This document provides an overview of the General Data Protection Regulation (GDPR) and outlines steps organizations need to take to comply with it. Some key points:
- GDPR gives individuals more control over their personal data and strengthens data protection. It takes effect in May 2018.
- Organizations must inventory all personal data held, ensure a lawful basis for processing, and obtain explicit consent when needed. Individuals have rights such as access, rectification and erasure of their data.
- Consent must be freely given, specific, informed and unambiguous. Forms requesting consent must meet the new standards.
- Organizations should review data security, staff training, and response procedures for individual rights requests and data breaches.
GDPR: the Imo guide (draft 2)
Imo’s common sense guide to GDPR
How to use this document
This is an accumulation of information from different sources (see references at the end), and some advice (such as the age of consent for data protection in Ireland) may change before the GDPR law comes into effect in May 2018.
Of course you should consult an appropriate professional such as a lawyer rather than relying on this document. It has been created by someone who is just a small business owner who has dealt with the practical effects of data protection regulation for 25 years and has simply read the publicly available material for the UK and Ireland… but if you don’t have time or funds, then it might help!
What is GDPR?
The new EU general data protection law coming into force in May 2018. It gives more rights to individuals, which will mean charities, clubs and small businesses need to review their procedures and make some changes. However, it’s not actually that big a change compared to the data protection you should already be performing. Which you probably aren’t.
GDPR gives the following rights to individuals:
• The right to be informed that data is held on them.
• The right of access to data held, free of charge, without delay and within one month.
• The right to rectification of information held.
• The right to erasure of information held on them.
• The right to restrict processing of their information.
• The right to data portability (i.e. to obtain their own information and take it “away”).
• The right to object.
• Rights in relation to automated decision making and profiling.
What sort of thing will GDPR mean in practice?
Some practical examples of why you need to plan this
• If you send out an email to a group of people, do not put all the email
addresses into the cc: field. Use the bcc (blind copy) field to enter in the list of
emails, unless you can show that all those people have given you explicit
consent to reveal their email addresses to all the other people.
• Data has to be kept safe. Is yours backed up, encrypted? Do you have those
details listed somewhere in a data security policy or procedure? Is one of
your backups held offsite in case of fire, theft or flood?
• Is there a data privacy policy on your website? And a cookies agreement?
2. • Do you have a form for new customers or users? It must request explicit
consent for their data to be held, explain what it’s held for, who by and for
how long, and who people contact if they don’t agree.
• Do you ever text customers notifications or reminders? You must inform
customers or users that you are going to do this, and give an opt-out option
whenever you use it.
• If your premises were broken into and a computer stolen that holds personal
data, you would need to inform the data protection commissioner within 72
hours unless it is anonymized OR encrypted. Do you know what’s on each
computer, and whether it’s encrypted?
• If you receive a request from a data subject who wants to get a copy of all the
data you hold on them and then have it deleted, could you do this within 30
days and free of charge? How would you be sure you’d found all their data?
That’s the law from May.
• What do you know about your Internet security? Do you have a firewall and
malware protection? Is access to data protected, e.g. by password-protected accounts?
• How can you be sure all your staff are using strong computer passwords?
• If you sell or pass on an old computer no longer in use, what is your
procedure to ensure there is no personal data accessible from that computer
in future?
• Do you use Paypal to receive payments? This company has restrictive data
policies as part of its terms and conditions that imply customer information
may be passed to third parties in a jurisdiction beyond the EU in a way which
may not comply with GDPR.
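The first bullet above, the cc: versus bcc: mistake, is the one item on this list that a script can check before the damage is done. This is an added example, not code from the page: it builds a group mailing the wrong way (everyone in Cc:) and the right way (the list kept only in the SMTP envelope, which is what smtplib's `send_message(msg, from_addr=..., to_addrs=...)` uses), and `leaked_recipients` inspects the headers so a sending script can refuse to go out if any member address is visible. The member list and sender are constructed sample values.

```python
from email.message import EmailMessage
from email.utils import getaddresses


def build_cc_message(sender, recipients, subject, body):
    """The pattern the checklist warns against: every recipient sees every
    other address because the whole list sits in the Cc: header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    # Envelope recipients are simply everyone named in the headers.
    return msg, list(recipients)


def build_bcc_message(sender, recipients, subject, body):
    """Group mailing where the list travels only in the SMTP envelope.

    Nothing about the other recipients is written into the headers: To: points
    back at the sender and there is no Cc:/Bcc: header at all. The returned
    envelope list is what you hand to smtplib's
    SMTP.send_message(msg, from_addr=sender, to_addrs=envelope).
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = sorted({r.strip().lower() for r in recipients})
    return msg, envelope


def leaked_recipients(msg, recipients):
    """Return every recipient address visible in msg's address headers.

    Run this before sending: for a correctly built group mailing it is empty.
    """
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    visible = {addr.lower() for _, addr in getaddresses(headers)}
    return sorted(r.strip().lower() for r in recipients
                  if r.strip().lower() in visible)


# Constructed sample data, not taken from the page.
MEMBERS = ["alice@example.org", "bob@example.org", "carol@example.org"]
SENDER = "secretary@club.example"

if __name__ == "__main__":
    bad_msg, _ = build_cc_message(SENDER, MEMBERS, "AGM", "See you Tuesday.")
    good_msg, envelope = build_bcc_message(SENDER, MEMBERS, "AGM", "See you Tuesday.")
    print("cc version leaks:", leaked_recipients(bad_msg, MEMBERS))
    print("bcc version leaks:", leaked_recipients(good_msg, MEMBERS))
    print("envelope recipients:", envelope)
```

The check belongs in whatever script or mail-merge step actually sends: if `leaked_recipients` returns anything, abort rather than send, because once the message has left there is no way to recall the addresses.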
Where do you start?
The 12 steps to be taken which must be started in May 2018:
• Awareness
• Information you hold
• Communicate privacy information
• Individuals rights
• Subject Access Requests
• Lawful basis for processing personal data
• Consent
• Children
• Data Breaches
• Privacy by design and Data Protection Impact Assessments (DPIA)
• Data protection officers
• International
1. Awareness
The law is changing in May 2018 – you need to tell all key people in your
organization and make everyone aware how you plan to make your organization
compliant.
2. Inventory of information you hold
Make a list of all the personal data held. Donors, staff, volunteers, members,
customers, users, suppliers, marketing lists, accident book, employment contracts,
Garda vetting, HR records?
• Where did the data come from? Make a list.
• Who do you share it with? Make a list.
• Is it really needed? No? Delete it.
• Is it relevant? If you’re a sports club you may need to know if a member has
asthma but not their PPS number.
• Is it more than two years old? How do you know?
• How do you know you have permission to hold it?
• Is any of the data sensitive eg health-related? Extra rules may apply.
[Sensitive data means issues like ethnic background or religion or criminal
convictions or health. Non-sensitive data means eg Name, address, PPSN.]
• Is any of the data from underage subjects? How are you verifying ages and
obtaining consent from a parent or guardian when necessary?
• Have you informed them in easy, clear language of the legal basis for
processing their data, the data retention periods and how to object? E.g. it may
be that they gave consent in the past 2 years. Or it could be that you have a
commercial relationship such as invoicing where consent is assumed.
3. Communicating permission and consent – privacy information
So now you’ve probably realized a lot of your data is out of date, you don’t know
how you got permission to use it and you can’t show that individuals consented. You
have to be able to show how consent was given.
This probably means you need to re-permission all the people on your texting
list, for example, before May 25 2018.
There are important changes to consent with GDPR.
DP Directive (old) definition:
“any freely given specific and informed indication of his wishes by which the data
subject signifies his agreement to personal data relating to him being processed”
GDPR (new) definition:
“any freely given, specific, informed and unambiguous indication of the data
subject's wishes by which he or she, by a statement or by a clear affirmative action,
signifies agreement to the processing of personal data relating to him or her”
In practice, how you request consent (your forms, whether paper or online) now has
to meet these points:
• Name your organisation and any third parties who will rely on the consent –
consent for categories of third-party organisations will not be specific enough.
• Explain why you want the data (the purposes of the processing).
• Explain what you will do with the data (the processing activities).
• Make the request for consent prominent and separate from your terms and
conditions.
• Ask people to positively opt in – don’t use pre-ticked boxes, or any other type
of consent by default.
• If it’s for more than one purpose, offer more than one opt-in (granularity).
• Let people know they can withdraw their consent at any time without
detriment, and how. It must be as easy to withdraw consent as it was to
give it.
• Don’t make consent a precondition of a service.
• Where children are involved, verify age and get parental consent as needed.
Parental consent is necessary for the processing of a child’s data where the
child is under 16 years old. Ireland may choose to lower this age, but not
below 13 years old.
• Keep a dated record of how you received consent and what the person was
told at the time.
• Clearly inform them of the complaints channel open to anybody unhappy
with how their data has been processed.
• It’s good practice to let people know how long their data will be held for.
WRONG…
Company A provides the following information to individuals:
“Email address (optional): We will use this to send you emails about our products
and special offers.”
Company A keeps a spreadsheet with ‘consent provided’ against a customer’s name.
They keep the time and date of consent linked to an IP address, with a web link to
the current data-capture form and privacy policy.
RIGHT…
Company B uses the following statement instead:
“I consent to receive emails about your products and special offers”
If the individual ticks the box, they will have explicitly consented to the processing.
Company B keeps a copy of the customer’s signed and dated form that shows they
ticked the box to give their consent to the specific processing.
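What separates Company A from Company B is the evidence kept: the date, the exact wording shown, which version of the form it was, how it was captured, and one record per purpose. The following is an added example (not code from the page) of a consent register that stores exactly that, refuses anything that is not a positive opt-in, makes withdrawal a single call, and flags active consents older than two years for re-permissioning. The two-year review age is an assumption taken from the inventory question "Is it more than two years old?" earlier on the page; names, purposes and the IP address are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumption for this example: active consents older than this are flagged for
# re-permissioning, mirroring the "more than two years old?" inventory question.
REVIEW_AGE = timedelta(days=2 * 365)


@dataclass
class ConsentRecord:
    subject: str          # who consented (e.g. email address or member id)
    purpose: str          # one specific purpose per record (granularity)
    granted_at: datetime  # UTC timestamp of the affirmative action
    wording: str          # the exact statement the person saw
    form_version: str     # which version of the form / privacy notice
    source: str           # how it was captured, e.g. "web form from 203.0.113.7"
    withdrawn_at: Optional[datetime] = None


class ConsentRegister:
    def __init__(self):
        self._records: List[ConsentRecord] = []

    def record(self, subject, purpose, opted_in, wording, form_version, source, when=None):
        """Store consent only for a clear affirmative action.

        A pre-ticked box or a missing value arrives here as False/None and is
        refused, so "consent by default" can never enter the register.
        """
        if opted_in is not True:
            raise ValueError("consent requires a positive opt-in; nothing recorded")
        rec = ConsentRecord(subject, purpose, when or datetime.now(timezone.utc),
                            wording, form_version, source)
        self._records.append(rec)
        return rec

    def withdraw(self, subject, purpose, when=None):
        """Withdrawal must be as easy as giving consent: one call, no conditions."""
        when = when or datetime.now(timezone.utc)
        count = 0
        for rec in self._records:
            if rec.subject == subject and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = when
                count += 1
        return count

    def has_consent(self, subject, purpose, at=None):
        """True only if an unwithdrawn record exists for exactly this purpose."""
        at = at or datetime.now(timezone.utc)
        return any(rec.subject == subject and rec.purpose == purpose
                   and rec.granted_at <= at
                   and (rec.withdrawn_at is None or rec.withdrawn_at > at)
                   for rec in self._records)

    def evidence(self, subject, purpose):
        """What you would show a regulator: date, wording, form version, source."""
        return [rec for rec in self._records
                if rec.subject == subject and rec.purpose == purpose]

    def due_for_review(self, at=None):
        """Active consents older than REVIEW_AGE: candidates for re-permissioning."""
        at = at or datetime.now(timezone.utc)
        return [rec for rec in self._records
                if rec.withdrawn_at is None and at - rec.granted_at > REVIEW_AGE]


if __name__ == "__main__":
    # Constructed sample: a web-form opt-in captured on 25 May 2018.
    reg = ConsentRegister()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    reg.record("alice@example.org", "product emails", True,
               "I consent to receive emails about your products",
               "form-v2", "web form from 203.0.113.7 (constructed)", when=t0)
    print(reg.has_consent("alice@example.org", "product emails", at=t0 + timedelta(days=1)))
    print(reg.has_consent("alice@example.org", "special offers", at=t0 + timedelta(days=1)))
    for rec in reg.evidence("alice@example.org", "product emails"):
        print(rec)
```

Note the separate purposes: consent for "product emails" says nothing about "special offers", which is the granularity point in the list above. A paper form is recorded the same way, with `source` describing the signed document rather than an IP address.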
5. Subject Access and security (timescale one month)
• Who currently has access to what data, and under what conditions? How are
you limiting access? Lock and key, password?
• Is the existing data held securely?
• Do you share it with anyone for any reason?
• Is it used only for the purposes that it was originally collected for?
• Where is it held (Cloud? Hard drive?)
• Is it encrypted?
• Is it backed up and is there an offsite backup?
• Who can get access to your internal computer network? What defences
against unauthorized access are in place?
The only changes here are that it needs to be quicker (30 days) and free. There must be
systems in place to remove data, deal with complaints and correct any errors that
arise. Where a request is deemed manifestly unfounded or excessive, it can be
refused. However, organisations need to have clear refusal policies and procedures
in place, and must be able to demonstrate why the request meets these criteria.
1. Appoint a Co-ordinator who will be responsible for the response to the
access request. A description of the functions and responsibilities of the
Co-ordinator should be circulated within the organisation and staff should be
advised of the necessity for co-operation with the Co-ordinator. If the
organization is a public sector organization and subject to the Freedom of
Information Acts, there should be co-ordination between the FOI and DP
processes.
2. All subject access matters should be submitted to the Co-ordinator.
3. Check the validity of the access request.
4. Check that sufficient material has been supplied to definitively identify the
individual. This is most important. You should set down criteria on what is
sufficient to prove identity for your organisation. This may be the signature,
an ID number in combination with name and address or date of birth. It
should not be possible for a third party to provide the material to lodge a
false access request.
5. Check that sufficient information to locate the data has been supplied. If it is
not clear what kind of data is being requested you should ask the data subject
for more information. This could involve identifying the databases, locations
or files to be searched or giving a description of the interactions the
individual has had with the organisation.
6. Log the date of receipt of the valid request.
7. Keep note of all steps taken to locate and collate data – if different divisions
of the organisation are involved, have the steps "signed off" by the
appropriate person.
8. Check each item of data to establish if any of the modifications in respect of
health or social work data (section 4(8)) or any of the restrictions on access
provided by section 5 apply.
9. If data relating to a third party is involved, do not disclose without the
consent of the third party or anonymise such data if this would conceal the
identity of the third party. An opinion given by a third party may be disclosed
unless it is an opinion which was given in confidence on the clear
understanding that it would be treated as confidential.
10. Monitor the process of responding to the request, observing the time limit of 30
days.
11. Supply the data in an intelligible form (include an explanation of terms if
necessary). Also provide description of purposes, disclosees and source of
data (unless revealing the source would be contrary to the public interest).
Number the documents supplied. Have the response "signed-off" by an
appropriate person.
12. Regularly review your procedures and processes.
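Steps 2, 6, 7, 10 and 11 above are record-keeping, and the easiest way to miss the time limit is to have no single place where receipt dates and deadlines live. The following is an added example (not the page's own material) of a small register the Co-ordinator could keep: a request is only logged once identity and scope are established (steps 3 to 5), each search step is recorded with a sign-off (step 7), the deadline is computed from the receipt date, and `overdue` and `due_within` give the daily check for step 10. It uses the 30-day limit step 10 names (the right of access itself says "within one month"); the references, names and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Step 10 above monitors a 30-day limit; the right of access says "within one
# month". This example uses the 30 days the procedure names.
DEADLINE_DAYS = 30


@dataclass
class SubjectAccessRequest:
    ref: str
    subject: str
    received: date                 # step 6: date of receipt of the valid request
    scope: str                     # step 5: which systems/files are to be searched
    steps: List[str] = field(default_factory=list)   # step 7: signed-off audit trail
    responded: Optional[date] = None
    refusal_reason: Optional[str] = None

    @property
    def deadline(self) -> date:
        return self.received + timedelta(days=DEADLINE_DAYS)

    def days_left(self, today: date) -> int:
        return (self.deadline - today).days

    def is_open(self) -> bool:
        return self.responded is None and self.refusal_reason is None

    def is_overdue(self, today: date) -> bool:
        return self.is_open() and today > self.deadline


class SarRegister:
    """The Co-ordinator's single log of access requests (step 2)."""

    def __init__(self):
        self._requests: Dict[str, SubjectAccessRequest] = {}

    def log(self, ref, subject, received, identity_verified, scope):
        # Steps 3-5: only a valid request, with identity and scope established, is logged.
        if not identity_verified:
            raise ValueError(f"{ref}: identity not established, request not yet valid")
        if not scope.strip():
            raise ValueError(f"{ref}: ask the subject what data is sought before logging")
        if ref in self._requests:
            raise ValueError(f"{ref}: duplicate reference")
        req = SubjectAccessRequest(ref, subject, received, scope)
        self._requests[ref] = req
        return req

    def note_step(self, ref, text, signed_off_by):
        # Step 7: every search and collation step is recorded and signed off.
        self._requests[ref].steps.append(f"{text} (signed off by {signed_off_by})")

    def respond(self, ref, on, signed_off_by):
        # Step 11: the response goes out signed off by an appropriate person.
        req = self._requests[ref]
        req.responded = on
        req.steps.append(f"response issued (signed off by {signed_off_by})")
        return req

    def refuse(self, ref, reason):
        # A manifestly unfounded or excessive request may be refused; record why.
        req = self._requests[ref]
        req.refusal_reason = reason
        return req

    def overdue(self, today):
        # Step 10: the daily check.
        return sorted(r.ref for r in self._requests.values() if r.is_overdue(today))

    def due_within(self, today, days):
        return sorted(r.ref for r in self._requests.values()
                      if r.is_open() and 0 <= r.days_left(today) <= days)


if __name__ == "__main__":
    # Constructed sample: one request received on 1 June 2018.
    reg = SarRegister()
    req = reg.log("SAR-001", "alice", date(2018, 6, 1), True,
                  "membership database, email archive")
    reg.note_step("SAR-001", "searched membership database", "office manager")
    print("deadline:", req.deadline, "days left on 11 June:", req.days_left(date(2018, 6, 11)))
    print("due within 7 days of 25 June:", reg.due_within(date(2018, 6, 25), 7))
    print("overdue on 2 July:", reg.overdue(date(2018, 7, 2)))
```

The `steps` list is what step 7 asks for: when several divisions are involved, each one's search is a separate entry with its own sign-off, so the file shows how you were sure you had found all the subject's data.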
6. Lawful basis for processing personal data
Under GDPR, consent is not the only legal basis for holding data though it is the most
common. In all cases holding the data must be shown to be necessary. Other legal
bases include:
• Contract - e.g. if a car insurer needed your make and model of car to give a
quotation.
• Legal obligation - to comply with a common law or statutory obligation.
• Vital interests - to protect a life.
• Public task - in the exercise of official authority or for a task in the public
interest set out in law.
• Legitimate interests - commercial, individual or broader societal interests,
balanced against the individual's interests.
• Special category data - e.g. health.
• Criminal offence data - must have a lawful basis.
7, 8 and 9. Consent, children and data breaches
The best way to handle these elements is by having and implementing a data
protection privacy policy.
Data protection privacy policy
A Privacy Policy documents an organisation’s application of the eight data
protection principles to the manner in which it processes data organisation-wide.
The policy applies to all personal data processed by the organisation, including
customer data, third party data and employee data.
Draw up policies and procedures to cover:
• Dealing with data breaches
• Requests for data access (eg recording the date that the request is received)
• Requests for data correction
• Requests to have information erased
• Requests to prevent direct marketing contacts
• How you decided you didn’t need to appoint a Data Protection Officer (not
usually necessary, but you should specify who in your organization handles
data protection queries).
• Specify retention periods for different types of data held.
• Specify whether any data is being exported to third countries (example: use
of Paypal to receive payments).
• Specify the period for auditing checks and reviews of the policy.
• Review any other existing policies and procedures that may be impacted by
GDPR such as HR, Health and Safety, employment contracts, fundraising,
financial records, Garda vetting, children and vulnerable adults.
• Consider the eight data protection rules in the following section.
• Record how people in your organization have been made aware of the data
protection policy, and of how they may get involved with reviews or changes
to the policies and procedures.
The eight data protection rules (from the previous legislation)
Keep an eye out for any updates to these eight rules on the GDPR sites…
Rule 1: Fair obtaining:
At the time when we collect information about individuals, are they made aware of
the uses for that information?
Are people made aware of any disclosures of their data to third parties?
Have we obtained people's consent for any secondary uses of their personal data
which might not be obvious to them?
Can we describe our data-collection practices as open, transparent and up-front?
Rule 2: Purpose specification
Are we clear about the purpose (or purposes) for which we keep personal
information?
Are the individuals on our database also clear about this purpose?
If we are required to register with the Data Protection Commissioner, does our
register entry include a proper, comprehensive statement of our purpose?
[Remember, if you are using personal data for a purpose not listed on your register
entry, you may be committing an offence.]
Has responsibility been assigned for maintaining a list of all data sets and the
purpose associated with each?
Rule 3: Use and disclosure of information
Are there defined rules about the use and disclosure of information?
Are all staff aware of these rules?
Are the individuals aware of the uses and disclosures of their personal data? Would
they be surprised if they learned about them? Consider whether the consent of the
individuals should be obtained for these uses and disclosures.
If we are required to register with the Data Protection Commissioner, does our
register entry include a full list of persons to whom we may need to disclose
10. Privacy by design and Data Protection Impact Assessments (DPIA)
Under the Regulation, businesses will be obliged to conduct Data Protection Impact
Assessments (“DPIA”) where the processing, particularly where it uses any new
technologies, “is likely to result in a high risk” for the rights of individuals, having
regard to the “nature, scope, context and purposes of the processing”.
So DPIA does not apply to most data operations unless you are handling sensitive
information. If you do handle such information, get specialist advice!
11. Data protection officers (DPO)
DPO appointment will be mandatory only for those controllers and processors
whose core activities consist of processing operations which require regular and
systematic monitoring of data subjects on a large scale or of special categories of
data or data relating to criminal convictions and offences.
Again, this will not apply to most data operations but a named person within the
organization responsible for data protection is normal.
12. International
GDPR applies to non-EU bodies that offer goods or services to EU citizens. Non-EU
businesses processing the data of EU citizens will also have to appoint a
representative in the EU. If you are dealing with a complex international situation,
you need to get professional, specialist advice.
Checklist
• Inventory your data
• Record who has access (online and paper) to the data
• Check your data security – backups, online, network
• Figure out who you need to “repermission” regarding their data by May 2018
• Do you need to appoint a data protection officer? (Probably not.)
• Who is going to be responsible for data protection in the organization?
• Revise direct marketing procedures
• Revise website privacy and cookies policy
• Revise your data protection procedures, including subject data access
requests
• Make everyone in the organization aware of the changes and how they can
contribute
• Keep checking for any changes coming up to May 2018 such as age for
parental consent where children are involved.
• Think about data protection implications in future when creating new
products, services or internal procedures.
Examples
Website privacy policy example
https://fortprivacy.ie/gdpr-privacynotices/
Article 13 requires that the privacy notice should include the following information:
• the identity and the contact details of the controller
• the contact details of the data protection officer
• the purposes and legal basis for the processing
• where the processing is based on legitimate interests, details of what these
are
• the recipients or categories of recipients of the personal data
• details of any transfer to a third country and details of the safeguards and the
means by which to obtain a copy of them or where they have been made
available
• the retention periods or the criteria used to determine that period
• details on rights of access to and rectification/deletion of personal data,
the right to object to processing and the right to data portability
• if processing is based on consent, the right to withdraw consent
• the right to lodge a complaint with the supervisory authority
• details on whether the data subject is obliged to provide the personal data
and the consequences of failure to provide it
• details of any automated decision making, including details of the logic used
and potential consequences for the individual
Website privacy policy and cookies template
https://www.nibusinessinfo.co.uk/content/sample-privacy-policy
This privacy policy sets out how [business name] uses and protects any information
that you give [business name] when you use this website.
[business name] is committed to ensuring that your privacy is protected. Should we
ask you to provide certain information by which you can be identified when using
this website, then you can be assured that it will only be used in accordance with
this privacy statement.
[business name] may change this policy from time to time by updating this page.
You should check this page from time to time to ensure that you are happy with any
changes. This policy is effective from [date].
What we collect
We may collect the following information:
• name and job title
• contact information including email address
• demographic information such as postcode, preferences and interests
• other information relevant to customer surveys and/or offers
What we do with the information we gather
We require this information to understand your needs and provide you with a
better service, and in particular for the following reasons: