Understanding General Data Protection Regulation (GDPR)
GDPR is a legal framework implemented in May 2018 to enhance data protection rights and increase obligations for data controllers and processors. It requires compliance in processing personal data and imposes strict rules on handling data breaches. Key definitions, including personal data categories and processing operations, are outlined to ensure understanding and adherence.
Presentation Transcript
General Data Protection Regulation (GDPR)
GDPR is a legal framework, in force since May 2018. It:
- enhances the data protection rights of individuals
- places greater obligations on data controllers and data processors
- gives greater enforcement powers to authorities
Any possible data breach: contact the Data Protection Unit immediately (data.protection@dcu.ie) and we'll help. Under GDPR (Article 33) there is only a 72-hour window, counted from the moment DCU becomes aware of a breach, in which to notify the Data Protection Commission, so report as soon as you suspect one.
Compliance with GDPR is a mandatory legal requirement, not optional! Everyone processing personal data must do so in compliance with GDPR. Failure to do so may mean that the processing is unlawful.
Key Definitions (GDPR Article 4)
Personal Data: Any information relating to an identified or identifiable natural person.
Special Categories of Personal Data (GDPR Article 9): Race / ethnicity; political opinions; religious or philosophical beliefs; trade union membership; genetic data / biometric data; health data; sexual life / sexual orientation.
Processing: Performing any operation on personal data, whether or not by automated means.
Data Subject: The individual to whom the personal data relates.
Data Controller: Natural/legal person who determines the purposes & means of processing.
Data Processor: Natural/legal person who processes personal data on behalf of the Controller.
Principles (GDPR Article 5)
Lawfulness, fairness & transparency: e.g. at the point of collection, state who you are, for what purpose(s) the personal data will be used/processed, the legal basis for processing, with whom it will be shared, etc. (Legal bases: GDPR Article 6.)
Purpose limitation: Only process personal data for the specified purpose(s) for which it was originally collected.
Data minimisation: Limit the personal data collected and used to only what is adequate, necessary and relevant to the purpose(s) for which it was collected.
Accuracy: Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data should be erased or rectified.
Storage limitation: Personal data is not to be held for any longer than is needed for the original purpose(s) for which it was collected.
Integrity and confidentiality: Implement technical & organisational security measures to keep the personal data safe & secure.
Accountability: Be able to demonstrate compliance with each of your obligations under GDPR.
Non-Compliance / Data Breaches
Penalties
- A person whose data protection rights have been infringed has the right to take court proceedings; this means legal costs, court costs and potential damages.
- The regulator, the Data Protection Commission (DPC), has the power to carry out investigations and audits, and to impose large fines.
Other considerations
- Non-compliance may also mean reputational damage to you and to DCU.
- Compliance drives good information handling practices: improved data quality and records management.
Supports & DCU Data Protection Unit
GDPR Advocates (School/Faculty): dcu.ie/ocoo/data-protection-policies-guides-protocols-and-templates
Data Protection Unit (DPU): a Unit within the Office of the Chief Operations Officer (OCOO)
DPU email address: data.protection@dcu.ie
Information and resources: dcu.ie/ocoo/data-protection
Staff (name and role) and contact details:
- Martin Ward, DCU Data Protection Officer: martin.ward@dcu.ie
- Joan O'Connell, DCU Data Protection Co-ordinator: joan.m.oconnell@dcu.ie
- Noel Prior, DCU Risk & Compliance Officer: Noel.Prior@dcu.ie