Imo’s common sense guide to GDPR
How to use this document
This is an accumulation of information from different sources (see references at
end), and some advice (such as the age of consent for data protection in Ireland)
may change before the GDPR law comes into effect in May 2018.
Of course you should consult an appropriate professional such as a lawyer rather
than relying on this document. It has been created by someone who is just a
small business owner who has dealt with the practical effects of data protection
regulation for 25 years and has simply read the publicly available material for the
UK and Ireland… but if you don’t have time or funds, then it might help!
What is GDPR?
The new EU general data protection law coming into force in May 2018. It gives
more rights to individuals which will mean charities, clubs and small businesses
need to review their procedures and make some changes. However, it’s not
actually that big a change compared to the data protection you should already
be performing. Which you probably aren’t.
GDPR gives the following rights to individuals:
• The right to be informed that data is held on them.
• The right of access to data held, free of charge, without delay and within one
month.
• The right to rectification of information held.
• The right to erasure of information held on them.
• The right to restrict processing of their information.
• The right to data portability (ie to obtain their own information and take it
“away”).
• The right to object.
• Rights in relation to automated decision making and profiling.
What sort of thing will GDPR mean in practice?
Some practical examples of why you need to plan this
• If you send out an email to a group of people, do not put all the email
addresses into the cc: field. Use the bcc (blind copy) field to enter in the list of
emails, unless you can show that all those people have given you explicit
consent to reveal their email addresses to all the other people.
• Data has to be kept safe. Is yours backed up, encrypted? Do you have those
details listed somewhere in a data security policy or procedure? Is one of
your backups held offsite in case of fire, theft or flood?
• Is there a data privacy policy on your website? And a cookies agreement?
• Do you have a form for new customers or users? It must request explicit
consent for their data to be held, explain what it’s held for, who by and for
how long, and who people contact if they don’t agree.
• Do you ever text customers notifications or reminders? You must inform
customers or users that you are going to do this, and give an opt-out option
whenever you use it.
• If your premises were broken into and a computer stolen that holds personal
data, you would need to inform the data protection commissioner within 72
hours unless it is anonymized OR encrypted. Do you know what’s on each
computer, and whether it’s encrypted?
• If you receive a request from a data subject who wants to get a copy of all the
data you hold on them and then have it deleted, could you do this within 30
days and free of charge? How would you be sure you’d found all their data?
That’s the law from May.
• What do you know about your Internet security? Do you have a firewall and
malware protection? Is access to data protected eg by passworded accounts?
• How can you be sure all your staff are using strong computer passwords?
• If you sell or pass on an old computer no longer in use, what is your
procedure to ensure there is no personal data accessible from that computer
in future?
• Do you use Paypal to receive payments? This company has restrictive data
policies as part of its terms and conditions that imply customer information
may be passed to third parties in a jurisdiction beyond the EU in a way which
may not comply with GDPR.
Where do you start?
The 12 steps to be taken which must be started in May 2018:
• Awareness
• Information you hold
• Communicate privacy information
• Individuals’ rights
• Subject Access Requests
• Lawful basis for processing personal data
• Consent
• Children
• Data Breaches
• Privacy by design and Data Protection Impact Assessments (DPIA)
• Data protection officers
• International
1. Awareness
The law is changing in May 2018 – you need to tell all key people in your
organization and make everyone aware how you plan to make your organization
compliant.
2. Inventory of information you hold
Make a list of all the personal data held. Donors, staff, volunteers, members,
customers, users, suppliers, marketing lists, accident book, employment contracts,
Garda vetting, HR records?
• Where did the data come from? Make a list.
• Who do you share it with? Make a list.
• Is it really needed? No? Delete it.
• Is it relevant? If you’re a sports club you may need to know if a member has
asthma but not their PPS number.
• Is it more than two years old? How do you know?
• How do you know you have permission to hold it?
• Is any of the data sensitive eg health-related? Extra rules may apply.
[Sensitive data means issues like ethnic background or religion or criminal
convictions or health. Non-sensitive data means eg name, address, PPSN.]
• Is any of the data from underage subjects? How are you verifying ages and
obtaining consent from a parent or guardian when necessary?
• Have you informed them in easy, clear language of the legal basis for
processing their data, the data retention periods and how to object? Eg it may
be that they have given consent in the past 2 years, or it could be that you have a
commercial relationship such as invoicing where consent is assumed.
3. Communicating permission and consent – privacy information
So now you’ve probably realized a lot of your data is out of date, you don’t know
how you got permission to use it and you can’t show that individuals consented. You
have to be able to show how consent was given.
This probably means you need to re-permission all the people on your texting
list, for example, before May 25 2018.
There are important changes to consent with GDPR.
DP Directive (old) definition:
“any freely given specific and informed indication of his wishes by which the data
subject signifies his agreement to personal data relating to him being processed”
GDPR (new) definition:
“any freely given, specific, informed and unambiguous indication of the data
subject's wishes by which he or she, by a statement or by a clear affirmative action,
signifies agreement to the processing of personal data relating to him or her”
In practice, how you request consent (your forms, whether paper or online) now has
to meet these points:
• The name of your organisation and the names of any third parties who will
rely on the consent – consent for categories of third-party organisations will
not be specific enough.
• Why you want the data (the purposes of the processing).
• What you will do with the data (the processing activities).
• Make the request for consent prominent and separate from your terms and
conditions.
• Ask people to positively opt in – don’t use pre-ticked boxes, or any other type
of consent by default.
• If it’s for more than one purpose, offer more than one opt-in (granularity).
• Let people know they can withdraw their consent at any time without
detriment, and how. It must also be as easy to withdraw consent as it was to
give it.
• Don’t make consent a precondition of a service.
• Where children are involved, verify age and get parental consent as needed.
Parental consent is necessary for the processing of a child’s data where the
child is below the age of 16 years old. Ireland may choose to lower this age
but not below 13 years old.
• Keep a dated record of how you received consent and what the person was
told at the time.
• Clearly inform them of the complaints channel open to anybody unhappy
with how their data has been processed.
• It’s good practice to let people know how long their data will be held for.
WRONG…
Company A provides the following information to individuals:
“Email address (optional): We will use this to send you emails about our products
and special offers.”
Company A keeps a spreadsheet with ‘consent provided’ against a customer’s name.
They keep the time and date of consent linked to an IP address, with a web link to
the current data-capture form and privacy policy.
RIGHT…
Company B uses the following statement instead:
[ ] I consent to receive emails about your products and special offers.
If the individual ticks the box, they will have explicitly consented to the processing.
They keep a copy of the customer’s signed and dated form that shows they ticked to
provide their consent to the specific processing.
5. Subject Access and security (timescale one month)
• Who currently has access to what data, and under what conditions? How are
you limiting access? Lock and key, password?
• Is the existing data held securely?
• Do you share it with anyone for any reason?
• Is it used only for the purposes that it was originally collected for?
• Where is it held (Cloud? Hard drive?)
• Is it encrypted?
• Is it backed up and is there an offsite backup?
• Who can get access to your internal computer network? What defences
against unauthorized access are in place?
The only changes here are that it needs to be quicker (30 days) and free. There must be
systems in place to remove data, deal with complaints and correct any errors that
arise. Where a request is deemed manifestly unfounded or excessive, it can be
refused. However, organisations need to have clear refusal policies and procedures
in place, and be able to demonstrate why the request meets these criteria.
1. Appoint a Co-ordinator who will be responsible for the response to the
access request. A description of the functions and responsibilities of the
Co-ordinator should be circulated within the organisation and staff should be
advised of the necessity for co-operation with the Co-ordinator. If the
organization is a public sector organization and subject to the Freedom of
Information Acts, there should be co-ordination between the FOI and DP
processes.
2. All subject access matters should be submitted to the Co-ordinator.
3. Check the validity of the access request.
4. Check that sufficient material has been supplied to definitively identify the
individual. This is most important. You should set down criteria on what is
sufficient to prove identity for your organisation. This may be the signature,
an ID number in combination with name and address or date of birth. It
should not be possible for a third party to provide the material to lodge a
false access request.
5. Check that sufficient information to locate the data has been supplied. If it is
not clear what kind of data is being requested you should ask the data subject
for more information. This could involve identifying the databases, locations
or files to be searched or giving a description of the interactions the
individual has had with the organisation.
6. Log the date of receipt of the valid request.
7. Keep note of all steps taken to locate and collate data – if different divisions
of the organisation are involved, have the steps "signed off" by the
appropriate person.
8. Check each item of data to establish if any of the modifications in respect of
health or social work data (section 4(8)) or any of the restrictions on access
provided by section 5 apply.
9. If data relating to a third party is involved, do not disclose without the
consent of the third party, or anonymise such data if this would conceal the
identity of the third party. An opinion given by a third party may be disclosed
unless it is an opinion which was given in confidence on the clear
understanding that it would be treated as confidential.
10. Monitor the process of responding to the request, observing the time limit of 30
days.
11. Supply the data in an intelligible form (include an explanation of terms if
necessary). Also provide a description of the purposes, disclosees and source of the
data (unless revealing the source would be contrary to the public interest).
Number the documents supplied. Have the response "signed off" by an
appropriate person.
12. Regularly review your procedures and processes.
6. Lawful basis for processing personal data
Under GDPR, consent is not the only legal basis for holding data though it is the most
common. In all cases holding the data must be shown to be necessary. Other legal
bases include:
• Contract - eg if a car insurer needed your make and model of car to give a
quotation.
• Legal obligation - to comply with common law or statutory obligation
• Vital interests - to protect a life
• Public task - in the exercise of official authority or for a task in the public
interest set out in law
• Legitimate interests - commercial, individual or broader societal interests,
balanced against the individual's interests
• Special category data - eg health
• Criminal offence data - must have a lawful basis
7, 8 and 9. Consent, children and data breaches
The best way to handle these elements is by having and implementing a data
protection privacy policy.
Data protection privacy policy
A Privacy Policy documents an organisation’s application of the eight data
protection principles to the manner in which it processes data organisation-wide.
The policy applies to all personal data processed by the organisation, including
customer data, third party data and employee data.
Draw up policies and procedures to cover:
• Dealing with data breaches
• Requests for data access (eg recording the date that the request is received)
• Requests for data correction
• Requests to have information erased
• Requests to prevent direct marketing contacts
• How you decided you didn’t need to appoint a Data Protection Officer (not
usually necessary, but you should specify who in your organization handles
data protection queries).
• Specify retention periods for different types of data held.
• Specify whether any data is being exported to third countries (example: use
of Paypal to receive payments).
• Specify the period for auditing checks and reviews of the policy.
• Review any other existing policies and procedures that may be impacted by
GDPR such as HR, Health and Safety, employment contracts, fundraising,
financial records, Garda vetting, children and vulnerable adults.
• Consider the eight data protection rules in the following section.
• Record how people in your organization have been made aware of the data
protection policy, and of how they may get involved with reviews or changes
to the policies and procedures.
The eight data protection rules (from the previous legislation)
Keep an eye out for any updates to these eight rules on the GDPR sites…
Rule 1: Fair obtaining
At the time when we collect information about individuals, are they made aware of
the uses for that information?
Are people made aware of any disclosures of their data to third parties?
Have we obtained people's consent for any secondary uses of their personal data
which might not be obvious to them?
Can we describe our data-collection practices as open, transparent and up-front?
Rule 2: Purpose specification
Are we clear about the purpose (or purposes) for which we keep personal
information?
Are the individuals on our database also clear about this purpose?
If we are required to register with the Data Protection Commissioner, does our
register entry include a proper, comprehensive statement of our purpose?
[Remember, if you are using personal data for a purpose not listed on your register
entry, you may be committing an offence.]
Has responsibility been assigned for maintaining a list of all data sets and the
purpose associated with each?
Rule 3: Use and disclosure of information
Are there defined rules about the use and disclosure of information?
Are all staff aware of these rules?
Are the individuals aware of the uses and disclosures of their personal data? Would
they be surprised if they learned about them? Consider whether the consent of the
individuals should be obtained for these uses and disclosures.
If we are required to register with the Data Protection Commissioner, does our
register entry include a full list of persons to whom we may need to disclose
10. Privacy by design and Data Protection Impact Assessments (DPIA)
Under the Regulation, businesses will be obliged to conduct Data Protection Impact
Assessments (“DPIA”) where the processing, particularly where it utilises any new
technologies, “is likely to result in a high risk” for the rights of individuals, having
regard to the “nature, scope, context and purposes of the processing”.
So DPIA does not apply to most data operations unless you are handling sensitive
information. If you do handle such information, get specialist advice!
11. Data protection officers (DPO)
DPO appointment will be mandatory only for those controllers and processors
whose core activities consist of processing operations which require regular and
systematic monitoring of data subjects on a large scale or of special categories of
data or data relating to criminal convictions and offences.
Again, this will not apply to most data operations but a named person within the
organization responsible for data protection is normal.
12. International
GDPR applies to non-EU bodies that offer goods or services to EU citizens. Non-EU
businesses processing the data of EU citizens will also have to appoint a
representative in the EU. If you are dealing with a complex international situation,
you need to get professional, specialist advice.
Checklist
• Inventory your data
• Record who has access (online and paper) to the data
• Check your data security – backups, online, network
• Figure out who you need to “repermission” regarding their data by May 2018
• Do you need to appoint a data protection officer? (Probably not.)
• Who is going to be responsible for data protection in the organization?
• Revise direct marketing procedures
• Revise website privacy and cookies policy
• Revise your data protection procedures, including subject data access
requests
• Make everyone in the organization aware of the changes and how they can
contribute
• Keep checking for any changes coming up to May 2018 such as age for
parental consent where children are involved.
• Think about data protection implications in future when creating new
products, services or internal procedures.
Examples
Website privacy policy example
https://fortprivacy.ie/gdpr-privacynotices/
Article 13 requires that the privacy notice should include the following information:
• the identity and the contact details of the controller
• the contact details of the data protection officer
• the purposes and legal basis for the processing
• where the processing is based on legitimate interests, details of what these
are
• the recipients or categories of recipients of the personal data
• details of any transfer to a third country and details of the safeguards and the
means by which to obtain a copy of them or where they have been made
available
• the retention periods or the criteria used to determine that period
• details on rights of access to and rectification/deletion of personal data, the
right to object to processing and the right to data portability
• if processing is based on consent, the right to withdraw consent
• the right to lodge a complaint with the supervisory authority
• details on whether the data subject is obliged to provide the personal data
and the consequences of failure to provide it
• details of any automated decision making, including details of the logic used
and potential consequences for the individual
Website privacy policy and cookies template
https://www.nibusinessinfo.co.uk/content/sample-privacy-policy
This privacy policy sets out how [business name] uses and protects any information
that you give [business name] when you use this website.
[business name] is committed to ensuring that your privacy is protected. Should we
ask you to provide certain information by which you can be identified when using
this website, then you can be assured that it will only be used in accordance with
this privacy statement.
[business name] may change this policy from time to time by updating this page.
You should check this page from time to time to ensure that you are happy with any
changes. This policy is effective from [date].
What we collect
We may collect the following information:
• name and job title
• contact information including email address
• demographic information such as postcode, preferences and interests
• other information relevant to customer surveys and/or offers
What we do with the information we gather
We require this information to understand your needs and provide you with a
better service, and in particular for the following reasons: