Data Protection and GDPR
Personal data is defined in law as any information that refers to a living, identifiable individual. That includes information like name, address or telephone number, but also PPS number, medical information, IP address or preferences. By law, organisations must protect personal data.
In May 2018 a new EU-wide regulation, known as the EU General Data Protection Regulation (GDPR), was introduced to govern how citizen’s data is used by organisations. It increases emphasis on accountability, security and transparency for organisations processing personal data and gives citizens enhanced rights over their data.
Under the GDPR, all organisations in Ireland that process the personal data of living individuals must work to protect that data, only use it for specific named purposes and account to those individuals for the organisation’s use of their data.
Under the GDPR many community and voluntary organisations, charities and social enterprises have new obligations.
Adhering to these required standards means organisations need to be aware of the personal data that they collect and make sure that they put systems in place to manage the way that they use personal data. For some organisations this is a complex task requiring specialist skills on staff, for other organisations, with less complex data management needs, they still need to be able to account for and manage their data use in a compliant manner.
Either way organisations need to ensure they are up-to-speed with the requirements of the General Data Protection Regulation and consider which elements apply to their operations. In order to support our members in this area we have published Preparing for the General Data Protection Regulation (GDPR): A Guide for Nonprofits. This guide will give you a straightforward overview of the legislation and particular issues that arise for nonprofit organisations, including:
- An overview of the 7 Principles of the GDPR
- Top 10 Tips for Preparing for Compliance
- Explanation of the Requirements for Consent
- The Role of the Data Protection Officer
- The Subject Access Request
- Do’s and Don’ts for Compliance
The Seven Principles
The General Data Protection Regulation is based on seven principles:
- Lawful, Fair and Transparent Processing
- Specified and Lawful Purpose
- Minimisation of Processing
- Storage Limitation
- Security and Confidentiality
- Liability and Accountability
All of your organisation’s use of personal data needs to be aligned with these principles.
Not only do your practices need to be compliant but, under the GDPR, your organisation needs to be able to demonstrate compliance. Therefore you need to document your practices and be able to track the processing that happens to personal data in your organisation. Ultimately the organisation’s board needs to take responsibility to ensure that the organisation is meeting its obligations and has documented how it goes about this.
The authority for policing the regulations in Ireland lies with the Data Protection Commission. You can visit their website and read their guidance on GDPRandYou.ie.
Issues to Consider
Some questions that the board may wish to consider:
- For what PURPOSE are we collecting data?
- How are we PROCESSING that data?
- Are we doing so under a LAWFUL PROCESSING CONDITION?
- What is the quality of CONSENT, if we rely on that for processing?
- How are we STORING the data?
- For how long and why are we RETAINING it?
- What happens if we have a BREACH?
- Do we have a GDPR compliant POLICY and PROCEDURES in place?
Data Protection Basics: Full Guidance Note