What you should include in a Subject Access Request

Information to Include in a Subject Access Request

You have 30 days to respond to a subject access request, and you must also log details of all subject access requests. Don't forget to validate the requestor! Include the following in subject access responses:

- Identity and contact details of the data controller (and/or the controller's representative);
- Contact details of the Data Protection Officer (the person with responsibility for data protection matters within your organization);
- Purpose(s) of the processing and the lawful basis for the processing;
- Where processing is based on the legitimate interests of the controller or a third party, the legitimate interests of the controller;
- Any other recipient(s) of the personal data;
- Where applicable, details of any intended transfers to a third country (non-EU member state) or international organization, and details of adequacy decisions and safeguards;
- The retention period (how long your organization holds onto data) or, if that is not possible, the criteria used to determine the retention period;
- Their rights;
- Right of access ...

Are you ready for a Data Audit?

How do you prove that you are compliant with the GDPR?

This is a list of probable questions that you will have to answer if your company is audited under the GDPR. If you can answer the following questions with a Yes, then you can be reasonably sure that you are compliant in the stated area; where you answer No, you need to start addressing this area.

Fair Obtaining
- At the time we collect information about individuals, are they made aware of the uses of that information?
- Are people made aware of any disclosures of their data to third parties?
- Have we gained people's consent for any secondary uses of their personal data, which may not be obvious to them?
- Can we describe our data collection processes as open, transparent and up-front?

Purpose Specification
- Are we clear about the purpose (or purposes) for which we keep personal information?
- Are the individuals in our database also clear about this purpose?
- If we are...

GDPR Certified! Fraudulent claims of GDPR certification on the rise

GDPR Certified! Fraudulent claims of GDPR certification on the rise. As the Data Protection Commissioner of Ireland has not currently stated what the criteria for certification and accreditation are, any company or individual claiming to be GDPR certified is making a fraudulent claim. There are currently no certifications available for the GDPR, and no accredited certification bodies.

Would you hire a self-proclaimed fraud to guide your business? Would you knowingly hire a fraud to guide your business? Not only the online courses but also the talks being given around the country by people who claim to be certified should be taken with a grain of salt. GDPR is not an IT or legal problem; it is a business problem and should be treated as such. While they may have valid knowledge and be of help, the fact that they claim false credentials really should be taken into account. Government bodies in particular should pay attention and not set up series of talks around...

Is my Business affected by the GDPR?

All Business is covered by GDPR - No Exceptions

Many small business owners are not aware that they are affected by the GDPR and have not yet prepared. The obligations in the new EU General Data Protection Regulation (GDPR) apply directly to every organization in Ireland from May 25, 2018. All public, private and voluntary organizations of every size need to be familiar with the requirements around what information must be given to individuals when their personal data is being collected, used and stored, and with the rights individuals have in relation to controlling how their personal data is treated.

If you have staff you are a Data Controller

If you have staff, then you are a Data Controller when dealing with your staff's personal information, and you need to be compliant with the GDPR. A survey carried out in the UK found that over a third of people will request their data from former employers. As you have only 30 days to respond...

GDPR for the CEO with deadline looming.

Box ticking exercise or shift in mindset?

As we get nearer to the GDPR deadline of May 25th, it's time to really look into your approach to GDPR. A lot of companies are approaching GDPR as a box-ticking exercise; this demonstrates a fundamental failure to grasp the basics of the GDPR. To successfully implement GDPR and gain the benefits for your company, a shift in mindset on how you deal with personal data is required. This needs to be a top-down exercise, as bottom-up won't work.

Benefits for Companies

The benefits to the company will include:
- a streamlining of their processes;
- a culling of dead weight from their current data systems;
- avoidance of fines;
- avoidance of reputational damage.

With a more comprehensive view of the data currently held, there is a huge spectrum of opportunities that can be explored, and your business will be in a better place to take advantage of these insights. So not only can you benefit from savings and efficiencies, but you will be in a position to identify new opportunities and expand your business.

Avoid fines and...

GDPR Data Mapping what it is and how to do it ?

What is Data Mapping for GDPR?

Data mapping, also referred to as a data inventory, is the way in which companies can map out the flow of data within their company. A data map will contain the different categories of data that are used by different business sections in a company, and how that data is processed and shared within the company and with external parties.

Why should my company create a data map for the GDPR?

A data map will not only allow you to comply with many of the GDPR requirements; it can also be a valuable business asset. It can help companies to improve business processes and IT systems and use data in a way that's beneficial for the business. If you don't understand what data you hold, where it comes from and where it flows to, you will never be in a position to meet your GDPR requirements. A well planned and structured data map will let a company meet with the...

Am I a Data Controller or a Data Processor?

Data Controller or Data Processor?

Data Controller

You are a Data Controller if you collect, keep or process information about a living person. If your company decides what personal information is going to be kept and what use it is put to, then it is a Data Controller. Data Controllers need to register with the Data Protection Commissioner.

Data Processor

You are a Data Processor if you process data on behalf of a Data Controller; however, you should remember that if you have employees you could be both a data controller and a data processor ...

What does my company have to do to achieve GDPR compliance?

- Identify if you are a Controller or Processor.
- Document the data you currently hold.
- Document your policies and procedures for handling personal data.
- Put in place procedures for Subject Access Requests, including how you will verify the identity of the requestor.
- Document your security procedures in relation to personal data.
- Document your Data Breach Notification policy and procedures.
- Revisit your privacy notices to make sure they are compliant.
- Identify your legal basis for processing personal data.
- Check your consent mechanisms (current and historical) and ensure they are in compliance with the GDPR.
- Check your third-party processing obligations.
- Check your contractual agreements to ensure they are in line with the GDPR.
- Check if your legitimate interests for processing override the individual's rights under the GDPR.
- Carry out a risk assessment on the personal data you hold.
- Prepare to run a Privacy Impact Assessment on any future projects - referred to as DIPA (Data Impact Privacy Assessment).
- Educate your staff about the GDPR and how it will impact their roles.
- If dealing with children - check...

What is a Data Subject?

A data subject is classed as any natural living person.

What rights apply to data subjects?

Data subjects have the following rights:
- Information
- Access
- Rectification
- Erasure
- Restrictions on processing
- Data portability
- Objection
- Revision of automated decisions or profiling

What is a Subject Access Request?

This refers to a Data Subject exercising their rights under the GDPR. A Subject Access Request must be responded to within 30 days. Companies need to have documented procedures in place detailing how they will respond to Subject Access Requests....