Common GDPR Questions…
The EU General Data Protection Regulation (GDPR) was introduced to replace the Data Protection Directive 95/46/EC. It standardises data protection laws across the EU and aims to improve citizens’ privacy and more strictly regulate how organisations acquire and use your personal information.
The GDPR comes into effect on 25th May 2018. It does not require any further legislation; it will immediately be in effect on that date.
The maximum penalty under the GDPR legislation is 4% of annual turnover, or €20 Million – whichever is lowest. Less serious breaches can still bring a fine of 2% or €10 Million.
Examples of serious breaches of compliance might be not having customer’s consent to process information or failure to notify the regulating authority and data subject in the event of a breach.
In order to comply with the GDPR you should ensure that
- personal data you collect is processed lawfully, fairly and in a transparent manner
- it is collected only for specified, explicit and legitimate purposes
- it is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘data minimisation’)
- it is accurate and kept up to date, and every reasonable step is taken to ensure that personal data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
- it is held only for the absolute time necessary and no longer
- it is processed in a manner that ensures appropriate security of the personal data
Under the GDPR you must appoint a Data Protection Officer if you:
- are a public authority (except for courts acting in their judicial capacity);
- undertake large scale systematic monitoring of individuals;
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
Any organisation may appoint a DPO. Whether you do or not, it is important that your staff know their responsibilities with respect to the GDPR.
Under Article 39, the minimum tasks of a DPO are:
- To train staff with regard to their responsibilities under the GDPR
- To monitor compliance with the GDPR.
- To act as the first point of contact for authorities and individuals whose personal data is processed
The DPO must report to the highest management level in the organisation. They must operate independently and must not be penalised for doing their job.
Sensitive data is data which uniquely identifies a person, such as DNA or other biometric information. Under the GDPR, individuals must give explicit (opt-in) consent to the use of sensitive data.
Data Subject: A natural person
Personal Data: Any information which can be used to identify a data subject, such as photographs, email addresses, bank details, social media posts, etc.
Data Controller: The individual or entity with responsibility for the retention and use of personal data. Data controllers have legal responsibilities, therefore it is important that you know whether or not you are a Data Controller. Examples of Data Controllers are doctors, banks, clubs and societies, etc.
Data Processor: A Data Processor holds personal information but does not control it, merely processes it on behalf of the data controller. Examples might be accountants or market research companies.
Under the GDPR, companies will be required to request consent clearly and unambiguously, in a manner that is easy to understand. Legal jargon is to be avoided. Withdrawal of consent must be as easy to achieve as granting it.
In the case of sensitive data, only explicit consent will suffice, i.e. the customer must explicitly ‘opt-in’.
If you have multiple websites, you need a pack for each site. If they are closely related, one pack will cover all of them. For example, if you have two sites A. tomstractorsgalway.com and B. tomstractorsdublin.com – then one web pack can be used on both sites.
If however the sites are not closely related then you will need a separate pack for each site. For example A. tomstractorsgalway.com and B. peterskitchenknives.com – these sites are not related and as such are treated as separate businesses. Therefore you will require a pack for each site.
Simply put, No! Once your documents have been added to your site we then register your domain with our copyright and plagiarism system. Should anyone attempt to use your unique documents, we will be alerted straight away!
We will contact the offending site with instructions to remove your policy content from their site.