THE GENERAL DATA PROTECTION REGULATION (GDPR)


GDPR – HOW TO WORK TOWARDS COMPLIANCE …

This article outlines the benefits, as well as the obligations, that the GDPR brings to an organisation, and how it can approach fulfilling those obligations by May 2018.

The GDPR strengthens the rights of individuals in the EU over the privacy of their personal information. It also increases the obligations on those responsible for processing personal information.


It applies from 25 May 2018, and the time has come to start preparing for it if you wish to avoid having your organisation bathed in the warm glow of the scrutinising spotlights of the Data Protection Commissioner, the authority responsible in Ireland for monitoring application of the GDPR and for imposing corrective measures and fines.

If somebody had told me a decade ago that I would develop an interest in the topic of ‘data’ I would have laughed ... or cried, depending on how I felt at the time. Data meant figures to me, and I have always considered myself less than mathematically inclined. Data was for the accountants, not for me.

Fast forward ten years and that somebody has been proved right. I find the subject of protecting personal data under the GDPR compelling. The new Regulation brings with it a sense of regaining control over the hold that our information society has on our personal information. There is also the agreeable promise of a framework in which organisations can prosper while acting lawfully, fairly and transparently with regard to personal information.

With less than eight months remaining to carry out the investigation, documentation, communication, negotiation and fortification required to meet the GDPR requirements, it should be on the agenda of all your management meetings from this day forward. Read on to find out how your organisation can get ready to harness the positive effects, and avoid any negative impact, of the GDPR by the implementation date in May 2018.

DOES YOUR ORGANISATION PROCESS PERSONAL DATA?

Under the GDPR, the term processing covers any operation performed on personal data, whether or not by automated means. Every such activity falls within the scope of the Regulation, so if your organisation does any of the following with personal data, the GDPR applies to you. The list below sets out the activities the Regulation itself names as processing.

ACTIVITIES DEFINED AS PROCESSING UNDER GDPR

  • Collection
  • Recording
  • Organisation
  • Structuring
  • Storage
  • Adaptation
  • Alteration
  • Retrieval
  • Consultation
  • Use
  • Disclosure by transmission
  • Dissemination (or otherwise making available)
  • Alignment
  • Combination
  • Restriction
  • Erasure
  • Destruction

WHAT IS PERSONAL DATA?

Personal data is any information relating to a living person who can be identified from it, either directly or indirectly; that person is called the data subject. Here are some examples of such personal data:

EXAMPLES OF PERSONAL DATA

  • Name
  • Photo
  • Email address
  • Date of birth
  • Medical information
  • Employment history
  • IP addresses
  • Cookie identifiers
  • Ethnicity
  • Religion
  • Financial records
  • Mobile device ID
  • Other types of on-line identifiers
  • Posts on social networking sites

SENSITIVE PERSONAL DATA

Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used to uniquely identify a person), health data, and data concerning sex life or sexual orientation. The GDPR calls these the special categories of personal data; processing them is prohibited unless one of the specific conditions in Article 9 is met, so they need a stronger justification and tighter controls than ordinary personal data.

Additional important terms to be familiar with are the CONTROLLER of the data, which is the entity that determines the purposes (the reasons for) and the means of the processing of personal data, and the PROCESSOR, which is the entity that processes personal data on behalf of the controller. An organisation may be a controller for some of its processing and a processor for other processing.

When processing of personal data is outsourced, the processor processes personal data on behalf of the controller. In such instances, Article 28 of the GDPR requires that a CONTRACT be drawn up between the controller and the processor, defining the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects involved, and the obligations and rights of each party.

Electronic and paper versions of records, policies and procedures are the tools that companies will use to demonstrate compliance with the GDPR. Here are some examples of the information that must be captured in company records regarding personal data:

PERSONAL DATA – WHAT THE COMPANY RECORDS NEED TO REVEAL

What personal data is being processed?

  • Which categories of personal data do you hold, and about which categories of data subjects (customers, staff, suppliers, website visitors)?
  • Where you rely on consent, have the data subjects given it freely and unambiguously, for the specific purpose(s) you described to them?
  • Were they clearly informed of the reason(s) for processing? Do they know they can withdraw consent as easily as they gave it?
  • Are there procedures in place to record consent and to renew it when the purpose changes?

Why are you processing personal data?

  • Which legal basis under Article 6 are you relying on for each processing activity: consent, a contract with the data subject, a legal obligation, vital interests, a public task, or your legitimate interests? A legitimate business reason is only a valid basis where it is not overridden by the interests and rights of the data subject.
  • If you are processing the data on behalf of another company, have you a contract that outlines roles and responsibilities?
  • Could you reduce the amount of personal data you collect and still run your business effectively?

How are you processing it?

  • Are there policies and procedures in place to govern processing?
  • What existing databases have you? Where existing processing relies on consent, that consent must meet the GDPR standard (freely given, specific, informed and unambiguous); if it does not, it must be obtained again before 25 May 2018, or another legal basis identified.
  • What safety and security measures are in place to protect the privacy of the data subjects?
  • How long do you hold on to personal data, and is that retention period documented and justified?
  • How do you maintain the integrity and accuracy of personal data?
  • Is there a system in place to allow a data subject to access their data and have it corrected or deleted, within the one-month response time the GDPR allows?
  • Is there a procedure for dealing with data security breaches, including notifying the Data Protection Commissioner within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals?

Where is it being processed?

  • What physical and technical security measures protect personal data? Who has access to it?
  • What back-up and disaster recovery systems are in place?
  • Is there transfer of the data outside your organisation, and in particular outside the EU/EEA? Transfers to third countries are only permitted where an adequacy decision or another appropriate safeguard (such as standard contractual clauses) is in place.
  • What policies and procedures govern transfers and transmissions?
  • Have you investigated the data protection policies of other organisations with whom you share personal data?

FIVE STEPS TO GET STARTED WITH BECOMING GDPR COMPLIANT

  1. Provide GDPR awareness training, initially for key personnel and eventually for all staff.
  2. Appoint a GDPR Project Lead, responsible for managing the overall GDPR implementation plan and guiding the company towards compliance with the Regulation by 25 May 2018.
  3. Set up a schedule to review all relevant policies, procedures and contracts and to update them in accordance with the GDPR. It will be necessary to liaise with customers regarding contracts.
  4. Designate a team, reporting to the GDPR Lead, who will share responsibility for completing compliance tasks, for example, performing information audits, writing policies and procedures, creating records, auditing technical security measures, staff training etc.
  5. Initially, it may be helpful to divide the organisation into four segments and isolate GDPR-accountable aspects of each one, as in the diagram below. While these are not exhaustive lists, they should help you start implementation of the GDPR across the organisation.

A HAPPY ENDING – ADVANTAGES OF GDPR FOR BUSINESS

Under the GDPR, out-of-date and inaccurate personal data will be corrected or deleted. Personal data will be held in an accountable manner, with security controls appropriate to the risk, and staff will process the minimum amount of personal data needed for the company to operate. The result of compliance will manifest as a reduction in the quantity, and an increase in the quality, of stored personal data, with less likelihood of data security breaches. For those engaged in EU trade, the rules will be harmonised across the EU, and an organisation with operations in several member states will generally deal with a single lead supervisory authority rather than several. Good news all round!

IN SUMMARY

Any organisation established in the EU must comply with the Regulation, as must an organisation outside the EU that offers goods or services to, or monitors the behaviour of, individuals in the EU. In your organisation, is the processing of personal data lawful, fair and transparent? What steps are being taken to maintain the safety, security, integrity and accuracy of personal data?

Under the GDPR, each organisation must be able to demonstrate that it complies with the principles governing the processing of personal data; this is the accountability principle. Documentation must be available to show how processing is undertaken and controlled. Preparation for compliance takes time. It would be wise to start implementing the GDPR in your organisation right away!

If you are still unsure about how to start, please contact us here at MCS InTegrated Solutions and our GDPR team will be happy to assist you.

Sarah O’Connell
MCS GDPR Services Team