Presentation on data protection given at the Community Archives conference 2018 by Jon Elliott (Archives and Records Association) and Jack Latimer (Community Archives and Heritage Group)
Data Privacy and Data Protection: Rotary’s Compliance with GDPR Handout (Rotary International)
Rotary International has taken several steps to prepare for the new European Union General Data Protection Regulation (GDPR) which strengthens data protection rules for EU residents and applies to organizations that offer services to EU residents. Rotary conducted a readiness assessment and risk analysis which identified key areas of focus including updating processes and policies around lawful data processing, data breach response, records retention, and providing more transparency around how personal data is used. Rotary is applying these new standards globally and constituents will have new rights under GDPR such as access to their data, rectifying errors, and objecting to certain uses of their data. Clubs and districts located in or serving the EU must also comply with GDPR requirements.
GDPR - What you need to know about the General Data Protection Regulation (Lauren Olson)
The General Data Protection Regulation (GDPR) regulates how personal data is collected and stored by organizations. It provides individuals several rights around their personal data, including rights to access, rectify, erase, and port their data. GDPR applies to any organization that does business in or markets to individuals in the EU. It requires organizations to obtain informed consent to collect personal data, securely store data, notify authorities of data breaches, and could result in fines of up to 4% of global annual turnover for noncompliance. GDPR goes into effect on May 25, 2018 for all EU member states.
Taras Kruts - You should delete Facebook now or how GDPR tries to save us all (DrupalCamp Kyiv)
This document discusses GDPR and its implementation in Open Social, a Drupal distribution. It begins with an overview of GDPR, including its goals of giving citizens control over personal data and simplifying regulations for international business. It then discusses key GDPR concepts like personal and sensitive data. Next, it outlines steps for GDPR compliance in Open Social, such as obtaining user consent for data policies and usage, and allowing users to correct, export or delete their personal data. It notes actors defined in GDPR and potential penalties for non-compliance. Finally, it suggests building a proper social network rather than just deleting Facebook accounts.
Facebook's terms and conditions are over 1400 words long and spread across multiple pages, making them difficult for users to fully read and understand. While users own the content they create, they grant Facebook licenses to use, copy, and distribute this content. The terms also state that Facebook can remove any content that violates copyrights, contains illegal material like spam or pornography, or bullies or harasses other users. Users can have their accounts suspended or terminated if they repeatedly break these policies.
Gdprplan.com affiliate huddle 10th May 2018 (Micky Khanna)
The document provides 3 tips for implementing the GDPR by the deadline of May 25th, 2018. Tip 1 is to secure networks, assets, and people by ensuring websites and IT systems use HTTPS, implementing security procedures for premises, and establishing a BYOD policy. Tip 2 is to update contracts to clarify roles and responsibilities as controllers or processors of data. Tip 3 is to understand data protection laws outside of the EU to ensure compliance when transferring data internationally. The document also recommends training employees on security and GDPR requirements. It promotes an online GDPR training course to help organizations comply.
The six steps for complying with GDPR are:
1. Know your data - Conduct an audit to understand what personal data is collected and where it is stored.
2. Classify the data - Determine if the data is personal, sensitive or confidential.
3. Justify the data - Establish the lawful basis and purpose for collecting and processing the data.
4. Plan how the data will be handled - Outline the full data lifecycle and retention periods.
5. Control access to the data - Implement security measures and restrict access to authorized personnel only.
6. Be prepared for a data breach - Have response plans in place and know when to report breaches to
The six steps for complying with GDPR are: 1) Know your data - conduct an audit to understand what personal data is collected and where it is stored. 2) Classify the data - determine what is personal data, sensitive personal data, and confidential business information. 3) Justify the data - establish the lawful basis and purpose for collecting and processing each type of data. 4) Plan how the data will be handled - establish processes for collection, storage, processing, deletion and retention. 5) Control access to data and keep it secure. 6) Be prepared to respond to a data breach by notifying authorities and individuals whose data was involved within 72 hours.
Implementing and Auditing General Data Protection Regulation (Jim Kaplan CIA CFE)
Implementing and Auditing GDPR Series (1 of 10)
Protecting personal data has been an important issue for many years. The EU GDPR extends the data rights of individuals, and requires organizations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organizational measures. UK organizations have had to comply with the Regulation since 25 May 2018, or potentially face fines of up to 4% of annual turnover or €20 million – whichever is greater.
Learning Outcomes:
This 10 webinar series is intended to elicit a clear understanding of the core elements of the GDPR, with the ability to gain a deeper understanding by asking the trainer questions during the training.
It covers how each aspect of the Regulation can be translated into implementation actions in your organization and the auditor’s role.
Webinar 1 of 10
• Bands of penalties and range of awards for breaches
• Lawfulness of processing and consent
• The six data protection principles
How will GDPR affect your business - Marketing Fox & Birkett Long (Louise Owens)
This document summarizes a seminar on post-GDPR marketing. It began with an overview of creating a marketing strategy, including evaluating current efforts, setting objectives, developing a strategy, implementing a plan, and measuring results. Building an audience was discussed, emphasizing growing a database organically and using a CRM. Marketing automation was introduced as a way to automate marketing actions like email workflows. The seminar concluded by offering attendees a discounted marketing strategy workshop.
What does GDPR actually mean to you as a business? What are the rights of individuals, and how do you have to apply them, around Subject Access Requests, the Right to Erasure / to be Forgotten, Consent and Opt In and Out, and Personally Identifiable Information and Personal Data?
On 25 May 2018 the new General Data Protection Regulation (GDPR) will come into force, replacing all existing data protection regulations.
Payroll bureaus process large amounts of personal data in relation to their customers, their customers’ employees, and their own employees. Consequently, the GDPR will impact most if not all areas of the business and the impact it will have cannot be overstated.
BrightPay hosted a free CPD accredited webinar alongside Bright Contracts where we discussed everything that accountants, bookkeepers and payroll bureaus need to know about GDPR.
For more information visit https://www.brightpay.co.uk
This webinar from Deeson with digital law specialist Heather Burns offers actionable guidance for business leaders to kick-start the GDPR compliance process.
This document discusses data ethics and provides 5 key principles of data ethics for business professionals:
1) Ownership - individuals own their personal data and must provide consent for it to be collected
2) Transparency - individuals have a right to know how their data will be collected, stored, and used
3) Privacy - personal data must be securely stored and protected from unauthorized access
4) Intention - the intention behind collecting data must be considered to avoid potential harm
5) Outcomes - while intentions may be good, data analysis could inadvertently cause disparate impacts
Upholding data ethics helps businesses earn customer trust, which is essential to their success. Failure to do so can damage reputations and result
22% of employees visit social networking sites 5 or more times per week, yet only 54% of employers have a policy dealing with social media inside and outside the workplace. During this presentation, participants will learn about potential legal issues involved in adopting a policy and how to avoid those issues. Sample provisions will be discussed and recommended actions addressed.
Presented by Jackson Lewis.
This document provides guidance on protecting personal privacy. It discusses how personal information is increasingly shared online through devices, accounts and transactions. Canadian privacy laws give individuals rights over how their personal data is collected and used by governments and businesses. The presentation outlines steps people can take to know their privacy rights, access their personal information, read organization privacy policies critically, raise concerns with how their data is handled, and use privacy settings to control what is shared. Protecting privacy involves understanding obligations on how information can be collected and used, consenting only to necessary data practices, and speaking up when rights may be violated.
Presentation from IAPP Canada 2011 Conference.
Presented by Shaun Brown - (http://nnovation.com), and Matthew Vernhout (http://www.transcontinental-interactive.com).
Social media & data protection policy v1.0 141112 (Dave Shannon)
Presentation presented to employees in a previous role. Unfortunately the corporate identity has had to be removed; however, the content is still relevant to policies and legislation.
Protecting personal data has been an important issue for many years. The EU GDPR extends the data rights of individuals, and requires organizations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organizational measures. UK organizations have had to comply with the Regulation since 25 May 2018, or potentially face fines of up to 4% of annual turnover or €20 million – whichever is greater.
Learning Outcomes:
This 10 webinar series is intended to elicit a clear understanding of the core elements of the GDPR, with the ability to gain a deeper understanding by asking the trainer questions during the training.
It covers how each aspect of the Regulation can be translated into implementation actions in your organization and the auditor’s role.
Webinar 6
• The role of the data protection officer (DPO).
• What constitutes personal data.
• Accountability, the privacy compliance framework and a personal information management system (PIMS).
This document provides an overview of the General Data Protection Regulation (GDPR) and recommendations for businesses to prepare for its implementation. Some key points:
- GDPR applies to any business established in the EU or offering goods/services to EU residents and takes full effect on May 25, 2018. Non-compliance could result in fines up to 20 million euros.
- Businesses need to designate a data protection officer, map their data flows, determine the legal basis for processing personal data, and update processes for responding to access and erasure requests.
- Preparing for GDPR involves training staff, being transparent about data use, implementing privacy by design, and having processes to address data breaches. Proper preparation will
This document summarizes a workshop on data protection compliance based on the UK Data Protection Act of 1998. It introduces the key concepts of data controllers, data processors, and the eight principles of the Act, including obtaining consent, keeping data accurate and up-to-date, retaining data only as long as necessary, and protecting individuals' rights. The document also discusses issues around direct marketing, sensitive personal data, individuals' rights to access their data, and implications for handling children's personal data.
Full GDPR toolkit: https://quality.eqms.co.uk/gdpr-general-data-protection-regulation-eu-toolkit
This free online training presentation provides you with information about how to comply with the General Data Protection Regulation, managing breaches, engaging employees, key requirements and more.
EMMA’s EMEA Regional Director Joseph Yammine explains how the EU’s General Data Protection Regulation applies to the Health Care Industry and how you can prepare your team to follow the regulation and avoid any data breaches.
The document provides an overview of key areas of data protection law relevant for charities, including definitions, the data protection principles, fair and lawful processing, data security, subject's rights, direct marketing, and recent European developments. It discusses requirements around obtaining and retaining personal data, sharing data with third parties, responding to subject access requests, and obtaining consent for electronic marketing. Recent cases involving security breaches and retaining data longer than necessary are also summarized.
The document discusses new regulations under the General Data Protection Regulation (GDPR) that will take effect in May 2018. It summarizes guidance available from various data protection authorities on GDPR compliance. Key areas discussed include obtaining valid consent, conducting legitimate interest assessments, ensuring proper documentation, and using different channels like direct mail and email for marketing communications in light of the new consent requirements. Many businesses have yet to fully prepare for the major changes required to comply with GDPR.
1. EU GENERAL DATA PROTECTION REGULATION
GDPR
BASICS FOR COMMUNITY ARCHIVES
Jon Elliott (ARA)
Jack Latimer (CAHG)
2. Starting Point – Differentiate between personal data in archives and data used operationally
‘Archiving Purposes in the Public Interest’
- Personal data in archives is largely exempted from GDPR so long as it doesn’t fail the ‘substantial damage and distress’ test.
- Virtually all community archives will be able to use this derogation.
- So DO NOT AMEND, DELETE, HAND OVER, DESTROY OR REDACT ORIGINAL ARCHIVAL MATERIAL unless a court tells you to.
3. The exemption does not apply to personal data you ‘process’ in running your organisation
For example:
- staff and membership lists, with phone numbers, email addresses, etc.
- data subjects in partner organisations, suppliers, clients, etc.
- photos, bank details, health, family or other identifying information
- signing-in books
- IT’S NOT YOUR DATA
Other common questions:
- GDPR doesn’t cover dead people or those you can reasonably assume are dead (eg, a photo of a woman in 1970 who looks at least 60 years old).
- If people want access to personal data in your archive, offer them a copy.
- If something causes distress (right to erase), close it to public access.
- If something is ‘inaccurate’ (right to correction), put a note in the file.
- If documents contain ‘sensitive personal data’, close them to public access.
- A form that researchers sign accepting their data protection obligations.
- Unsubscribe option on newsletters, etc.
4. GDPR – First Priority – Avoid Breaches
Tackle The Most Common Problems
- Operational failure: eg, mass copying of emails and not ‘bcc-ing’ emails, attaching documents containing personal data, sending a data subject’s personal data to someone else by mistake, not having basic anti-hacking software, sending and receiving ‘work’ personal data from home emails and home servers, etc.
- Bad records management practice: not password-protecting documents containing personal data; mixing sensitive data files in with regular files; not having a clear record of what you own and what you don’t.
- Weakest links: giving access to personal data to people, colleagues, volunteers, etc. who don’t need it: the weakest link in the chain. Limit access.
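The operational failures on this slide are the ones a simple pre-send check can catch before the mail leaves. The following is an added example, not the presenters’ material or any mail client’s code: it inspects a draft for a visible bulk recipient list that should be in Bcc, for a sender on a home webmail domain, and for third-party contact details in the body of a message going outside the organisation. The domain names, threshold, regexes and sample drafts are all assumptions constructed for the illustration.

```python
"""Pre-send checks for the common breaches listed on slide 4.
Added example; all policy values and sample addresses are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed policy values for the illustration, not figures from the slides.
ORG_DOMAIN = "example-archive.org.uk"   # the archive's own mail domain
BULK_THRESHOLD = 3                       # this many visible external addresses = a mailing list
HOME_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.co.uk", "outlook.com"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
UK_PHONE_RE = re.compile(r"\b0\d{4}\s?\d{6}\b")   # simplified UK landline/mobile shape


@dataclass
class Draft:
    sender: str
    to: list[str]
    cc: list[str] = field(default_factory=list)
    bcc: list[str] = field(default_factory=list)
    body: str = ""


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_external(addr: str) -> bool:
    return domain(addr) != ORG_DOMAIN


def check_outgoing(draft: Draft) -> list[tuple[str, str]]:
    """Return (code, explanation) pairs; an empty list means the draft passes."""
    problems: list[tuple[str, str]] = []

    # 1. Bulk mailing with every recipient visible to every other recipient.
    visible = {a.lower() for a in draft.to + draft.cc}
    visible_external = {a for a in visible if is_external(a)}
    if len(visible_external) >= BULK_THRESHOLD:
        problems.append(("visible-bulk",
                         f"{len(visible_external)} external addresses in To/Cc; move them to Bcc"))

    # 2. 'Work' personal data handled from a home email account.
    if domain(draft.sender) in HOME_MAIL_DOMAINS:
        problems.append(("home-account", "sent from a home webmail account, not the organisation's"))

    # 3. Someone else's contact details in a message leaving the organisation.
    recipients = visible | {a.lower() for a in draft.bcc}
    third_party = {m.lower() for m in EMAIL_RE.findall(draft.body)
                   if m.lower() not in recipients and domain(m) != ORG_DOMAIN}
    phones = set(UK_PHONE_RE.findall(draft.body))
    if (third_party or phones) and any(is_external(a) for a in recipients):
        problems.append(("third-party-data",
                         f"body carries {len(third_party)} email address(es) and "
                         f"{len(phones)} phone number(s) belonging to someone else"))
    return problems


# Constructed sample drafts (no real people or addresses).
NEWSLETTER_BAD = Draft(
    sender="volunteer@hotmail.com",
    to=["a.member@gmail.com", "b.member@yahoo.co.uk", "c.member@outlook.com"],
    body="Hi all, the minutes mention Mrs Smith, reachable on 01234 567890 or mrs.smith@gmail.com.",
)
NEWSLETTER_OK = Draft(
    sender="news@example-archive.org.uk",
    to=["news@example-archive.org.uk"],
    bcc=["a.member@gmail.com", "b.member@yahoo.co.uk", "c.member@outlook.com"],
    body="Hi all, this month's newsletter is attached. Reply to unsubscribe.",
)

if __name__ == "__main__":
    for name, draft in (("bad", NEWSLETTER_BAD), ("ok", NEWSLETTER_OK)):
        found = check_outgoing(draft)
        print(name, "->", "passes" if not found else [code for code, _ in found])
```

The check deliberately treats the organisation’s own domain as trusted and everything else as external, which is the simplest rule a small archive can explain to its volunteers; a real deployment would also want the list of partner domains from the information audit.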
5. Second Priority – Get organised
• Record, record, record…
• Do you have a website? If so, what and where are your Privacy Policy, Take-down Policy and Contact Details?
• Have clear, written retention policies for the data you hold: they can be simple, eg how long you keep data for each of the five main uses of personal data you hold, and when/what you destroy or keep. And why.
• Implement your policies….
6. Third Priority
• Tell your trustees (if you have them) what you are doing. Get their approval, eg by
- Defining the simple legal basis you are using to process personal data
- Doing and recording a simple information audit: what personal data you hold, why, in what form, where you send it, how long kept, and physical location?
- Showing how you record consent, ie ‘explicit’; ‘positive indication of agreement.’ Cannot infer from silence/tick-box.
7. Subject Access Requests (SARs)
• You are unlikely to be able to charge for SARs
• Response timescale: down from 40 days to 1 month
• New option: can refuse a request if clearly excessive (BUT: you must have credible policies/processes in place for making such judgements and RECORD individual decisions)
• New obligation: provide info to data subjects, eg data retention periods and the right to ‘correction’.
• Think through operational impact.
8. Reporting Breaches
New, universal duty of breach notification
- obligatory to have processes to detect, report and investigate breaches
- Not all breaches must be reported to ICO: the ‘damage’ test
- But you only have 72 hours for those that must… (won’t include community archives unless, eg a serious breach of sensitive personal data)
- Fines: €20 million or 4% of global turnover. BUT ICO have said that only major breaches by major companies will fall into this bracket
9. International Transfers
• Unwitting?
- Do you use Mailchimp, Facebook, Eventbrite or other sites for your activities?
- Have you read their privacy statements, eg will data you use be exported to US servers and thereby out of GDPR jurisdiction and protection?
- Very important that you cover this
10. Next steps?
• We are working with partners on a Code of Practice: hope it will be available end 2018. Aim to cover community archives
• Need also to consider cross-border implications in Ireland
• Training/briefing: ARA will continue to offer briefing sessions
• ARA will keep advocating improvements/interpretations with governments and regulators.
• Wider impact: new ARA Code of Ethics (2018)
• A hunch: stand by for court cases after 2018…
11. A working example: what we’ve done about GDPR
1. We have carried out an audit of the personal data we hold.
We made a list of all the ways in which we collect or store personal data.
2. We have updated and documented our personal data policy.
We asked: Do we need each type of data on our list? How long should we keep it?
3. We have deleted unnecessary personal data.
For example: we deleted old booking forms and copies of newsletter subscriptions.
4. We have reviewed each process by which we collect personal data to be sure we are obtaining the right permissions.
For example: we added a checkbox to all website forms, to ensure explicit consent.
5. We have provided a method for people to find out what personal data we hold about them or request to have it deleted.
Our privacy page now has a link to a form for requesting/deleting personal data.
6. We have updated our privacy policy and published it on the website.
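Slides 5, 6, 9 and 11 together describe one record-keeping exercise: list what personal data you hold, why and on what basis, where it lives, who it goes to, how long you keep it, and then act on the retention periods. The following is an added example, not the presenters’ or any archive’s real register: it keeps that information audit as a small data structure and derives from it the three answers a trustee would ask for (which records are past their retention period, which audit lines are incomplete, and which categories sit with a provider outside the EEA). Every category, period, date and reference below is constructed for the illustration; archival material is marked with no retention period, reflecting the slide 2 point that original archive material is not weeded.

```python
"""Information audit register with retention and transfer checks.
Added example; categories, periods and records are constructed, not real."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DataCategory:
    """One line of the information audit: what you hold, why, where, for how long."""
    name: str
    purpose: str
    lawful_basis: str                  # eg consent, contract, legitimate interests
    form: str                          # paper, spreadsheet, online service...
    location: str
    shared_with: tuple[str, ...] = ()
    stored_outside_eea: bool = False   # the slide 9 'unwitting transfer' question
    retain_days: int | None = None     # None = archival material, not weeded


@dataclass(frozen=True)
class Record:
    reference: str
    category: str
    created: date


# Constructed register for a hypothetical community archive.
REGISTER = {c.name: c for c in [
    DataCategory("event-bookings", "run talks and open days", "contract",
                 "spreadsheet", "office PC", retain_days=365),
    DataCategory("volunteer-contacts", "rota and emergency contact", "legitimate interests",
                 "paper + spreadsheet", "locked cabinet / office PC", retain_days=730),
    DataCategory("newsletter-list", "send monthly newsletter", "consent",
                 "mailing-list service", "third-party SaaS",
                 shared_with=("mailing-list provider",), stored_outside_eea=True,
                 retain_days=1095),
    DataCategory("parish-minutes", "archival collection", "archiving in the public interest",
                 "paper", "strongroom", retain_days=None),
]}

# Constructed records; the references are invented.
SAMPLE_RECORDS = [
    Record("BK-2016-014", "event-bookings", date(2016, 3, 1)),
    Record("BK-2018-002", "event-bookings", date(2018, 1, 10)),
    Record("VOL-0007", "volunteer-contacts", date(2015, 6, 1)),
    Record("PM-1950-01", "parish-minutes", date(1950, 4, 12)),
]


def retention_status(record: Record, today: date) -> str:
    """'keep', 'delete', or 'archive-exempt' for archival material with no period."""
    cat = REGISTER[record.category]
    if cat.retain_days is None:
        return "archive-exempt"
    expires = record.created + timedelta(days=cat.retain_days)
    return "keep" if today < expires else "delete"


def due_for_deletion(records: list[Record], today: date) -> list[str]:
    """References of operational records whose retention period has run out."""
    return [r.reference for r in records if retention_status(r, today) == "delete"]


def register_gaps(register: dict[str, DataCategory]) -> list[str]:
    """Audit lines that cannot be shown to trustees yet: no purpose or lawful basis."""
    return [name for name, c in register.items() if not c.purpose or not c.lawful_basis]


def international_transfers(register: dict[str, DataCategory]) -> list[str]:
    """Categories held by a provider outside the EEA, to check against its privacy statement."""
    return [name for name, c in register.items() if c.stored_outside_eea]


if __name__ == "__main__":
    today = date(2018, 5, 25)   # constructed 'as of' date for the review
    print("delete:", due_for_deletion(SAMPLE_RECORDS, today))
    print("incomplete audit lines:", register_gaps(REGISTER))
    print("outside EEA:", international_transfers(REGISTER))
```

Keeping the register as data rather than a paragraph in a policy document is what makes the slide 11 steps repeatable: the deletion run, the gap check and the transfer list can be re-run every year from the same file.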
13. Three common queries from community archives
1. Do we need to get in touch with all our members/website contributors to get their consent to keep their contact details on record?
2. What do we do about the details of dead or living people that we hold in our archive? For example, in minutes of parish meetings?
3. If somebody sends us a research request, does that person need to give consent to us using their personal details in order to reply?
14. Further Reading
• ARA advocacy papers to date (hand-outs)
• European Data Protection Supervisor’s blog: dry, but… https://secure.edps.europa.eu/EDPSWEB/edps/lang/de/EDPS/Publications/Blog_1
• The Guardian’s ‘51 Useful Data Protection Resources’: https://digitalguardian.com/blog/51-useful-data-protection-resources-blogs-videos-guides-infographics-tools-more
• ICO (UK) blog and ICO guidance notes: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/?facet_type=Blog&facet_date=&date_from=&date_to=
Editor's Notes
It wasn’t ‘more people through the door’ (though it could be that)