The Data Protection Commission (DPC) have rebranded and launched a number of new sections on their website in relation to GDPR.
They have introduced a web form for businesses that have a Data Protection Officer (DPO). If you are unsure whether you need a DPO, please read our previous article here. Businesses that have appointed a DPO are required under GDPR to inform the DPC who the person is and to supply their contact details via the online web form.
Businesses can now report a data breach online if it poses a risk to the privacy rights of an individual. This must be done within 72 hours of becoming aware of the data breach. If the data breach does not pose a risk, businesses should still document it and detail why it did not need to be reported.
Our recommendation is to learn from and act upon those small data breaches to prevent further data breaches occurring. The DPC have provided examples of what the email should look like when reporting the data breach and they have provided information on data breaches that occurred before 25 May.
Another new section is information on data access requests. In 2017, 50% of all complaints made to the DPC were in relation to access requests, so if you receive one, do not ignore it. The DPC have provided an example of what an access request might look like, and have set out the rights of the individual and how they can make an access request with a business.
It is highly recommended that businesses read this section so that they are familiar with how they might be approached by an individual. The DPC advise individuals that they may be asked to verify their ID and we recommend that businesses confirm the identity of the individual before handing out any personal data. This section also covers access requests that were made before 25 May.
Finally, they have a section on general queries or concerns, with information on what individuals should supply for these queries, so again it is worth taking a look at this section.
SFA have formed a GDPR discussion group that will meet four times a year. In the meeting we will share updates on what is happening with GDPR and the DPC. The group can also discuss how they managed particular issues under GDPR. Our first meeting will be on 21 June at 11.30am. If you would like to be a part of the group please contact Helen at firstname.lastname@example.org to be added to the GDPR discussion mailing group.
If you would like more information on GDPR or to discuss your requirements further, please contact Helen at SFA on 01 6051668 or at email@example.com or visit our GDPR section on www.sfa.ie/advice