Material for reading "Awareness of EU General Data Protection Regulation"

4.1 Understand and explain GDPR to female learners

The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, will replace the Data Protection Directive 95/46/EC in Spring 2018 as the primary law regulating how companies protect EU citizens' personal data.

The purpose of the GDPR is to impose a uniform data security law on all EU members, so that each member state no longer needs to write its own data protection laws and laws are consistent across the entire EU. In addition to EU members, it is important to note that any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation. As a result, GDPR will have an impact on data protection requirements globally.

The GDPR itself contains 11 chapters and 91 articles. The following are some of the chapters and articles that have the greatest potential impact on security operations:

● Articles 17 & 18 – Articles 17 and 18 of the GDPR give data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the “right to portability”), and they may direct a controller to erase their personal data under certain circumstances (also called the “right to erasure”).

● Articles 23 & 30 – Articles 23 and 30 require companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure.

● Articles 31 & 32 – Data breach notifications play a large role in the GDPR text. Article 31 specifies requirements for single data breaches: controllers must notify Supervisory Authorities (SAs) of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach, such as its nature and the approximate number of data subjects affected. Article 32 requires data controllers to notify data subjects as quickly as possible of breaches that place their rights and freedoms at high risk.

● Articles 33 & 33a – Articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.

● Article 35 – Article 35 requires that certain companies appoint data protection officers. Specifically, any company that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer; these officers advise companies about compliance with the regulation and act as a point of contact with SAs. Some companies may be subject to this aspect of the GDPR simply because they collect personal information about their employees as part of human resources processes.

● Articles 36 & 37 – Articles 36 and 37 outline the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.

● Article 45 – Article 45 extends data protection requirements to international companies that collect or process EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies.

● Article 79 – Article 79 outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company’s global annual revenue depending on the nature of the violation.


What are the Main Principles?

  1. Transparency: You must ensure that your data collecting processes are transparent. That means it must be easy for your clients and visitors to find out where you store their data, what you do with their data and how they can either delete your copy or get a record of it.
  2. Lawful Collection and Usage: It is important to obtain data about your clients legally, but what some people might not realise is that once you have that data you can only use it for the purposes for which it was collected. So for example, you can’t collect data on your clients when they sign up for a specific workshop, then use it to create a mailing list for an event you are running with a colleague on another topic.
  3. Permission: Again, this goes without saying, but you must have permission to collect someone’s data. This means you can’t “buy” a mailing list from someone else or add people to your mailing list when they are actually signing up for your free eBook without asking them. And that last part is the important bit – you MUST include a checkbox on all your forms that specifically asks people to consent (and it can’t be pre-ticked).
  4. The Right to Leave: You must have provision for people to remove themselves from your mailing list and your database and it must be EASY to do so.


Links for self-learning

Complete Guide to GDPR Compliance

GDPR Principles for Processing Personal Data


4.2 Apply GDPR to coaching and maintain confidentiality


As far as coaching is concerned, any information held should not:

● be linked to further details of clients

● contain any images of clients

● be shared with others


As a coach, know what information you process, identify and mitigate risks and ensure you embed privacy and transparency into your processes.

If information is held on paper, there is no requirement to register with the GDPR. For those that hold information on a computer there is still no need to register as long as any profit is not used to enrich others and they only:

● process information necessary to establish or maintain support

● share client information with client consent

● keep the information as long as necessary


GDPR Principles for Processing Personal Data

  1. Lawfulness, Fairness and Transparency: An organization must demonstrate a lawful basis for obtaining personal data in order to process it. It must meet the criteria for at least one (1) of six (6) conditions for processing, referred to as 'lawful bases'. Collection of personal data must be conducted in a fair manner, ensuring it was not obtained under false pretences. Processing personal data must be done with fairness to the individual, satisfying reasonable expectations as to how the data will be used. An organization must be clear and honest with individuals regarding the reasons why it is collecting personal data and how it intends to process it. Transparency, aside from its inclusion as a principle for processing, is further extended into data subjects' 'right to be informed'. To satisfy this principle an organization must meet expectations for all three (3) criteria: lawfulness, fairness and transparency.
  2. Purpose Limitation: A specific and legitimate reason is needed for any personal data that is collected. Personal data can only be used for the specified reasons. Exceptions could be made if further processing is for any of the following purposes: archiving in the public interest; scientific or historical research; statistical reasons.
  3. Data Minimisation: The organizational practice of minimizing the overall amount of personal data collected. Only collect personal data that is adequate, relevant, and limited to what is necessary for the specified purposes. Delete or mask personal data that is either no longer needed or unnecessary to perform the specified purposes. The organization must be able to demonstrate appropriate data minimization practices. Periodic check-ups should be made to ensure the adequacy and relevance of the data collected.
  4. Data Accuracy: Organizations must take necessary and reasonable steps to ensure the accuracy of personal data collected from data subjects. Organizations must identify the essential steps, depending on the purpose of processing, to erase or rectify inaccurate data without delay. This is closely related to data subjects' right to rectification. Accuracy is a data standard principle, similar to the data minimization and storage limitation principles. It highlights the clear difference between personal data and historical data: personal data may change, but such changes should not adversely affect historical data in use.
  5. Storage Limitation: Organizations should not keep personal data for longer than needed. Storage limitation is a form of data standardization, similar to the data minimization and accuracy principles. Organizations should perform periodic reviews to identify, and address, data stored beyond its intended use. Storing personal data beyond the initially stated purpose is allowed if it is kept for public interest archiving, scientific or historical research, or statistical purposes. In order to store personal data beyond its initial purpose, whether for compatible purposes or otherwise, measures such as anonymization or pseudonymization should be applied to safeguard data subject rights.
  6. Integrity and Confidentiality: Organizations (data controllers) are responsible for the security of the personal data they collect and store. Technical or organizational measures should be used to ensure the security of personal data. Security measures need to protect against: unauthorized or unlawful processing; accidental loss; destruction or damage.


As far as the confidentiality principle is concerned, coaches should follow some fundamental steps.

The first and essential step is to run an information risk assessment using data discovery tools to interrogate personal data across all data repositories within an organization.

Data Discovery

● define what personal data the organization needs to investigate

● locate all the places your organization is storing the data

● create an inventory of who is using or has access to the data

After data discovery is complete, the organization should carefully evaluate the results to address vulnerabilities affecting sensitive personal data.

Remediation

● enforce user access controls based upon data discovery results

● apply either encryption or data masking to sensitive personal data

After remediating existing personal data, the organization should apply continuous monitoring tools to ensure that the security measures the organization applies to the data continue to remain intact.

Continuous Monitoring

● apply monitoring tools to ensure the organization is protecting new and existing data

● enable breach detection tools to alert on suspicious activity
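The three steps above (data discovery, remediation, continuous monitoring) run end to end over a small constructed data set. This is an added example, not code from the training material or from any of the linked guides; the client records, the access-log lines, the regular expressions, the field names, the alert thresholds and the HMAC key are all constructed for illustration, and the pseudonymisation uses a keyed hash (HMAC-SHA256) as one concrete form of the data masking that the remediation step calls for.

```python
"""Discovery -> remediation -> monitoring over constructed sample data.

Added example: nothing here is the training material's own code, and every
record, log line, pattern and key below is constructed for illustration.
"""
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed client records, as a coach's spreadsheet export might look.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Anna Example", "email": "anna@example.org",
     "phone": "+44 7700 900123", "notes": "Session 3 done"},
    {"id": 2, "name": "Bea Sample", "email": "bea@example.net",
     "phone": "020 7946 0000", "notes": "Prefers mornings"},
]

# Step 1, data discovery: detectors for personal data found inside free text
# (constructed, deliberately simple, not an exhaustive classifier).
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s-]{7,}\d"),
}
# Fields that are personal data by definition, regardless of their content.
KNOWN_PII_FIELDS = {"name"}


def discover_personal_data(records):
    """Return an inventory {field: {kinds}} of where personal data lives."""
    inventory = defaultdict(set)
    for record in records:
        for field, value in record.items():
            if field in KNOWN_PII_FIELDS:
                inventory[field].add("direct identifier")
            if not isinstance(value, str):
                continue
            for kind, pattern in PII_PATTERNS.items():
                if pattern.search(value):
                    inventory[field].add(kind)
    return dict(inventory)


# Step 2, remediation: keyed pseudonymisation. The same value always maps to
# the same token, so records stay linkable for the coach, but the token
# cannot be turned back into the person without the key.
def pseudonymise(value, key):
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def remediate(records, inventory, key):
    """Replace every discovered personal-data field with its pseudonym."""
    cleaned = []
    for record in records:
        copy = dict(record)  # never mutate the source records in place
        for field in inventory:
            copy[field] = pseudonymise(str(record[field]), key)
        cleaned.append(copy)
    return cleaned


# Step 3, continuous monitoring over constructed access-log lines.
SAMPLE_LOG = """\
2024-05-01T09:00:00 user=coach action=read subject=1
2024-05-01T09:05:00 user=coach action=read subject=2
2024-05-01T23:10:00 user=intern action=read subject=1
2024-05-01T23:10:01 user=intern action=read subject=2
2024-05-01T23:10:02 user=intern action=read subject=3
2024-05-01T23:10:03 user=intern action=export subject=4
"""
LOG_LINE = re.compile(r"user=(?P<user>\S+) action=(?P<action>\S+) subject=(?P<subject>\d+)")


def detect_suspicious_access(log_text, max_subjects=2):
    """Alert when one user touches more distinct data subjects than expected,
    or performs a bulk export. The threshold is constructed for the example."""
    subjects_per_user = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        match = LOG_LINE.search(line)
        if not match:
            continue  # ignore lines that are not access events
        user, action, subject = match["user"], match["action"], match["subject"]
        subjects_per_user[user].add(subject)
        if action == "export":
            alerts.append(f"{user}: export of subject {subject}")
    for user, seen in subjects_per_user.items():
        if len(seen) > max_subjects:
            alerts.append(f"{user}: accessed {len(seen)} subjects (limit {max_subjects})")
    return alerts


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-separate-from-the-data"
    inventory = discover_personal_data(SAMPLE_RECORDS)
    print("inventory:", inventory)
    for row in remediate(SAMPLE_RECORDS, inventory, key):
        print("remediated:", row)
    for alert in detect_suspicious_access(SAMPLE_LOG):
        print("ALERT:", alert)
```

The key used for pseudonymisation has to be stored separately from the pseudonymised records, because anyone holding both can re-link tokens to people; that separation is what makes the result a pseudonymisation measure rather than a cosmetic rename. The monitoring thresholds are likewise constructed and would be tuned to what normal use of the client database looks like.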

What organizational measures should you adopt?

Organizations should start with an information risk assessment, using data discovery tools to identify and remediate personal data vulnerabilities. Assign a point person within the organization (a data protection officer, DPO, for example) to manage day-to-day information security. Ensure the assigned team members have the appropriate resources and authority to enforce data security measures. Lastly, work toward adopting an overall culture of security awareness within the organization.

What factors should you consider when determining the level of data security needed?

The security measures applied to each set of data should be proportionate to the risks associated with that data.

You should also take account of factors such as:

● the nature and extent of your organization’s premises and computer systems

● the number of staff you have and the extent of their access to personal data

● any personal data held or used by a data processor acting on your behalf


Links for self-learning

GDPR Implications for Coaches

GDPR In A Nutshell For Therapists, Writers & Life Coaches

What coaches need to know about GDPR

Data Collection Best Practice: The Basics

Data Protection Compliance Checklist

Data Protection Training: Things to Teach Every Employee