GDPR - Are you ready?

Similar documents
Islam21c.com Data Protection and Privacy Policy

Creative Funding Solutions Limited Data Protection Policy

Element Finance Solutions Ltd Data Protection Policy

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

M T BUCKLEY & Co Chartered Accountants

Data Protection Policy

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

Data Protection Policy

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

Contract Services Europe

GDPR effects on Gift Aid. Presented by Keren Caird Business Development Gift Aid Manager Sue Ryder

PS Mailing Services Ltd Data Protection Policy May 2018

General Data Protection Regulation (GDPR) Key Facts & FAQ s

Data Protection Policy

GLOBAL DATA PROTECTION POLICY

Toucan Telemarketing Ltd.

Data Protection Policy

How the GDPR will impact your software delivery processes

Eco Web Hosting Security and Data Processing Agreement

GLOBAL DATA PROTECTION POLICY

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon

GDPR Data Protection Policy

Introductory guide to data sharing. lewissilkin.com

8. AUTOMATED DECISION MAKING DURING DATA PROCESSING FURTHER INFORMATION FURTHER INFORMATION AND GUIDANCE CONTACT US...

1. Type of personal data that we collect and process?

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

Data Protection Policy

General Data Protection Regulation (GDPR) Policy

The Park Hotel Privacy Statement

Integrity Notice. Fjärde AP-fonden (AP4)

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

You will see lots of references in the Checklist to the GDPR Pack if you would like to purchase this, go to

Rights of Individuals under the General Data Protection Regulation

DATA PROTECTION POLICY

PRIVACY POLICY PRIVACY POLICY

Data Protection Privacy Notice

Identity of the controller: CHARVAT CTS a.s., ID No.: , with the registered office at Okrinek 53, Podebrady, Czech Republic, Postcode

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

DATA PROTECTION POLICY

Privacy policy. Definitions and interpretation

BELLISSIMA BEAUTY SALON PRIVACY NOTICE

Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts

Motorola Mobility Binding Corporate Rules (BCRs)

Made In Hackney Data Protection Policy Last Updated:

Data Protection policy

Wonde may collect personal information directly from You when You:

PRIVACY POLICY. 1. Introduction

GDPR: A QUICK OVERVIEW

UWC International Data Protection Policy

RVC DATA PROTECTION POLICY

Data subject ( Customer or Data subject ): individual to whom personal data relates.

Requirements for a Managed System

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

Extension Architecture Privacy Notice

Subject: Kier Group plc Data Protection Policy

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

Privacy Notice - Stora Enso s Supplier and Stakeholder Register. 1 Purpose

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

Preparing for the GDPR

Website Privacy Notice

World Wide Jobs Ltd t/a Findmyexpert.com Privacy Policy 12 th April 2018

Data Protection and GDPR

2. The Information we collect and how we use it: Individuals and Organisations: We collect and process personal data from individuals and organisation

UWTSD Group Data Protection Policy

Link Exhibitions Privacy Policy

WEBSITE PRIVACY POLICY

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

Website Privacy Statement

Plus500UK Limited. Website and Platform Privacy Policy

Technical Requirements of the GDPR

Wesley House data protection statement and privacy notice (short-course delegates)

NIPPON VALUE INVESTORS DATA PROTECTION POLICY

Privacy and Data Protection Policy

PRIVACY NOTICE (TIER 4)

Privacy Policy CARGOWAYS Logistik & Transport GmbH

This article will explain how your club can lawfully process personal data and show steps you can take to ensure that your club is GDPR compliant.

INFORMATIVE NOTICE ON PERSONAL DATA PROCESSING

The Role of the Data Protection Officer

Privacy Notice. Lonsdale & Marsh Privacy Notice Version July

Cova Security Gates Ltd Privacy Notice. Unit C1, Sussex Manor Business Park, Crawley, West Sussex, RH10 9NH, United Kingdom

DATA PROTECTION POLICY THE HOLST GROUP

Website Privacy Policy

GDPR: A technical perspective from Arkivum

General Data Protection Regulation BT s amendments to the proposed Regulation on the protection of individuals with regard to the processing of

EIT Health UK-Ireland Privacy Policy

Personal Data Protection Policy

Privacy policy SIdP website EU 2016/679

About the information we collect We collect and process personal data including but not limited to:-

Brasenose College ICT Systems Privacy Notice (v1.2)

Privacy Statement for Use of the Trust Service of Swisscom IT Services Finance S.E., Austria

Privacy Notices under #GDPR: Have you noticed my notice?

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

Data Protection Policy

A Homeopath Registered Homeopath

Cybersecurity Considerations for GDPR

Beam Suntory Privacy Policy WEBSITE PRIVACY NOTICE

General Data. Protection Regulations MAY Martin Chapman Head of Ops & Sales Microminder. Presentation Micro Minder Ltd 2017

Under the GDPR, you have the following rights, which we will always work to uphold:

PRIVACY POLICY. Introduction:

Transcription:

GDPR - Are you ready? Anne-Marie Bohan and Michael Finn 24 March 2018 Matheson Ranked Ireland s Most Innovative Law Firm Financial Times 2017 International Firm in the Americas International Tax Review 2017 European Financial Services Tax Deal of the Year International Tax Review 2017 UCITS Law Firm of the Year The Hedge Fund Journal 2017

Introduction The current regime Some common challenges Introducing the GDPR What the GDPR means for you Obligations of Data Controllers Data Subjects Rights Dealing with a Data Breach Fines and Liabilities Getting GDPR Ready

The Current Regime Governed by the Data Protection ( DP ) Acts 1988 to 2003 Implemented the DP Directive (95/46/EC) Applies to Data Controllers and Data Processors Relevant to: Personal Data Sensitive Personal Data Sensitive personal data includes data as to the physical or mental health of a living individual

Your current obligations Registration with the Data Protection Commissioner Adhere to data protection principles: Obtain and process information fairly Keep it for one or more specified lawful purposes Process it only in a manner compatible with those purposes Keep it safe and secure Keep it accurate and up to date Ensure that it is adequate, relevant and not excessive Retain it for no longer than is necessary Give a copy to the individual on their request

Common themes and challenges faced by dentists ICO Study, June 2014 to June 2015: Confusion around when a dentist should register with DPC Lack of security measures (eg: reception desks) Lack of written contracts with service providers, eg: IT contractors Risk of new technologies, mobile phones and personal devices Data retention policies not always in place

Introducing the General Data Protection Regulation http://gdprandyou.ie/

Introduction to the GDPR The General Data Protection Regulation (the GDPR ) is the first new EU-wide DP legislation for over 20 years The DP Directive was conceived in early 1990s, when there was: No internet No smartphones No social media No search engines No cybercrime No artificial intelligence

Introduction to the GDPR Range of data creation sources (CCTV, biometric, internet use, mobile device use, email, Wi-Fi, travel ) Sources Data flows into entities and is processed across a range of services and relationships Increasing potential for disputes Third parties may use rights and threats of sanction & penalties tactically

Introduction to the GDPR Objective: a single, uniform set of data protection rules applying across the EU Basic concepts are similar to current legislation Timing: GDPR applies in all EU Member States from 25 May 2018 Get ready: Need to start now, if not already started ICGP Guidance

Basic concepts still the same Illustrative Example Dental Practice GDPR applies to all personal data Dental Practice: employees, partners, contractors, job applicants, patients (including minors), suppliers & service suppliers, business contacts, experts, advisors, insurers, etc.

Basic concepts still the same GDPR applies to data processed by automated means, as well as manual data forming part of a filing system Processing must be fair and transparent; information required is more onerous under GDPR Personal data must only be collected for specified, explicit and legitimate purposes Personal data must be adequate, relevant and limited to what is necessary for the purpose for which they are processed

Basic concepts still the same More onerous obligations for special categories of personal data similar to existing provisions on sensitive personal data Retain personal data for no longer than necessary (then anonymise or delete) Put in place appropriate security measures Ensure that processing is legitimate by falling within one of the permitted processing grounds (eg, consent, preventative medicine, medical diagnosis, provision of health treatments etc)

Key Changes In Brief Much higher penalties up to 20m or 4% of undertaking s global turnover if more Liability for material and non-material breach Broader scope wider data subject rights Accountability and transparency More granularity and procedures More information for data subjects More compliance documentation policies and processes, records of processing Identify and record legal basis for processing

Controllers Additional Duties under the GDPR Maintain detailed record of processing activities and security measures Data protection by design and default Must build data protection into system design (eg, new CRM system) and processes Minimise data collected Third party contracts Data controller must: comply with data protection principles (as currently) and demonstrate compliance

Information (Privacy Notice) for Data Subjects Information to be provided includes: legal basis for processing retention periods data subject rights (including right to withdraw consent and to object to processing) complaint procedure Information (privacy notice) must be: Concise, intelligible and easily accessible Transparent

GDPR Data Subject Rights Delete it, Freeze It, Correct It! Right to access data Right to rectification, if inaccurate Right to erasure (be forgotten) - various conditions but, in general if unlawful (eg: consent withdrawn) processing no longer necessary dispute over "legitimate grounds" basis for processing Rights to restrict (freeze) processing Right to object (eg: direct marketing, research, etc.)

GDPR Data Subject Rights New Right to Portability Right to receive data which data subject provided to a controller in a structured, commonly used and machine readable format and to have it transmitted to another data controller. Dental Council Code of Practice Art 9.3 What implications does this have for transferring electronic dental records?

GDPR Data Subject Rights Subject Access Requests 30 day response time, with extension right of up to 2 further months where requests are complex or numerous Similar to current arrangements but more information to be given re: Storage period Right to request rectification or to object The recipients of the data, etc. Right of controller to refuse (or charge) if manifestly unfounded or excessive

Data Breaches under the GDPR Breach of security leading to accidental or unlawful data destruction, loss, alteration or unauthorised disclosure Notify DPC promptly and within 72 hours If late notification - provide a "reasoned justification" explaining the delay In notifying a breach, describe: what happened approximate numbers of individuals affected likely consequences measures taken or proposed Must inform data subject if breach = high risk to their rights

Data Breaches under the GDPR Data breaches not uncommon short time frame need clear policies on handling Tell data subject if there is a high risk to them Records must be kept of all data breaches and action taken even if no notification obligation

Penalties under the GDPR Tiered approach depending on nature of breach Higher of 10m or up to 2% of worldwide turnover Higher of 20m or up to 4% of worldwide turnover breach of requirements on international transfer or basic principles other breaches (e.g. records of processing activities, data protection by design, notification of breaches to regulator)

Penalties under the GDPR Fines may be levied by Data Protection Commission Factors taken into account include:

Preparation of Data Controllers / Processors Act now as preparation is necessary to achieve compliance: Integrity - How secure is the data? Procedures Amend procedures and notices to respect privacy rights Red Alert - Reporting data breaches? Access plan how you will handle access requests

Option to develop an IDA Code GDPR allows associations prepare Codes for approval, registration and certification with the DPC Adherence to Code then demonstrates compliance with GDPR Compliance with Code is then monitored by an accredited body If Code is breached, may be suspended from the Code and reported to the DPC

Some scenarios Q&A

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback