When did GDPR come into effect?

The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation took effect after a two-year transition period and, unlike a Directive, did not require any legislation to be passed by government. GDPR came into force on 25th May 2018.

Who does the GDPR affect?

The GDPR not only applies to organisations located within the EU but also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all institutions processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

What constitutes personal data? 

The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

What is the difference between a regulation and a directive? 

A regulation is a binding legislative act. It must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to decide how. It is important to note that the GDPR is a regulation, in contrast the the previous legislation, which is a directive.

How does GDPR affect policy surrounding data breaches? 

Proposed regulations surrounding data breaches primarily relate to the notification policies of institutions that have been breached. Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay. Please see the University Breach Procedure in this regard.

What does “processing” mean? 

The GDPR defines data processing as: "any operation or set of operations performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction."

What is the difference between a Data Controller and a Data Processor? 

A Data Controller is a person or organisation who controls the contents and use of personal data (e.g. the University is a data controller for the personal data it processes in relation to its staff and students. i.e. it decides what it will do with the data). A Data Processor is a third party who processes personal data on behalf of a Data Controller (e.g. institutions which provide services to the University, such as storage of records or destruction of confidential records, are data processors as they are performing this task/processing the data on behalf of the University. Employees of the Data Controller who process personal data in the course of their employment are not regarded as ‘Data Processors’.

Do data processors need ‘explicit’ or ‘unambiguous’ data subject consent – and what is the difference?

The conditions for consent have been strengthened, as institutions are no longer able to utilise long illegible terms and conditions full of legalese. The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent, meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.​  Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.

What is Privacy by Design and Default? 

Privacy by Design means that the University needs to consider privacy at the initial design stages and throughout the complete development process of new products, processes or services that involve processing personal data. Privacy by Default means that when a system or service includes choices for the individual on how much personal data he/she shares with others, the default settings should be the most privacy friendly ones. 

How can the University manage student, staff and service users trust?

The University should perform either a Privacy by Design and Default(see above for details and separate tab on this NUI Galway Data Protection webpage) where required, or a data privacy impact assessment (DPIAs) where required to show how personally identifiable information (PII) is collected, used and shared by an organisation. The GDPR requires that an Impact Assessment should be carried out whenever new technologies for processing are to be used, where automated processing is involved, where there is a high risk to privacy involved in the processing, where profiling takes place, and where large amounts of sensitive personal data is being processed. The DPIAs assist in allowing Universities to ensure that privacy by design is default in a business. As personally identifiable information can be present across a range of platforms, such as cloud-based applications or internal tools, all personal data needs to be inventoried. Universities should demonstrate a risk-based approach to data protection – through the deletion, encryption or redaction of data, dependent on its sensitivity. See separate link on this webpage for further details on DPIAs.

How do data protection by design and by default link to data protection impact assessments (DPIAs)? 

A DPIA is a tool that we can use to identify and reduce the data protection risks of your processing activities. They can also help us to design more efficient and effective processes for handling personal data. DPIAs are an integral part of data protection by design and by default. For example, they can determine the type of technical and organisational measures we need in order to ensure our processing complies with the data protection principles. However, a DPIA is only required in certain circumstances, such as where the processing is likely to result in a risk to rights and freedoms. In contrast, data protection by design is a broader concept, as it applies organisationally and requires us to take certain considerations even before we do decide whether our processing is likely to result in a high risk or not.

 Can Data Subjects request their own data under the GDPR as they can do currently?

Under GDPR, the time frame for providing the information has been reduced from 40 days to one calendar month.

What other rights do individuals have?

While many of the main concepts and principles of GDPR are much the same as those in our current Data Protection Acts, GDPR introduces new elements and significant enhancements to individuals’ rights: 

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

Are videos and photographs of people regarded as personal data? 

If a video or photograph contains images of identifiable individuals, then it is regarded as personal data relating to those individuals.

What if a parent or guardian of a student contacts A University employee to request their son or daughter’s personal data (e.g. exam results, registration details, attendance at lectures)? 

A University employee should not release that data unless he/she have the written consent of the student to do so.

If a student is under 18 years of age, can I release information to a parent or guardian without the student’s permission?

Although those under 18 are regarded as minors under the law, they still have the right under the Data Protection Acts for information about them not to be disclosed without their consent or as otherwise permitted by the Data Protection Acts. This means that the University is not able to give information to parents or guardians regarding the student's progress, results or any other personal circumstances unless the student has given their specific consent or such disclosure would otherwise be in accordance with the Data Protection Acts.

In an emergency situation, can I disclose personal data without consent?

Personal data may be processed on the basis that it is necessary to protect the "vital interests" of the data subject (this essentially applies in "life‑or-death" scenarios). Under GDPR, the “vital interests” processing condition can extend to other individuals (e.g. children of the data subject).

Can I share personal data with colleagues in the course of performing University functions?

Yes – but make sure that you only share personal data with colleagues who need to know it.

How long should I keep records?

The Data Protection legislation does not specify timelines for records retention. NUI Galway has a Records Retention Policy and is presently updating records retention schedules. These will set out retention periods and disposal actions for records held in each area. As a general rule, records should only be kept for as long as the University needs to use them for.

When does my unit need to give a Data Protection Notice?

A Data Protection Notice should be provided at the point at which the data is collected from a person (e.g. when they are completing a form). If you get the data from another source (i.e. not from the person that the information relates to):

  • you must provide a notice at least one month after obtaining the data
  • if you use the data to communicate with the individual, you must give them a notice when you first contact them
  • if you plan to disclose the data to another person/body, you must provide a data protection notice when the data is first disclosed.

What information does a Unit need to provide in a Data Protection Notice?

Data Protection Notices must contain specific information (set out in the legislation) which informs data subjects of:

  • who is collecting the data (e.g. School of X, NUI Galway)
  • why it is being collected
  • what legal basis is being relied upon to process the data
  • how it will be processed
  • how long it will be kept for
  • who it will be disclosed to
  • what rights people have in relation to their own data
  • the right to lodge a complaint with the Data Protection Commission
  • the existence of automated decision making.

How does GDPR affect marketing strategies?

Data plays a critical part in both digital and direct marketing strategies and therefore marketers must ensure they have demonstrated clear compliance and consent. Employees or agents of the University who perform marketing on behalf of the University must demonstrate how the data subject has consented to the processing of their personal data. Marketing databases have to be cleansed and reviewed to ensure that the organisation can identify consent which has been granted lawfully and fairly. Please see this link for further details: https://www.dataprotection.ie/en/organisations/rules-electronic-and-direct-marketing

What are the main changes in the GDPR?

The main changes in the GDPR are:

i) that the legislation is now technology neutral, so it applies to personal data held in any format whether paper or electronic, held in files, on laptops, phones, cameras, video tapes, audio recordings etc
ii) the definition of Personal Data has changed to include location data and online identifiers
iii) the definition of Sensitive Personal Data has been extended to include genetic and biometric data but only for the purpose of uniquely identifying a living individual.
iv) the term Sensitive Personal Data itself changes to Sensitive Category Data (SCD)
v) that data subject rights are extended and improved
vi) the requirement to know and state – in fair processing notices – the lawful basis for all types of processing of personal and special category data, and for this to be made clear at all times
vii) the introduction of compulsory data breach notification
viii) increased fines for data, and notification, breaches
ix) the requirement for transparency and accountability
x) increased responsibility of data processors for data processing.

What are the lawful bases for processing personal data?

Whenever processing personal data, we have to have a legal basis for the processing. Under the GDPR these are:

  • that the data subject has given their consent to this processing
  • that the processing is necessary for the performance of a contract involving the data subject
  • the processing is necessary for compliance, by the data controller, with a legal obligation
  • that the processing is necessary in order to protect the vital interests of the data subject or another living individual
  • that the processing is necessary for the performance of a task carried out in the public interest of the data controller
  • that the processing is necessary or the legitimate interests of the data controller (although this legal basis has limited application)

When processing special category data, we also need to have a further lawful basis for processing from the following list:

  • that the data subject has given their explicit consent to the processing
  • that the processing by the data controller is necessary in the field of employment
  • that the processing is necessary to protect the vital interests of the data subject or another living individual, where the data subject is physically or legally incapable of giving consent
  • that the processing relates to personal data that has been made public by the data subject
  • that the processing is necessary for legal reasons
  • that the processing is in the substantial public interest
  • that the processing is necessary for occupational medicine
  • that the processing is necessary for reasons of public interest in the area of public health
  • that the processing is necessary for archiving purposes in the public interest, scientific or historical research or statistical purposes

Do emails contain personal data?

Personal data contained within emails does fall within the scope of current and future data protection legislation. Please remember that the information within emails will in many instances be personal data, and as a result requires a degree of management; as all of the data protection principles and many of the rights of individuals will apply, notably the right of subject access. As a reminder, personal data should be accurate, relevant and factually correct.

Does GDPR cover paper as well as digital information?

Yes if such paper records contain personal data.

Where else can I get advice?

Please consult: www.dataprotection.ie and the NUI Galway Resources and Training Page