Imo’s common sense guide to GDPR
How to use this document
This is an accumulation of information from different sources (see references at
the end). Some of the advice (such as the age of consent for data protection in
Ireland) may change before the GDPR comes into effect on 25 May 2018.
Of course you should consult an appropriate professional such as a lawyer rather
than relying on this document. This one’s been created by someone who is just a
small business owner who has dealt with the practical effects of data protection
regulation for 25 years and has simply read the publicly available material for the
UK and Ireland… but if you don’t have time or funds, then it may help!
What is GDPR?
The new EU General Data Protection Regulation, which applies from 25 May 2018. It
gives more rights to individuals, which will mean charities, clubs and small
businesses need to review their procedures and make some changes. However, it’s not
actually that big a change compared to the data protection you should already
be performing. Which you probably aren’t.
GDPR gives the following rights to individuals:
• The right to be informed that data is held on them.
• The right of access to data held, free of charge, without delay and within one
month.
• The right to rectification of information held.
• The right to erasure of information held on them.
• The right to restrict processing of their information.
• The right to data portability (ie to obtain their own information and take it
“away”).
• The right to object.
• Rights in relation to automated decision making and profiling.
What sort of thing will GDPR mean in practice?
Some practical examples of why you need to plan this
• If you send out an email to a group of people, do not put all the email
addresses into the cc: field. Use the bcc (blind copy) field to enter in the list of
emails, unless you can show that all those people have given you explicit
consent to reveal their email addresses to all the other people.
• Data has to be kept safe. Is yours backed up, encrypted? Do you have those
details listed somewhere in a data security policy or procedure? Is one of
your backups held offsite in case of fire, theft or flood?
• Is there a data privacy policy on your website? And a cookies agreement?
• Do you have a form for new customers or users? It must request explicit
consent for their data to be held, explain what it’s held for, who by and for
how long, and who people contact if they don’t agree.
• Do you ever text customers notifications or reminders? You must inform
customers or users that you are going to do this, and give an opt-out option
whenever you use it.
• If your premises were broken into and a computer holding personal data was
stolen, you would need to inform the Data Protection Commissioner within 72 hours
of becoming aware of it, unless the breach is unlikely to put the people concerned
at risk, for example because the data was anonymised or the disk was encrypted
and the key was not taken with it. Do you know what’s on each computer, and
whether it’s encrypted?
• If you receive a request from a data subject who wants a copy of all the data
you hold on them and then to have it deleted, could you do this within one month
and free of charge? How would you be sure you’d found all their data, including
backups, email and paper files? That’s the law from May.
• What do you know about your Internet security? Do you have a firewall and
malware protection? Is access to data restricted, eg to password-protected
accounts given only to the people who need them?
• How can you be sure all your staff are using strong computer passwords?
• If you sell or pass on an old computer no longer in use, what is your
procedure to ensure no personal data can be recovered from it in future? Deleting
the files or reinstalling the operating system is not enough; the drive must be
securely wiped or physically destroyed.
• Do you use PayPal to receive payments? Its terms and conditions include
restrictive data policies that imply customer information may be passed to third
parties in a jurisdiction outside the EU, in a way which may not comply with GDPR.
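The bcc point above is the one item in this list with a purely technical fix, and it is easy to get wrong in code as well as in a mail client. As an added example (written for this edit, not part of the original guide; the club and member addresses are made up), the following Python builds the same group email the wrong way, with every member in Cc:, and the right way, with the members only in the envelope recipient list that is handed to the mail server, and then checks the message as it would be delivered for leaked addresses.

```python
from email.message import EmailMessage

# Constructed sample data for the example; none of these are real people.
SENDER = "secretary@example-club.ie"
MEMBERS = [
    "aoife@example.com",
    "brendan@example.net",
    "ciara@example.org",
]


def build_cc_mail(sender, recipients, subject, body):
    """The wrong way: every recipient's address is written into the Cc: header,
    so every member receives the whole list."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def build_bcc_mail(sender, recipients, subject, body):
    """The right way: the recipients exist only in the SMTP envelope (the
    to_addrs list handed to the mail server) and never in any header, so the
    delivered message carries no Cc: or Bcc: line that could leak them."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the only visible address is our own
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def leaked_addresses(msg, recipients):
    """Return the recipient addresses that appear anywhere in the message as it
    would be delivered. Empty for a correctly built group mail."""
    text = msg.as_bytes().decode("utf-8", errors="replace").lower()
    return sorted(a for a in recipients if a.lower() in text)


if __name__ == "__main__":
    body = "Training is cancelled this Saturday."
    wrong, _ = build_cc_mail(SENDER, MEMBERS, "Training update", body)
    right, envelope = build_bcc_mail(SENDER, MEMBERS, "Training update", body)
    print("leaked by Cc: build :", leaked_addresses(wrong, MEMBERS))
    print("leaked by Bcc build :", leaked_addresses(right, MEMBERS))
    print("envelope recipients :", envelope)
    # To send for real: smtplib.SMTP(host).send_message(right, to_addrs=envelope)
```

When sending with smtplib, pass the envelope list as `to_addrs` to `SMTP.send_message()`; do not write a Bcc: header yourself and rely on the server stripping it. Running the `leaked_addresses` check in a test before any bulk mailing goes out is a cheap way to make sure a later change to the template does not reintroduce the leak.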
Where do you start?
Inventory
Make a list of all the personal data held. Donors, staff, volunteers, members,
customers, users, suppliers, marketing lists, accident book, employment contracts,
Garda vetting, HR records?
• Where did the data come from? Make a list.
• Who do you share it with? Make a list.
• Is it really needed? No? Delete it.
• Is it relevant? If you’re a sports club you may need to know if a member has
asthma but not their PPS number.
• Is it more than two years old? How do you know?
• How do you know you have permission to hold it?
• Is any of the data sensitive eg health-related? Extra rules may apply.
• Is any of the data from underage subjects? How are you verifying ages and
obtaining consent from a parent or guardian when necessary?
Access and security
• Who currently has access and under what conditions? How are you limiting
access? Lock and key, password?
• Is the existing data held securely?
• Do you share it with anyone for any reason?
• Is it used only for the purposes that it was originally collected for?
• Where is it held (Cloud? Hard drive?)
• Is it encrypted?
• Is it backed up and is there an offsite backup?
• Who can get access to your internal computer network? What defences
against unauthorized access are in place?
Permission and consent
So now you’ve probably realized a lot of your data is out of date, you don’t know
how you got permission to use it and you can’t show that individuals consented.
This probably means you need to re-permission all the people on your texting
list, for example, before May 2018.
There are important changes to consent with GDPR.
DP Directive (old) definition:
“any freely given specific and informed indication of his wishes by which the data
subject signifies his agreement to personal data relating to him being processed”
GDPR (new) definition:
“any freely given, specific, informed and unambiguous indication of the data
subject's wishes by which he or she, by a statement or by a clear affirmative action,
signifies agreement to the processing of personal data relating to him or her”
In practice, how you request consent (your forms, whether paper or online) now has
to meet these points:
• Name your organisation and any third parties who will rely on the consent;
consent for categories of third-party organisations is not specific enough.
• Explain why you want the data (the purposes of the processing).
• Explain what you will do with the data (the processing activities).
• Make the request for consent prominent and separate from your terms and
conditions.
• Ask people to positively opt in: no pre-ticked boxes, or any other type of
consent by default.
• If it’s for more than one purpose, offer a separate opt-in for each (granularity).
• Let people know they can withdraw their consent at any time without
detriment, and how. It must also be as easy to withdraw consent as it was to
give it.
• Don’t make consent a precondition of a service.
• Where children are involved, verify age and get parental consent as needed.
• Keep a dated record of how you received consent and what the person was
told at the time.
• Clearly inform them of the complaints channel open to anybody unhappy
with how their data has been processed.
• It’s good practice to let people know how long their data will be held for.
WRONG…
Company A provides the following information to individuals:
“Email address (optional): We will use this to send you emails about our products
and special offers.”
Typing in an email address in response to that is not a clear affirmative action
agreeing to marketing. Company A’s records are also too weak to prove consent: a
spreadsheet with ‘consent provided’ against a customer’s name, or a time, date and
IP address linked to the current data-capture form and privacy policy, cannot show
what the person was actually told on the day they consented.
RIGHT…
Company B uses the following statement instead, with an unticked box beside it:
[ ] I consent to receive emails about your products and special offers
If the individual ticks the box, they have explicitly consented to the processing.
For paper forms, Company B keeps a copy of the customer’s signed and dated form
showing the ticked box. For online sign-ups, it keeps a record containing an ID,
the data submitted and a timestamp, together with a copy of the version of the
data-capture form and any other relevant documents in use on that date.
Under GDPR, consent is not the only lawful basis for holding data, though it is the
most common. Whichever basis you rely on, you must be able to show that holding
the data is necessary for that purpose. The other lawful bases are:
• Contract: eg a car insurer needs your make and model of car to give a
quotation.
• Legal obligation: to comply with a common law or statutory obligation.
• Vital interests: to protect someone’s life.
• Public task: in the exercise of official authority or for a task in the public
interest set out in law.
• Legitimate interests: commercial, individual or broader societal interests,
balanced against the individual’s interests.
Two kinds of data need a specific condition on top of a lawful basis:
• Special category data (eg health) needs one of the conditions in Article 9.
• Criminal offence data must have a lawful basis and also meet Article 10.
Direct marketing
Some of this is not new to GDPR, but as a lot of people aren’t aware…
https://www.dataprotection.ie/docs/DIRECT_MARKETING_–%20_A_GENERAL_GUIDE_FOR_DATA_CONTROLLERS/905.htm
Where you have obtained contact details in the context of the sale of a product or
service, you may only use these details for direct marketing by electronic mail if the
following conditions are met:
• the product or service you are marketing is of a kind similar to that which
you sold to the customer at the time you obtained their contact details
• At the time you collected the details, you gave the customer the opportunity
to object, in an easy manner and without charge, to their use for marketing
purposes
• Each time you send a marketing message, you give the customer the right to
object to receipt of further messages
• The sale of the product or service occurred not more than twelve months
prior to the sending of the electronic marketing communication or, where
applicable, the contact details were used for the sending of an electronic
marketing communication in that twelve month period.
NOTE: In relation to the twelve-month condition above, if the subscriber fails to
unsubscribe using the cost-free means provided to them by the direct marketer, they
will be deemed to have remained opted in to the receipt of such electronic mail for
a twelve-month period from the date of issue to them of the most recent marketing
electronic mail.
Website privacy policy
https://fortprivacy.ie/gdpr-privacynotices/
Article 13 requires that the privacy notice should include the following information:
• the identity and the contact details of the controller
• the contact details of the data protection officer
• the purposes and legal basis for the processing
• where the processing is based on legitimate interests, details of what these
are
• the recipients or categories of recipients of the personal data
• details of any transfer to a third country and details of the safeguards and the
means by which to obtain a copy of them or where they have been made
available
• the retention periods or the criteria used to determine that period
• details of the rights of access to and rectification/deletion of personal data,
the right to object to processing and the right to data portability
• if processing is based on consent, the right to withdraw consent
• the right to lodge a complaint with the supervisory authority
• details on whether the data subject is obliged to provide the personal data
and the consequences of failure to provide it
• details of any automated decision making, including details of the logic used
and potential consequences for the individual
Website privacy policy and cookies template
https://www.nibusinessinfo.co.uk/content/sample-privacy-policy
This privacy policy sets out how [business name] uses and protects any information
that you give [business name] when you use this website.
[business name] is committed to ensuring that your privacy is protected. Should we
ask you to provide certain information by which you can be identified when using
this website, then you can be assured that it will only be used in accordance with
this privacy statement.
[business name] may change this policy from time to time by updating this page.
You should check this page from time to time to ensure that you are happy with any
changes. This policy is effective from [date].
What we collect
We may collect the following information:
name and job title
contact information including email address
demographic information such as postcode, preferences and interests
other information relevant to customer surveys and/or offers
What we do with the information we gather
We require this information to understand your needs and provide you with a
better service, and in particular for the following reasons:
Internal record keeping.
We may use the information to improve our products and services.
We may periodically send promotional emails about new products, special offers or
other information which we think you may find interesting using the email address
which you have provided.
From time to time, we may also use your information to contact you for market
research purposes. We may contact you by email, phone, fax or mail. We may use
the information to customise the website according to your interests.
Security
We are committed to ensuring that your information is secure. In order to prevent
unauthorised access or disclosure, we have put in place suitable physical, electronic
and managerial procedures to safeguard and secure the information we collect
online.
How we use cookies
A cookie is a small file which asks permission to be placed on your computer's hard
drive. Once you agree, the file is added and the cookie helps analyse web traffic or
If you believe that any information we are holding on you is incorrect or incomplete,
please write to or email us as soon as possible at the above address. We will
promptly correct any information found to be incorrect.
Another example to adapt
https://www.lawsociety.ie/About-this-Website/Privacy-Policy/
Privacy Policy
This statement relates to our privacy practices in connection with this website.
We are not responsible for the content or privacy practices of other websites. Any
external links to other websites are clearly identifiable as such. Some technical
terms used in this statement are explained at the end of this page.
General statement
The Law Society of Ireland fully respects your right to privacy, and will not collect or
publish any personal information about you through this website without your clear
permission. Any personal information which you volunteer to the Society will be
treated with the highest standards of security and confidentiality, strictly in
accordance with the Data Protection Acts, 1988 - 2003.
Collection and use of personal information
The Law Society of Ireland does not collect any personal data about you on this
website, apart from information which you volunteer (for example by e-mailing us,
by using our online feedback form or by making a credit card booking). Any
information which you provide in this way is not made available to any third parties,
and is used by the Law Society only in line with the purpose for which you provided
it.
Collection and use of technical information
This website uses temporary "session" cookies which enable a visitor’s web browser
to remember which pages on this website have already been visited. If you use the
'Remember me' option when logging in to the Law Society website, a cookie is
placed on your computer with an encrypted id to remember your credentials. No
other information is stored in this cookie. Visitors can use this website with no loss
of functionality if cookies are disabled from the web browser. Technical details in
connection with visits to this website are logged by our internet service provider for
our statistical purposes. No information is collected that could be used by us to
personally identify website visitors. The technical details logged are confined to the
following items:
the IP address of the visitor’s web server
the top-level domain name used (for example .ie, .com, .org, .net)
the previous website address from which the visitor reached us, including any
search terms used
Google analytics which shows the traffic of visitors around this web site (for
example pages accessed and documents downloaded)
The policy applies to all personal data processed by the organisation, including
customer data, third party data and employee data.
Draw up policies and procedures to cover:
• Dealing with data breaches
• Requests for data access (eg recording the date that the request is received)
• Requests for data correction
• Requests to have information erased
• Requests to prevent direct marketing contacts
• How you decided you didn’t need to appoint a Data Protection Officer (not
usually necessary but you should specify who in your organization handles
data protection queries).
• Specify retention periods for different types of data held.
• Specify whether any data is being exported to third countries (example: use
of Paypal to receive payments).
• Specify the period for auditing checks and reviews of the policy.
• Review any other existing policies and procedures that may be impacted by
GDPR such as HR, Health and Safety, employment contracts, fundraising,
financial records, Garda vetting, children and vulnerable adults.
• Consider the eight data protection rules in the following section.
• Recording how people in your organization have been made aware of the
data protection policy, and of how they may get involved with reviews or
changes to the policies and procedures.
The eight data protection rules (from the previous legislation)
Keep an eye out for updates on the GDPR sites…
Rule 1: Fair obtaining:
At the time when we collect information about individuals, are they made aware of
the uses for that information?
Are people made aware of any disclosures of their data to third parties?
Have we obtained people's consent for any secondary uses of their personal data,
which might not be obvious to them
Can we describe our data-collection practices as open, transparent and up-front?
Rule 2: Purpose specification
Are we clear about the purpose (or purposes) for which we keep personal
information?
Are the individuals on our database also clear about this purpose?
If we are required to register with the Data Protection Commissioner, does our
register entry include a proper, comprehensive statement of our purpose?
[Remember, if you are using personal data for a purpose not listed on your register
entry, you may be committing an offence.]
Has responsibility been assigned for maintaining a list of all data sets and the
purpose associated with each?
Are there clear procedures in place for dealing with such requests?
Do these procedures guarantee compliance with the Act's requirements?
Checklist
• Inventory your data
• Record who has access (online and paper) to the data
• Check your data security – backups, online, network
• Figure out who you need to “repermission” regarding their data by May 2018
• Do you need to appoint a data protection officer? (Probably not.)
• Who is going to be responsible for data protection in the organization?
• Revise direct marketing procedures
• Revise website privacy and cookies policy
• Revise your data protection procedures, including subject data access
requests
• Make everyone in the organization aware of the changes and how they can
contribute
• Keep checking for any changes coming up to May 2018 such as age for
parental consent where children are involved.
References
GDPR - http://gdprandyou.ie/gdpr-12-steps/#becoming-aware
https://www.dataprotection.ie/docs/GDPR/1623.htm
https://www.nibusinessinfo.co.uk/content/sample-privacy-policy
https://www.charitiesinstituteireland.ie/our-blog/2016/12/6/general-data-protection-regulation
https://www.dataprotection.ie/documents/guidance/Charity_Guidance.pdf
http://www.charitytaxreform.com/files/R2.%20Guiding%20Principles%20of%20Fundraising%20-%20Feb%202008.pdf
https://www.dataprotection.ie/docs/DIRECT_MARKETING_–%20_A_GENERAL_GUIDE_FOR_DATA_CONTROLLERS/905.htm
https://www.krestonreeves.com/news-and-events/30/11/2017/general-data-protection-regulation-gdpr
https://fortprivacy.ie/gdpr-privacynotices/
http://gdprcoalition.ie/infographics/
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Collated and edited by Imogen Bertin 24 February 2018
If you found it helpful, maybe give me a review on Google My Business?
TechAbility https://search.google.com/local/writereview?placeid=ChIJYQ0z_oGHREgRMcT8jqT_RUY
Or Facebook page: https://www.facebook.com/TechAbilityIRL/