General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) which came into effect in May 2018 gives individuals greater control over their personal data by setting out additional and more clearly defined rights for individuals whose personal data is collected and processed by organisations. The GDPR also imposes corresponding and greatly increased obligations on organisations that collect this data.
Personal data is any information that can identify an individual person. This includes a name, an ID number, a postal address, online browsing history, images or anything relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.
The GDPR is based on the core principles of data protection which exist under the current law. These principles require organisations and businesses to:
- collect no more data than is necessary from an individual for the purpose for which it will be used;
- obtain personal data fairly from the individual by giving them notice of the collection and its specific purpose;
- retain the data for no longer than is necessary for that specified purpose;
- to keep data safe and secure; and
- provide an individual with a copy of his or her personal data if they request it.
Under the GDPR individuals have the significantly strengthened rights to:
- obtain details about how their data is processed by an organisation or business;
- obtain copies of personal data that an organisation holds on them;
- have incorrect or incomplete data corrected;
- have their data erased by an organisation, where, for example, the organisation has no legitimate reason for retaining the data;
- obtain their data from an organisation and to have that data transmitted to another organisation (Data Portability);
- object to the processing of their data by an organisation in certain circumstances;
- not to be subject to (with some exceptions) automated decision making, including profiling.
Organisations and businesses collecting and processing personal data are required to meet a very high standard in how they collect, use and importantly protect data. The University is responsible for ensuring that the rights of students, staff and members of the public about whom personal data are processed are sufficiently protected. All staff and students who are dealing with personal data should ensure that they take reasonable measures to keep that data safe and secure.
For organisations and businesses who breach the law, the Data Protection Commissioner has been given more robust powers to impose very substantial sanctions including the power to impose fines. The GDPR also permits individuals to seek compensation through the courts for breaches of their data privacy rights.
The Data Protection Officer can give advice and training on data protection issues. Inquiries about Data access Requests and notification of Data Protection Breaches should be made to the Data Protection Officer.
To ensure that you are GDPR compliant in your day-to-day handling of electronic personal data why not have a look at our GDPR IT Checklist.
General GDPR Information is available from the Data Protection Commissioners website.
- Personal Data: "Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
- Sensitive Data:"Sensitive Personal Data" are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.
- Data Controller: "Controller" means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller may be designated by those laws.
- Data Processor: "Processor" means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
- Data breaches: "Data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Privacy by Design: All processing of personal data must be done with data protection and privacy in mind at every step. This includes internal projects, product development, software development, IT systems, and much more. In practice, this means that privacy must be built into a system during the whole life cycle of the system or process.
- Privacy by Default: When a product or service is released, the strictest privacy settings should apply by default, without any manual input from the end user. In addition, any personal data provided by the user to enable a product's optimal use should only be kept for the amount of time necessary to provide the product or service.
- Cloud Computing: "Cloud computing" is a method of delivering Information and Communication Technology (ICT) services where the customer pays to use, rather than necessarily own, the resources. These services are typically provided by third parties using Internet technologies.
- ISO 27001: is an international standard published by the International Standardization Organization it describes how to manage information security in a company. A company, IT Service or product can be independently certified as meeting this standard.