
 GDPR - Get aware, and get prepared!

The General Data Protection Regulation (GDPR) significantly changes data protection law in Europe, strengthening the
rights of individuals and increasing the obligations on organisations.

The GDPR will give greater control to individuals over their personal data by setting out additional and more clearly defined
rights for individuals whose personal data is collected and processed by organisations and businesses.


 Key Date: 25th May 2018

All organisations that process data need to be aware that the GDPR will apply directly to them. The responsibility to become
familiar with the Regulation and comply with its provisions from 25th May 2018 onwards therefore lies with the organisation.


This course covers:


o The purpose of the General Data Protection Regulation (GDPR).

o What organisations can do to prepare for the GDPR.

o What the role of the Data Protection Officer (DPO) in the GDPR entails.

o Guidance around personal data security for microenterprises.

o Five steps organisations can implement to secure their cloud-based environments.

o How the GDPR affects the private individual and their data protection rights.

o The key steps organisations need to take to ensure compliance with the GDPR.

 The GDPR and Data Protection



 The General Data Protection Regulation (GDPR) will replace current data protection laws in the European Union.

The new law will give individuals greater control over their data by setting out additional and more clearly defined rights for
individuals whose personal data is collected and processed by organisations. The GDPR also imposes corresponding and
greatly increased obligations on organisations that collect this data.


 Personal data is any information that can identify an individual person. This includes:

- a name,

- an ID number,

- location data (for example, location data collected by a mobile phone) or a postal address,

- online browsing history,

- images or anything relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.

 Core Principles
 The GDPR is based on the core principles of data protection which exist under the current law. These principles require
organisations and businesses to:

o Collect no more data than is necessary from an individual for the purpose for which it will be used;

o Obtain personal data fairly from the individual by giving them notice of the collection and its specific purpose;

o Retain the data for no longer than is necessary for that specified purpose;

o Keep data safe and secure;

o Provide an individual with a copy of his or her personal data if they request it.

 Strengthened Rights and Greater Transparency


 Under the GDPR individuals have the significantly strengthened rights to:

o Obtain details about how their data is processed by an organisation or business;

o Obtain copies of personal data that an organisation holds on them;

o Have incorrect or incomplete data corrected;


o Have their data erased by an organisation, where, for example, the organisation has no legitimate reason
for retaining the data;

o Obtain their data from an organisation and to have that data transmitted to another organisation (Data
Portability);

o Object to the processing of their data by an organisation in certain circumstances;

o Not be subject to (with some exceptions) automated decision making, including profiling (see topic
'Introduction to GDPR for the Private Individual').

 Organisations and businesses collecting and processing personal data will be required to meet a very high standard
in how they collect, use and protect data. Very importantly, organisations must always be fully transparent to
individuals about how they are using and safeguarding personal data, including by providing this information in
easily accessible, concise, easy to understand and clear language.
 Financial Penalties
 For organisations and businesses that breach the law, the Data Protection Commissioner (DPC) is being given more
robust powers to impose very substantial sanctions, including the power to impose fines.


 Under the new law, the DPC will be able to fine organisations up to €20 million (or 4% of total global
turnover) for the most serious infringements.
 The GDPR will also permit individuals to seek compensation through the courts for breaches of their data privacy
rights, including in circumstances where no material damage or financial loss has been suffered.
 Organisations Must Prepare for GDPR
 It is essential that all organisations immediately start preparing for the implementation of GDPR by carrying out a
“review and enhance” analysis of all current or envisaged processing in line with GDPR. This will allow time to
ensure that you have adequate procedures in place to deal with the improved transparency, accountability and
individuals’ rights provisions, as well as optimising your approach to governance and how to manage data
protection as a corporate issue.


 It is essential to start planning your approach to GDPR compliance as early as you can, and to ensure a cohesive
approach amongst key people in your organisation.

The sooner you begin to prepare for the GDPR, the more cost-effective it will be for your organisation. The GDPR also
makes it considerably easier for individuals to bring private claims against data controllers when their data privacy has been
infringed, and allows data subjects who have suffered non-material damage as a result of an infringement to sue for
compensation.

 What Can Organisations Do Now to Prepare for the GDPR?



 The following are areas that all organisations should cover to prepare effectively for the GDPR. These areas will be covered
in more detail in the following pages.

1. Becoming Aware

2. Becoming Accountable

3. Communicating with Staff and Service Users

4. Personal Privacy Rights

5. How will Access Requests change?

6. What we mean when we talk about a ‘Legal Basis’

7. Using Customer Consent as grounds to process data

8. Processing Children's Data

9. Reporting Data Breaches

10. Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default

11. Data Protection Officers

12. International Organisations and the GDPR


 1. Becoming Aware
 It is imperative that key personnel in your organisation are aware that the law is changing to the GDPR, and start to
factor this into their future planning. They should start to identify areas that could cause compliance problems under
the GDPR.


 Initially, data controllers should review and enhance their organisation's risk management processes, as
implementing the GDPR could have significant implications for resources, especially for more complex
organisations. Any delay in preparations may leave your organisation susceptible to compliance issues following the
GDPR's introduction.


 2. Becoming Accountable
 Make an inventory of all personal data you hold and examine it under the following headings:

1. Why are you holding it?

2. How did you obtain it?

3. Why was it originally gathered?

4. How long will you retain it?

5. How secure is it, both in terms of encryption and accessibility?

6. Do you ever share it with third parties and on what basis might you do so?

 This is the first step towards compliance with the GDPR’s accountability principle, which requires organisations to
demonstrate (and, in most cases, document) the ways in which they comply with data protection principles when
transacting business. The inventory will also enable organisations to amend incorrect data or track third party
disclosures in the future, which is something that they may be required to do.


 3. Communicating with Staff and Service Users
 Review all current data privacy notices alerting individuals to the collection of their data. Identify any gaps that exist
between the level of data collection and processing your organisation engages in, and how aware you have made
your customers, staff and service users of this fact. If gaps exist, set about redressing them using the criteria laid
out in '2: Becoming Accountable' above as your guide.

Before gathering any personal data, current legislation requires that you notify your customers of your identity, your reasons
for gathering the data, the use(s) it will be put to, who it will be disclosed to, and if it’s going to be transferred outside the
EU.

Under the GDPR, additional information must be communicated to individuals in advance of processing, such as the legal
basis for processing the data, retention periods, the right of complaint where customers are unhappy with your
implementation of any of these criteria, whether their data will be subject to automated decision making and their individual
rights under the GDPR. The GDPR also requires that the information be provided in concise, easy to understand and clear
language.


 4. Personal Privacy Rights
 You should review your procedures to ensure they cover all the rights individuals have, including how you would delete
personal data or provide data electronically and in a commonly used format.

Rights for individuals under the GDPR include:


o Subject access
o To have inaccuracies corrected

o To have information erased

o To object to direct marketing

o To restrict the processing of their information, including automated decision-making

o Data portability

 On the whole, the rights individuals will enjoy under the GDPR are the same as those under the Acts, but with some
significant enhancements. Organisations who already apply these principles will find the transition to the GDPR less difficult.

Review your current procedures.


o How would your organisation react if it received a request from a data subject wishing to exercise their rights under the
GDPR?

o How long would it take to locate (and correct or delete) the data in all locations where it is stored?

o Who will make the decisions about deletion?

o Can your systems respond to the data portability provision of the GDPR, where it applies, which requires you to provide
the data electronically and in a commonly used format?


 5. How will Access Requests change?
 You should review and update your procedures and plan how you will handle requests within the new timescales.
(There should be no undue delay in processing an Access Request and, at the latest, they must be concluded
within one month). The rules for dealing with subject access requests will change under the GDPR. In most cases,
you will not be able to charge for processing an access request, unless you can demonstrate that the cost will be
excessive.

The timescale for processing an access request will also shorten, dropping significantly from the current 40 day period.
Organisations will have some grounds for refusing to grant an access request. Where a request is deemed manifestly
unfounded or excessive, it can be refused. However, organisations will need to have clear refusal policies and procedures in
place, and demonstrate why the request meets these criteria. You will also need to provide some additional information to
people making requests, such as your data retention periods and the right to have inaccurate data corrected.

If your organisation handles a large number of access requests, the impact of the changes could be considerable. The
logistical implications of having to deal with requests in a shorter time frame and provide additional information will need to
be factored into future planning for organisations. It could ultimately save your organisation a great deal of administrative
cost if you can develop systems that allow people to access their information easily online.

 6. What is meant by the term ‘Legal Basis’
 You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and
document it. This is particularly important where consent is relied upon as the sole legal basis for processing data.

Under the GDPR, individuals will have a stronger right to have their data deleted where customer consent is the only
justification for processing. You will have to explain your legal basis for processing personal data in your privacy notice and
when you answer a subject access request.

For government departments and agencies, there has been a significant reduction in the number of legal bases they may
rely on when processing data. It will no longer be possible to cite legitimate interests. Instead, there will be a general
necessity to have specific legislative provisions underpinning one or more of the methods organisations use to process
data.

All organisations need to carefully consider how much personal data they gather, and why. If any categories can be
discontinued, do so. For the data that remains, consider whether it needs to be kept in its raw format, and how quickly you
can begin the process of anonymisation and pseudonymisation.


 7. Using Customer Consent to process data
 If you do use customer consent when you record personal data, you should review how you seek, obtain and record that
consent, and whether you need to make any changes. Consent must be ‘freely given, specific, informed and unambiguous.’
Essentially, your customer cannot be forced into consent, or be unaware that they are consenting to processing of their
personal data.

They must know exactly what they are consenting to, and there can be no doubt that they are consenting. Obtaining consent
requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity.

If consent is the legal basis relied upon to process personal data, you must make sure it will meet the standards required by
the GDPR. If it does not, then you should amend your consent mechanisms or find an alternative legal basis.


 Note that consent has to be verifiable, that individuals must be informed in advance of their right to withdraw consent and
that individuals generally have stronger rights where you rely on consent to process their data.
 The GDPR is clear that controllers must be able to demonstrate that consent was given. You should therefore review the
systems you have for recording consent to ensure you have an effective audit trail.

 8. Processing Children’s Data
 If the work of your organisation involves the processing of data from underage subjects, you must ensure that you
have adequate systems in place to verify individual ages and gather consent from guardians.

The GDPR introduces special protections for children’s data, particularly in the context of social media and commercial
internet services. The state will define the age up to which an organisation must obtain consent from a guardian before
processing a child’s data. It should be noted that consent needs to be verifiable, and therefore communicated to your
underage customers in language they can understand.


 9. Reporting Data Breaches
 You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Some organisations are already required to notify the DPC when they incur a personal data breach. However, the GDPR will
bring in mandatory breach notifications, which will be new to many organisations.


 All breaches must be reported to the DPC, typically within 72 hours, unless the data was anonymised or
encrypted. In practice this will mean that most data breaches must be reported to the DPC. Breaches that are likely to bring
harm to an individual – such as identity theft or breach of confidentiality – must also be reported to the individuals
concerned.
 Now is the time to assess the types of data you hold and document which of them fall within the notification requirement
in the event of a breach. Larger organisations will need to develop policies and procedures for managing data breaches,
at both central and local level. It is worth noting that a failure to report a breach when required to do so could result in a fine,
in addition to a fine for the breach itself.


 10. DPIA - Data Protection by Design and Default
 A Data Protection Impact Assessment (DPIA) is the process of systematically considering the potential impact that
a project or initiative might have on the privacy of individuals. It will allow organisations to identify potential privacy
issues before they arise, and come up with a way to mitigate them.

A DPIA can involve discussions with relevant parties/stakeholders. Ultimately such an assessment may prove invaluable in
determining the viability of future projects and initiatives. The GDPR introduces mandatory DPIAs for those organisations
involved in high-risk processing; for example where a new technology is being deployed, where a profiling operation is likely
to significantly affect individuals, or where there is large scale monitoring of a publicly accessible area.

Where the DPIA indicates that the risks identified in relation to the processing of personal data cannot be fully mitigated,
data controllers will be required to consult the DPC before engaging in the process.

 Organisations should now start to assess whether future projects will require a DPIA and, if the project calls for a DPIA,
consider:


o Who will do it?

o Who else needs to be involved?

o Will the process be run centrally or locally?

 It has always been good practice to adopt privacy by design as a default approach; privacy by design and the minimisation
of data have always been implicit requirements of the data protection principles.

However, the GDPR enshrines both the principle of ‘privacy by design’ and the principle of ‘privacy by default’ in law. This
means that service settings must be automatically privacy friendly, and requires that the development of services and
products takes account of privacy considerations from the outset.


 11. Data Protection Officers
 The GDPR will require some organisations to designate a Data Protection Officer (DPO). Organisations requiring DPOs
include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a
large scale, or organisations who process what is currently known as sensitive personal data on a large scale.


 The important thing is to make sure that someone in your organisation, or an external data protection advisor, takes
responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively.
Therefore you should consider now whether you will be required to designate a DPO and, if so, to assess whether your
current approach to data protection compliance will meet the GDPR’s requirements.
 The role of the Data Protection Officer (DPO) under GDPR is covered in more detail in the next topic.


 12. International Organisations and the GDPR
 The GDPR includes a ‘one-stop-shop’ provision which will assist those organisations which operate in many EU
member states. Multinational organisations will be entitled to deal with one Data Protection Authority, referred to as
a Lead Supervisory Authority (LSA) as their single regulating body in the country where they are mainly
established.


 That Data Protection Authority will then become the LSA when regulating all data protection matters involving that
organisation, although it will be obliged to consult with the other Data Protection Authorities concerned in relation to
certain matters.
 In general the main establishment of an organisation is determined according to where the organisation has its main
administration, or where decisions about data processing are made. However, it would be helpful for you to map out
where your organisation makes its most significant decisions about data processing, as this will help to determine
your main establishment and therefore your LSA.

 The Data Protection Officer (DPO) Role in the GDPR


The Data Protection Officer (DPO) role is an important GDPR innovation and a cornerstone of the GDPR’s accountability-
based compliance framework. In addition to supporting an organisation’s compliance with the GDPR, DPOs will have an
essential role in acting as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and
business units within an organisation).

The DPO will have professional standing, independence, expert knowledge of data protection and, to quote the GDPR, be
‘involved properly and in a timely manner’ in all issues relating to the protection of personal data.


 The DPC recommends that all organisations who will be required by the GDPR to appoint a DPO should do this as soon as
possible and well in advance of May 2018. With the authority to carry out their critical function, the Data Protection Officer
will be of pivotal importance to an organisation’s preparations for the GDPR and meeting the accountability obligations.
 A DPO may be a member of staff at the appropriate level with the appropriate training, an external DPO, or one
shared by a group of organisations, which are all options provided for in the GDPR.
 It is important to note that DPOs are not personally responsible where an organisation does not comply with the
GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure and to be able
to demonstrate that the processing is in accordance with the GDPR. Data protection compliance is ultimately the
responsibility of the controller or the processor.


 Who needs a DPO?

o All public authorities and bodies, including government departments.

o Where the core activities of the organisation (controller or processor) consist of data processing operations
which require regular and systematic monitoring of individuals on a large scale.

o Where the core activities of the organisation consist of processing special categories of data (e.g. health data) or
personal data relating to criminal convictions or offences.

 Public Authority or Body?


 Public authorities and bodies include national, regional and local authorities, but the concept typically also includes a range
of other bodies governed by public law.

It is recommended, as a good practice, that private organisations carrying out public tasks or exercising public authority
should designate a DPO.

 Core activities can be defined as the key operations necessary to achieve an organisation’s (controller or processor’s) goals.
For example, a private security company which carries out surveillance of private shopping centres and/or public spaces
using CCTV would be required to appoint a DPO as surveillance is a core activity of the company.
On the other hand, it would not be mandatory to appoint a DPO where an organisation undertakes activities such as payroll
and IT support as, while these involve the processing of personal data, they are considered ancillary rather than core
activities.

 Large-scale processing
 While the GDPR does not define 'large-scale', the following factors should be taken into consideration:

o The number of individuals (data subjects) concerned – either as a specific number or as a proportion of the relevant
population.

o The volume of data and/or the range of different data items being processed.

o The duration, or permanence, of the data processing activity.

o The geographical extent of the processing activity.



Examples of large-scale processing include:

• Processing of patient data in the regular course of business by a hospital.

• Processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards).

• Processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a
processor specialised in providing these services.

• Processing of customer data in the regular course of business by an insurance company or a bank.

• Processing of personal data for behavioural advertising by a search engine.

• Processing of data (content, traffic, location) by telephone or internet service providers.

 Regular and systematic monitoring


 Regular and systematic monitoring should be interpreted, in particular, as including all forms of tracking and profiling on the
internet, including for behavioural advertising. However, the definition of monitoring is not restricted to the online
environment. Online tracking is just one example of monitoring the behaviour of individuals.

'Regular Monitoring' is interpreted by the Working Party 29 (comprising the EU's data protection authorities) as meaning one
or more of the following:

• Ongoing or occurring at particular intervals for a particular period.

• Recurring or repeated at fixed times.


 Special Categories of Data

These include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade
union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural
person, data concerning health or data concerning a natural person's sex life or sexual orientation, or personal data relating
to criminal convictions and offences.


 Further information and guidance

Further information and guidance on the Data Protection Officer role is set out in the guidelines of the Working Party 29. In
particular, these guidelines set out the position of the EU’s data protection authorities on matters such as:

• Designation of a single DPO for several organisations

• Expertise and skills of the DPO

• Role, tasks, responsibilities and independence of the DPO

• Resources that should be provided to a DPO to carry out their tasks

 Qualifications


 Article 37.5 of the GDPR provides that a Data Protection Officer “shall be designated on the basis of professional qualities
and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article
39.”
 The GDPR does not define the professional qualities required or prescribe the training a DPO should undergo to be qualified
to undertake the role. This allows organisations to decide on their DPO’s qualifications and training tailored to the context of
the organisation’s data processing.

The appropriate level of qualification and expert knowledge should be determined according to the personal data processing
operations carried out, the complexity and scale of data processing, the sensitivity of the data processed and the protection
required for the data being processed.


 For example, where a data processing activity is particularly complex, or where a large volume of data or sensitive data is
involved (e.g. an internet or insurance company), the DPO may need a higher level of expertise and support.

 Relevant Skills and Expertise


 Relevant skills and expertise include:

o expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR;

o understanding of the processing operations carried out;

o understanding of information technologies and data security;

o knowledge of the business sector and the organisation;

o ability to promote a data protection culture within the organisation.



 For example, a DPO may need an expert level of knowledge in certain specific IT functions, international data transfers, or
familiarity with sector-specific data protection practices such as public sector data processing and data sharing, to
adequately perform their duties.

 Training Courses
 Taking into account the scale, complexity and sensitivity of their data processing operations, organisations should
proactively decide on the qualifications and level of training required for their Data Protection Officer.

In undertaking such an assessment, organisations should be aware that there are various training options that may be
pursued. Some training courses are one-day sessions, while some are online only. Others lead to academically accredited
certificates such as diplomas from national law societies.


 There are also other professional training programmes which are recognised internationally and that offer professional
qualifications that require an ongoing commitment to training in order to maintain the professional qualification.


 The following non-exhaustive list of factors should be taken into consideration when selecting the appropriate DPO
training programme:

o The content and means of the training and assessment;

o Whether training leading to certification is required;

o The standing of the accrediting body;

o Whether the training and certification is recognised internationally.

 In any case, a Data Protection Officer should have an appropriate level of expertise in data protection law and
practices to enable them to carry out their critical role.
 Conflict of Interests

It is important to take into account that while a DPO is permitted to fulfil other tasks and duties, the organisation is required
to ensure that any such tasks and duties do not result in a conflict of interests. This is essential to protecting the
independence of the DPO.
In particular, it means that a DPO cannot hold a position in an organisation where they have the authority to decide the
purposes for which personal data is processed and the means by which it is processed.

While each organisational structure should be considered case by case, as a rule of thumb, conflicting positions within an
organisation may include senior management positions such as chief executive, chief operating/financial/medical officer,
head of HR or head of IT.


 Publication and communication of the DPO’s contact details

Organisations will be required by the GDPR to publish contact details of the DPO and to communicate these details to the
relevant data protection authority.

The purpose of this requirement is to ensure that individuals (internal and external to the organisation) and the data
protection authority can easily and directly contact the DPO without having to contact another part of the organisation.

 Personal Data Security Guidance for Microenterprises


 The GDPR significantly increases the obligations and responsibilities of organisations and businesses with regard to how
they collect, use and protect personal data.

At the heart of the new law is the requirement for organisations and businesses to be transparent about how they are
obtaining, using and safeguarding personal data. This transparency requirement is outlined under Article 12 of the GDPR
and encompasses the provision of clear, concise information to data subjects and the facilitation of data subjects’ rights.


 Additionally the principle of accountability, which is outlined under Article 5 of the GDPR, will see organisations and
businesses responsible for demonstrating their compliance with the new law’s principles relating to the processing of
personal data.

 What is a Microenterprise?


 A microenterprise is defined as an organisation having fewer than 10 employees and an annual turnover (the amount of
money taken in a particular period) or balance sheet (a statement of a company's assets and liabilities) below €2 million [1].
 If your company is a microenterprise engaged in the processing of personal data, as either a data controller or a data
processor, you will be subject to the provisions of the new law. A data controller is defined under article 4 of the GDPR as a
natural or legal person that determines, alone or jointly with others, the purposes and means of the processing of personal
data. The same article defines a data processor as a natural or legal person that processes personal data on a data
controller’s behalf.

The GDPR applies to the processing of personal data both by microenterprises established in the European Union (EU)
and by microenterprises established and operating outside it. If your company is established in the EU, the provisions of
the GDPR apply to your processing of personal data in the context of the activities of your EU establishment(s).

If your company is not established in the EU, the new law applies to your processing of the personal data of individuals
in the EU with regard to the offering of goods or services (regardless of whether payment is involved) and to the monitoring
of an individual’s behaviour (in so far as that behaviour takes place within the EU).


 Four Key Ways to Secure ICT Systems
 Four key ways to assist microenterprises in securing their Information and Communications Technology (ICT) systems
under the GDPR:


1. Know your data

2. Determine the Appropriate Level of ICT Security

3. Data Collection and Retention Policies

4. Utilising Data Processors


 1. Know your data
 Microenterprises should regularly review the personal data they process and determine what personal data and, in
particular, what special categories of personal data they hold.
‘Personal data’ is defined under Article 4 of the GDPR as any information relating to an identified or identifiable natural
person (a “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Article 9 of the GDPR defines ‘special categories of personal data’ as data relating to an individual’s:


1. racial or ethnic origin

2. political opinions

3. religious or philosophical beliefs

4. trade union membership

5. genetic data

6. biometric data

7. data concerning health

8. data concerning sex life or sexual orientation

 Principles you must adhere to with regard to the processing of personal data are outlined in Article 5 of the GDPR.
When considering your company’s processing, questions to be asked include whether you are processing personal
data:

1. According to the principles of lawfulness, fairness, and transparency;

2. For specified, explicit and legitimate purposes;

3. With a view to data minimisation;

4. With a view to ensuring accuracy and, where necessary, that data is kept up to date;

5. Such that data are kept in a form which permits identification of data subjects for no longer than is
necessary for the purposes of processing;

6. In a manner that ensures appropriate security of the personal data.

 If you outsource the processing of personal data to a data processor (including, for example, to a 'cloud computing'
service provider), you should be able to confirm that:

1. The processing is compliant with Article 28 of the GDPR;

2. The processor’s security procedures are adequate;

3. You have sought and been given assurances regarding the appropriate security measures from the
processor.

 2. Determine the Appropriate Level of ICT Security
 Article 32 of the GDPR obliges data controllers and data processors to implement the technical and organisational
measures necessary to ensure an appropriate level of security in relation to the risks presented by processing. In
considering what constitutes an appropriate level of security, you should take into account:

1. "The state of the art"

2. "The costs of implementation"

3. "The nature, scope, context and purposes of processing"

4. "The risk of varying likelihood and severity for the rights and freedoms of natural persons"

 The DPC has published best practice Data Security Guidance [2] regarding the security of ICT systems. Additional
information is also available from organisations such as the European Union Agency for Network and Information
Security [3], and the US-based National Institute of Standards and Technology [4].
 Security measures predominantly fall under the following headings:

(These will be outlined in more detail on the following pages)


o Technical security

o Physical security

o Organisational security

 Technical security
 Technical security measures protect ICT systems by ensuring that appropriate technology is implemented to secure
personal data processing.


 Examples of practical technical security measures are:

o Ensuring that all computing devices such as PCs, mobile phones, and tablets are using an up-to-date
operating system;

o Ensuring all computing devices are regularly updated with the manufacturer’s software and security patches;

o Using antivirus software on all devices;

o Implementing a strong firewall;

o Reviewing vendor-supplied software and changing default system, administrator, and root passwords and
other security parameters to ensure defaults are not left in place;

o Ensuring data backups are taken and are stored securely in a separate location;

o Ensuring that data backups are periodically reviewed and tested to ensure they are functioning correctly;

o Ensuring that data is collected and stored securely;

o Ensuring that mobile devices (such as laptops, mobile phones and tablets) are encrypted;

o Ensuring that two-factor authentication is enabled for remote access;

o Ensuring that websites have TLS (transport layer security) in place to securely collect personal data via
webforms (such as for newsletter subscriptions) or on e-commerce websites.

 Physical security
 Physical security measures protect ICT systems and the facilities, equipment, personnel, resources and other
property that surround them.


 Examples of ICT equipment that may require protection include any device which can store information
electronically, such as:

o Computers - servers, desktop, laptop or tablet

o Photocopiers, multi-function devices and printers

o Mobile telephones

o Digital cameras

o Storage media, such as, portable hard drives, USB sticks, CDs, DVDs

 The level of protection that should be applied to ICT equipment is based on the business impact that may
result from the compromise, loss of integrity, or unavailability of the electronic information held on the
device. This also includes the loss or unavailability of the device itself due to a failure.


 Examples of practical physical security measures are:

o Keeping offices and storage units locked;

o Keeping server rooms or cabinets locked;

o Cabling desktop machines and laptops to desks;

o Implementing clean desk policies;

o Ensuring that fire and burglar alarms are in place and that they are functioning correctly;

o Ensuring that ICT equipment such as hard drives and old laptops, computers and mobile devices are
securely disposed of at end of life.

 Organisations should also assess the risk arising from devices that are not secured while not in use. Once an
organisation has determined the business impact of a compromise, loss of integrity or unavailability of the data
held on a device that is not in use, it should ensure that such devices are stored securely.

It is recommended that microenterprises design and implement an asset control policy for ICT equipment. This would
include:


o Recording the location and user of the device;

o Conducting periodical audits of its ICT equipment.

 Organisational security
 Organisational security measures protect ICT systems by ensuring that policies, procedures, training, and audit trail
functions are in place.

These measures are mostly documentary in nature; however, such policies need not be time consuming nor overly
complicated to implement. Any documentation should be written in clear, concise language, should list the rules that apply
to the processing of personal data, and should be readily accessible to employees. Such documentation should be reviewed
periodically to ensure that it is accurate and up-to-date.


 Examples of practical organisational security measures include:

o Communicating to employees the importance of company data and the measures they can take to protect
it;

o Conducting ongoing staff training on, but not limited to, social engineering attacks, crypto ransomware, and
data protection;

o Documenting data collection and retention policies;

o Ensuring the use of strong passwords by having a password policy in place that is enforced;

o Ensuring remote access is supported by a remote access policy;

o Documenting a data breach incident response plan and testing it periodically to ensure a data breach can
be effectively responded to;

o Documenting CCTV policies (where appropriate);

o Documenting data backup policies;

o Periodically reviewing contracts with third-party ICT providers to ensure the security measures documented
are still appropriate and up to date.


 3. Data Collection and Retention Policies
 If your organisation will be holding personal data for longer periods, you should be aware of your obligations
under Article 5(1)(e) as both a data controller and a data processor with regard to data retention. The essence of
the storage limitation principle under the GDPR is slightly different to the existing principle under the Data Protection
Directive.

In summary, personal data should not be retained in identifiable form for longer than is necessary in relation to the purposes
for which such data is processed. A pragmatic approach to retention is simply to delete the data once the purpose for which
it was processed has ceased. Data collection and retention should be assessed against business needs and minimised,
either by not collecting unnecessary data, by deleting data, or by rendering it anonymous.

Microenterprises should:


o Define and implement a data collection policy. The policy should detail the categories of personal data
collected and the purposes for collection.

o Define and implement a data retention policy. This policy should detail the retention period for personal
data collected and measures taken to ensure deletion or if applicable, the techniques to render the data
non-identifiable.

 These policies should be communicated to all employees and periodic reviews should be conducted to ensure that
personal data is handled correctly when it is no longer needed for the purposes for which it was collected.


 With regard to retention policies, if you intend to further process personal data for the purposes of archiving,
scientific or historical research, or statistical purposes, you should ensure appropriate safeguards are in place so
that this processing does not impede the rights and freedoms of data subjects.
 In particular, these safeguards should ensure that technical and organisational measures are in place to ensure
respect for the principle of data minimisation.

A documented retention policy should offer guidance and provide a framework for employees to manage information across
its lifecycle so that your company complies with the laws and regulations pertaining to data management. A retention policy
should apply to both physical and digital formats.
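As an added illustration (not part of the DPC guidance above), the following Python script shows how a microenterprise could enforce a documented retention policy mechanically: each record carries the purpose it was collected for, each purpose has a documented retention period and an end-of-life action (delete, or render non-identifiable by stripping identifying fields), and a record whose purpose has no documented entry is treated as not retainable at all. The purposes, retention periods, field names and records are constructed sample values, not from the page.

```python
"""Retention-policy check for a small personal-data register.

Added example, not from the page: demonstrates the "delete or render
non-identifiable" step of a documented retention policy over an in-memory
register. All purposes, periods, field names and records are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Fields whose presence makes a record identifiable. Assumed to come from the
# organisation's own "know your data" review (constructed here).
IDENTIFYING_FIELDS = {"name", "email", "phone", "address", "customer_id"}


@dataclass(frozen=True)
class RetentionRule:
    retention_days: int   # how long after collection the purpose is deemed to last
    action: str           # "delete" or "anonymise" once the period has elapsed


# Constructed retention policy keyed by processing purpose.
POLICY = {
    "newsletter": RetentionRule(retention_days=365, action="delete"),
    "order_fulfilment": RetentionRule(retention_days=6 * 365, action="anonymise"),
}


@dataclass
class Record:
    purpose: str
    collected: date
    data: dict = field(default_factory=dict)


def anonymise(data: dict) -> dict:
    """Remove identifying fields outright; what remains is kept for statistics.

    Hashing the identifiers instead would only pseudonymise the record, which
    under the GDPR is still personal data, so the fields are dropped.
    """
    return {k: v for k, v in data.items() if k not in IDENTIFYING_FIELDS}


def apply_retention(records, policy, today):
    """Apply the policy as of `today`.

    Returns (kept, actions): the records that remain (anonymised where the
    policy says so) and a log of (action, purpose, reason) tuples.
    """
    kept, actions = [], []
    for rec in records:
        rule = policy.get(rec.purpose)
        if rule is None:
            # No documented purpose means no documented basis for holding it.
            actions.append(("delete", rec.purpose, "no documented purpose"))
            continue
        expiry = rec.collected + timedelta(days=rule.retention_days)
        if today < expiry:
            kept.append(rec)
            continue
        if rule.action == "anonymise":
            kept.append(Record(rec.purpose, rec.collected, anonymise(rec.data)))
            actions.append(("anonymise", rec.purpose, f"expired {expiry}"))
        else:
            actions.append(("delete", rec.purpose, f"expired {expiry}"))
    return kept, actions


# Constructed sample register.
SAMPLE_RECORDS = [
    Record("newsletter", date(2017, 1, 10), {"name": "A. Example", "email": "a@example.org"}),
    Record("newsletter", date(2018, 4, 1), {"name": "B. Example", "email": "b@example.org"}),
    Record("order_fulfilment", date(2011, 6, 1),
           {"customer_id": "C-1", "product": "widget", "amount": 25}),
    Record("legacy_export", date(2015, 1, 1), {"name": "C. Example"}),
]

if __name__ == "__main__":
    remaining, log = apply_retention(SAMPLE_RECORDS, POLICY, date(2018, 5, 25))
    for entry in log:
        print(entry)
    print(f"{len(remaining)} record(s) remain")
```

Run as of 25 May 2018, the script deletes the expired newsletter record and the record with no documented purpose, strips the identifiers from the old order while keeping the product and amount, and leaves the recent newsletter record untouched. The point of keeping the action log is that it doubles as the evidence of compliance the accountability principle asks for.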


 4. Utilising Data Processors
 Microenterprises, due to a lack of in-house expertise, may rely on third party data processors to process personal data on
their behalf, such as e-commerce websites, cloud services such as email or online data backup solutions. Microenterprises
should:

o Define the responsibilities of the data controller and data processor and ensure that processing is carried out on foot of a
written agreement detailing the appropriate technical security and organisational measures to be applied by the data
processor specifically in relation to the personal data processing operations.

o Obtain sufficient guarantees regarding the security measures applied by processors acting on their behalf and periodically
review to ensure that the terms of the written agreement are being adhered to.

 A practical way for a microenterprise to obtain sufficient guarantees and ensure compliance is to:

o Use a data processor that has vendor certification, appropriate IT qualifications and/or certification, or the appropriate
certification from a relevant certifying body such as the International Organization for Standardization or the Payment Card
Industry.

o Have formal project completion / change management sign-off procedures in place to ensure that appropriate security
measures are implemented and that changes/updates are performed.

o Have data processors provide regular reports on the management of the ICT systems, and follow up to ensure that work
is carried out.

o Review security measures periodically to ensure they are up to date; this is especially important when utilising cloud-
based environments (see the next Topic in the course).


 References
 [1] Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium sized
enterprises http://eur-lex.europa.eu/legal-content/EN/LSU/?uri=CELEX:32003H0361

[2] Data Security Guidance https://www.dataprotection.ie/docs/Data-security-guidance/1091.htm


[3] European Union Agency for Network and Information Security https://www.enisa.europa.eu/

[4] National Institute of Standards and Technology https://www.nist.gov/topics/information-technology

 Five Steps to Secure Cloud-based Environments


 Cloud-based environments offer many advantages to organisations. However, they also introduce a number of technical
security risks of which organisations should be aware, such as:


o Data breaches

o Hijacking of accounts

o Unauthorised access to personal data

 Organisations should determine and implement a documented policy and apply the appropriate technical security and
organisational measures to secure their Cloud-based environments. If organisations do not implement such controls, they
may increase their risk of a personal data breach [1].

Organisations should apply technical security and organisational security measures in a layered manner consisting of, but
not limited to:


o Access controls

o Firewalls

o Antivirus software

o Staff training

o Policy development

 A layered approach to Cloud-based security mitigates the risk of a single security measure failing which may result
in a personal data breach.

Many Cloud-based providers, such as Microsoft’s Office 365 and Google’s G Suite, provide advanced settings and solutions
which can assist organisations to appropriately secure their use of Cloud-based services. These providers, in most cases,
also offer best practice guidance to assist organisations in securing their Cloud-based environments.

 Additional information, advice, and best practice regarding security of Cloud-based environments is also provided
by agencies such as the European Union Agency for Network and Information Security (ENISA) [2].


 Five key ways organisations can secure their Cloud-based environments to mitigate their risk of a personal data
breach:


o Access control and authentication

o Review default security settings

o Seek assurances from your ICT service provider

o Clear policies and staff training

o Know your data and secure it

These will be outlined in more detail on the following pages.


 1. Access control and authentication

o Organisations should implement strong password policies [3] to ensure that users accessing personal data within Cloud-
based environments do so in a secure manner.

o Organisations should implement two-factor authentication. Two-factor authentication is an effective way to further enhance
Cloud-based security and is available from most Cloud-based providers.

o Organisations should be aware of and document user access privileges within their Cloud-based environments. User access
control is particularly important where group mailboxes or shared folders are utilised. Organisations should also document
each user’s specific access requirements and ensure that these are supported by an appropriate change control process.

o Security measures applied by an organisation must be supported by regular reviews of user access to ensure that all
authorised access to personal data is strictly necessary and justifiable for the performance of a specific function.

 2. Review default security settings
 Organisations should not rely on Cloud-based service providers’ default security settings. Organisations should
review the Cloud-based security features available from the Cloud-based service provider to ensure that they are
applied appropriately and in a layered manner. Examples of security settings and controls provided by Cloud-based
service providers often include:

o Centralised administration tools

o Mobile device management

o Multifactor authentication

o Login alerts

o Encryption during message send and receive

o Encryption of message content

o Account activity monitoring and alerts

o Data loss prevention

o Malware protection

o Spam and spoofing protection

o Phishing protection

 Organisations should also be aware that Cloud-based services might be publicly accessible and organisations
should review and implement the appropriate security settings to secure remote access.


 3. Seek assurances from your ICT service provider

o Organisations may utilise external ICT services providers to implement their Cloud-based environments. It
is vital during such engagements that organisations seek formal assurances from their ICT service provider
that the security controls which have been implemented meet an organisation’s specific security
requirements and protect the organisation’s personal data.

o Organisations should proactively engage and conduct regular security reviews with their ICT service
providers to ensure the security controls in place are up-to-date and are effective to protect the
organisation in an evolving threat landscape.


 4. Clear policies and staff training

o Organisations should ensure that staff receive appropriate training on social engineering attacks, phishing
attacks and security threat practices. Such training should be supported by refresher training/awareness
programmes to mitigate the risk posed by an evolving threat landscape.

o Organisations should have clear policies in place with respect to the usage and security of Cloud-Based
services, especially where these services are being accessed outside of the organisation corporate
network under Bring Your Own Device ("BYOD") policies.

o Organisations should have clear “employee leaver” and “succession” policies in place and these should be
applied to an organisation’s Cloud-based environment.

o Organisations should have a clear policy in place for data retention and conduct regular reviews to ensure
that personal data is not retained longer than necessary or where the original purpose for the use of the
personal data has ceased.
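The access-control review in step 1 and the leaver policy in step 4 above can be run as one periodic check. The Python example below is added here and is not from the page or from any cloud provider: it compares a constructed export of tenant accounts against the organisation’s documented access register and its leaver list, and flags leavers whose accounts are still enabled, accounts without two-factor authentication, access that has not been used recently, and granted access that is not documented. The 90-day staleness threshold, the register, the leaver list and the accounts are assumed sample values.

```python
"""Periodic user-access review for a cloud tenant.

Added example, not from the page: checks an account export against the
documented access register and the leaver list. All thresholds, users,
resources and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STALE_AFTER = timedelta(days=90)   # assumed review threshold, not from the page


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    mfa_enabled: bool
    last_login: Optional[date]     # None if the account has never signed in
    granted: frozenset             # resources the tenant currently grants


# Constructed "documented access requirements" register, keyed by user.
ACCESS_REGISTER = {
    "alice": frozenset({"mailbox:sales", "folder:contracts"}),
    "bob": frozenset({"mailbox:sales"}),
    "carol": frozenset({"folder:hr"}),
}

# Constructed leaver list from the HR leaver process.
LEAVERS = {"dave"}

# Constructed account export from the tenant's administration tooling.
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, date(2018, 5, 20), frozenset({"mailbox:sales", "folder:contracts"})),
    Account("bob", True, False, date(2018, 1, 2), frozenset({"mailbox:sales", "folder:hr"})),
    Account("carol", True, True, None, frozenset({"folder:hr"})),
    Account("dave", True, True, date(2018, 5, 1), frozenset({"mailbox:sales"})),
]


def review_access(accounts, register, leavers, today):
    """Return a list of (user, finding, recommended action) tuples."""
    findings = []
    for acct in accounts:
        if acct.user in leavers and acct.enabled:
            findings.append((acct.user, "leaver-still-enabled",
                             "disable the account and revoke all access"))
        if acct.enabled and not acct.mfa_enabled:
            findings.append((acct.user, "no-mfa",
                             "enforce two-factor authentication"))
        stale = acct.last_login is None or today - acct.last_login > STALE_AFTER
        if acct.enabled and stale:
            findings.append((acct.user, "stale-access",
                             "confirm the access is still necessary or remove it"))
        # Anything granted that the register does not document needs a change
        # record or removal; this is the "strictly necessary" test from step 1.
        undocumented = acct.granted - register.get(acct.user, frozenset())
        if undocumented:
            findings.append((acct.user, "undocumented-access",
                             "not in register: " + ", ".join(sorted(undocumented))))
    return findings


def findings_for(findings, user):
    """Finding names raised for one user, in review order."""
    return [kind for who, kind, _ in findings if who == user]


if __name__ == "__main__":
    for item in review_access(SAMPLE_ACCOUNTS, ACCESS_REGISTER, LEAVERS, date(2018, 5, 25)):
        print(item)
```

Reviewed as of 25 May 2018, the clean account (alice) produces nothing, while the others surface exactly the conditions the guidance asks organisations to look for: a leaver still enabled and holding undocumented access, an account without two-factor authentication that also has stale and undocumented access, and a never-used account. Feeding the findings into the change control process closes the loop the guidance describes.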


 5. Know your data and secure it

o Organisations should understand and monitor the types of data that are stored in their Cloud-based
environments. Knowing the types of data stored in the Cloud enables an organisation to ensure the
appropriate security and access controls are applied to protect the data.

o Organisations should utilise data classification methods to identify the data which they store and process
within Cloud-based environments. The process of data classification enables an organisation to categorise
their stored data in order to determine the appropriate security controls.

 Organisations should carefully evaluate Cloud-based vendors based on the security features they offer and how
they meet the organisation’s specific requirements.

Who has access to your data, how it is secured, how often it is backed up and whether the Cloud-based environment aligns
with your organisational policies are all vital questions to ask of your Cloud-based service provider and of the ICT
service provider charged with implementing your environment.

Applying the appropriate security measures is not a one-off “set and forget” exercise. Cloud-based security settings should
be reviewed on a regular basis to ensure that they are still appropriate and up-to-date.


 References
 [1] Personal Data Security Breach Code of Practice
https://www.dataprotection.ie/docs/Data_Security_Breach_Code_of_Practice/1082.htm

[2] European Union Agency for Network and Information Security (ENISA) https://www.enisa.europa.eu/ and the US-based
National Institute of Standards and Technology (NIST) https://www.nist.gov/topics/information-technology

[3] Data Security Guidance https://www.dataprotection.ie/docs/Data-security-guidance/1091.htm

 Introduction to the GDPR for the Private Individual


 Data protection is a fundamental right set out in Article 8 of the EU Charter of Fundamental Rights:

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned
or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected
concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.


 The key principles under the GDPR are:

o Lawfulness, fairness and transparency

o Purpose limitation

o Data minimisation

o Accuracy

o Storage limitation

o Integrity and confidentiality

o Accountability

 The information in this course is intended to guide you through your rights, as a data subject, under the GDPR.


 What rights do you have?

o The right to be informed (Articles 13 & 14 of the GDPR)

o The right to access information (Article 15 of the GDPR)

o The right to rectification (Articles 16 & 19 of the GDPR)

o The right to erasure (Articles 17 & 19 of the GDPR)

o The right to data portability (Article 20 of the GDPR)

o The right to object to processing of personal data (Article 21 of the GDPR)

o The right of restriction (Article 18 of the GDPR)

o Your rights in relation to automated decision making, including profiling (Article 22 of the GDPR)

 These eight rights for the private individual are covered in the following pages.


 1. The right to be informed (Articles 13 & 14)

Where the personal data is collected from you, the data controller must provide you with the following information:

1. Identity and contact details of the data controller (and, where applicable, the controller’s representative).

2. Contact details of the Data Protection Officer (the person with responsibility for data protection matters within the
organisation).

3. Purpose(s) of the processing and the lawful basis for the processing.

4. Where processing is based on the legitimate interests of the controller or a third party, the legitimate interests of the
controller.

5. Any other recipient(s) of the personal data.

6. Where applicable, details of any intended transfers to a third country (non-EU member state) or international organisation
and details of adequacy decisions and safeguards.

7. The retention period (how long an organisation holds onto data) or, if that is not possible, the criteria used to determine the
retention period.

8. The existence of the following rights, and the right to request these from the data controller:

- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object

9. Where processing is based on consent, the right to withdraw consent at any time, without affecting the lawfulness of
processing based on consent before its withdrawal.

10. The right to lodge a complaint with a supervisory authority.

11. Whether the provision of personal data is a statutory or contractual requirement, or necessary to enter into a contract,
whether you are obliged to provide the personal data, and the possible consequences of failing to provide it.

12. The existence of any automated decision-making processes that will be applied to the data, including profiling, and
meaningful information about how decisions are made, and the significance and consequences of the processing.


 When should this information be provided to you?
 - At the time your personal data is collected from you.

 How will this information be provided to you?
 - Clear guidance on this process can be found in the section 'Matters which apply to all the rights detailed above' later in this
topic.


 What happens when the data controller intends to process your personal data for a purpose other than that for
which it was originally collected?
 Where the controller intends to process your personal data for another purpose (other than the purpose for which the data
was originally collected):

- The controller must provide you, prior to that other processing, with any further relevant information as per Personal Data 1
- 12 above.


 Are there any circumstances in which these requirements will not apply?
 The above requirements will not apply:

- Where you already have the above information.


 Where the personal data has not been obtained from you, the data controller must provide you with:

1. The information in Personal Data 1 - 10 & 12 above;

2. Information on the types of personal data they hold about you;

3. Information on how they obtained the personal data and whether it came from publicly accessible sources.


 When should this information be provided to you?
 - Within a reasonable period of having obtained the data and, at the latest, within one month;

- If the data is used to communicate with you, at the latest, when the first communication takes place;

- If it is expected that your personal data will be disclosed to another recipient, when your personal data is first disclosed.

 How will this information be provided to you?
 - Clear guidance on this process can be found in the section 'Matters which apply to all the rights detailed above' later in this
topic.


 What happens when the data controller intends to process your personal data for a purpose other than that
for which it was originally collected?
 Where the controller intends to process your personal data for another purpose (other than the purpose for which the data
was originally collected):

- The controller must provide you, prior to that other processing, with any further relevant information.


 Are there any circumstances in which these requirements will not apply?
 The above requirements will not apply:

- Where you already have the above information;

- Where the provision of such information is impossible or would involve a disproportionate effort;

- Where obtaining or disclosing the information is a legal obligation; and

- Where the personal data must remain confidential due to an obligation of professional secrecy regulated by law.

This right will typically be fulfilled through a ‘Privacy Notice’.


 2. The right to access information (Article 15)

You have the right to obtain the following from the data controller:


1. Confirmation of whether or not personal data concerning you is being processed;

2. Where personal data concerning you is being processed, a copy of your personal information;

3. Where personal data concerning you is being processed, the following additional information:

o Purpose(s) of the processing.

o Categories of personal data.

o Any recipient(s) of the personal data to whom the personal data has been or will be disclosed, in particular recipients in third
countries or international organisations, and information about appropriate safeguards.

o The retention period or, if that is not possible, the criteria used to determine the retention period.

o The existence of the following rights, and the right to request these from the controller:

i. Right to rectification
ii. Right to erasure
iii. Right to restrict processing
iv. Right to object

o The right to lodge a complaint with a supervisory authority (see list of European Union Data Protection Authorities in the
Resources section of this course).

o Where personal data is not collected from the data subject, any available information as to its source.

o The existence of automated decision making, including profiling, and meaningful information about how decisions are made,
and the significance and consequences of the processing.


 Can the data controller charge a fee to provide a copy of the information?
 No, the data controller must provide a copy of the information:

- For free;

- However, if any further copies are requested by the data subject, the controller may charge a reasonable fee.


 What happens if you make the access request by electronic means?
 - The information must be provided in electronic form, unless otherwise requested by you.


 3. The right to rectification (Articles 16 & 19)

If your personal data is inaccurate, you have the right to have the data rectified, by the controller, without undue delay.
If your personal data is incomplete, you have the right to have data completed, including by means of providing
supplementary information.


 4. The right to erasure (Articles 17 & 19)

This is also known as the ‘right to be forgotten’.

You have the right to have your data erased, without undue delay, by the data controller, if one of the following grounds
applies:


1. Where your personal data is no longer necessary in relation to the purpose for which it was collected or processed;

2. Where you withdraw your consent to the processing and there is no other lawful basis for processing the data;

3. Where you object to the processing and there are no overriding legitimate grounds for continuing the processing (see
point 6 below);

4. Where you object to the processing and your personal data is being processed for direct marketing purposes (see
point 6 below);

5. Where your personal data has been unlawfully processed;

6. Where your personal data has to be erased in order to comply with a legal obligation;

7. Where your personal data has been collected in relation to the offer of information society services to a child.


 What happens when the data controller has made your personal data public and is obliged to erase the data?
 Where the data controller has made your personal data public and, on the basis of one of the above grounds, is
obliged to erase the data:

- The data controller must communicate any rectification or erasure of your personal data to each recipient to whom the
personal data have been disclosed, unless this is impossible or involves disproportionate effort.

- If you request information on recipients of your personal data, the data controller must inform you about the recipients.

- The data controller shall take reasonable steps to inform other controllers, who are processing your personal data, that you
have requested the erasure by them of any links to or copies of your data.
Reasonable steps means taking account of available technology and the cost of implementation including technical
measures.


 Are there circumstances in which the right to be forgotten will not apply?
 Yes, the right to be forgotten will not apply where processing is necessary for:

- Exercising the right of freedom of expression and information;

- Compliance with a legal obligation, the performance of a task carried out in the public interest or in the exercise of official
authority;

- Reasons of public interest in the area of public health (See Article 9(2)(h) & (i) and Article 9(3), GDPR);

- Archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;

- Establishment, exercise or defence of legal claims.


 5. The right to data portability (Article 20)

In some circumstances, you may be entitled to obtain your personal data from a data controller in a format that makes it
easier to reuse your information in another context, and to transmit this data to another data controller of your choosing
without hindrance. This is referred to as the right to data portability.


 When does the right to data portability arise?
 This right only applies where processing of personal data (supplied by the data subject) is carried out by automated means,
and where you have either consented to processing, or where processing is conducted on the basis of a contract between
you and the data controller.

This right only applies to the extent that it does not affect the rights and freedoms of others.


 When this right applies, how must data controllers provide and transmit data?
 Where this right applies, data controllers must provide and transmit personal data in a structured, commonly used and
machine readable form. Data is structured and machine readable if it can easily be processed by a computer.

Under this right, you can ask a data controller to transmit your data to another data controller, if such transmission is
technically feasible.


 6. The right to object to processing of personal data (Article 21)


 When do you have a right to object?
 You have the right to object to certain types of processing of your personal data where this processing is carried out in
connection with tasks in the public interest, or under official authority, or in the legitimate interests of others.

You have a stronger right to object to processing of your personal data where the processing relates to direct marketing.
Where a data controller is using your personal data for the purpose of marketing something directly to you, or profiling you
for direct marketing purposes, you can object at any time, and the data controller must stop processing as soon as they
receive your objection.

You may also object to processing of your personal data for research purposes, unless the processing is necessary for the
performance of a task carried out in the public interest.


 How do you object to processing?
 In order to object to processing, you must contact the data controller and state the grounds for your objection. These
grounds must relate to your particular situation. Where you have made a valid objection, the data controller must cease
processing your personal data, unless the data controller can provide compelling legitimate reasons to continue processing
your data. Data controllers can also lawfully continue to process your personal data if it is necessary for certain types of legal
claims.


 What obligations do data controllers have in relation to this right?
 Where the right to object applies, data controllers are obliged to notify you of this at the time of their first communication with
you. Where processing is carried out online, data controllers must offer an online method to object.

 7. The right of restriction (Article 18)

You have a limited right of restriction of processing of your personal data by a data controller. Where processing of your data
is restricted, it can be stored by the data controller, but most other processing actions, such as deletion, will require your
permission.


 How does this right apply?
 This right applies in four ways.

The first two types of restriction of processing apply where you have objected to processing of your data under Article 21,
or where you have contested the accuracy of your data. In these cases, the restriction applies until the data controller has
determined the accuracy of the data, or the outcome of your objection.

The third situation in which you can request restriction relates to processing which is unlawful. In these cases, if you do not
want the data controller to delete your information, you can request restriction of the personal data instead.

The fourth type of restriction of processing applies where you require data for the purpose of a legal claim. In this case,
you can request restriction even where the data controller no longer needs the data.


 When you have obtained restriction of processing, what obligations does the data controller have?
 Where you have obtained restriction of processing of your data, the data controller must inform you before lifting the
restriction.


 8. Your rights in relation to automated decision making, including profiling (Article 22)

You have the right not to be subject to a decision based solely on automated processing. Processing is “automated”
where it is carried out without human intervention and where it produces legal effects or similarly significantly affects you.
Note: Automated processing includes profiling.


 In respect of personal data, when is automated processing permitted?
 Automated processing is permitted only with your express consent, when necessary for the performance of a
contract or when authorised by Union or Member State law. Where one of these exceptions applies, suitable
measures must be in place to safeguard your rights, freedoms and legitimate interests. This may include the right to
obtain human intervention on the controller’s part, the right to present your point of view and the right to challenge
the decision.


 In respect of special category personal data (‘sensitive’), when is automated processing permitted?
 Where automated processing relates to the special categories of personal data (outlined in the glossary above),
processing is only lawful where you have given your express consent to the processing, or where it is necessary for
reasons of substantial public interest.

 Matters which apply to all the rights detailed above (Article 12)

 Restrictions on exercising rights:

The GDPR (Article 23) allows all of the rights detailed as follows to be restricted by national law in certain
circumstances, for example the prevention and detection of crime:


o The right to be informed;

o The right of access;

o The right to rectification;

o The right to erasure;

o The right to restrict processing;

o The right to data portability;

o The right to object;

o Rights in relation to automated decision making and profiling.


 How will the information be provided?
 When you exercise your rights under the General Data Protection Regulation, the information provided to you must
be:

- Provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, particularly for
any information addressed to a child.

- The information must be provided in writing, or by other means, including, where appropriate, by electronic means.

- Where the data subject makes the request by electronic means, where possible, the information must be provided by
electronic means, unless otherwise requested by you.

- When requested by you, the information may be provided orally, provided that your identity is proven by other means.

- Except in the cases where your rights are restricted, a data controller cannot refuse to act on your request to exercise your
rights unless the controller demonstrates that it is not in a position to identify you.

- Where a data controller has reasonable doubts about your identity, the data controller may request the provision of
additional information necessary to confirm your identity. This is only applicable in respect of the rights of access,
rectification, erasure, restriction of processing, data portability and objection, and the rights in relation to automated
decision making and profiling.


 What are the time frames for dealing with requests to exercise my rights?
 When a request to exercise your rights is made, a data controller must:

- Provide information on action taken without undue delay;

- In any event, within 1 month of receipt of the request;

- The 1 month period may be extended by 2 further months, where necessary, taking into account the complexity and
number of requests.


o In this case, the data controller shall inform you of any extension within 1 month of receipt of the request and the reasons for
the delay.
 - If the controller does not take action on foot of your request, the data controller must inform you without delay and, at the
latest, within 1 month of receipt of your request, of:

o The reasons for not taking action;

o The possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.


 What are the monetary charges?
 Your requests will be dealt with free of charge.

Where requests from a data subject are considered ‘manifestly unfounded or excessive’, for example where an individual
continues to make unnecessary repeat requests or the problems associated with identifying one individual from a collection
of data are too great, the data controller may:


o Charge a reasonable fee, taking into account the administrative costs of providing the information/ taking
the action requested; or

o Refuse to act on your request.

 In cases where this is used as a reason to refuse an access request or to charge a fee, it is up to the organisation to
prove why they believe the request is manifestly unfounded or excessive.

 Making a complaint to the Data Protection Commission
 Under Article 77 of the GDPR, you have the right to lodge a complaint with the Data Protection Commission if you
consider that processing of your personal data is contrary to the GDPR.

Under Article 78 of the GDPR, you have a right to an effective judicial remedy where the Data Protection Commission does
not handle your complaint, or does not inform you within three months on the progress or outcome of your complaint.

Under Article 80, you may authorise certain third parties to make a complaint on your behalf.


See the Resources section of this course for a list of the data protection authorities in individual European Union
countries.

 Key Steps to Ensure Compliance with the GDPR



 The following are 10 key steps that will ensure your business or organisation will be compliant with the new regulations in
the GDPR.


1. Identify what personal data you hold (this can be achieved by setting out the information listed in Article 30 of the GDPR or,
for smaller companies, a tailored process such as the accompanying template that identifies details of personal data held).

2. Conduct a risk assessment of the personal data you hold and your data processing activities (Article 24, Recital 75).

3. Implement appropriate technical and organisational measures to ensure data (on digital and paper files) is stored securely.
The security measures your business should put in place will depend on the type of personal data you hold and the risk to
your customers and employees should your security measures be compromised (Article 32).

4. Know the legal basis you rely on (consent? contract? legitimate interest? legal obligation?) to justify your processing of
personal data (Articles 6 to 8).

5. Ensure that you are only collecting the minimum amount of personal data necessary to conduct your business, that the
data is accurate and kept no longer than is needed for the purpose for which it was collected (Article 5).

6. Be transparent with your customers about the reasons for collecting their personal data, the specific uses it will be put to,
and how long you need to keep their data on file (e.g. notices on your website or signs at points of sale) (Articles 12, 13
and 14).

7. Establish whether or not the personal data you process falls within the special categories (sensitive) of personal data
and, if it does, know what additional precautions you need to take (Article 9).

8. Decide whether you will need to retain the services of a Data Protection Officer (DPO) (Article 37).

9. Be able to facilitate requests from service users wishing to exercise their rights under the GDPR, including the rights of
access, rectification, erasure, withdrawal of consent, data portability and the right to object to automated processing
(Articles 12 to 22).

10. Where appropriate, have up-to-date policy/procedure documents that detail how your organisation is meeting its data
protection obligations.

 A Risk-based Approach to Being GDPR Compliant


 When your organisation collects, stores or uses (i.e. processes) personal data, the individuals whose data you are
processing may be exposed to risks. It is important that organisations which process personal data take steps to ensure that
the data is handled legally, securely, efficiently and effectively in order to deliver the best possible care.
 The risk-profile of the personal data your organisation processes should be determined according to the personal data
processing operations carried out, the complexity and scale of data processing, the sensitivity of the data processed and the
protection required for the data being processed.


 For example, where a data processing activity is particularly complex, or where a large volume of sensitive data is involved
(e.g. an internet, health, financial or insurance company), this would attract a higher risk rating than routine personal data that
relates solely to employee or customer account details.
 When looking at the risk profile of the personal data your organisation processes, it is useful to look at the tangible
harms to individuals that your organisation needs to safeguard against. These are detailed in Recital 75 of the
GDPR and include processing that could give rise to:


o discrimination

o identity theft or fraud

o financial loss

o damage to reputation

o loss of confidentiality of personal data protected by professional secrecy

o unauthorised reversal of pseudonymisation

o any other significant economic or social disadvantage

 Conducting a risk-assessment will improve awareness in your organisation of the potential future data protection
issues associated with a project. This will in turn help to improve the design of your project and enhance your
communication about data privacy risks with relevant stakeholders.
 The GDPR provides for two crucial concepts for future project planning:

Data Protection by Design and Data Protection by Default.

Previously recommended only as good practice, both of these principles are now enshrined in law under the GDPR (Article 25).


 Data Protection by Design means embedding data privacy features and data privacy enhancing technologies
directly into the design of projects at an early stage. This will help to ensure better and more cost-effective
protection for individual data privacy.


 Data Protection by Default means that the user service settings (e.g. no automatic opt-ins on customer account
pages) must be automatically data protection friendly, and that only data which is necessary for each specific
purpose of the processing should be gathered at all.
 Under the GDPR, a Data Protection Impact Assessment (DPIA) will be a mandatory pre-processing requirement
where the envisaged project/initiative/service involves data processing which “is likely to result in a high risk to the
rights and freedoms of natural persons.”

This is particularly relevant when a new data processing technology is being introduced in your organisation. In cases where
it is not clear whether a DPIA is strictly mandatory, carrying out a DPIA is still best practice and a very useful tool to help
data controllers demonstrate their compliance with data protection law. DPIAs are scalable and can take different forms, but
the GDPR sets out the basic requirement of an effective DPIA.


 Maintaining a data protection risk register can allow you to identify and mitigate data protection risks, as well
as demonstrate compliance in the event of a regulatory investigation or audit.


 GDPR Readiness Checklist Tools
 These checklists are available for you to download from the Resources section of this course. You can edit
them according to your own organisation’s information.

The grid in the resource document will assist organisations in mapping the personal data that they currently hold and
process, the lawful basis on which the data was collected, and the retention period for each category of data. Carrying out
this exercise will help identify where immediate remedial actions are required in order to be compliant with the GDPR.
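One way to put the mapping grid and the risk profile described above into a small, checkable form is a data inventory that records, for each category of personal data, its lawful basis and retention period, rates its risk by sensitivity and scale, and flags where a DPIA is needed or data is held past retention. This is an added example, not the course's own template: the lawful bases and the Article 9 examples come from the text, while the field names, the "large scale" threshold and the sample records are assumptions.

```python
"""Personal-data inventory and risk register (added example, not course material)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Lawful bases named in Step 4 of the course (Articles 6 to 8).
LAWFUL_BASES = {"consent", "contract", "legitimate interest", "legal obligation"}
# A few of the Article 9 special categories (examples; Article 9 lists more).
SPECIAL_CATEGORIES = {"health", "genetic", "biometric"}
# Assumed threshold for "large scale": the GDPR gives no fixed number.
LARGE_SCALE_RECORDS = 10_000


@dataclass
class DataAsset:
    """One row of the mapping grid (field names are assumptions)."""
    category: str        # e.g. "customer account details"
    data_type: str       # e.g. "contact" or an Article 9 category such as "health"
    lawful_basis: str    # one of LAWFUL_BASES, or "" if nobody knows
    collected_on: date   # earliest collection date for this category
    retention_days: int  # stated retention period
    record_count: int    # number of individuals covered


def risk_rating(asset: DataAsset) -> str:
    """Rate risk the way the course describes: sensitivity and scale raise it."""
    sensitive = asset.data_type in SPECIAL_CATEGORIES
    large = asset.record_count >= LARGE_SCALE_RECORDS
    if sensitive and large:
        return "high"
    if sensitive or large:
        return "medium"
    return "low"


def needs_dpia(asset: DataAsset) -> bool:
    """A DPIA is mandatory where processing is likely to result in a high risk."""
    return risk_rating(asset) == "high"


def findings(asset: DataAsset, today: date) -> list:
    """Remedial actions the grid exercise is meant to surface for one asset."""
    issues = []
    if asset.lawful_basis not in LAWFUL_BASES:
        issues.append("no recognised lawful basis (Step 4)")
    if today > asset.collected_on + timedelta(days=asset.retention_days):
        issues.append("held beyond retention period (Step 5, Article 5)")
    if needs_dpia(asset):
        issues.append("DPIA required before processing")
    return issues


def build_register(assets: list, today: date) -> list:
    """Produce the risk register: one entry per grid row with rating and findings."""
    return [{"category": a.category, "risk": risk_rating(a), "findings": findings(a, today)}
            for a in assets]


# Constructed sample rows; not real data.
SAMPLE_ASSETS = [
    DataAsset("customer account details", "contact", "contract", date(2017, 1, 1), 3650, 500),
    DataAsset("patient records", "health", "consent", date(2018, 1, 1), 1825, 50_000),
    DataAsset("old marketing list", "contact", "", date(2015, 1, 1), 730, 2_000),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ASSETS, date(2018, 5, 25)):
        print(row)
```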

The following pages in the resource document will take organisations through more detailed questions in the areas of:


o Personal data

o Data subject rights

o Accuracy and retention

o Transparency requirements


o Other data controller obligations

o Data security

o Data breaches

o International data transfers

 General Data Protection Regulation - Lesson Summary


The General Data Protection Regulation (GDPR) from 25th May 2018 will replace current data protection laws in the
European Union.
The new law will give individuals greater control over their data by setting out additional and more clearly defined rights for
individuals whose personal data is collected and processed by organisations. The GDPR also imposes corresponding and
greatly increased obligations on organisations that collect this data.

The GDPR is based on the core principles of data protection which exist under the current law. These principles require
organisations and businesses to:


o Collect no more data than is necessary from an individual for the purpose for which it will be used;

o Obtain personal data fairly from the individual by giving them notice of the collection and its specific purpose;

o Retain the data for no longer than is necessary for that specified purpose;

o Keep data safe and secure;

o Provide an individual with a copy of his or her personal data if they request it.

 The following are areas that all organisations should cover to prepare effectively for the GDPR.

o Becoming Aware

o Becoming Accountable

o Communicating with Staff and Service Users

o Personal Privacy Rights

o How will Access Requests change?

o What we mean when we talk about a ‘Legal Basis’

o Using Customer Consent as grounds to process data

o Processing Children's Data

o Reporting Data Breaches

o Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default

o Data Protection Officers

o International Organisations and the GDPR

 The Data Protection Officer (DPO) role is an important GDPR innovation and a cornerstone of the GDPR’s
accountability-based compliance framework. In addition to supporting an organisation’s compliance with the GDPR,
DPOs will have an essential role in acting as intermediaries between relevant stakeholders (e.g. supervisory
authorities, data subjects, and business units within an organisation).

Who needs a DPO?


o All public authorities and bodies, including government departments.

o Where the core activities of the organisation (controller or processor) consist of data processing operations
which require regular and systematic monitoring of individuals on a large scale.

o Where the core activities of the organisation consist of processing special categories of data (i.e. health data) or
personal data relating to criminal convictions or offences.

 Four key ways to assist microenterprises in securing their Information and Communications Technology (ICT) systems
under the GDPR:

1. Know your data

2. Determine the Appropriate Level of ICT Security

3. Data Collection and Retention Policies

4. Utilising Data Processors

Cloud-based environments offer many advantages to organisations. However, they also introduce a number of technical
security risks which organisations should be aware of such as:


o Data breaches

o Hijacking of accounts

o Unauthorised access to personal data

 Five key ways organisations can secure their Cloud-based environments to mitigate their risk of a personal data
breach:

o Access control and authentication

o Review default security settings

o Seek assurances from your ICT service provider

o Clear Policies and staff training

o Know your data and secure it

 The GDPR gives private individuals the following rights for their personal data:

o The right to be informed (Article 13 & 14 of the GDPR)

o The right to access information (Article 15 of the GDPR)

o The right to rectification (Articles 16 & 19 of the GDPR)

o The right to erasure (Articles 17 & 19 of the GDPR)

o The right to data portability (Article 20 of the GDPR)

o The right to object to processing of personal data (Article 21 of the GDPR)

o The right of restriction (Article 18 of the GDPR)


o Your rights in relation to automated decision making, including profiling (Article 22 of the GDPR)
