GDPR POLICY (Data Protection and Access to Information)
Effective Date: May 2018
ZHERO rigorously complies with the EU General Data Protection Regulation (GDPR). The GDPR requires a Privacy by Design approach (data protection by design and by default), in which data protection is built into every stage of a project's lifecycle. Under the GDPR, organisations in breach can be fined up to 4% of annual worldwide turnover or €20 million, whichever amount is greater.
Any personal or sensitive information about an individual which the Company holds is covered by this legislation, including the contents of emails. If you receive a subject access request, refer it immediately to your line manager.
If you are a user of such information you need to be sure that you are not breaching any data protection rules when you store or use information and when you write and send emails. Breaches could include, but are not limited to:
- Using data which has not been kept up to date.
- Passing on or processing personal information about an individual without a lawful basis (for example, without their consent).
- Keeping personal information longer than necessary.
- Transferring personal information outside the UK or the EU without appropriate safeguards.
If any breach of data protection rules is discovered, such as the leaking or hacking of personal or sensitive data, report it immediately to your Head of Department (HOD) and take any immediate action available to contain the leak. Your HOD will ensure the incident is properly investigated and that the appropriate reporting actions are taken where necessary.
Employees can request access to the information held on them by the Company. All requests by employees to gain access to such records should be made in writing. There is no charge for this service.
The protection of client data and security of our networks is imperative for ZHERO to operate effectively and avoid litigation. Sensitive client data is a critical asset and you are required to be alert to this fact, both in the office and when working off-site.
Please also ensure that an NDA is issued, signed and countersigned for all contractors or partners with whom potentially sensitive data may be shared.
As part of ZHERO's data protection compliance, you will be required to sign a Non-Disclosure Agreement (NDA) for all projects that involve the processing of sensitive and confidential client and company data. Ensure that the NDA is countersigned by your HOD. The NDA protects client data, which may not be disclosed to third parties under any circumstances.
WHAT IS THE GDPR?
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the UK. It also addresses the export of personal data outside the EU and the UK. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business.
Because GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.
TO WHOM DOES THE GDPR APPLY?
The GDPR applies not only to organisations located within the EU but also to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location.
WHAT CONSTITUTES PERSONAL DATA?
Any information relating to a natural person (the ‘Data Subject’) that can be used to directly or indirectly identify that person. This can be anything from a name, a photo, an email address, bank details or posts on social networking websites to medical information or a computer's IP address.
PRINCIPLES OF THE GDPR
To comply with the GDPR, organisations broadly speaking need to embed six privacy principles within their operations:
- Lawfulness, fairness and transparency
  - Transparency: Tell the subject what data processing will be done.
  - Fair: What is processed must match up with how it has been described.
  - Lawful: Processing must meet the tests described in the GDPR.
- Purpose limitation
  - Personal data can only be obtained for “specified, explicit and legitimate purposes”.
  - Data can only be used for a specific processing purpose that the subject has been made aware of and no other, without further consent.
- Data minimisation
  - Data collected on a subject should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.
  - In other words, no more than the minimum amount of data should be kept for a specific processing purpose.
- Accuracy
  - Data must be “accurate and, where necessary, kept up to date”.
  - Data holders should build rectification processes into data management and archiving activities for subject data.
- Storage limitation
  - Personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary”.
  - In summary, data no longer required should be removed.
- Integrity and confidentiality
  - Requires controllers and processors to handle data “in a manner ensuring appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage”.
The GDPR requires that the data controller provides the data subject with information about the processing of his/her personal data in a concise, transparent and intelligible manner, which is easily accessible, clearly distinguishable from other matters between the controller and the data subject, and written in clear and plain language.
Transparency is achieved by keeping the individual informed; this should be done before data is collected and whenever subsequent changes are made.
There are six available lawful bases for processing. No single basis is better or more important than the others. The basis that is most appropriate will depend on your purpose for processing and relationship with the individual.
The six lawful bases are:
- Consent:
the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract:
the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation:
the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests:
the processing is necessary to protect someone’s life.
- Public task:
the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests:
the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those.
The GDPR also states that data controllers are responsible for, and must be able to demonstrate, compliance with the other principles (the accountability principle). This is a short sentence with major implications. It is not enough to comply; you have to be seen to be complying.
The range of processes that organisations have to put in place to demonstrate compliance will vary depending on the complexity of the processing but may include:
- assessing current practice and developing a data privacy governance structure which may include appointing a Data Protection Officer
- creating a personal data inventory
- implementing appropriate privacy notices
- obtaining appropriate consents
- using appropriate organisational and technical measures to ensure compliance with the data protection principles
- putting written contracts in place with organisations that process personal data on your behalf
- maintaining documentation of your processing activities
- implementing appropriate security measures
- using Data Protection Impact Assessments (DPIAs, also known as Privacy Impact Assessments)
- creating a breach reporting mechanism
Being accountable can help you to build trust with individuals and may help you mitigate enforcement action.
Individuals have the right to be informed in a clear and concise way about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
The GDPR provides the following rights for individuals:
- The right to be informed
  Individuals need to know that you are collecting their data, why you are processing it and the entities with whom you are sharing it.
- The right of access
  Individuals have the right to obtain:
  - confirmation that you are processing their data
  - access to their personal data
  - other supplementary information
- The right to rectification
  Individuals have the right to have personal data rectified if it is inaccurate or completed if it is incomplete.
- The right to erasure (‘right to be forgotten’)
  Individuals can request the erasure of personal data held about them in certain circumstances.
- The right to restrict processing
  Individuals have a right to block or restrict the processing of their personal data.
- The right to data portability
  The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
- The right to object
  Individuals have a right to object to the processing of their personal data in certain circumstances.
- Rights in relation to automated decision making and profiling
  The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
All requests regarding Personal Data should be logged via the ticketing system. Respond to a request without undue delay and in any case within one month of receipt.
Employees and contractors should email firstname.lastname@example.org to lodge a request regarding their own personal data held by the company. Your request will be treated with the same respect and importance as that of a customer.
If you object to any of the data processing procedures, please email email@example.com clearly explaining the procedure/s involved and the reason/s for your objection.
One of the aims of the GDPR is “accountability”, and this is emphasised when it comes to personal data breaches, i.e. breaches of security that affect personal data.
Under the GDPR, a “personal data breach” is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is being held, transmitted or otherwise processed.
This can include anything from misplacing a USB drive or suffering an HDD crash, to leaving your screen unlocked and unattended so that an unauthorised person can access it, to an external attacker breaching the firewall and other security measures and gaining access to private data.
The potential damage includes “discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality”.
Clearly the main objective of the Regulation is to prevent data breaches but, if the worst happens, you must know what to do.
Notifiable breaches must be reported to the ICO within 72 hours of becoming aware of them, so delay is not an option!
If you suspect a breach has occurred notify the Operations Manager immediately via the email address firstname.lastname@example.org, thus enabling them to take the necessary steps.
[ZHERO JULY 2023]