Do you know if you are GDPR compliant?
If not, you may be breaking the law
With all the talk about preparing for the introduction of the General Data Protection Regulation on 25th May 2018, you would expect that the answer would always be "yes, I am GDPR compliant". Unfortunately, many businesses have still not found the time to bring their business up to date with the comprehensive new Data Protection legislation. Others are not sure where to begin the process of checking whether or not they are GDPR compliant. This article looks at what the busy business owner needs to do in order to comply with the General Data Protection Regulation.
What are my obligations under GDPR as an employer and a business owner?
As the majority of employers and businesses in Ireland are microenterprises, we will look at the obligations placed on microenterprises by the GDPR. A microenterprise is defined as a business employing 10 or fewer employees and having an annual turnover or balance sheet below 2 million Euro.
The key to success in the world of GDPR is transparency. You must be clear about how you are obtaining, using and safeguarding personal data. This is at the heart of all of the procedures and processes that follow from the GDPR legislation.
What's the difference between a Data Controller and a Data Processor?
Article 4 of the GDPR defines a Data Controller as a natural or legal person, that determines, alone or jointly with others, the purposes and means of the processing of personal data.
A Data Processor is defined as a natural or legal person that processes personal data on behalf of a Data Controller. A natural person is an individual. A legal person is usually a company.
Does the GDPR only apply to the EU?
If your business is established in the EU, the GDPR applies to your processing of personal data in the context of its activities.
If your business is not established in the EU, the legislation applies to your processing of personal data of individuals in the EU in respect of the offering of goods and/or services and the monitoring of an individual's behaviour as it occurs within the EU.
Be data aware
As a microenterprise you should check the personal data you process to ascertain what personal data you hold and any special categories thereof.
"Personal Data" is defined as any information relating to an identified or identifiable natural person (a "data subject") (Article 4 GDPR).
"Special categories of personal data" is defined as data relating to an individual's:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data
- data concerning health
- data concerning sex life or sexual orientation
(Article 9 GDPR)
What principles must I stick to?
You must consider the following, whether you are processing personal data:
- in a lawful, fair and transparent way
- for specified, legitimate and explicit purposes
- in a manner which reflects data minimisation
- in a way which keeps the data up to date and accurate
- in such a way that identification of the data subject is permitted for no longer than is necessary for the purposes of processing
- so that it is kept secure in an appropriate environment
What if I outsource to a data processor?
If you use the services of an outside data processor to process the personal data you must ensure that:
- Article 28 of the GDPR is complied with
- the data processor has adequate security procedures
- you actively enquire as to the appropriate security measures being implemented by the data processor and are satisfied that they are adequate
How secure is the data?
Data controllers and data processors are obliged to implement technical and organisational measures to ensure an appropriate level of security in relation to the risks which may arise when processing the data.
An appropriate level of security must include consideration of the following:
- The current "state of the art"
- The scope of implementation and its cost
- The purpose and context of the processing
- What risks it poses to the rights of individuals
You must consider the technical security, the physical security and the organisational security of the data processing. You are obliged to have robust data collection and retention policies. Data collection and retention should be assessed in the context of business needs and minimised.
What do I need if I use a Data Processor?
As a microenterprise, you need a written agreement defining the responsibilities, security measures and guarantees. Use a data processor that is properly qualified and certified. Review arrangements regularly.
Data in the Cloud. Steps to ensure it doesn't rain on your GDPR parade
Many organisations make daily use of "The Cloud" for their information flow. While it has many benefits there are also many risks. The Data Protection Commissioner has listed five key ways organisations can secure their Cloud-Based environments to mitigate their risk of a personal data breach.
Organisations should implement strong password policies to ensure that users accessing personal data within Cloud-Based environments do so in a secure manner.
Organisations should implement two-factor authentication. Two-factor authentication is an effective way to further enhance Cloud-Based security and is available from most Cloud-Based providers.
Organisations should be aware of and document user access privileges within their Cloud-Based environments. User access control is particularly important where group mailboxes or shared folders are utilised. Organisations should also document each user’s specific access requirements and ensure that these are supported by an appropriate change control process.
Security measures applied by an organisation must be supported by regular reviews of user access to ensure that all authorised access to personal data is strictly necessary and justifiable for the performance of a specific function.
Organisations should not rely on Cloud-Based service providers’ default security settings. Organisations should review the Cloud-Based security features available from the Cloud-Based service provider to ensure that they are applied appropriately and in a layered manner. Examples of security settings and controls provided by Cloud-Based service providers often include:
- Centralised administration tools
- Mobile device management
- Encryption during message send and receive
- Encryption of message content
- Account activity monitoring and alerts
- Data loss prevention
- Spam and spoofing protection
Organisations should also be aware that Cloud-Based services might be publicly accessible and organisations should review and implement the appropriate security settings to secure remote access.
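The access-documentation and regular-review points above (document each user's privileges, enable two-factor authentication, confirm that every access to personal data is necessary and justified) can be turned into a repeatable check. The following is an added illustration, not code from the Data Protection Commissioner or from this article: it runs an access review over a constructed user access register (the user names, shared resources and dates are invented sample data) and reports the records that fail the checks.

```python
"""Access review over a documented cloud user access register.

Added example. The register format, the field names and the 90-day review
interval are assumptions for illustration; adapt them to whatever the
organisation actually records about its users.
"""
from datetime import date, timedelta

# Constructed sample register (not real accounts or systems). Each entry is what
# a small organisation might document about one user of its cloud mailbox or
# shared-folder service: role, whether two-factor authentication is on, which
# shared resources the user can reach, why, and when this was last reviewed.
ACCESS_REGISTER = [
    {"user": "alice", "role": "staff", "mfa_enabled": True,
     "shared_access": ["sales-mailbox"],
     "justification": "answers customer order queries",
     "last_reviewed": "2018-04-10"},
    {"user": "bob", "role": "staff", "mfa_enabled": False,
     "shared_access": [],
     "justification": "",
     "last_reviewed": "2018-04-10"},
    {"user": "carol", "role": "admin", "mfa_enabled": True,
     "shared_access": ["hr-folder", "sales-mailbox"],
     "justification": "",
     "last_reviewed": "2017-11-01"},
    {"user": "dave", "role": "staff", "mfa_enabled": True,
     "shared_access": [],
     "justification": "",
     "last_reviewed": "2018-05-01"},
]


def review_access(register, today_iso, review_interval_days=90):
    """Return a list of (user, finding) pairs for entries that fail a check.

    Checks applied to every entry:
      - two-factor authentication must be enabled;
      - administrative privilege must carry a documented justification;
      - access to shared mailboxes/folders must carry a documented justification;
      - the entry must have been reviewed within review_interval_days.
    """
    today = date.fromisoformat(today_iso)
    stale_before = today - timedelta(days=review_interval_days)
    findings = []
    for rec in register:
        user = rec["user"]
        if not rec["mfa_enabled"]:
            findings.append((user, "two-factor authentication not enabled"))
        if rec["role"] == "admin" and not rec["justification"]:
            findings.append((user, "administrative privilege without documented justification"))
        if rec["shared_access"] and not rec["justification"]:
            findings.append((user, "shared access without documented justification: "
                             + ", ".join(rec["shared_access"])))
        if date.fromisoformat(rec["last_reviewed"]) < stale_before:
            findings.append((user, "access not reviewed within %d days" % review_interval_days))
    return findings


def users_needing_attention(register, today_iso, review_interval_days=90):
    """Sorted list of users with at least one finding."""
    return sorted({u for u, _ in review_access(register, today_iso, review_interval_days)})


if __name__ == "__main__":
    # Run the review as of the GDPR application date used in the article.
    for user, finding in review_access(ACCESS_REGISTER, "2018-05-25"):
        print(f"{user}: {finding}")
```

In this sample run, bob is flagged for missing two-factor authentication and carol for undocumented administrative and shared-resource access plus an overdue review, while alice and dave pass. The point is that the register itself is the evidence of "documented user access privileges"; the script only makes the periodic review repeatable and harder to skip.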
This article is a short summary of the areas of which all businesses in Ireland should be aware in relation to the General Data Protection Regulation. It does not purport to be a definitive guide to GDPR. If you would like to obtain more information please contact us and we will get in touch at a time that suits.