GDPR-COMPLIANCE.IE

TEL: +353 1 2960 560

KEY POINTS

Penalties (Administrative & Civil)

  • Administrative sanctions for non-compliance with GDPR
  • Individual data subjects have the right to institute legal action against organisations

Explicit Consent & Transparency

  • Terms of consent must be clearly understood at point of collection*
  • Freely given, specific, informed and unambiguous
  • Consent must be as easy to withdraw as it is to give it
  • Fair and transparent processing
  • Individual profiling

* GDPR sets out standard contractual clauses

International Effect

  • GDPR applies to organisations processing data within the EU, irrespective of whether those organisations are based in the EU

Rights of Individuals (Data Subject)

  • Right of Access
  • Right to be Forgotten
  • Right to Notify a Breach
  • Right to Lodge a Complaint
  • Right to Data Portability / Data Access requests

System Design & Data Security

  • Data Minimisation
  • Data Pseudonymisation / encryption
  • Implementation of effective and appropriate technical and organisational measures

Data Protection Classification (High Risk) and Privacy Impact Assessments (DPIA)

  • Risk assessment and classification of high risk individuals (data subjects)

Data Protection Officer (DPO)

  • A DPO must have expert knowledge (education/accreditation), appropriate resources and avoid conflicts of interest
  • A mandatory DPO is required:
      • where the data processing is carried out by a public authority or body (except for courts);
      • for data controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
      • for data controllers and processors whose core activities consist of processing special categories of data and data relating to criminal convictions and offences.

Record Keeping

  • Data controllers and processors are required to maintain a record of processing activities which should be made available to the Data Protection Commissioner, upon request.

Policies & Procedures

  • Implementation of data policies by the data controller and the data processor.

Training

  • Awareness training and training for staff involved in processing operations and related audits, covering GDPR, Article 29 Working Party guidance and ongoing developments.

Demonstrate Compliance with GDPR Obligations

Key areas include:

  • IT Security
  • Data flow mapping
  • Consent of individual data subject
  • Security of processing (i.e. adequacy of organisational systems both automated and manual)
  • Implementation of appropriate data protection policies and procedures
  • Risk assessment and classification of high risk data and data protection risk assessments
  • Record keeping (breaches, complaints and processing activities)
  • DPO expertise and training
  • GDPR Compliance Monitoring