Transparency, Accountability, Security

    The GDPR introduces a number of changes to data protection practices and will require the University to review and revise its approach to data handling. Key changes include:
     

    Privacy notices More detailed privacy notices are required, which explain the purpose and legal basis behind processing activities
    Accountability Stronger requirements to demonstrate compliance; record-keeping regarding all data processing activities
    Privacy by  Default Privacy by Design and Default should be the norm
    Data Protection Impact Assessments Data Protection Impact Assessments (DPIAs): mandatory for all new processing activities where privacy risks are high
    Sensitive personal data Now includes genetic and biometric data
    Personal data More broadly defined now including ID numbers, IP addresses and reversibly anonymised (‘pseudonymised’) data (any information that can be used in a process to uncover more personal data pertaining to that individual, eventually leading to their identification)
    Consent Must be ‘opt-in’ (rather than being assumed from lack of action), freely given, informed and specific to named processing activities; data subjects will be able to withdraw consent at any time
    Right of erasure Data subjects can request that their data is erased in some circumstances
    Subject Access Requests Individuals still have a right to request access to their personal data held by an organisation; this can no longer be charged for; the response time limit is reduced from 40 days to one month
    Child Data More restrictive rules around the use of child data: 

    • Restrictions to the age at which individuals can lawfully give consent,
    • Introduction of rules for the language used in consent requests targeted at children, 
    • Regulation for the way online services obtain children’s consent.
    International transfers New rules for data transfers outside the European Economic Area (EEA)
    Breach notification Data Protection Commissioner must be notified within 72 hours of becoming aware of a data protection breach
       

     

    Further Information:
    GDPR Presentation for Maynooth University: GDPR OVERVIEW PRESENTATION
    What GDPR means for organisations: dataprotection.ie/en/organisations

    Full text of the GDPR: https://gdpr-info.eu/
    Full text of the Data Protection Act 2018: https://www.irishstatutebook.ie/eli/2018/act/7/enacted/en/print.html