
GDPR Post Brexit

A lot has been said and written on GDPR. Just as we are beginning to grasp that ICT cannot operate without GDPR, largely because of the bombardment of ‘consent’ emails, along comes Brexit and the uncertainty it brings for GDPR, which is an EU regulation. People and businesses are asking, ‘’what will GDPR be like post Brexit?’’ Fortunately, many articles have been written and discussions are under way from different perspectives. GDPR post Brexit is not a case of ‘’how to manage your expectations during the first few days, weeks and months of dating’’; rather it is a matter of looking forward, gathering information and knowing the suggested options, especially for companies dealing in B2C, or even B2B, in case data management dealings do not go according to plan.

Before going further, here is a brief recap on GDPR for those who need it. The European Union adopted the GDPR (2016) as an EU law on data protection to provide privacy for all individuals in the EU and the EEA. The regulation, which became enforceable in May 2018, has two main priorities: to give individuals control over their personal data, and to simplify the regulatory environment for international businesses by unifying the regulation within the EU. GDPR also addresses the export of personal data outside the EU and EEA. With Brexit in sight, this is where the GDPR post Brexit questions arise: with the UK about to become a third country, will Britain abide by GDPR? What guarantees are there in terms of data privacy, whether for B2C or B2B? People and businesses alike are researching the topic and informing those who are anxious.

Looking for Answers

Questions and answers have been suggested, and with the volume of publications on the topic we are being bombarded again. My opinion is that to answer GDPR questions from whatever perspective, we must go to the heart of GDPR: the principles, the core conditions that govern the regulation (GDPR 2016/679), and especially the 7th, “Accountability”.

The ICO lists the GDPR principles as:

  1. Lawfulness, fairness and transparency,
  2. Purpose limitation,
  3. Data minimisation,
  4. Accuracy,
  5. Storage limitation,
  6. Integrity and confidentiality (security),
  7. Accountability.

Monique Magalhaes of Techgenix wrote in January 2018 that ‘’organisations need to follow these principles when collecting, processing and managing European citizens’ personal information regardless of whether the business is in the EU or elsewhere in the world.’’ I believe this explanation applies to Britain once it becomes a third country.

According to another website, tripwire.com, there is a common misapprehension, which may be wishful thinking for some British businesses that do not want the hassle of achieving GDPR compliance, that UK businesses might not need to comply with GDPR post Brexit because it is an EU regulation. The fact is that the UK has already adopted all the rules of the GDPR into the Data Protection Act 2018, which means that UK businesses will have to continue complying with the GDPR after Brexit, and those that deal with EU citizens have to comply with GDPR directly.

It is important for UK businesses to remember that compliance with the key principles is a paramount building block of good data protection practice. Failure to comply with the principles may lead to substantial fines. Article 83(5)(a) states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines. This means a fine of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.

Brian Honan of independent.ie writes that GDPR and Brexit will potentially bring many challenges to organisations over the coming years, but proper planning and keeping abreast of how the talks regarding data protection post-Brexit progress will help keep on top of those challenges. This suggests that businesses and everyone concerned need to keep their eyes open, for the future is unclear.

For more information visit the pages referred to below:

https://www.dataprotection.ie/

https://www.independent.ie/business/data-sec/gdpr-will-the-uk-still-be-a-safe-place-for-your-data-postbrexit-36741468.html


100 DAYS TO GDPR

The General Data Protection Regulation aims to strengthen the protection of personal data. The current data legislation dates back to 1995 with the Data Protection Directive, which lacks harmony across member states and has not evolved to deal with current uses of data, e.g. marketing. The principles remain the same, but the new regulation is meant to update standards to fit today’s technology, which has changed dramatically since 1995. Today there are 3 billion internet users compared to 16 million 20 years ago, with the rise of social networks. The GDPR affects all businesses operating within the EU: EU companies that process personal data, non-EU companies who offer goods or services to individuals in the EU, and non-EU companies who monitor individuals’ behaviour that takes place in the EU. It comes into effect on May 25th 2018, and we have to make these changes now to ensure that we are compliant.

MAIN CHANGES:

  • CONSENT: Permission and consent are required to send marketing information. The consent must be unambiguous, informed and freely given. Prior to giving consent, data subjects (the individuals whom particular personal data is about) must be informed of the right to withdraw consent at any time, and it must be easy for them to do so. For children under 16, a parent or guardian must give approval.
  • RIGHTS FOR DATA SUBJECTS: Right to be informed, right to access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, and rights in relation to automated decision making.
  • DATA BREACHES: for example the destruction, loss, alteration, unauthorised disclosure of or access to personal data, including through human error. There is a new mandatory obligation to notify data breaches to the regulator as soon as possible and not later than 72 hours; if notification is not made within 72 hours, a reasoned justification is needed.
  • ADMINISTRATIVE FINES AND COMPENSATION: Under the GDPR, data subjects will have a right to sue and recover material or non-material damages, e.g. loss of personal data, damage to reputation, loss of confidentiality. The current maximum fines are €3000, but GDPR fines are up to €20 million or 4% of turnover.
  • INCREASED TERRITORIAL SCOPE: The regulation applies to all companies processing the data of EU data subjects, regardless of the company’s location.
  • PRIVACY BY DESIGN: Data protection has to be included in the initial system design rather than added later.

KEY ACTIONS TO BE TAKEN

1/ AUDIT:

  • You are required to document what personal data you hold, where it came from and who you share it with.
  • It is recommended to conduct an information audit across the organisation or within particular business areas which need to be GDPR compliant.

2/ IDENTIFICATION:

  • You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
  • You should identify the lawful basis for your processing activity under the GDPR, document it and update your notices.

3/ UPDATE DATA PROTECTION POLICY:

  • You should update your procedure for dealing with subject access requests so that they are handled within the new timescales.
  • You should review how to seek, record and manage consent and whether you need to make any changes.
  • You should also put a system in place to verify individuals’ age and to obtain parental or guardian consent for any data processing activity.
  • Finally you should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

4/ UPDATE PRIVACY NOTICES:

  • After updating the data protection policy, it is important to review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  • They have to be concise and in an easy-to-read format with limited legalese.
  • They must include: the identity and contact details of the controller and the Data Protection Officer; the purposes and legal basis for the processing; the recipients of the personal data; retention periods; details of the right to access personal data and to have it rectified or deleted; the right to withdraw consent; …

5/ UPDATE CONTRACTS WITH PROCESSORS AND CONTROLLERS: the contracts must set out:

  • The subject matter and duration of the processing
  • The nature and purpose of the processing
  • The type of personal data and categories of data subject
  • The obligations and rights of the controller

6/ CONSIDER APPOINTING A DPO:

You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure. A Data Protection Officer can be outsourced to assist you in managing your organisation on its journey to becoming GDPR compliant. If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority.

7/ TRAINING:

  • You should ensure that everybody (especially decision makers and key people) is aware that the law is changing to the GDPR, so they can start identifying areas that could cause compliance issues.
  • You then have to train relevant staff and teach them how GDPR affects their role.

WHAT PROCUREMENT TEAMS SHOULD DO

Map the flow of personal data through supply chains. Identify recipients of personal data, including sub-processors. Note where and how the personal data is processed.

Identify existing supplier contracts that involve the processing of personal data and review the data protection provisions.

Consider the organisation’s approach to risk in existing and new contracts in relation to GDPR compliance. The financial risks posed by the regulation may change the risk profile of data processing contracts and of data security breaches, necessitating a different approach.

Carry out adequate due diligence on new suppliers to check their GDPR compliance, obtain guarantees regarding the measures that suppliers have in place and ensure there are rights of audit within the contract together with the other mandated data processing provisions.

Check whether existing insurance policies will cover data protection and security breaches including breaches by suppliers.

Check internal systems to ensure that processes are in place to enable the organisation to satisfy the 72-hour breach notification requirement.

USEFUL GDPR LINKS

For more information: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ or https://gdprandyou.ie/organisations

Are you ready for GDPR? Make sure you have not forgotten anything by working through this MCQ.

You can also consult the Irish Data Protection Authority website.

Pixalert can help you by providing software which locates all credit card data and other critical data on your network, helping you to become GDPR compliant.

To help you get started and understand what GDPR means for your business, ISME Skillnet has designed GDPR preparation training sessions, called GDPR Essentials for SMEs, aimed specifically at SMEs and business owners.

The first session in this series on Thursday, 15th February in the Clayton Hotel, Liffey Valley, Dublin is already booked out.

Additional sessions will take place in:

The Dun Library, Royal College of Physicians, 6 Kildare Street, Dublin on Wednesday 21st February

Clayton Hotel, Silver Springs, Tivoli, Cork on Tuesday, 6th March

Limerick Strand Hotel, Ennis Road, Limerick on Wednesday 7th March

BOOK YOUR PLACE NOW