This document provides an overview of the key aspects of the General Data Protection Regulation (GDPR) that will take effect in May 2018 and practical steps organizations should take to comply. It notes that GDPR strengthens individuals' data privacy rights and outlines rights like access, erasure, and consent. The document advises creating an inventory of personal data held, reviewing data security and access controls, and obtaining renewed explicit consent from individuals. It also covers topics like direct marketing, data sharing, record keeping, and legal bases for processing data other than consent. The overall message is that organizations need to review their data practices and put new procedures in place to comply with GDPR's strengthened privacy requirements.

1. Imo’s common sense guide to GDPR
How to use this document
This is an accumulation of information from different sources (see references at
end), and some advice (such as the age of consent for data protection in Ireland)
may change before the GDPR law comes into effect in May 2018.
Of course you should consult an appropriate professional such as a lawyer rather
than relying on this document. This one’s been created by someone who is just a
small business owner that’s dealt with the practical effects of data protection
regulation for 25 years and has simply read the publicly available material for the
UK and Ireland… but if you don’t have time or funds, then it may help!
What is GDPR?
The new EU general data protection law coming into force in May 2018. It gives
more rights to individuals which will mean charities, clubs and small businesses
need to review their procedures and make some changes. However, it’s not
actually that big a change compared to the data protection you should already
be performing. Which you probably aren’t.
GDPR gives the following rights to individuals:
• The right to be informed that data is held on them.
• The right of access to data held, free of charge, without delay and within one
month.
• The right to rectification of information held.
• The right to erasure of information held on them.
• The right to restrict processing of their information.
• The right to data portability (ie to obtain their own information and take it
“away”).
• The right to object
• Rights in relation to automated decision making and profiling.
What sort of thing will GDPR mean in practice?
Some practical examples of why you need to plan this
• If you send out an email to a group of people, do not put all the email
addresses into the cc: field. Use the bcc (blind copy) field to enter in the list of
emails, unless you can show that all those people have given you explicit
consent to reveal their email addresses to all the other people.
• Data has to be kept safe. Is yours backed up, encrypted? Do you have those
details listed somewhere in a data security policy or procedure? Is one of
your backups held offsite in case of fire, theft or flood?
• Is there a data privacy policy on your website? And a cookies agreement?

2. • Do you have a form for new customers or users? It must request explicit
consent for their data to be held, explain what it’s held for, who by and for
how long, and who people contact if they don’t agree.
• Do you ever text customers notifications or reminders? You must inform
customers or users that you are going to do this, and give an opt-out option
whenever you use it.
• If your premises were broken into and a computer stolen that holds personal
data, you would need to inform the data protection commissioner within 72
hours unless it is anonymized OR encrypted. Do you know what’s on each
computer, and whether it’s encrypted?
• If you receive a request from a data subject who wants to get a copy of all the
data you hold on them and then have it deleted, could you do this within 30
days and free of charge? How would you be sure you’d found all their data?
That’s the law from May.
• What do you know about your Internet security? Do you have a firewall and
malware protection? Is access to data protected eg by passworded accounts?
• How can you be sure all your staff are using strong computer passwords?
• If you sell or pass on an old computer no longer in use, what is your
procedure to ensure there is no personal data accessible from that computer
in future?
• Do you use Paypal to receive payments? This company has restrictive data
policies as part of its terms and conditions that imply customer information
may be passed to third parties in a jurisdiction beyond the EU in a way which
may not comply with GDPR.
Where do you start?
Inventory
Make a list of all the personal data held. Donors, staff, volunteers, members,
customers, users, suppliers, marketing lists, accident book, employment contracts,
Garda vetting, HR records?
• Where did the data come from? Make a list.
• Who do you share it with? Make a list.
• Is it really needed? No? Delete it.
• Is it relevant? If you’re a sports club you may need to know if a member has
asthma but not their PPS number.
• Is it more than two years old? How do you know?
• How do you know you have permission to hold it?
• Is any of the data sensitive eg health-related? Extra rules may apply.
• Is any of the date from underage subjects? How are you verifying ages and
obtaining consent from a parent or guardian when necessary?

3. Access and security
• Who currently has access and under what conditions? How are you limiting
access? Lock and key, password?
• Is the existing data held securely?
• Do you share it with anyone for any reason?
• Is it used only for the purposes that it was originally collected for?
• Where is it held (Cloud? Hard drive?)
• Is it encrypted?
• Is it backed up and is there an offsite backup?
• Who can get access to your internal computer network? What defences
against unauthorized access are in place?
Permission and consent
So now you’ve probably realized a lot of your data is out of date, you don’t know
how you got permission to use it and you can’t show that individuals consented.
This probably means you need to re-permission all the people on your texting
list, for example, before May 2018.
There are important changes to consent with GDPR.
DP Directive (old) definition:
“any freely given specific and informed indication of his wishes by which the data
subject signifies his agreement to personal data relating to him being processed”
GDPR (new) definition:
“any freely given, specific, informed and unambiguous indication of the data
subject's wishes by which he or she, by a statement or by a clear affirmative action,
signifies agreement to the processing of personal data relating to him or her”
In practice, how you request consent (your forms, whether paper or online) now has
to meet these points:
• the name of your organisation and the names of any third parties who will
rely on the consent – consent for categories of third-party organisations will
not be specific enough;
• Why you want the data (the purposes of the processing);
• What you will do with the data (the processing activities); and
• Make the request for consent prominent and separate from your terms and
conditions.
• Explain why you want the data (the purposes of the processing)
• Ask people to positively opt in – don’t use pre-ticked boxes, or any other type
of consent by default.
• If it’s for more than one purpose offer more than one opt-in (granularity).

4. • Let people know they can withdraw their consent at any time without
detriment, and how. It must also be as easy to withdraw consent as it was to
give it.
• Don’t make consent a precondition of a service.
• Where children are involved, verify age and get parental consent as needed.
• Keep a dated record of how you received consent and what the person was
told at the time.
• Clearly inform them of the complaints channel open to anybody unhappy
with how their data has been processed.
• It’s good practice to let people know how long their data will be held for.
WRONG…
Company A provides the following information to individuals:
“Email address (optional):
“We will use this to send you emails about our products and special offers.”
Company A keeps a spreadsheet with ‘consent provided’ against a customer’s name.
They keep the time and date of consent linked to an IP address, with a web link to
your current data-capture form and privacy policy
RIGHT…
Company B uses the following statement instead:
I consent to receive emails about your products and special offers
If the individual ticks the box, they will have explicitly consented to the processing.
They keep a copy of the customer’s signed and dated form that shows they ticked to
provide their consent to the specific processing.
They keep records that include an ID and the data submitted online together with a
timestamp. You also keep a copy of the version of the data-capture form and any
other relevant documents in use at that date.
Under GDPR, consent is not the only legal basis for holding data though it is the most
common. In all cases holding the data must be shown to be necessary. Other legal
bases include:
• Contract - eg if a car insurer needed your make and model of car to give a
quotation.
• Legal obligation - to comply with common law or statutory obligation
• Vital interests - to protect a life
• Public task - in the exercise of official authority or for a task in the public
interest set uot in law
• Legitimate interests - commercia, individual or broader societal interests
balancing the individual's interests
• Special category data - eg health
• Criminal offence data - must have a lawful basis

5. Direct marketing
Some of this is not new to GDPR, but as a lot of people aren’t aware…
https://www.dataprotection.ie/docs/DIRECT_MARKETING_–
%20_A_GENERAL_GUIDE_FOR_DATA_CONTROLLERS/905.htm
Where you have obtained contact details in the context of the sale of a product or
service, you may only use these details for direct marketing by electronic mail if the
following conditions are met:
• the product or service you are marketing is of a kind similar to that which
you sold to the customer at the time you obtained their contact details
• At the time you collected the details, you gave the customer the opportunity
to object, in an easy manner and without charge, to their use for marketing
purposes
• Each time you send a marketing message, you give the customer the right to
object to receipt of further messages
• The sale of the product or service occurred not more than twelve months
prior to the sending of the electronic marketing communication or, where
applicable, the contact details were used for the sending of an electronic
marketing communication in that twelve month period.
NOTE: In relation to 4 above, if the subscriber fails to unsubscribe using the cost free
means provided to them by the direct marketer, they will be deemed to have
remained opted-in to the receipt of such electronic mail for a twelve month period
from the date of issue to them of the most recent marketing electronic mail.
Website privacy policy
https://fortprivacy.ie/gdpr-privacynotices/
Article 13 requires that the privacy notice should include the following information:
• the identity and the contact details of the controller
• the contact details of the data protection officer
• the purposes and legal basis for the processing
• where the processing is based on legitimate interests, details of what these
are
• the recipients or categories of recipients of the personal data
• details of any transfer to a third country and details of the safeguards and the
means by which to obtain a copy of them or where they have been made
available
• the retention periods or the criteria used to determine that period
• details on rights of access to and rectification/deletion of personal data.
Rights to object to processing and the right to data portability
• if processing is based on consent, the right to withdraw consent
• the right to lodge a complaint with the supervisory authority
• details on whether the data subject is obliged to provide the personal data
and the consequences of failure to provide it

6. • details of any automated decision making, including details of the logic used
and potential consequences for the individual
Website privacy policy and cookies template
https://www.nibusinessinfo.co.uk/content/sample-privacy-policy
This privacy policy sets out how [business name] uses and protects any information
that you give [business name] when you use this website.
[business name] is committed to ensuring that your privacy is protected. Should we
ask you to provide certain information by which you can be identified when using
this website, then you can be assured that it will only be used in accordance with
this privacy statement.
[business name] may change this policy from time to time by updating this page.
You should check this page from time to time to ensure that you are happy with any
changes. This policy is effective from [date].
What we collect
We may collect the following information:
name and job title
contact information including email address
demographic information such as postcode, preferences and interests
other information relevant to customer surveys and/or offers
What we do with the information we gather
We require this information to understand your needs and provide you with a
better service, and in particular for the following reasons:
Internal record keeping.
We may use the information to improve our products and services.
We may periodically send promotional emails about new products, special offers or
other information which we think you may find interesting using the email address
which you have provided.
From time to time, we may also use your information to contact you for market
research purposes. We may contact you by email, phone, fax or mail. We may use
the information to customise the website according to your interests.
Security
We are committed to ensuring that your information is secure. In order to prevent
unauthorised access or disclosure, we have put in place suitable physical, electronic
and managerial procedures to safeguard and secure the information we collect
online.
How we use cookies
A cookie is a small file which asks permission to be placed on your computer's hard
drive. Once you agree, the file is added and the cookie helps analyse web traffic or

7. lets you know when you visit a particular site. Cookies allow web applications to
respond to you as an individual. The web application can tailor its operations to
your needs, likes and dislikes by gathering and remembering information about
your preferences.
We use traffic log cookies to identify which pages are being used. This helps us
analyse data about webpage traffic and improve our website in order to tailor it to
customer needs. We only use this information for statistical analysis purposes and
then the data is removed from the system.
Overall, cookies help us provide you with a better website by enabling us to monitor
which pages you find useful and which you do not. A cookie in no way gives us
access to your computer or any information about you, other than the data you
choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically
accept cookies, but you can usually modify your browser setting to decline cookies if
you prefer. This may prevent you from taking full advantage of the website.
Links to other websites
Our website may contain links to other websites of interest. However, once you have
used these links to leave our site, you should note that we do not have any control
over that other website. Therefore, we cannot be responsible for the protection and
privacy of any information which you provide whilst visiting such sites and such
sites are not governed by this privacy statement. You should exercise caution and
look at the privacy statement applicable to the website in question.
Controlling your personal information
You may choose to restrict the collection or use of your personal information in the
following ways:
whenever you are asked to fill in a form on the website, look for the box that you can
click to indicate that you do not want the information to be used by anybody for
direct marketing purposes
if you have previously agreed to us using your personal information for direct
marketing purposes, you may change your mind at any time by writing to or
emailing us at [email address]
We will not sell, distribute or lease your personal information to third parties unless
we have your permission or are required by law to do so. We may use your personal
information to send you promotional information about third parties which we
think you may find interesting if you tell us that you wish this to happen.
You may request details of personal information which we hold about you under the
(insert name of GDPR law enacted in Ireland May 2018]. If you would like a copy of
the information held on you please contact [address].

8. If you believe that any information we are holding on you is incorrect or incomplete,
please write to or email us as soon as possible at the above address. We will
promptly correct any information found to be incorrect.
Another example to adapt
https://www.lawsociety.ie/About-this-Website/Privacy-Policy/
Privacy Policy
This statement relates to our privacy practices in connection with this website.
We are not responsible for the content or privacy practices of other websites. Any
external links to other websites are clearly identifiable as such. Some technical
terms used in this statement are explained at the end of this page.
General statement
The Law Society of Ireland fully respects your right to privacy, and will not collect or
publish any personal information about you through this website without your clear
permission. Any personal information which you volunteer to the Society will be
treated with the highest standards of security and confidentiality, strictly in
accordance with the Data Protection Acts, 1988 - 2003.
Collection and use of personal information
The Law Society of Ireland does not collect any personal data about you on this
website, apart from information which you volunteer (for example by e-mailing us,
by using our online feedback form or by making a credit card booking). Any
information which you provide in this way is not made available to any third parties,
and is used by the Law Society only in line with the purpose for which you provided
it.
Collection and use of technical information
This website uses temporary "session" cookies which enable a visitor’s web browser
to remember which pages on this website have already been visited. If you use the
'Remember me' option when logging in to the Law Society website, a cookie is
placed on your computer with an encrypted id to remember your credentials. No
other information is stored in this cookie. Visitors can use this website with no loss
of functionality if cookies are disabled from the web browser. Technical details in
connection with visits to this website are logged by our internet service provider for
our statistical purposes. No information is collected that could be used by us to
personally identify website visitors. The technical details logged are confined to the
following items:
the IP address of the visitor’s web server
the top-level domain name used (for example .ie, .com, .org, .net)
the previous website address from which the visitor reached us, including any
search terms used
Google analytics which shows the traffic of visitors around this web site (for
example pages accessed and documents downloaded)

9. the type of web browser and operating system used by the website visitor.
The Law Society of Ireland will make no attempt to identify individual visitors, or to
associate the technical details listed above with any individual. It is the policy of the
Law Society never to disclose such technical information in respect of individual
website visitors to any third party (apart from our internet service provider, which
records such data on our behalf and which is bound by confidentiality provisions in
this regard), unless obliged to disclose such information by law. The technical
information will be used only by the Law Society of Ireland, and only for statistical
and other administrative purposes. You should note that technical details, which we
cannot associate with any identifiable individual, do not constitute "personal data"
for the purposes of the Data Protection Acts, 1988 – 2003.
Complaints about data processed via the website
If you are concerned about how personal data is processed via this website, please
do not hesitate to bring such concerns to the Law Society by contacting us using the
appropriate details on our Contact Us page.
Third Party Websites
This privacy policy does not address, and we are not responsible for, the privacy,
information or other practices of any third parties, including any third party
operating any website to which this website contains a link. The inclusion of a link
on the website does not imply endorsement of the linked website by us.
Additionally, we may provide you with access to third-party functionality that
permits you to post content to your social media account(s). Please note that any
information that you provide through use of this functionality is governed by the
applicable third party’s privacy policy, and not by this privacy policy, and we do not
accept any responsibility or liability for these policies. Please check these policies
before you submit any personal data to these websites.
Glossary of technical terms used
Web browser: The piece of software you use to read web pages. Examples are
Google Chrome, Microsoft Internet Explorer, Firefox, Safari and Opera.
IP address: The identifying details for your computer, or your internet company’s
computer, expressed in "internet protocol" code (for example 192.168.72.34). Every
computer connected to the web has a unique IP address, although the address may
not be the same every time a connection is made.
Cookies: Small pieces of information, stored in simple text files, placed on your
computer by a web site. Cookies can be read by the web site on your subsequent
visits. The information stored in a cookie may relate to your browsing habits on the
web page, or a unique identification number so that the web site can "remember"
you on your return visit. Generally speaking, cookies do not contain personal
information from which you can be identified, unless you have furnished such
information to the web site.

10. Subject access requests
The only changes here are it needs to be quicker (30 days) and free. Thee must be
systems in place to remove data, deal with complaints and correct any errors that
arise. Where a request is deemed manifestly unfounded or excessive, it can be
refused. However, organisations need to have clear refusal policies and procedures
in place, and demonstrate why the request meets these criteria.
1. Appoint a Co-ordinator who will be responsible for the response to the access
request. A description of the functions and responsibilities of the Co-ordinator
should be circulated within the organisation and staff should be advised of the
necessity for co-operation with the Co-ordinator. If the organization is a public
sector organization and subject to the Freedom of Information Acts, there should be
co-ordination between the FOI and DP processes.
2. All subject access matters should be submitted to the Co-ordinator.
3. Check the validity of the access request.
4. Check that sufficient material has been supplied to definitively identify the
individual. This is most important. You should set down criteria on what is sufficient
to prove identity for your organisation. This may be the signature, an ID number in
combination with name and address or date of birth. It should not be possible for a
third party to provide the material to lodge a false access request.
5. Check that sufficient information to locate the data has been supplied. If it is not
clear what kind of data is being requested you should ask the data subject for more
information. This could involve identifying the databases, locations or files to be
searched or giving a description of the interactions the individual has had with the
organisation.
6. Log the date of receipt of the valid request.
7. Keep note of all steps taken to locate and collate data – if different divisions of the
organisation are involved, have the steps "signed off" by the appropriate person.
8. Check each item of data to establish if any of the modifications in respect of health
or social work data (section 4(8)) or any of the restrictions on access provided by
section 5 apply.
9. If data relating to a third party is involved, do not disclose without the consent of
the third party or anonymise such data if this would conceal the identity of the third
party. An opinion given by a third party may be disclosed unless it is an opinion
which was given in confidence on the clear understanding that it would be treated
as confidential.
10. Monitor process of responding to the request – observing time limit of 30 days.
11. Supply the data in an intelligible form (include an explanation of terms if
necessary). Also provide description of purposes, disclosees and source of data
(unless revealing the source would be contrary to the public interest). Number the
documents supplied. Have the response "signed-off" by an appropriate person.
12. Regularly review your procedures and processes.
Data protection privacy policy
A Privacy Policy documents an organisation’s application of the eight data
protection principles to the manner in which it processes data organisation-wide.

11. The policy applies to all personal data processed by the organisation, including
customer data, third party data and employee data.
Draw up policies and procedures to cover:
• Dealing with data breaches
• Requests for data access (eg recording the date that the request is received)
• Requests for data correction
• Requests to have information erased
• Requests to prevent direct marketing contacts
• How you decided you didn’t need to appoint a Data Protection Officer (not
usually necessary but you should specify who in your organization handles
data protection queries).
• Specify retention periods for different types of data held.
• Specify whether any data is being exported to third countries (example: use
of Paypal to receive payments).
• Specify the period for auditing checks and reviews of the policy.
• Review any other existing policites and procedures that may be impacted by
GDPR such as HR, Health and Safety, employment contracts, fundraising,
financial records, Garda vetting, children and vulnerable adults.
• Consider the either data protection rules in the following section.
• Recording how people in your organization have been made aware of the
data protection policy, and of how they may get involved with reviews or
changes to the policies and procedures.
The eight data protection rules (from the previous legislation)
Keep an eye out for updates on the GDPR sites…
Rule 1: Fair obtaining:
At the time when we collect information about individuals, are they made aware of
the uses for that information?
Are people made aware of any disclosures of their data to third parties?
Have we obtained people's consent for any secondary uses of their personal data,
which might not be obvious to them
Can we describe our data-collection practices as open, transparent and up-front?
Rule 2: Purpose specification
Are we clear about the purpose (or purposes) for which we keep personal
information?
Are the individuals on our database also clear about this purpose?
If we are required to register with the Data Protection Commissioner, does our
register entry include a proper, comprehensive statement of our purpose?
[Remember, if you are using personal data for a purpose not listed on your register
entry, you may be committing an offence.]
Has responsibility been assigned for maintaining a list of all data sets and the
purpose associated with each?

12. Rule 3: Use and disclosure of information
Are there defined rules about the use and disclosure of information?
Are all staff aware of these rules?
Are the individuals aware of the uses and disclosures of their personal data? Would
they be surprised if they learned about them? Consider whether the consent of the
individuals should be obtained for these uses and disclosures.
If we are required to register with the Data Protection Commissioner, does our
register entry include a full list of persons to whom we may need to disclose
personal data? [Remember, if you disclose personal data to someone not listed on
your register entry, you may be committing an offence.]
Rule 4: Security
Is there a list of security provisions in place for each data set?
Is someone responsible for the development and review of these provisions?
Are these provisions appropriate to the sensitivity of the personal data we keep?
Are our computers and our databases password-protected, and encrypted if
appropriate?
Are our computers, servers, and files securely locked away from unauthorised
people?
Rule 5: Adequate, relevant and not excessive
Do we collect all the information we need to serve our purpose effectively, and to
deal with individuals in a fair and comprehensive manner?
Have we checked to make sure that all the information we collect is relevant, and
not excessive, for our specified purpose?
If an individual asked us to justify every piece of information we hold about him or
her, could we do so?
Does a policy exist in this regard?
Rule 6: Accurate and up-to-date
Do we check our data for accuracy?
Do we know how much of our personal data is time-sensitive, i.e. likely to become
inaccurate over time unless it is updated?
Do we take steps to ensure our databases are kept up-to-date?
Rule 7: Retention time
Is there a clear statement on how long items of information are to be retained?
Are we clear about any legal requirements on us to retain data for a certain period?
Do we regularly purge our databases of data which we no longer need, such as data
relating to former customers or staff members?
Do we have a policy on deleting personal data as soon as the purpose for which we
obtained the data has been completed?
Rule 8: The Right of Access
Is a named individual responsible for handling access requests?

13. Are there clear procedures in place for dealing with such requests?
Do these procedures guarantee compliance with the Act's requirements?
Checklist
• Inventory your data
• Record who has access (online and paper) to the data
• Check your data security – backups, online, network
• Figure out who you need to “repermission” regarding their data by May 2018
• Do you need to appoint a data protection officer? (Probably not.)
• Who is going to be responsible for data protection in the organization?
• Revise direct marketing procedures
• Revise website privacy and cookies policy
• Revise your data protection procedures, including subject data access
requests
• Make everyone in the organization aware of the changes and how they can
contribute
• Keep checking for any changes coming up to May 2018 such as age for
parental consent where children are involved.
References
GDPR - http://gdprandyou.ie/gdpr-12-steps/#becoming-aware
https://www.dataprotection.ie/docs/GDPR/1623.htm
https://www.nibusinessinfo.co.uk/content/sample-privacy-policy
https://www.charitiesinstituteireland.ie/our-blog/2016/12/6/general-data-
protection-regulation
https://www.dataprotection.ie/documents/guidance/Charity_Guidance.pdf
http://www.charitytaxreform.com/files/R2.%20Guiding%20Principles%20of%20F
undraisin g%20-%20Feb%202008.pdf
https://www.dataprotection.ie/docs/DIRECT_MARKETING_–
%20_A_GENERAL_GUIDE_FOR_DATA_CONTROLLERS/905.htm
https://www.krestonreeves.com/news-and-events/30/11/2017/general-data-
protection-regulation-gdpr
https://fortprivacy.ie/gdpr-privacynotices/
https://www.dataprotection.ie/documents/guidance/Charity_Guidance.pdf
http://gdprcoalition.ie/infographics/
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-
regulation-gdpr/
Collated and edited by Imogen Bertin 24 February 2018
If you found it helpful, maybe give me a review on Google My Business?
TechAbility https://search.google.com/local/writereview?placeid=ChIJYQ0z_oGHR
EgRMcT8jqT_RUY
Or Facebook page: https://www.facebook.com/TechAbilityIRL/