GDPR services Galway

What it is, how we implement GDPR on a site, blog or online store, and what a GDPR-compliant policy should contain

A European Union regulation has started to make waves among website owners, bloggers and especially companies that run online shops or other platforms that collect, store and process users' personal or confidential data.

What is GDPR (General Data Protection Regulation)?

The GDPR (General Data Protection Regulation) applies from 25 May 2018 and brings major changes to how organisations and companies store and handle personal data. It imposes strict rules on companies and individuals who store the personal data of customers, users, business partners and anyone else they interact with. The regulation applies both online and offline, giving the people whose data is stored and processed more transparency and control.
With the GDPR in force, anyone has the right to know whether a company processes their personal data, for what purpose it is used and how it is secured so that it does not reach third parties. People are also entitled to access the stored information and to have it corrected or even deleted.

GDPR: Consent on data storage and the purposes for which it will be used

Under the GDPR, people must be properly informed when they give consent to data processing. The organisation acting as data controller has to tell the person which data will be stored and must obtain consent separately for each purpose; a single blanket consent covering every use is not valid.

Before the GDPR things were very different. A pre-ticked checkbox allowed the organisation to use our personal data for whatever purposes it wanted without being held accountable.
If you have ever been contacted by a string of health or other insurance firms after opening an account with a bank, this should not happen once the GDPR is in force unless you specifically state that you want offers from the bank's partners and collaborators. If you have given your consent and later change your mind, the organisation must provide a way to withdraw it that is as easy as giving it, at any time.
In the coming period, banks will also have to send notifications to all their clients asking for consent to store and process their personal data.

The same consent must be obtained by online stores, websites that store personal information, forums and any other online platform that stores user data.
Taking the online case first: even if you do not own the online store, you will be informed up front about the data stored on you: the types of HTTP cookies the website sets, the tracking code that records your online behaviour (Google Analytics, Google AdSense, Facebook, etc.), the logs in which your IP address is stored, and anything else related to your online identity.
When you order a product, the company that owns the online store may not ask for more personal data than is needed to process the order, and may not use your email address or phone number for marketing unless it has obtained your consent for that. If you created an account when placing the order, you have the right to access your account information at any time and to modify or delete it.
Newsletter subscription may only happen with the user's explicit consent, with the option to unsubscribe at any time.
Another important requirement of the GDPR is the retention period. Personal data can no longer be kept indefinitely, as it often used to be, but only for a defined period tied to the purpose for which it was collected.

GDPR: Security of personal data

The GDPR places great emphasis on the security of users' personal data. The company must apply security measures proportionate to the sensitivity of the data it stores: pseudonymisation, encryption, and a clear designation of which staff may access personal data. Where a data protection officer is required, the DPO's contact details must be communicated to the supervisory authority.
In the event of a personal data breach, the company must notify the supervisory authority within 72 hours of becoming aware of it and, where the breach is likely to result in a high risk to the people concerned, inform those people without undue delay. The breach must also be documented, together with an assessment of the risks and likely harm to the persons whose information has been exposed to third parties.
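As an added illustration of two of the technical measures this page mentions, pseudonymisation (above) and a fixed retention period (in the consent section), here is a Python example written for this edit. It is not code from the original page or from any GDPR service provider. The key, the access-log records and the reference time are all constructed for the demonstration; a real deployment would keep the key in a secrets manager, separate from the data store.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed demo key (assumption: in production this comes from a KMS/HSM and is
# stored apart from the data, so a database dump alone cannot re-identify anyone).
DEMO_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)

# Constructed sample web-shop access log (not real people). Two identifiers per record.
SAMPLE_LOG = [
    {"ts": "2018-05-25T10:00:00Z", "ip": "203.0.113.7",   "email": "Alice@Example.com", "path": "/checkout"},
    {"ts": "2018-06-01T12:30:00Z", "ip": "203.0.113.7",   "email": "alice@example.com", "path": "/account"},
    {"ts": "2018-09-14T08:15:00Z", "ip": "198.51.100.23", "email": "bob@example.net",   "path": "/cart"},
]

# Constructed reference time used for the retention check below.
NOW = datetime(2018, 10, 1, tzinfo=timezone.utc)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of a normalised identifier.

    Same input + same key -> same token, so analytics can still count distinct
    visitors. Without the key the token can be neither reversed nor recomputed
    from a guessed email/IP, which is what separates this from a plain SHA-256
    hash (an unkeyed hash of an IP address is trivially brute-forced).
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymise_record(record: dict, key: bytes, fields=("ip", "email")) -> dict:
    """Return a copy of the record with the identifying fields replaced by tokens."""
    out = dict(record)
    for field in fields:
        if field in out:
            out[field] = pseudonymise(out[field], key)
    return out


def purge_expired(records, now: datetime, retention_days: int):
    """Keep only records newer than the retention window (ISO-8601 'Z' timestamps)."""
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for rec in records:
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        if ts >= cutoff:
            kept.append(rec)
    return kept


if __name__ == "__main__":
    for rec in purge_expired(SAMPLE_LOG, NOW, retention_days=90):
        print(pseudonymise_record(rec, DEMO_KEY))
```

Both copies of Alice's address map to the same token (case and whitespace are normalised first), so the pseudonymised log still shows one returning customer, while the 90-day purge drops the two May/June records before they would be kept "indefinitely". Rotating the key breaks linkability across periods, which is sometimes exactly what you want for analytics data.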

DPO – Data Protection Officer

Despite what some readers may have thought so far, "DPO" here does not mean "Days Past Ovulation" but "Data Protection Officer". The title sounds pompous, but many organisations (public bodies, and companies whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data) have to designate a DPO, who makes sure that data is collected correctly, stored securely and used only for the purposes for which consent was obtained. In practice, the DPO must ensure that the organisation complies with the rules imposed by the GDPR and acts as the link between the organisation and the state supervisory authority.

Who can be a DPO? The DPO may be an employee or an external contractor, but must not hold a position that creates a conflict of interest, such as a role that decides the purposes and means of processing (a managing director or head of IT, for example). The person needs a thorough knowledge of European and national data protection legislation and of the IT techniques used to store data. An IT lawyer, or a server administrator who learns the legislation, are both plausible candidates.
Regarding DPO and GDPR services, many "specialised" companies have appeared online overnight, some claiming years of "experience" in implementing a regulation that did not even exist before 2016.
Companies receiving such offers, or being referred to such firms as GDPR and DPO experts, should be careful. Most of them were set up purely to cash in on the new regulation. So be wary if you represent a company and have received offers of this kind.

Sanctions in case of non-compliance with GDPR regulations

Sanctions apply throughout the European Union and are imposed by the supervisory authority of each member state. They are applied gradually depending on the severity and impact of the non-compliance. Administrative fines can reach up to EUR 20 million or 4% of the company's worldwide annual turnover, whichever is higher. Sanctions may be appealed and may be the subject of legal proceedings.

GDPR on-line – Blogs, Online Stores or other websites

A recent WordPress update added built-in privacy tools to help everyone using the platform comply. Every website that stores personal data must have a "Terms and conditions" page and a "Privacy policy" page that tell users the following:

  1. Who owns the website or the online store
  2. What personal data are collected and why they are collected
  3. Cookies: a list of the cookies the website uses, including those set by social networks and analytics services (Facebook, Google Analytics, Twitter, etc.)
  4. Who are the third parties who have access to personal data and for what purposes?
  5. The contact details of the company owning the website / online store
  6. The amount of time that personal data is stored
  7. Simple ways for users to delete or export the personal data the site holds about them
  8. How is personal data stored?
  9. Rights and obligations of users

All of these points should be covered by each website in its "Privacy policy".

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

What are personal data

Any information relating to an identified or identifiable natural person, such as name, phone number, email address, location, the IP address of a computer, smartphone or tablet, the MAC address of a network card, and factors specific to a person's physical, physiological, genetic, mental, economic, cultural or social identity, among others.

Auditing your GDPR compliance

The EU General Data Protection Regulation (GDPR) has imposed many new obligations on organisations that process EU residents’ personal data. An audit will assess whether your organisation is meeting these obligations. 

However, before an external auditor assesses the measures you’ve taken to comply with the Regulation, it’s worth conducting an internal audit to review whether your controls, policies and procedures are adequate, and, if not, where they need to be improved. 

Here are ten essential areas of the GDPR that you will need to consider. 

1. Data protection governance 

To what extent are data protection accountability, responsibility, policies and procedures, performance measurement controls, and reporting mechanisms to monitor compliance in place and operating throughout your organisation? 

2. Risk management 

Is privacy risk included in your corporate risk register? What corporate arrangements are in place for privacy risk management across your organisation? To what extent does the corporate risk regime incorporate information-specific risks? Which risks to the rights and freedoms of natural persons are addressed? 

3. GDPR project 

To what extent is an appropriately staffed, funded and supported GDPR project in place and capable of delivering realistic objectives? 

4. Data protection officer (DPO) 

Is a DPO mandatory, has one been appointed, is the role positioned appropriately and is the individual capable of delivering against the GDPR’s requirements? 

5. Roles and responsibilities 

To what extent are the roles and responsibilities defined and established throughout your organisation, including necessary training and awareness? 

6. Scope of compliance 

It is essential that the scope of compliance is clearly defined, taking account of all the data processing in which your organisation has a role, whether as a data controller or as a data processor, as well as any data-sharing activity. In order to determine the scope of compliance, you also need to identify all the databases that hold personal data, as well as all extraterritorial/cross-border processing.  

7. Process analysis 

It is essential to identify, for each process that involves personal data, the extent to which each of the data processing principles is established. The lawful basis for processing is a key area of consideration. Are there any processes for which a data protection impact assessment (DPIA) is mandatory, and for which processes might a DPIA help establish data protection by design and by default?

8. Personal information management system (PIMS) 

There is a wide range of documentation required to ensure that your organisation is able to effect and to demonstrate compliance with the GDPR, such as a data protection policy, a data breach notification procedure, subject access request forms and procedures, DPIAs and consent forms. The scale of the documentation should be appropriate to the size and complexity of your organisation. The PIMS should also address staff training and awareness. 

9. Information security management system (ISMS) 

Are appropriate technical and organisational measures in place to ensure that there is adequate security of personal data held in hard copy or electronic form, or processed through your organisation’s systems? This should include a review of methodologies for testing security, and established cyber security certifications, standards and codes of practice. 

10. Rights of data subjects 

Your organisation will need processes that will enable it to both facilitate and respond to data subjects exercising any or all of their rights, including the right to access. 

Maintaining appropriate documentation 

Documentation is a large part of GDPR compliance. Data controllers and, where applicable, their representatives will be required to keep the following records: 

  • The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the DPO. 
  • The purposes of the processing. 
  • A description of the categories of data subjects and of the categories of personal data. 
  • The categories of recipients to whom the personal data has been or will be disclosed. 
  • Where applicable, international transfers of personal data and the documentation of appropriate safeguards. 
  • Where possible, the envisaged time limits for erasure of the different categories of data. 
  • Where possible, a general description of the technical and organisational security measures implemented. 

Note that these record-keeping obligations do not apply to organisations that employ fewer than 250 people unless: 

  • The processing is likely to result in a risk to the rights and freedoms of data subjects; 
  • The processing is not occasional; or 
  • The processing includes special categories of data or data relating to criminal convictions and offences. 

However, even if you have fewer than 250 employees, record-keeping is an essential part of facilitating data subjects’ rights, so you will need to do it even if you are not technically obliged to. 

We also advise keeping records of lawful bases for processing and data processor agreements. 

GDPR Web Ready Package

Data Subjects Rights

GDPR provides the following rights for Data Subjects i.e. individuals:

  1. The right to be informed about what data is being held about them
  2. The right of access to their personal data
  3. The right to rectify their personal data
  4. The right to erase their personal data
  5. The right to restrict the processing of their personal data
  6. The right to data portability, i.e. to receive their data and have it transferred to another controller
  7. The right to object to their personal data being used
  8. Rights in relation to automated decision making and profiling of their personal data

Data Subjects have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. As an organisation, you must provide individuals with information such as your purposes for processing their personal data; your retention periods for that personal data, and who it will be shared with. This is called ‘privacy information’.

You must provide this privacy information to Data Subjects at the time you collect their personal data from them. If you obtain personal data from other sources, you must provide Data Subjects with privacy information within a reasonable period of obtaining the data, and at the latest within one month.

There are a few circumstances when you do not need to provide Data Subjects with privacy information, such as if a Data Subject already has the information or if it would involve a disproportionate effort to provide it to them. The information you provide to Data Subjects must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.

You must regularly review, and where necessary, update your privacy information. You must bring any new uses of a Data Subject’s personal data to their attention before you start processing it.

Getting the right to be informed correctly can help you to comply with other aspects of the GDPR and build trust with Data Subjects, but getting it wrong can leave you open to possible fines and reputational damage.