal information is shared:
– Within the organisation
– With 3rd parties
• Who has access within the organisation? Ensure you know what they are doing with it (copying it / using emails for other purposes / storing it?).
• Data subjects are entitled to know to whom their data is disclosed, in particular 3rd parties processing on your behalf.
• You must have a contract in place with 3rd parties who process data on your behalf – employee, user and supplier data.
• For example: cloud services, payroll (staff data).
• They must follow your instructions and never share personal data with others or use it for their own purposes.
• Statutory obligations and sharing of data, e.g. Department of Social Protection, Revenue, other government agencies.
Data Protection and GDPR - Disposal
• Data must only be kept for the purpose it was collected for and disposed of when it is no longer needed.
• Have a retention and disposal period for different categories of data.
• Be careful of archiving personal data, as archived data is still subject to the GDPR and the Data Protection Act 2018.
• Have retention periods for client and staff personal data.
• Choose a disposal method: shredding for paper files (secure) and purging of systems for electronic data / networks; destruction of hard drives.
• If you use third parties to process data, make sure they have your retention and disposal rules in place.
Data Protection and GDPR – Types of personal data
• Name
• National identifiers (e.g., passport ID) – sensitive
• Personal e-mail address / work email
• Personal identification numbers (PIN) or passwords
• Personal interests derived from tracking use of internet web sites
• Sexual life, marital status, political opinions – sensitive
• Personal telephone number
• Photograph or video identifiable to a natural person – sensitive
• Product and service preferences
• Racial or ethnic origin – sensitive
• Religious or philosophical beliefs – sensitive
• Sexual orientation – sensitive
• Trade-union membership – sensitive
• Utility bills
Data Protection and GDPR – Types of personal data
• Age or special needs of vulnerable natural persons – sensitive
• Allegations of criminal conduct – sensitive
• Any information collected during health services – sensitive
• Bank account or credit card number
• Biometric identifier and fingerprint data – sensitive
• Credit card statements
• Criminal convictions or committed offences – sensitive
• Criminal investigation reports – sensitive
• Customer number
• Date of birth
• Diagnostic health information – sensitive
• Disabilities – sensitive
Data Protection and GDPR – Types of personal data
• Doctor bills
• Employees’ salaries and human resources files (sensitive when containing medical data or other sensitive categories)
• Financial profile
• Gender – sensitive
• GPS position
• GPS trajectories
• Home address
• IP address
• Location derived from telecommunications systems
• Medical history – sensitive
Demonstrating Compliance - Policies and Procedures
Website Privacy Notice (Public Facing)
• Website Privacy Notice purpose:
• Your website is where people go to find details of your services, and GDPR requires that data subjects know the following:
• A transparent description of:
• Who you are and the contact details of the person / email address to deal with data protection issues
• Types of data collected
• Legal basis for collection and processing
• Who it is disclosed to and how long you keep it
• How data subjects can exercise their rights
• Use of cookies and other tracking devices
• Transfer of data outside of the EEA
• Written in plain, easy-to-understand language
Data Breach Protocol
Data Breach Protocol and Form (log) purpose:
• Identify team members to co-ordinate the breach response
• 72-hour window for notifiable breaches
• No automatic notification of the data subject
• In general, a data breach will require notification to the DPC if the data includes:
– the possibility of harm to the data subjects
– a large volume of personal data
– sensitive data (e.g. financial information (loss of financial information can be detrimental), health information or other sensitive information)
– If employee data is compromised, this must be included; it is not just service user or supplier data
– The DPC may advise if the data subject should be notified
• Identify weaknesses / risks in the organisation leading to a breach
• Identify security risks and how they can be mitigated
Types of breaches include (most common):
• loss or theft of paperwork;
• data posted or sent to the wrong recipient;
• data sent by email to the wrong recipient;
• insecure webpage access (hacking);
• loss or theft of an unencrypted device.
• If in doubt as to whether a situation involves a breach, consult a member of the breach management team.
Data Breach Log:
• Record of reportable and non-reportable breaches
• Near misses
• https://dataprotection.ie/docs/Breach-Notification-Form/m/1726.htm
Data Subject Access Request and Form
Data Subject Access Protocol and Form purpose:
Service users, employees and suppliers have the right:
• to ask for details of their personal data held
• to ask for a copy of their personal data
• to have any inaccurate or misleading data rectified, corrected or erased
• to restrict the processing of their personal data in certain circumstances
• to object to the processing of their personal data
• to transfer their personal data to a third party
• not to be subject to automated decision making
• to receive notification of a data breach
• to lodge a complaint with the Data Protection Commissioner.
• Application made in writing
• Using a Data Subject Access Form – post or email it
• You cannot compel use of the Form, but it helps narrow down the information requested
• No charge (repeals the 1988 and 2003 position)
• 2 working days to acknowledge receipt (not prescribed by legislation)
• 30 days to respond (can be extended to 2 months)
• No third party information – only information relating to the data subject – disclosure of third party information is a breach
• Must verify the identity of the requester
• Begin processing the request, but wait on verification
• Agents may apply on behalf of a data subject, but verify their identity
• Never allow anyone to force you into revealing personal information
Data Protection Policy - Staff
• Data Protection Policy (Staff) purpose:
• Employees should be aware of both their rights and obligations around data protection:
• A description of:
• contact details of the person / email address to deal with data protection issues arising for staff
• Types of data collected relating to employment
• Reasons for collection and processing, including sensitive data or other collected data that employees might not be aware of
• Who employee data is disclosed to and how long you keep it
• How employees can exercise their rights
• A statement of expectations for staff around data handling and management of data.
Data Retention Policy
• Data Retention Policy purpose:
• Set out the document management and retention schedule.
• A description of:
• protocol for the management of all records
• Storage, management and destruction methods
• Responsibility around management of soft copy and hard copy data
• Schedule of documents and retention periods relevant to each area: Personnel Files (HR), Corporate Records, Client and Service User records.
• Miscellaneous other records.
• Most have statutory time periods, but others are kept where a business need arises or where retention relies on other bodies / statutory agencies to which you are affiliated.
• Justification of time periods should be given where possible.
Questions and Answers

Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
 
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort ServiceBDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
 
Zuja dropshipping via API with DroFx.pptx
Zuja dropshipping via API with DroFx.pptxZuja dropshipping via API with DroFx.pptx
Zuja dropshipping via API with DroFx.pptx
 
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
 
Halmar dropshipping via API with DroFx
Halmar  dropshipping  via API with DroFxHalmar  dropshipping  via API with DroFx
Halmar dropshipping via API with DroFx
 
(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7
(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7
(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7
 
BabyOno dropshipping via API with DroFx.pptx
BabyOno dropshipping via API with DroFx.pptxBabyOno dropshipping via API with DroFx.pptx
BabyOno dropshipping via API with DroFx.pptx
 
Week-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionWeek-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interaction
 
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Accredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdfAccredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdf
 
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 nightCheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
 
FESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdfFESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdf
 
Data-Analysis for Chicago Crime Data 2023
Data-Analysis for Chicago Crime Data  2023Data-Analysis for Chicago Crime Data  2023
Data-Analysis for Chicago Crime Data 2023
 
Carero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptxCarero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptx
 
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
 
Ravak dropshipping via API with DroFx.pptx
Ravak dropshipping via API with DroFx.pptxRavak dropshipping via API with DroFx.pptx
Ravak dropshipping via API with DroFx.pptx
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdf
 
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323  Cheap Rate Call Girls in Vashi with Real Photo 100% SecureCall me @ 9892124323  Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
 

Data Protection GDPR Basics

1. Data Protection Fundamentals - GDPR
Elizabeth Dunne, Barrister-at-law, PC.dp
Elizabeth Dunne Consultancy Services
October 23rd 2018
Elizabeth Dunne Consultancy Services 2018

2. Data Protection and GDPR
• The EU General Data Protection Regulation (GDPR) was adopted in April 2016 and became enforceable on 25 May 2018.
• New Data Protection Act 2018 (commenced 25 May 2018).
• Fines and sanctions for infringement and breach of the Act are imposed directly by the Office of the Data Protection Commissioner (DPC).
• Investigations and new offences.

3. Data Protection and GDPR
• Current landscape and legislation: the road to GDPR, the Regulation and the Data Protection Act 2018
• Definitions to remember
• Steps to achieving compliance: the "lifecycle" of data:
– Collection
– Storage
– Usage
– Sharing
– Disposal
• Types of personal data
• Demonstrating compliance: policies and procedures (Website Privacy Notice, Breach Protocol, Data Subject Access Protocol and Form, Data Protection Policy and Data Retention Policy)
• Questions

4. Data Protection and GDPR
• 'Personal data' means any information relating to an identified or identifiable natural person ('data subject'). The Regulation does not apply to deceased persons (Recital 27).
– An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• Legal basis: the legal basis on which processing occurs, under Article 6 or Article 9, must be identified by the controller before the processing begins.

5. Data Protection and GDPR
• 'Data subject': an individual who is the subject of the personal data.
• 'Processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• 'Personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Note that this covers loss of availability or integrity (for example ransomware or accidental deletion), not only unauthorised disclosure.

6. Data Protection and GDPR
'Special categories of data' include personal data revealing:
• racial or ethnic origin,
• political opinions,
• religious or philosophical beliefs, or
• trade union membership,
and the processing of:
• genetic data, and biometric data for the purpose of uniquely identifying a natural person,
• data concerning health, or
• data concerning a natural person's sex life or sexual orientation.
Personal data relating to criminal convictions and offences is not an Article 9 special category but is subject to its own restriction under Article 10 (processing only under official authority or where authorised by law).
Processing of the special categories is prohibited unless one of the conditions under Article 9(2) is satisfied.

7. Data Protection and GDPR
Processing of these categories is prohibited unless one of the conditions under Article 9(2) is satisfied, for example:
• Explicit consent of the data subject to the processing for one or more specified purposes;
• Processing is necessary for carrying out the obligations or exercising the rights of the controller or the data subject in the field of employment, social security and social protection law (not based on consent);
• Processing is necessary to protect the vital interests of the data subject or of another person, where the data subject is incapable of giving consent (not based on consent).
Article 9(2) lists further conditions, including public health, the establishment, exercise or defence of legal claims, and substantial public interest based on law. Any one condition is sufficient on its own, but the three above are the grounds most organisations will rely on in practice. A condition under Article 9(2) is needed in addition to a lawful basis under Article 6.

8. Data Protection and GDPR
Processing of other categories of personal data (name, address, phone number, email, financial details) must satisfy one of the lawful bases in Article 6:
• The data subject has given consent to the processing for one or more specific purposes;
• Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
• Processing is necessary for compliance with a legal obligation to which the controller is subject;
• Processing is necessary to protect the vital interests of the data subject or of another natural person;
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority;
• Processing is necessary for the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights of the data subject (public authorities cannot rely on this basis for their public tasks).

9. Data Protection and GDPR
The data controller controls the contents and use of personal data.
• 'Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
• 'Processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

10. Data Protection and GDPR - Storage
Where is data stored?
• Hard drives ("C" drives (local), shared network drives)
• Databases (Excel spreadsheets etc.)
• Email
• Laptops / USB devices
• Smartphones / other devices
• Cloud applications
• Paper files / relevant filing systems
• Stand-alone systems
• Archive
• Social media: WhatsApp, Facebook / Instagram*
* June 2018: the CJEU held (Wirtschaftsakademie judgment) that the administrator of a Facebook fan page is a joint controller with Facebook for the data collected through the page.

11. Data Protection and GDPR - Storage
• GDPR (Article 32) requires "technical and organisational" measures to keep data secure when stored: implement policies and purge duplicate data.
• Record all categories of data (including sensitive data) on a register (the Article 30 record of processing activities) and draft a data retention schedule.
• Assign access privileges to databases and network drives containing personal or sensitive data on a need-to-know basis: staff get access only if they handle that personal data in their role, and access should be reviewed when roles change or end.
• Check the cloud service provider's contract (the Article 28 processor contract) to ensure it delivers the same level of availability, security and confidentiality: data centres should be listed, and transfers outside the EEA prohibited unless specific measures under Chapter V are in place to allow that transfer.

12. Data Protection and GDPR - Usage
• Personal and sensitive information should only be used for the purpose it was collected for (purpose limitation).
• Any new or further use must be compatible with the original purpose or have its own legal basis; where the original basis was consent, fresh consent is needed for the new purpose, and in any case the data subject must be told of the new purpose before it starts (Article 13(3)).
• Data subjects have rights during the use of their data: access, objection to processing, rectification, erasure, portability and withdrawal of consent. Staff generally have a right to their HR file and its contents, subject to reasonable considerations.
• Ensure you have a DSAR procedure in place before requests arrive and whenever changes to data use occur.
• Review data sets regularly to make sure they are not outdated or inaccurate.

13. Data Protection and GDPR - Sharing
• Know how your data subjects' personal information is shared:
– within the organisation
– with third parties
• Who has access within the organisation? Ensure you know what they are doing with it (copying it, using emails for other purposes, storing it).
• Data subjects are entitled to know with whom their data is disclosed, in particular third parties processing on your behalf.
• You must have a contract in place (Article 28) with third parties who process data on your behalf, covering employee, user and supplier data. For example: cloud services, payroll (staff data).
• They must follow your instructions and never share personal data with others or use it for their own purposes.
• Statutory obligations may also require sharing of data, e.g. with the Department of Social Protection, Revenue or other government agencies.

14. Data Protection and GDPR - Disposal
• Data must only be kept for the purpose it was collected for and disposed of when it is no longer needed.
• Have a retention and disposal period for each category of data.
• Be careful with archiving personal data: archived data is still subject to the GDPR and the Data Protection Act 2018.
• Have retention periods for client and staff personal data.
• Choose a disposal method: secure shredding for paper files; purging of systems and networks for electronic data; physical destruction of hard drives. Deleting a file or reformatting a drive does not reliably remove the data; encrypt storage so that destroying the key renders the data unrecoverable, or physically destroy the media.
• If you use third parties to process data, make sure they apply your retention and disposal rules, including to their backups and copies.
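Slides 11 and 14 describe a register of data categories, a retention schedule and disposal once the period has expired. The following is an added example, not code from the presentation, of applying such a schedule mechanically to a register: records whose period has run out are selected for disposal, records under a legal hold are kept, and records whose category has no retention period are flagged rather than silently kept or deleted. The categories, the retention periods and the sample register are constructed for illustration and are not the author's figures.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention schedule in days per record category. These periods are placeholders
# (an assumption of this example); the real ones come from your Data Retention
# Policy and any statutory period that applies.
RETENTION_DAYS = {
    "hr_file": 7 * 365,               # from end of employment
    "client_record": 6 * 365,         # from end of the engagement
    "cctv": 30,                       # from the date of recording
    "recruitment_unsuccessful": 365,  # from the decision date
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger_date: date        # the event that starts the retention clock
    legal_hold: bool = False  # litigation, DPC investigation or DSAR in progress


def disposal_due(record: Record, today: date) -> bool:
    """True when the retention period has run out and no legal hold applies.

    An unknown category is an error rather than "keep forever": every category
    on the register must have a retention period.
    """
    if record.category not in RETENTION_DAYS:
        raise ValueError(f"no retention period defined for {record.category!r}")
    if record.legal_hold:
        return False
    expiry = record.trigger_date + timedelta(days=RETENTION_DAYS[record.category])
    return today >= expiry


def plan_disposal(register, today: date):
    """Split the register into records to dispose of, records to retain, and
    records whose category has no retention period (to be fixed, not deleted)."""
    dispose, retain, unclassified = [], [], []
    for record in register:
        if record.category not in RETENTION_DAYS:
            unclassified.append(record)
        elif disposal_due(record, today):
            dispose.append(record)
        else:
            retain.append(record)
    return dispose, retain, unclassified


def disposal_log_entry(record: Record, today: date, method: str) -> dict:
    """Audit entry kept after the data itself is gone: enough to show the
    retention policy was followed, without re-creating the personal data."""
    return {
        "record_id": record.record_id,
        "category": record.category,
        "retention_days": RETENTION_DAYS[record.category],
        "disposed_on": today.isoformat(),
        "method": method,  # e.g. "shredded", "purged from system", "drive destroyed"
    }


# Constructed sample register (not real data); the date matches the talk.
SAMPLE_TODAY = date(2018, 10, 23)
SAMPLE_REGISTER = [
    Record("HR-001", "hr_file", date(2010, 6, 30)),
    Record("HR-002", "hr_file", date(2015, 1, 1)),
    Record("CCTV-7", "cctv", date(2018, 9, 1)),
    Record("CL-9", "client_record", date(2011, 3, 1), legal_hold=True),
    Record("MK-1", "marketing_list", date(2018, 1, 1)),
]

if __name__ == "__main__":
    dispose, retain, unclassified = plan_disposal(SAMPLE_REGISTER, SAMPLE_TODAY)
    for r in dispose:
        print(disposal_log_entry(r, SAMPLE_TODAY, "purged from system"))
    print("retain:", [r.record_id for r in retain])
    print("no retention period yet:", [r.record_id for r in unclassified])
```

Run against the sample register, HR-001 and CCTV-7 are due for disposal, HR-002 is still within its period, CL-9 is past its period but held, and MK-1 has no retention period defined and is reported rather than touched. The log entry records the category and period, not the contents, so the audit trail does not recreate the data you have just destroyed.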
15. Data Protection and GDPR - Types of personal data
(Items marked "sensitive" are those the presentation flags for extra care; not all of them are Article 9 special categories, e.g. gender or marital status, and a photograph is only biometric data when processed by specific technical means to identify someone.)
• Name
• National identifiers (e.g. passport ID) (sensitive)
• Personal e-mail address / work email
• Personal identification numbers (PINs) or passwords
• Personal interests derived from tracking use of internet web sites
• Sexual life, marital status, political opinions (sensitive)
• Personal telephone number
• Photograph or video identifiable to a natural person (sensitive)
• Product and service preferences
• Racial or ethnic origin, religious or philosophical beliefs, sexual orientation, trade-union membership (sensitive)
• Utility bills

16. Data Protection and GDPR - Types of personal data
• Age or special needs of vulnerable natural persons (sensitive)
• Allegations of criminal conduct (sensitive)
• Any information collected during health services (sensitive)
• Bank account or credit card number
• Biometric identifier and fingerprint data (sensitive)
• Credit card statements
• Criminal convictions or committed offences (sensitive)
• Criminal investigation reports (sensitive)
• Customer number
• Date of birth
• Diagnostic health information (sensitive)
• Disabilities (sensitive)

17. Data Protection and GDPR - Types of personal data
• Doctor bills
• Employees' salaries and human resources files (sensitive when containing medical data or other sensitive categories)
• Financial profile
• Gender (sensitive)
• GPS position
• GPS trajectories
• Home address
• IP address
• Location derived from telecommunications systems
• Medical history (sensitive)

18. Demonstrating Compliance - Policies and Procedures: Website Privacy Notice (public facing)
Purpose: your website is where people go to find details of your services, and the GDPR (Articles 13 and 14) requires that data subjects are given a transparent description of:
• Who you are, and the contact details of the person / email address dealing with data protection issues
• Types of data collected
• Legal basis for collection and processing
• Who the data is disclosed to, and how long you keep it
• How data subjects can exercise their rights
• Use of cookies and other tracking devices
• Transfer of data outside of the EEA
• All written in plain, easy-to-understand language

19. Data Breach Protocol
Data Breach Protocol and Form (log) purpose:
• Identify team members to co-ordinate the breach response.
• 72-hour window for notifiable breaches: the clock runs from when the controller becomes aware of the breach (Article 33), and a late notification must be accompanied by the reasons for the delay.
• No automatic notification of data subjects: they must be told without undue delay only where the breach is likely to result in a high risk to them (Article 34).
• In general, a breach must be notified to the DPC unless it is unlikely to result in a risk to data subjects. Indicators that it is notifiable include:
– the possibility of harm to the data subjects;
– a large volume of personal data;
– sensitive data (e.g. financial information, the loss of which can be detrimental, health information or other sensitive information);
– compromised employee data counts too: it is not just service user or supplier data;
– the DPC may advise whether the data subjects should be notified.
• Identify the weaknesses / risks in the organisation that led to the breach.
• Identify security risks and how they can be mitigated.

20. Data Breach Protocol
Types of breaches (most common) include:
• loss or theft of paperwork;
• data posted or sent to the wrong recipient;
• data sent by email to the wrong recipient;
• insecure webpage access (hacking);
• loss or theft of an unencrypted device.
If in doubt as to whether a situation involves a breach, consult a member of the breach management team.
Data Breach Log:
• Record of reportable and non-reportable breaches (Article 33(5) requires every breach to be documented, whether or not it is notified, with the facts, its effects and the remedial action taken)
• Near misses
• https://dataprotection.ie/docs/Breach-Notification-Form/m/1726.htm
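Slides 19 and 20 describe the breach protocol: the 72-hour window, the decision whether to notify the DPC and the data subjects, and a log of both reportable and non-reportable breaches. The following added example, not code from the presentation, encodes that triage as a function using the Article 33/34 thresholds: notify the DPC unless the breach is unlikely to result in a risk, notify data subjects where the risk is high, and treat data that was encrypted with an uncompromised key as unlikely to result in a risk (the reasoning behind the Article 34(3)(a) exemption). The risk factors, the numeric threshold and the sample incidents are constructed assumptions for illustration, not a legal test.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ART33_WINDOW = timedelta(hours=72)  # runs from the moment the controller becomes aware

# Categories this example treats as raising the risk to data subjects. SPECIAL holds
# the Article 9 special categories; the other entries are additions for this example.
SPECIAL = {"health", "genetic", "biometric", "racial_ethnic_origin", "political_opinions",
           "religious_beliefs", "trade_union", "sex_life", "sexual_orientation"}
HIGH_IMPACT = SPECIAL | {"criminal", "financial", "national_id", "credentials"}


@dataclass
class Breach:
    ref: str
    aware_at: datetime           # when the organisation became aware, in UTC
    description: str
    subjects: int                # approximate number of affected data subjects
    categories: set = field(default_factory=set)
    encrypted: bool = False      # data unintelligible to whoever obtained it
    key_compromised: bool = False
    employee_data: bool = False  # staff data is treated exactly like customer data


def risk_level(b: Breach) -> str:
    """Heuristic rating: 'unlikely', 'risk' or 'high'. The 1000-subject threshold
    and the category sets are assumptions of this example."""
    if b.encrypted and not b.key_compromised:
        return "unlikely"
    if b.categories & HIGH_IMPACT or b.subjects >= 1000:
        return "high"
    return "risk"


def triage(b: Breach, now: datetime) -> dict:
    """Decide what the breach protocol requires and when the DPC deadline falls."""
    level = risk_level(b)
    deadline = b.aware_at + ART33_WINDOW
    notify_dpc = level != "unlikely"
    return {
        "ref": b.ref,
        "risk": level,
        "notify_dpc": notify_dpc,
        "notify_subjects": level == "high",
        "dpc_deadline_utc": deadline.isoformat(),
        "hours_left": round((deadline - now).total_seconds() / 3600, 1),
        "late": notify_dpc and now > deadline,  # reasons for delay must accompany a late notification
        "log_entry_required": True,             # every breach is documented, notified or not
    }


# Constructed sample incidents (not real events).
NOW = datetime(2018, 10, 23, 10, 0, tzinfo=timezone.utc)
SAMPLE_BREACHES = [
    Breach("B-01", datetime(2018, 10, 22, 9, 0, tzinfo=timezone.utc),
           "laptop stolen from car; full-disk encryption, passphrase not with the laptop",
           subjects=200, categories={"name", "email", "salary"},
           encrypted=True, employee_data=True),
    Breach("B-02", datetime(2018, 10, 22, 14, 30, tzinfo=timezone.utc),
           "medical report emailed to the wrong client",
           subjects=1, categories={"name", "health"}),
    Breach("B-03", datetime(2018, 10, 19, 17, 0, tzinfo=timezone.utc),
           "mailing list CSV left on a public web server",
           subjects=350, categories={"name", "email"}),
]

if __name__ == "__main__":
    for b in SAMPLE_BREACHES:
        print(triage(b, NOW))
```

The three constructed incidents exercise the three outcomes: the encrypted laptop is logged but not notified, the misdirected medical report (a single data subject, but health data) must go to both the DPC and the person concerned, and the exposed mailing list is a notifiable breach whose 72 hours have already run out, so the notification must state why it is late. Whatever the outcome, the log entry is always required.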
21. Data Subject Access Request and Form
Data Subject Access Protocol and Form purpose: service users, employees and suppliers have the right:
• to ask for details of their personal data held
• to ask for a copy of their personal data
• to have any inaccurate or misleading data rectified, corrected or erased
• to restrict the processing of their personal data in certain circumstances
• to object to the processing of their personal data
• to transfer their personal data to a third party (portability)
• not to be subject to automated decision-making
• to receive notification of a data breach (where it is likely to result in a high risk to them)
• to lodge a complaint with the Data Protection Commissioner.

22. Data Subject Access Request and Form
• Application made in writing.
• Using a Data Subject Access Form, by post or email.
• You cannot compel use of the Form, but it helps narrow down the information requested.
• No charge (repeals the 1988 and 2003 position), unless a request is manifestly unfounded or excessive.
• 2 working days to acknowledge receipt (not prescribed by legislation).
• One month to respond, extendable by a further two months where requests are complex or numerous; the data subject must be told of any extension, with reasons, within the first month (Article 12(3)).
• No third-party information: disclose only information relating to the data subject. Disclosing third-party information in a response is itself a breach.
• Verify the identity of the requester.
• Begin gathering the data as soon as the request arrives, but release nothing until identity has been verified.
• Agents may apply on behalf of a data subject, but verify both their identity and their authority to act.
• Never allow anyone to pressure you into revealing personal information, whether by phone, email or in person.

23. Data Protection Policy - Staff
Purpose: employees should be aware of both their rights and obligations around data protection. A description of:
• contact details of the person / email address dealing with data protection issues arising for staff
• types of data collected relating to employment
• reasons for collection and processing, including sensitive data or other data employees might not be aware is collected
• who employee data is disclosed to, and how long you keep it
• how employees can exercise their rights
• a statement of expectations for staff around data handling and management of data.

24. Data Retention Policy
Purpose: set out the document management and retention schedule. A description of:
• the protocol for the management of all records
• storage, management and destruction methods
• responsibility for the management of soft-copy and hard-copy data
• a schedule of documents and retention periods relevant to each area: personnel files (HR), corporate records, client and service user records
• miscellaneous other records.
Most have statutory time periods; others are kept where a business need arises or where retention depends on other bodies / statutory agencies to which you are affiliated. Justify each time period wherever possible.

25. Questions and Answers