Welcome to GDPR Staff Training

The General Data Protection Regulation (GDPR) is a European Union Regulation that has been designed to strengthen and unify Data Protection within the EU. The GDPR will come into effect on 25 May 2018 and will replace the existing Irish Data Protection Acts.

This course consists of important information on the new rules and what is required of the new Data Protection Regulations. There are some videos within the training to help your awareness and also some quick fire questions to test your understanding. There is the option to take a break and come back to the training if required but you should give yourself at least 40 minutes to complete the training.

Course outcomes


GDPR at a glance - What does it really mean

Key Message and Concepts

What is GDPR?

GDPR is a new EU regulation which has been designed to update the existing Data Protection Directive enacted in 1995. The existing directive was established before the days of widespread internet use, which has fundamentally changed the way we create, use, share, and store information. Alongside the aim of updating data protection, GDPR is also levelled at unifying approaches to data privacy and security. At the core of GDPR is the aim to simplify, unify and update the protection of personal data.

Changes under GDPR are aimed at moving companies away from a tick-box compliance attitude to the security and privacy of personal information, and towards a company-wide approach to managing the lifecycle of personal data.

WHAT DATA DOES GDPR COVER?

  • Identity information such as name and address
  • Health and genetic data
  • Biometric data
  • Web data such as IP address and cookies
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

KEY CONCEPTS OF GDPR

Personal data

This is any information relating to an identified or identifiable data subject (e.g. name, address, age, IP address, location; this list is not exhaustive).

Special category data

These are categories of data that require additional protection. An organisation needs stronger grounds to process this type of data (e.g. racial or ethnic origin, political opinions, religious beliefs, trade-union membership, data concerning health or sex life, and criminal history).

Consent

The consent of the data subject means any freely given, specific, informed and unambiguous indication of wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to the processing of their personal data. Organisations that rely on consent for their business activities will need to review and revise the processes through which they obtain consent so that they meet the requirements of the GDPR.

Pseudonymization

This refers to a privacy-enhancing technique where personal data is processed without the ability to link it to a specific person.

Key Definitions Explained

Definitions Explained

Data Subject

This is the individual about whom a company holds personal data.

Data Controller

This is a person, group or company who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.

Data Processor

This is any entity (a third party) that processes personal data on the controller's instructions.

Data Protection Notice (DPN)

This is the policy a company uses to set out all of its procedures for the fair collection and processing of personal data.

Data Protection Officer (DPO)

This is an essential role: the DPO acts as an intermediary between the relevant stakeholders (e.g. authorities, data subjects and teams within the company).

Data Protection Impact Assessment (DPIA) 

This is a process that should be carried out to help manage the risks to the "rights and freedoms" of data subjects resulting from the processing of personal data. It should also be built into the creation, upgrading or changing of a project.

Data Access Requests (DAR) 

This is when a data subject requests access to their personal data.

Fines, Penalties and Compensation

  • The GDPR has a tiered penalty structure that can take a large bite out of an offender's funds. More serious infringements can merit GDPR penalties of up to 4% of a company's global revenue. Fines can be incurred for violations of basic principles related to data security.
  • Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

GDPR Simply Explained - 3 min Video

Which information is regarded as personal data according to the GDPR?

  • information, regarding an identifiable natural person, which is digitalized
  • information about a person, which might harm the privacy of that person, even when untrue
  • any information regarding an identifiable natural person

How much could a company be fined under the General Data Protection Regulation (GDPR)?

  • 10% of a company's annual profit
  • up to €40,000
  • Up to 4% of a company's global turnover

GDPR and You

Your Rights Video

Your Rights Explained

With the introduction of GDPR, many of the data subjects' rights have been enhanced to ensure complete privacy of the data they provide. The Data Protection Officer (DPO) of an organisation will be able to uphold these rights for you through a data access request (DAR).

Right to be informed

This emphasizes the need for transparency. A company must be very clear on how a data subject's data is used. It is also very important that a company has their privacy policies in place.

Right to access

The data subject has the right to access the information that a company holds on them. Under GDPR, this request must be dealt with within 30 days and is free of charge (unless a large amount of effort is required to retrieve the data, in which case a reasonable fee will be charged).

Right to rectification

Data subjects must be provided with a means to rectify any incorrect data that a company holds on them. Once a data subject notifies a company of an error, the company must rectify the error in a timely manner.

Right to erasure

The data subject has the right to have data held on them deleted when there is no longer a compelling reason for the company to hold their data.

Right to restrict processing

The data subject has the right to request the processing to be restricted.

Right to data portability

This allows individuals to transfer (port) their information from one IT environment to another, provided it is done in a safe and secure manner; this is very popular amongst banks, for example.

Right to object

The data subject is allowed to object to the processing of their data. The data subject must be informed of this right at the first point of communication.

Rights in relation to automated decision making

This refers to any form of automated processing intended to evaluate personal aspects of an individual. Individuals have a right to obtain human intervention, a right to express their own point of view, and a right to an explanation of the decision and to challenge it.

What is the GDPR mainly intended for?

  • To secure privacy as a fundamental human right for everyone
  • To be a common ground upon which the member states can build their own laws
  • To make non-EU countries respect the right to privacy of individuals within the EU
  • To strengthen and unify data protection for individuals within the EU

Which right of Data Subjects is explicitly defined by the GDPR?

  • Access to personal data without any cost for the Data Subject
  • Personal data must be erased at all times if a Data Subject requests this
  • Personal data must be always changed at the request of the Data Subject
  • A copy of personal data must be provided in the format requested by the Data Subject

GDPR Principles

Principles

Let's look at the principles prescribed by the GDPR for collecting, storing and using personal data.

1.   Lawfulness, Fairness and transparency

Data must only be processed for a specific, explicit and lawful purpose. A data subject has the right to ask why you are keeping their data, so data controllers must have identified the purpose of processing for all personal data they hold and confirmed that it meets these criteria. It is therefore necessary to determine the lawful basis for processing before collecting personal data, to document that basis, and to be transparent about it.

2.   Purpose limitation

Processing personal data is only permissible if and to the extent that it is compliant with the original purpose for which data was collected. Processing “for another purpose” later on requires further legal permission or consent. This principle requires clarity about why you are collecting the data and what you plan to do with it.

3.   Data minimization

Data controllers should ensure that only personal data which is necessary for each specific purpose is processed. Under the GDPR, data must be "adequate, relevant and limited" to what is necessary in relation to the purposes for which they are processed. Don't collect personal information "just in case it turns out to be useful". Similarly, when appraising customers or employees, don't record comments or opinions beyond what's relevant.

4.   Accuracy

Personal data must be accurate and kept up to date. Inaccurate or outdated data should be deleted or amended and data controllers are required to take "every reasonable step" to comply with this principle. It's important to exercise due care and diligence when collecting data and not make any unjustified assumptions.

5.   Storage Limitation

Once you no longer need personal data for the purpose for which it was collected, you should delete it unless you have other grounds for retaining it (Different types of data legally have to be retained for different periods of time). This means there should be a regular review process in place with methodical cleansing of databases.

6.   Integrity and confidentiality

Under the GDPR, as under the Data Protection Directive (DPD) before it, personal data must be protected against unauthorised access using appropriate organisational and technical measures. This goes to the heart of protecting the privacy of individuals. Data controllers and processors need to assess risk, implement security measures appropriate to the data concerned and, crucially, check on a regular basis that those measures are up to date and working effectively. Every organisation is legally required to have adequate security measures to stop personal and special category data being corrupted, stolen, or viewed by or disclosed to others.

Demonstrating Accountability

While data controllers and processors no longer need to register their activities with a supervisory authority, they are now required to be able to demonstrate, on request, their compliance with GDPR regulations. This can be done by:

  • Maintaining details of how data is acquired and processed
  • Being able to provide such details to the supervisory authority on request
  • Being able to demonstrate that consent was requested and received
  • Maintaining records of measures taken to address non-compliance
  • Reviewing your data protection policies to ensure that they clearly demonstrate compliance

Routematch's data protection policies, procedures and controls are all designed to fulfill this obligation.

You must comply with these at all times, and report any knowledge or suspicion of a data breach to our DPO without delay.


What BEST describes the principle of data minimization?

  • Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • Care must be taken to collect as little data as possible to protect the privacy and interests of the data subjects
  • In order to keep data manageable it must be stored in such a manner that it requires a minimal amount of storage
  • The number of items that is collected per data subject may not exceed the upper limit stated by the Data Protection Authority

GDPR Application

Privacy by Design, Privacy by Default

Privacy by design and default is a new concept that data controllers and processors are required to embed into their organisational processes, projects and changes.

  • Organisations should embed data privacy into their operational processes
  • Use appropriate technical and organisational measures to ensure privacy
  • Employ pseudonymisation – the renaming of identifying data fields in databases
  • Implement data minimisation – by default collecting only directly relevant data
  • Security should be fundamental to database design and data processing
  • Data should only be processed for the specific purpose it was obtained
  • Access to the data should be controlled and limited
  • Retrieval, erasure and portability measures should be included in data processing design
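The pseudonymisation mentioned in the key concepts above and in the bullet list here can be made concrete with a small script. The following is an added example written for this page, not code from the training course or from Routematch: it replaces the identifying values in a constructed set of customer records with keyed tokens (HMAC-SHA256 under a secret key), keeps only the fields an analysis needs, and hands back the token-to-customer lookup table separately so it can be stored under its own access controls. The record layout, field names and sample people are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Sequence, Tuple

# Constructed sample records; the people, ids and e-mail addresses are made up.
CUSTOMERS: List[Dict[str, object]] = [
    {"customer_id": "C1001", "name": "Aoife Byrne", "email": "aoife@example.test",
     "county": "Dublin", "plan": "standard", "monthly_spend": 42.0},
    {"customer_id": "C1002", "name": "Liam Walsh", "email": "liam@example.test",
     "county": "Cork", "plan": "premium", "monthly_spend": 99.0},
    {"customer_id": "C1001", "name": "Aoife Byrne", "email": "aoife@example.test",
     "county": "Dublin", "plan": "standard", "monthly_spend": 45.5},
]

# Fields that directly identify a person; none of these may reach the working copy.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email")


def pseudonym(key: bytes, identifier: str) -> str:
    """Stable pseudonym for an identifier: HMAC-SHA256 under a secret key.

    Same key + same identifier -> same token, so records about one person can
    still be grouped. A plain SHA-256 of a short customer id would not do,
    because anyone could enumerate the ids and recompute the hashes; with HMAC
    the key is required, and the key is stored apart from the data.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: Sequence[Dict[str, object]], key: bytes,
                 keep_fields: Sequence[str]) -> Tuple[List[Dict[str, object]], Dict[str, str]]:
    """Split records into a working copy and a re-identification table.

    The working copy carries the pseudonym plus only the fields listed in
    keep_fields (data minimisation). The lookup maps pseudonym -> customer_id
    and is the 'additional information' that must be kept separately, under
    its own access controls, from the working copy.
    """
    working: List[Dict[str, object]] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        token = pseudonym(key, str(rec["customer_id"]))
        lookup[token] = str(rec["customer_id"])
        row: Dict[str, object] = {"pseudonym": token}
        for field in keep_fields:
            row[field] = rec[field]
        working.append(row)
    return working, lookup


def contains_direct_identifier(records: Sequence[Dict[str, object]]) -> bool:
    """Check a data set before it leaves the controlled environment."""
    return any(field in rec for rec in records for field in DIRECT_IDENTIFIERS)


def spend_by_pseudonym(records: Sequence[Dict[str, object]]) -> Dict[str, float]:
    """An analysis that runs on the pseudonymised copy without knowing who is who."""
    totals: Dict[str, float] = {}
    for rec in records:
        token = str(rec["pseudonym"])
        totals[token] = totals.get(token, 0.0) + float(rec["monthly_spend"])
    return totals


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: from a key store, never beside the data
    working, lookup = pseudonymise(CUSTOMERS, key, ("county", "plan", "monthly_spend"))
    assert not contains_direct_identifier(working)
    for token, total in spend_by_pseudonym(working).items():
        # Only the holder of the lookup table (and the key) can say which customer this is.
        print(token, total, "->", lookup[token])
```

The point of the split is that the working copy is useful on its own (spend can still be totalled per person) but cannot be linked back to a named individual by whoever holds only that copy; re-identification needs the separately held key or lookup table, which is exactly the separation GDPR expects of pseudonymised data.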

In this regard, the organisation should take into account:

  • The state of the art – the current best practices and technologies
  • The cost of implementation
  • The nature, scope, context and purpose of processing
  • The risk to individuals’ rights from processing

Consent

Changes to consent for data collection

Consent to collection and processing of data must now involve affirmative action. Automatic opt-in, pre-ticked boxes or inactivity are no longer acceptable means of acquiring consent from data subjects.

Consent is defined as:

“Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

In addition to specifically opting in to processing, the data subject must be advised of the reasons their data will be processed, including any processing on the basis of ‘legitimate interests’. Legitimate interests include:

  • Prevention of fraud
  • Direct marketing
  • Ensuring security
  • Reporting possible criminal acts
  • Necessary transmission of data within an organisation


Children's consent

The GDPR contains specific rules designed to boost the protection of children’s personal data. It restricts the age at which data subjects can lawfully give consent, introduces rules for the language used in consent requests targeted at children and regulates the way online services obtain children’s consent. Under the GDPR, the default age at which a person is no longer considered a child is 16, but it allows member states to adjust that limit to anywhere between 13 and 16.

Data controllers must therefore know the age of consent in each relevant member state, and cannot seek consent from anyone under that age. Instead, they must obtain consent from a person holding “parental responsibility”, and must make “reasonable efforts” to verify that the person providing that consent is indeed a parental figure.



Data Breach Reporting

What is a Personal Data Security Breach?

  • Disclosure of confidential data to unauthorised individuals
  • Loss or theft of data or equipment on which data is stored
  • Hacking, viruses or other security attacks on IT equipment, systems or networks
  • Inappropriate access controls allowing unauthorised use of information
  • Emails containing personal data sent in error to the wrong recipient
  • Applies to paper and electronic records 
  • Consequences: Financial, Reputational, Legal


Breaches are managed by your company's assigned Data Protection Officer.

What to do if you discover a breach (or potential breach)?

  • Don't delay
  • Act immediately
  • Report the incident

This enables your company to assess, contain and respond to the incident (including notifying affected parties and the Data Protection Commissioner). The law requires mandatory breach notifications to be sent:

  • to the Data Protection Commissioner within 72 hours
  • to data subjects without undue delay

Data Privacy Impact Assessments

DPIAs are obligatory impact assessments that must be undertaken at the early stages of any organisational change involving a ‘high risk’ to the data rights of individuals, but only where the organisation or change involves:

  • Large-scale processing of sensitive data
  • Large-scale monitoring of a public area
  • Processing of data related to criminal convictions

The Data Protection Commissioner is to produce guidelines on the requirements surrounding DPIAs.

International Data Transfers

Data transfers outside the EEA are prohibited unless the receiving country ensures appropriate safeguards. GDPR now also prohibits any non-EEA court from ordering the disclosure of personal data unless under an international agreement. The existing mechanisms for data transfers have been retained and expanded upon:

  • BCRs (Binding Corporate Rules) are internal organisational codes of conduct that the organisation agrees to be bound by in its processing of data across borders.
  • Model Contracts are contracts with specific data protection provisions that have been approved by the relevant supervisory authority. Organisations can voluntarily enter into such contracts to satisfy GDPR provisions.
  • Approved Codes of Conduct are similar to BCRs and are approved by the relevant supervisory authority.
  • Approved certification mechanisms are industry-specific programmes that would be used to satisfy GDPR data transfer requirements. The concept is still in development, with a preference for a common EU GDPR baseline certification for all contexts and sectors, which could be differentiated in its application by different certification bodies during the certification process.

What is the term used in the General Data Protection Regulation (GDPR) for unauthorized disclosure of, or access to, personal data?

  • Data Breach
  • Confidentiality Violation
  • Incident
  • Security Incident

If we as a business identify a data breach, we should report this to the regulatory authority within what time frame?

  • 72 hours
  • 1 working week
  • 24 hours
  • 7 days

Summary

Your Responsibilities

  • Do not use personal data for any other purpose than the purpose for which it was collected, ensure it is kept up to date and only for as long as necessary
  • Give individuals ample opportunity to check what personal data we hold and don't keep it for any longer than it is required
  • Don't collect special categories of personal data without first checking with your supervisor or your DPO
  • If you receive any subject access requests (SAR), inform your supervisor and escalate it promptly
  • Protect personal data against unauthorized access, and accidental loss, corruption or destruction
  • Password-protect or encrypt all personal data before sending it by electronic transfer
  • If a document containing personal data is not required, shred it or place it in a secure confidential waste bin; don't put it in ordinary waste or recycling bins
  • Don't share personal data with third parties without checking that they have a valid need to know and a GDPR-compliant contract in place
  • Don't transfer data outside the EEA without first checking with Legal or Compliance
  • Don't conceal or cover up data losses or breaches - report mistakes and violations promptly, so that we can limit the damage to the subject, us and YOU!