Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Gdpr for business full


Published on

Everything you need to know about the GDPR

  • Be the first to comment

  • Be the first to like this

Gdpr for business full

  1. 1. Secure Helping Hand GDPR FOR BUSINESS
  2. 2. The principles of GDPR (Article 5) Personal data shall be processed under the following principles: • 1) Lawfulness, fairness and transparency • 2) Purpose limitation • 3) Data minimization • 4) Accuracy • 5) Storage limitation • 6) Integrity and confidentiality
  3. 3. Who does it apply to? • Businesses and organisations that process personal data on behalf of individuals known as data subjects. • GDPR compliance applies to Data Controllers and Data Processors
  4. 4. What is data processing? Processing of personal data includes the following: • collecting, recording, storing, adapting, using, disclosing and deleting data • If you process data on behalf of employees or customers, GDPR applies GDPR is technology neutral. This means it protects the personal data of data subjects regardless of the technology used or how the personal data is stored. • It applies to electronic and paper-based files
  5. 5. What is personal data? Any information that identifies a data subject. • Name • Address • Telephone number • Email address • Date of birth • online identifiers such as an IP address and location data & & &
  6. 6. What is sensitive personal data? Sensitive data is personal data that relates to a person’s profile including their: • Race or ethnicity • Political, religious or philosophical beliefs • Sexual life or sexual orientation • Health Physical and Mental • Genetic or bio-metric data • Criminal record • Trade union membership There are additional requirements for processing sensitive data
  7. 7. Legal Bases for processing personal data • Consent • Legal obligation • Contractual obligation • Vital interests • Public interests • Legitimate interests
  8. 8. The legal bases for processing sensitive data Legal bases for processing sensitive data include • Explicit consent • Comply with EU, national law or collective agreements in relation to employment, social security and social protection law • The vital interests of a person • A foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim that processes data for its members or people who regularly contact the organisation • If the personal data was manifestly made public by the individual • If the data is required for the establishment, exercise or defence of legal claims
  9. 9. The legal bases for processing sensitive data – cont. • For reasons of substantial public interest • For the purposes of preventive or occupational medicine, assessing the working capacity of an employee, medical diagnosis, the provision of health or social care/treatment, the management of health or social care systems and its services or on the basis of a contract as a health professional • Is processed for reasons of public interest in the field of public health • Is processed for archiving, scientific or historical research purposes or statistical purpose
  10. 10. What data do you process? Do you process personal or sensitive data on behalf of: • Employees? • Customers? • Suppliers? • Stakeholders? If the answer is yes to any of the above then GDPR applies
  11. 11. Assess your risk level Under GDPR, businesses that process personal data should account for “the nature, scope, context and purposes of the processing.” You need to assess what is the risk level of your data processing activities and what harm could be caused to individuals if the data
  12. 12. Assess your Processing Activities GDPR is particularly concerned with processing activities that could pose the following risks to data subjects: • Discrimination • Identity theft or fraud • Financial loss • Damage to reputation • Loss of confidentiality • Unauthorized reversal of pseudonymisation
  13. 13. Assign your legal basis Businesses must assign a legal bases to the personal data they process. Consider if • This is the most appropriate legal basis for this data processing activity? • If I choose legitimate interests as a legal basis can I demonstrate it is a legitimate business interest? Can I show that it is necessary? Can it be balanced against the individual’s interests, rights and freedoms. • Take time to consider what legal bases is best suited to a particular processing activity as you cannot change it halfway through.
  14. 14. Data Inventory Make an inventory of all the personal data that you process. • Types of data? • How did you obtain it? • Why was it originally gathered? • How long will you retain it? • How secure is it, both in terms of encryption and accessibility? • Do you ever share it with third parties and on what basis might you do so?
  15. 15. Manage consent Consent can be an effective legal basis for direct marketing activities, in particular for electronic communications. However there are stricter requirements when relying on consent. Under GDPR consent must be: • Freely given • Specific • Informed • Unambiguous - the data subject has indicated consent by a clear affirmative action such as an opt in. Revisit old consent and ensure it meets GDPR standards
  16. 16. Manage consent cont.. In addition consent relies on four conditions: • Businesses must demonstrate that the data subject has given their consent • Written consent notices must be separate from other notices, be in an easily accessible form using clear and plain language • The data subject has the right to withdraw consent at any time. It must be as easy to withdraw consent as it was to grant it and they must be informed of this before their data is processed • Care is needed to ensure that any consent freely given is not conditional or tied to the performance of a contract or the provision of a service
  17. 17. Communicate Privacy Information Update privacy notices by May 25th • Name and contact details of the business • The purpose for using the data • The use(s) that the data will be put to • The legal basis for processing data • Retention periods or criteria for holding data • Processing for legal or statutory requirements
  18. 18. Communicate Privacy Information cont... • The rights of the individual • Who the data will be disclosed to • Any legitimate interests of the business or its third parties • Any automated decision making processes (if applicable) • Details of data that is transferred outside of the EU and how it is safeguarded (if applicable) • The right to complain to the Data Protection Commission
  19. 19. Review contracts with 3rd party suppliers If you outsource the processing of personal data to a data processor such as a cloud services company, credit card supplier or other service provider you must ensure the following: • That they comply with GDPR • They do not engage another data processer without your knowledge and authorisation • They only process the personal data that is in the written agreement • You have sought and been given assurances regarding their appropriate security and organisational measures
  20. 20. Manage data access requests Access requests by data subjects must be processed within one month and are free of charge. An administrative fee can be applied for excessive data requests. Businesses should put in a process for managing data access requests • Staff recognise and pass data access request to the appropriate person • Ensure that the data access request is processed within one month • Manage excessive or multiple data access requests • Documented reasons for refusing data access requests that are unfounded or excessive
  21. 21. Information to provide to Data Subjects • The reason/s for processing their data • The categories of personal data that relates to them • If any 3rd parties including third countries have access to their data and how it is protected and safeguarded • The length of time that the personal data will be held for • The right to have personal data to be updated, erased or restricted • How to lodge a complaint with the Data Protection Commissioner • How you obtained their personal data • Any automatic profiling and the significance of it on their personal
  22. 22. Data Security Businesses need to ensure that both their organizational and technical measures safeguard and protect personal data. This applies to: • IT security • Physical Security • Organizational Security
  23. 23. Train your staff All staff should be trained on: • What is GDPR • Policies and procedures for GDPR • Dealing with data access requests • Keeping personal data secure • Following organizational procedures and guidelines • Following the correct procedure in relation to a data breach
  24. 24. Data Breaches GDPR requires that businesses must notify the Data Protection Commission within 72 hours of becoming aware of a data breach if it poses a risk to the rights and freedoms of a data subject. Data breaches that could bring harm to an individual – such as identity theft or breach of confidentiality must also be reported to the individuals concerned.
  25. 25. Respond to Data Breach A response plan should include the following : • The key individuals that will form an incident response team • Contact details of key experts including a forensic IT expert, legal counsel with data protection expertise • How to communicate with the DPC within the 72 hour time-frame • A contingency plan for a dedicated customer service line in the case of significant breaches • How to respond to material and non-material claims if they arise Logging of Personal Data Breaches
  26. 26. Review Regularly and update GDPR does not stop once 25 May arrives. Businesses will need to review and refresh as it changes or grows and should factor in the following on a regular basis: • Check and refresh consent where necessary • Review personal data on an annual basis – remove outdated / unnecessary data & Train staff annually • Review your internal policies and procedures in relation to data processing • Review security and organizational methods of data processors • For new data processing projects that could pose a high risk to the privacy rights of individuals consider if Data Protection Impact Assessment is needed
  27. 27. Use the SHH app to start your GDPR journey today!