GDPR implementation is just a few days away; EU Companies and companies which deal with the personal data of the EU citizens are looking for every possible way which makes them GDPR compliant by May 25, 2018. Key employees of the firm, especially those who deal with the personal data of the clients have to double check the validity and authenticity of the already existing data protection facilities of the firm and make necessary changes to make themselves GDPR Compliant.
GDPR training must be given to those employees who are unaware of the law and the penalties if the firm fails to attain the GDPR compliance. Documentation of the available data in a proper way can also make the route much easier for the firm to be GDPR compliant. Designating a Data Protection officer is highly recommended while you are preparing for GDPR, a responsible officer will be well aware of the do’s and don’ts while dealing with the data of the clients. Companies should make necessary arrangements to detect and stop data breaches.
Consent or approval of the client is one of the most important aspects while dealing with the personal data. The client must be well aware of how the information is going to be used by the company and give his or her consent for the same. While using the information of children, the Company must make sure that they have the consent of the parents. By making a simple and short agreement the client will easily understand the policy of the company and it is always the perfect choice to get the consent.
Is your company GDPR Ready?
Having a great awareness of what GDPR is going to bring about, is a great start towards GDPR compliance. Apart from understanding GDPR, one should also focus on its data, structure, data flow and what information it actually carries.
Check out our free assessment test and measure your readiness in advance about the regulation coming into force and identify a specific area of non-compliance
Let's BeginThe General Data Protection Regulation (GDPR) will come into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.
As a regulation, it will not generally require transposition into Irish law (regulations have ‘direct effect’), so organisations involved in data processing of any sort need to be aware the regulation addresses them directly in terms of the obligations it imposes. The GDPR emphasises transparency, security and accountability by data controllers, while at the same time standardising and strengthening the right of European citizens to data privacy.
The office of the Data Protection Commissioner (DPC) is aware that the increased obligations that the GDPR places on companies might cause some anxieties for business planners. This document is the first in a series that will issue in the run-up to the 25th May 2018 implementation date. The aim is to try to alleviate some of those concerns, and facilitate a smooth transition to future data privacy standards for data controllers and data subjects alike.
This section sets out the reasons that organisations should pay attention to the GDPR from the top down. It sets out the potential risks for getting it wrong (including the levels of fines), goes through some previous ICO enforcement decisions to give an idea of priorities, and talks about what factors are likely to affect how large a fine might be imposed.
This section helps to identify which areas of the organisation are likely to be the highest risk from a data protection perspective.
This section discusses some resourcing considerations, which is an important early step in any GDPR compliance project.
This section gives some suggestions on how to ensure that the whole organisation is aware of the GDPR and its requirements.
This section will test your knowledge on Module 1.
A very important initial step when preparing for the GDPR is to work out what personal data you process, how and why you process it, and in what capacity. This process is often referred to as a “data audit”. Unless you understand what personal data you have and how you use it, you will not be able to comply with the GDPR.
Most organisations will be a data controller of at least some personal data, for example of information about their employees and business contacts. If you are a joint controller or processor it is important to know this, as it will affect your obligations under the GDPR.
Record keeping requirements for sets of personal data processing vary depending on whether you are a data controller or a data processor.
There is no one way to conduct a data audit. The GDPR sets out a number of rules and reporting requirements but does not say, for example, how data subjects should be categorised, or what constitute different categories of processing.
The location of your organisation’s headquarters, branches and servers will affect how you prepare for the GDPR.
Once you have carried out your data audit, you can consider drafting and putting in place the following documents, policies and procedures, depending on its size and the type and scale of its processing.
This section will test your knowledge on Module 2.
The first principle of data protection is that data must be processed fairly and lawfully. Data subjects must be able to understand who has data about them, what this data is and how it will be used.
In order to assess the information you need to communicate to data subjects, you need to understand the data that you hold and how this will be used.
The way you choose to communicate privacy information will depend upon how you are collecting data, and how your organisation works.
In order to assess when it should be communicated, you need to think about the type of data you are collecting and how your data subjects are likely to expect you to be using their data.
The GDPR lists the information which must be provided to individuals.
You must remember that when you are communicating privacy information, you must do so in a clear and accessible way. This section gives guidance on how to communicate information, and what steps to take to ensure that it is effective.
This section will test your knowledge on Module 3.
This section explains what individuals need to be told about processing their data.
This section explains the right of access.
This section explains the right to rectification.
This section explains the right to erasure.
This section explains the right to restrict processing.
This section explains the right to data portability.
This section explains the right to object.
This section explains the right not to be subject to automated decision making including profiling.
This section will test your knowledge on Module 4.
How should your staff recognise a valid subject access request?
Guidance on how to respond to a subject access request.
This section discusses some practical considerations when responding to a subject access request.
How to deal with requests for a large amount of information.
What to do if the information involves other people’s personal data.
How to deal with unreasonable requests.
This section discusses some common exemptions from having to disclose data to the individual who is requesting it.
Practical steps to prepare your organisation for dealing with subject access requests.
This section will test your knowledge on Module 5.
This section discusses the GDPR principles, including the principle that data must be processed “lawfully”.
What makes processing lawful? This section sets out some key points to be considered when assessing whether your organisation is processing personal data lawfully.
Personal data can only be processed if one or more of the “conditions for processing” (also known as “lawful grounds”) are fulfilled. This section explains what these are for standard personal data and what they are for “sensitive” (“special category” in GDPR terms) personal data.
The GDPR has special rules on criminal records data, which are no longer included in “sensitive” personal data.
This section explores the useful lawful ground “legitimate interests”, explaining what it is, when it can be used, and how to conduct a legitimate interest assessment.
The module concludes with some key take away points to make sure that your organisation uses the right lawful grounds and avoids breaking the law.
This section will test your knowledge on Module 6.
This section describes the key elements which must be in place in order for consent to be valid for standard personal data.
This section explains the need for an affirmative action to make consent valid.
This section explains what it means for consent to be “unambiguous”.
This section explains what is required for consent to be “freely given”.
This section explains what is required for consent to be “specific and informed”.
This section discusses how to achieve “granular” consent.
This section discusses some specific requirements when requesting consent through electronic means.
This section explores what should be documented, and some elements surrounding withdrawal of consent.
This section discusses refreshing consent.
This section explains when consent must be “explicit” and what that involves.
This section explains when you should, and should not, use consent.
This section will test your knowledge on Module 7.
This section looks at the GDPR’s approach to children and parental consent.
This section explains the exceptions from the need for parental consent.
This section highlights some key points to bear in mind when processing children’s personal data.
This section explores some practical measures which data controllers can take to ensure that they are processing children’s personal data lawfully.
This section will test your knowledge on Module 8.
This section explains what counts as a “data breach” under the GDPR, and when data breaches must be notified to the supervisory authority.
This section explains when a data breach must be notified to the affected individuals.
This section explains the time periods within which notifications must be made.
This section describes what must be included in a breach notification.
This section discusses how and why to make sure that personal data is secure.
This section looks at how to determine whether a breach is “high” risk.
This section discusses some key points to consider when managing data breaches.
This section will test your knowledge on Module 9.
This section explores what is meant by “data protection by design and default”.
This section explains the purpose of a “data protection impact assessment”.
This section explains when a data protection impact assessment should be carried out.
This section discusses what is meant by “high risk”.
This section sets out some factors that should be considered when assessing the risks posed to individuals.
This section explains how to carry out a data protection impact assessment.
This section explains when and how to report processing which is deemed to be “high risk”.
This section discusses some key steps that should be taken now.
This section will test your knowledge on Module 10.
This section explains what the DPO role involves, and when it is mandatory to appoint one.
This section explores what is meant by “core activity”.
This section explains what “large scale” and “systemic” processing mean.
This section highlights the need to conduct and document an analysis.
This includes an explanation of what the DPO role should include, what expertise a DPO should have, how to decide whether it should be resourced internally or externally.
This section explores whether a group of organisations can share the same DPO, and under what circumstances.
This section sets out some key steps for organisations on this topic.
This section will test your knowledge on Module 11.
This section explains the GDPR’s “one stop shop” mechanism.
This section explains what is meant by “cross-border” processing.
This section explains when the “one stop shop” does not apply.
This section explains how to determine which is your lead supervisory authority.
This section recaps the rules on transfers of personal data outside of the EEA.
This section explains how adequacy decisions and safeguards legitimise international data transfers.
This section discusses how and when derogations can be used to legitimise international data transfers.
This section will test your knowledge on Module 12.
