Don’t ignore GDPR…

With technology having transformed our lives in a manner that no one could have envisaged, a complete review was required of how to protect people’s personal data. GDPR replaces the 1995 Directive, which was adopted at a time when social media and the Internet were only developing. GDPR is now recognised as law across the European Union, and every member state has to have documented policies and procedures in place so as to be compliant with GDPR’s Six Personal Data Principles, where personal data must be:

Businesses and SMEs need to meet these personal data protection and data privacy documentation obligations, verify their requirements and needs, and ensure that they are compliant with the new mandatory regulations. GDPR was proposed on 1st January 2012, adopted on 27th April 2016 and became law in May of 2018 as The Data Protection Act 2018.

Business needs, products and services for GDPR include:

  • Initial Consultations
  • Personal Data Information/Category Inventory
  • Existing Data Protection Systems Analysis
  • Guidance Consultations (working towards GDPR Compliance)
  • Inspections
  • Audits
  • Data Privacy Impact Assessments (DPIA)

Responsiveness to GDPR customer issues should be a core part of any business. Being able to respond to GDPR enquiries through your Data Protection Controller or GDPR Champions is critical to being compliant. Businesses need to work with internal or external Certified Data Protection Officers who are trained, have experience and understand your business.

GDPR is now alive and kicking, and part of our working day!

Don’t ignore it…

Differences between General Data Protection Regulation (GDPR) and E-Privacy Regulation

Each regulation was drawn up to reflect a different segment of EU law. The GDPR was created to enshrine Article 8 of the European Charter of Human Rights in terms of protecting personal data, while the E-Privacy Regulation was created to enshrine Article 7 of the Charter in respect of a person’s private life. The private sphere of the end user is covered under the E-Privacy Regulation, making it a requirement for a user’s privacy to be protected at every stage of every online interaction. It is important to remember that the E-Privacy Regulation was created to complement and particularise the GDPR, so the rules of the GDPR are always relevant and form an overall part of the legislative aspects of the E-Privacy Regulation. The E-Privacy Directive takes the broad online retail sector into account in terms of how personal information might be used, and in this sense is what it adds to the overall regulations that make up the GDPR. (Source

GDPR was created to align the data privacy laws across all EU countries. It replaces the Data Protection Directive 95/46/EC. The processing of any EU citizens’ personal data is now protected by GDPR, regardless of whether the personal data is processed inside or outside the EU and regardless of where the Data Subject comes from. Every person globally who sells to an EU citizen is bound by law to protect the personal data of their customers.

The new E-Privacy Regulation on Privacy & Electronic Communications is a proposal from the EU Commission designed to help protect EU citizens’ private lives. The topics addressed in the new E-Privacy Regulation deal with cookies, confidentiality and marketing opt-in requirements, i.e. unsolicited marketing.

The new E-Privacy Regulation is still in draft format and is not yet finalised. When it is launched it will replace the existing E-Privacy Directive and, more importantly, will align with the General Data Protection Regulation. The new E-Privacy Regulation will cover all communications mediums, i.e. e-mails and text messages, which will need to be consented to before use. Marketing personnel and professionals will not be able to send an e-mail or text message without permission from each account holder.

Cookies will be tracked within the software and the user’s browser, within settings that each user can change according to their needs. It is envisaged that this will eliminate the banner pop-ups that request consent on websites, unlike the previous regulation, which required each website to request consent for its cookies from each user.

Platforms like Gmail, Skype, Facebook and WhatsApp are now required to provide the same level of personal data safety as other providers. Providers of electronic communication services are required to ‘keep safe’ all communications through the best available methods. Therefore, websites need to stay technologically and technically up to date with the best personal data safety methods available on the market. Metadata will be treated the same as the actual content of the communication that it is facilitating. The regulation stops the interception of any such communication except where authorised by the EU under law, i.e. a criminal investigation.

Data Subjects Rights…

GDPR provides the following rights for Data Subjects i.e. individuals:

  1. The right to be informed about what data is being held about them
  2. The right of access to their personal data
  3. The right to rectify their personal data
  4. The right to erase their personal data
  5. The right to restrict the processing of their personal data
  6. The right to data portability i.e. transferral between Data Protection Controllers
  7. The right to object to their personal data being used
  8. Rights in relation to automated decision making and profiling of their personal data

Data Subjects have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. As an organisation, you must provide individuals with information such as your purposes for processing their personal data; your retention periods for that personal data, and who it will be shared with. This is called ‘privacy information’.

You must provide this privacy information to Data Subjects at the time you collect their personal data from them. If you obtain personal data from other sources, you must provide Data Subjects with privacy information within a reasonable period of obtaining the data, and in any case within one month.

There are a few circumstances when you do not need to provide Data Subjects with privacy information, such as if a Data Subject already has the information or if it would involve a disproportionate effort to provide it to them. The information you provide to Data Subjects must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.

You must regularly review, and where necessary, update your privacy information. You must bring any new uses of a Data Subject’s personal data to their attention before you start processing it.

Handling the right to be informed correctly can help you to comply with other aspects of the GDPR and build trust with Data Subjects, but getting it wrong can leave you open to possible fines and reputational damage.


GDPR – do you think you are compliant yet…?

The General Data Protection Regulation (GDPR) came into force on 25th May 2018 last, and you’re probably sick of hearing about it, with all the ‘health warnings’. Now that the date has come and gone, you’re probably saying, ‘What was that all about?’ Fair point. However, if you are one of the many organisations in any sector (public, private, business, academia, hospitality, manufacturing, sales, services, trade; the list is endless) that have not yet addressed, or have indeed ignored, the new data protection laws, you will eventually need to, and will really have to, become GDPR compliant.

At the very least you should / need to do the following:

  • Understand your data and data protection business environment and attitudes
  • Appoint a Data Protection Controller / GDPR Champion
  • Identify Data Processors (if any)
  • Identify Data Subjects and recipients of personal data
  • Confirm what data protection policies / procedures are in place (if any)
  • Identify and list the personal data / categories that the organisation holds, both manually and automatically i.e. on IT systems / computers, servers or website (this is an inventory of what personal data you have)
  • Confirm if / that it is personal data
  • Ask how was / is this personal data collected / gathered / received
  • Confirm basis for holding this personal data
  • Confirm how long is this personal data in place
  • What is / are the processing operation(s), and are there any exemptions that apply to the processing?
  • Identify and list current and existing personal data processing / processes (manual and automated)
  • Confirm basis for processing this personal data
  • Ask who has access to this personal data
  • Is this ‘High Risk’ to the rights and freedoms of natural persons?
  • Identify and list current and existing personal data processing security practices
  • Is there a need to consult with / report any past / current breaches to the Data Protection Commissioner?
  • Review employment contracts
  • Identify commonalities between personal data & the processing of this personal data with respect to GDPR
  • Does the processing of this data comply with GDPR Principles?
  • Do any specific rules apply, i.e. is any of the personal data sensitive data?
  • Are Data Subjects’ rights being respected and their wishes granted under GDPR?
  • Publish a list of personal data processing operations which are / may be subject to the requirement of Data Privacy Impact Assessment(s) (DPIA’s)

A GDPR Audit target…it could be you…!

General Data Protection Regulation

Data Privacy Impact Statement (DPIA)

A Data Privacy Impact Statement (DPIA) is required where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, i.e. data subjects, taking into account the nature, scope, context and purpose of the data processing. When this happens, the Data Process Controller or the person responsible for data protection / GDPR will, before processing the personal data, carry out an assessment of the impact that they envisage the processing operation may / will have on the protection / non-protection of this personal data. A single assessment may address a set of similar processing operations that may / will present similar high risks.

There are six key parts or stages to a DPIA namely:

  1. Description
  2. Analysis
  3. Consultation
  4. Conclusion
  5. Prior Consultation
  6. Repetition

In the Description Stage, the Data Process Controller describes in detail the overall context of the process and the data processing operation that is taking place therein.

In the Analysis Stage, they provide a systematic description of the processing operation, the purposes of processing and their legitimate interest in it.

In the Consultation Stage, they seek the advice of the Data Protection Officer and seek the views of the people affected by this processing, i.e. data subjects.

In the Conclusion Stage, they will carry out an assessment of the ‘Necessity & Proportionality’ of the processing operation in relation to the purpose, and a ‘Risk Assessment’ in relation to the rights and freedoms of data subjects.

In the Prior Consultation Stage, they will consult with the Data Protection Commissioner prior to processing, if the DPIA indicates that the processing of the data will be high risk in the absence of measures taken by them to mitigate the risk.

In the final stage, Repetition, a review will be carried out on a regular basis to confirm that the measures implemented are still protecting the personal data of the data subjects.


General Data Protection Regulation (GDPR) by 25th May 2018 for Organisations

On the website, they talk generally about what individuals and organisations need to go through and know with respect to the new data protection regulation that is due to go live in May this year.

This article summarises the 12 steps that organisations need to consider to try to be somewhat compliant by this date.

  1. Become aware – It is important that key personnel in your organisation are aware that the law is changing to the GDPR, and start to factor this into their future project planning
  2. Become accountable and responsible – Make an inventory of all personal data that you hold and examine it i.e. Why are you holding it; How did you obtain it; Why was it originally gathered; How long will you retain it; How secure is it both in terms of encryption and accessibility; do you ever share it with third parties and on what basis might you do so?
  3. Communicate GDPR with your staff – Review all current data privacy notices alerting individuals to the collection of their data
  4. Know about Personal Privacy Rights – You should review your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
  5. How will personal data access requests change? – You should review and update your procedures and plan how you will handle requests within the new timescales. There should be no undue delay in processing an access request, which must be handled within one month
  6. What does a ‘Legal Basis’ mean? – You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it. This is particularly important where consent is relied upon as the sole legal basis for processing data
  7. Customer consent as a reason to process personal data – If you do use customer consent when you record personal data, you should review how you seek, obtain and record that consent, and whether you need to make any changes. Consent must be ‘freely given, specific, informed and unambiguous’
  8. Processing children’s personal data – If the work of your organisation involves the processing of data from underage subjects, you must ensure that you have adequate systems in place to verify individual ages and gather consent from guardians
  9. Data Protection Impact Assessments (DPIA) – DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It will allow organisations to identify potential privacy issues before they arise, and come up with a way to mitigate them
  10. Reporting data breaches – You should make sure you have the right procedures in place to detect, report and investigate a personal data breach
  11. Data Protection Officers (DPOs) – GDPR will require some organisations to designate a Data Protection Officer (DPO). Organisations requiring DPOs include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale, or organisations who process what is currently known as sensitive personal data on a large scale
  12. Cross-border data processing and the one stop shop – GDPR includes the one stop shop (OSS) mechanism, which will be in place for data controllers and data processors that are engaged in cross-border processing of personal data.


General Data Protection Regulation (GDPR) by 25th May 2018 for Individuals

On the website, they talk generally about what individuals and organisations need to go through and know with respect to the new data protection regulation that is due to go live in May this year.

This article summarises what individuals, i.e. data subjects, need to be aware of.

The new law will give individuals greater control over their data by setting out additional and more clearly defined rights for individuals whose personal data is collected and processed by organisations.

Personal data is any information that can identify an individual person. This includes a name, an ID number, location data or an address, online browsing history, images or anything relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.

Under the GDPR, individuals have significantly strengthened rights to do the following:

  • Obtain details about how their data is processed by an organisation or business
  • Obtain copies of personal data that an organisation holds on them
  • Have incorrect or incomplete data corrected
  • Have their data erased by an organisation, where, for example, the organisation has no legitimate reason for retaining the data
  • Obtain their data from an organisation and to have that data transmitted to another organisation
  • Object to the processing of their data by an organisation
  • Not to be subject to automated decision making
  • Not to be subject to profiling

Organisations must always be fully transparent with individuals about how they are using and safeguarding personal data, including by providing this information in an easily accessible, concise and easy-to-understand form, in clear language.

For organisations and businesses that breach the law, the Data Protection Commissioner (DPC) is being given more robust powers to impose very substantial sanctions, including the power to impose fines. Under the new law, the DPC will be able to fine organisations up to €10 million or €20 million (2% or 4% of total global turnover, respectively) for serious infringements.

The GDPR will also permit individuals to seek compensation through the courts for breaches of their data privacy rights, including in circumstances where no material damage or financial loss has been suffered.