Data Protection/GDPR Flashcards
What does GDPR stand for?
General Data Protection Regulation
What 2 protection Acts did the GDPR replace?
Data Protection Act (1988)
Data Protection Amendment Act (2003)
It protects your digital reputation
What is the focus of Data Privacy Day (28th January)?
It is the international effort to create awareness about the importance of respecting privacy, safeguarding data and enabling trust
What does the Data Protection Commission carry out?
Surveys and consults widely
What are examples of unsolicited direct marketing?
Phone calls
Texts
Emails
Postal communications
What has begun to interest people?
Right of access to records held by employers
What are the top 3 most important matters relating to privacy?
Medical records
Financial history
Credit card numbers
What % of people indicated that they would make a complaint about the invasion of their privacy to the Gardaí?
30%
What % of people indicated that they would make a complaint about the invasion of their privacy to the Data Protection Commissioner's Office?
19%
What is Data Privacy?
Protects living individuals who have data about them stored on computers, or in structured manual files. This covers all electronic and paper records
Who does GDPR apply to?
All countries in the EU
When is it legal to process data?
- By consent
- To carry out a contract
- In order for an organization to meet a legal obligation
- Where processing the personal data is necessary to protect the vital interests of a person
- Where processing the personal data is necessary for the performance of a task carried out in the public interest
- In legitimate interests of an organization
Limits to data processing
- Lawfulness, fairness and transparency
- Purpose Limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
What data is considered particularly sensitive and has additional protection under GDPR?
Racial or ethnic origin
Physical or mental health
Political opinions
Sexual life or sexual orientation
Religious or philosophical beliefs
Genetic data and biometric data
Trade union membership
Define personal data
It is information which refers to any living individual who is either identified or identifiable
Define data subject
It is the individual to whom the personal data refers
Define data controller
It is a person, company or other body which decides the purposes and methods of processing personal data
Define data processor
It is a person, company or other body which processes personal data on behalf of a data controller
Data protection confers rights on data subjects such as…
Right to be informed whether, how, why and for how long your data is being processed
Right of access to be given a copy of information held within a month for no cost
Right to have your data corrected or supplemented if it is incorrect or incomplete
Right to have data erased when its use is over
Right to limit/restrict/object to the processing of your data
Right to complain to the data protection commissioner
Right to object to automated decision making
Right to claim compensation
What is the difference between the data protection acts and GDPR?
The need for organizations to demonstrate a pro-active data protection policy about fair obtaining and purpose specification
Define fair obtaining
To obtain personal information fairly and openly, disclosing the identity of the data controller and the uses of the data
Define purpose specification
Both the organization and the data subjects must be clear about the purposes for the data
Other obligations require adequate care, and clear policies about…
Use and disclosure of information
Security
Retention time
Ensuring that data is: accurate and up-to-date, adequate, relevant and not excessive
What do use and disclosure of information, security and retention time all require?
Training and education
Co-ordination and compliance
Specific policies to cover areas such as:
Access requests
Data breaches
Registration with the DPC
What does the data protection commissioner do?
Examines complaints
Conducts investigations and takes action
Can conduct privacy audits - “dawn raids”
Promotes compliance through guidance and “codes of good practice”
Checks applications for registration
Promotes public awareness of data protection
Makes an annual report to the Oireachtas which includes a selection of case studies
How do organizations comply with the Act?
They should complete a data protection impact assessment answering:
Why are you holding it?
How did you get it?
Why was it originally gathered?
How long will you retain it?
How secure is it, both in terms of encryption and accessibility?
Do you ever share it with third parties and on what basis might you do so?