GDPR

General Data Protection Regulation
The General Data Protection Regulation (GDPR) will come into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.
The Regulation strengthens enforcement of existing data protection requirements such as data retention, data accuracy and data security, adds new requirements such as accountability, and increases the risk for organisations that do not comply.
In addition to tightening up our processes, ISQua has a responsibility to ensure that all staff apply the principles of the GDPR in their daily work.
The GDPR applies to Data Controllers (e.g. ISQua), Data Processors (those who process data on behalf of data controllers) and Data Subjects (members, fellows, conference delegates, staff etc.). The key changes that put the onus on organisations to comply are greater transparency, financial consequences for non-compliance, stricter rules on how consent is given and a greater obligation for accurate record keeping, which includes:
- More information must be given to data subjects (how long data will be kept, the right to lodge a complaint, the source of the data etc.);
- The legal basis for processing personal data must be explained and documented;
- The rules on how consent is obtained are tightened. Article 4(11) of the GDPR defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"; a request for consent must be clearly distinguishable from other matters and in clear, plain language;
- It must be as easy to withdraw consent as it is to give it (see below for further information on consent);
- "Legitimate interests" remains available as a lawful ground to process personal data in some circumstances, but people must be informed if you are relying on it;
- A single set of rules and a "One Stop Shop" (one lead supervisory authority for organisations established in multiple EU countries);
- Data Protection Impact Assessments (mandatory in certain circumstances);
- Privacy by Design and by Default;
- Subject access, rectification and portability (right of access, enhanced right to be "forgotten", data portability, right to object to certain processing, e.g. direct marketing);
- New rules on profiling and automated decision-making (Article 22; explicit consent is one of the limited grounds on which such decisions may be based);
- Administrative fines for the most serious infringements of up to €20 million or 4% of an organisation's worldwide annual turnover, whichever is higher;
- An individual's rights include compensation for material or non-material damage, e.g. distress caused to the individual as a result of an infringement of his or her rights.
Requirements for ISQua
Data Protection Commissioner
Under the GDPR the previous requirement to register with the Data Protection Commissioner in Ireland ceases. Separately, as ISQua has fewer than 250 employees it is exempt from the Article 30 obligation to maintain written records of processing activities, provided its processing is occasional, is not likely to result in a risk to the rights of data subjects and does not include special categories of data.
Appointment of a Data Protection Officer (DPO)
The GDPR requires some organisations to appoint a DPO. A DPO "shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39."
Under the GDPR the organisations required to appoint a DPO are:
- All public authorities and bodies, including government departments;
- Organisations (controller or processor) whose core activities consist of processing operations which require regular and systematic monitoring of individuals on a large scale;
- Organisations whose core activities consist of large-scale processing of special categories of data (e.g. health data) or of personal data relating to criminal convictions or offences.
Taking the above into account, ISQua does not appear to be required to appoint a DPO.
12 Steps
The Data Protection Commissioner has advised the following 12 steps to become compliant:
- Becoming Aware
- Becoming Accountable
- Communicating with Staff and Service Users
- Personal Privacy Rights
- How will access rights change?
- What we mean when we talk about a "legal basis"
- Using customer consent as grounds to process data
- Processing Children’s Data
- Data Protection Impact Assessments (DPIA) and Data Protection by design and default
- Reporting data breaches
- Data Protection Officers
- Cross-border processing and the one stop shop
Plan Overview
Deirdre Burke (DB) has taken the lead in ensuring that ISQua meets all of the necessary requirements. The plan below is regularly updated: