The EU General Data Protection Regulation (“GDPR”) came into force across the European Union on 25th May 2018 and brings with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age.
The 21st Century brings with it broader use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing. The new Regulation aims to standardise data protection laws and processing across the EU; affording data.
Our Commitment
CyberSafeIreland (‘we’, ‘us’ or ‘our’) is committed to ensuring the security and protection of the personal data that we process, and to providing a compliant and consistent approach to data protection. We will endeavour to have a robust and effective data protection policy and practice in place which complies with existing law and abides by the data protection principles. We also recognise our obligation to update and expand this policy to meet the demands of the General Data Protection Regulation (GDPR), in force since May 2018, the Irish Data Protection Act 1988 and the Irish Data Protection (Amendment) Act 2003.
CyberSafeIreland is dedicated to safeguarding the personal data under our remit and to developing a data protection regime that is effective, fit for purpose and demonstrates an understanding of, and appreciation for, the new Regulation. To that end we will adhere to the 8 Rules of Data Protection outlined below.
1. Obtain and process information fairly
2. Keep it only for one or more specified, explicit and lawful purposes
3. Use and disclose it only in ways compatible with these purposes
4. Keep it safe and secure
5. Keep it accurate, complete and up-to-date
6. Ensure that it is adequate, relevant and not excessive
7. Retain it for no longer than is necessary for the purpose or purposes
8. Give a copy of his/her personal data to the individual on request
As part of our adherence to the 8 rules we will do the following:
- Staff Training - We will ensure all new staff are given a proper briefing on GDPR and we will provide annual training on any updates on GDPR
- Clean Desk policy: we are committed to ensuring all desks are clean at the end of the working day and that any paperwork is filed away or disposed of as appropriate.
- Storing hardcopy data and laptops: we will keep a locked filing cabinet in the office and the key will be held by the CEO and the administrator. Any laptops or confidential documents will be locked in the drawer overnight.
- Access to the office: our office will be accessed via a key pad and is locked outside office hours.
- Email addresses:
  o Schools will be contacted via the official schools list available on the Department of Education’s website: https://www.education.ie/en/find-a-school
  o Specific email addresses from schools obtained via bookings will be held on our system for no more than a year.
  o Mailing list: this will be stored on Mailchimp and an opt-out option is always provided. Any address not used in more than a year will be deleted. No hardcopy data from the mailing list will be held.
  o No specific identifying data (name, address, date of birth) is held on any individual child. General data (age, gender) is held electronically via the online survey. Access to this folder is limited to specific staff members.
- Obtaining Consent – our mailing list is targeted at parents, and consent is clearly given when signing up to this list. Mailchimp is our preferred form of communication; we use two-factor authentication for access to it, and every mailing carries a clear opt-out option. If we haven’t used an address in more than 12 months we will remove it from the list.
- Human Resources: all personal data will be held electronically and, in some cases, in hard copy in a locked office. Only the CEO has access to the HR folder. Any data held on a staff member, volunteer or contract worker will be removed within 12 months of their departure.
- Data Breaches – our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time. In the event of any data loss we will immediately inform the affected individuals and report the loss to the Data Protection Commission within the mandated 72-hour period, which runs from the moment we become aware of the breach.
- Subject Access Request (SAR) – we will provide the requested data without undue delay and within the one-month timeframe set by the GDPR.
Approved at the Board Meeting on 24.10.18