![Example Association
GDPR Data Protection Policy
of __________________________[association], a[n]
_________[State] not-for-profit company.
Version 1.0
Date: May 25, 2018
Credits:
VincìWorks, GDPR Data Protection Policy Template, was used as the core framework to develop this
example of a U.S. based Association’s GDPR internal data protection policy. Please contact VincìWorks
for more information on their work, training, and customizable policy. (www.vinciworks.com |
training@vinciworks.com | +44 208 815 9308). I’ve found them to be extremely knowledgeable.
The UK Information Commissioner’s Office (ICO), Guide to the General Data Protection Regulation
(GDPR), was used as reference and for excerpts to add substantive materials in this example Association
GDPR internal data protection policy for a U.S. based association. That is a great resource.
Article 29 Working Group, Guidelines. This advisory body comprises representatives from the data
protection authority of each EU Member State, the European Data Protection Supervisor, and the
European Commission. The guidelines are very important.
Much of the policy language comes directly from or comprises paraphrasing of the GDPR.
Intersoft Consulting provides a very user friendly site (https://gdpr-info.eu/) with the contents of GDPR.
This document links to those reprinted GDPR Articles and Recitals.
Caveat: This example is presented as information only and not as legal advice or an offer of
representation. The laws and thinking about GDPR are new and developing. Experts should be
consulted.
© L. Murphy
No claim is made to works of VincìWorks or the ICO.](https://image.slidesharecdn.com/exampleassociationgdprpolicy-v1-180501190040/85/Example-Association-Internal-GDPR-Policy-1-320.jpg)
![Association GDPR Data Protection Policy Page 3
dissemination or otherwise making available, alignment or combination, restriction, erasure or
destruction. (Art. 4, GDPR, para. 2.)
Data minimization. Limiting data collection, storage, and processing to that which is adequate,
relevant, and necessary to successfully accomplish a task with a legitimate business purpose. (See Art. 5,
(1) c), GDPR.)
Pseudonymisation. The processing of personal data in such a manner that the personal data can no
longer be attributed to a specific person without the use of additional information (e.g. a key). Such
additional information must be kept separately and subject to technical and organisational measures to
ensure that the personal data are not attributed to an identified or identifiable natural person. (Art. 4,
GDPR, para. 5.)
Supervisory authority. This is the national body responsible for data protection. The supervisory
authority for a U.S. based company doing business almost entirely in the U.S. is determined by laws
outside of the U.S. and depends on the facts. (Art. 4, GDPR, para. 21.) “[C]ontrollers without any
establishment in the EU must deal with local supervisory authorities in every Member State they are
active in, through their local representative.” Art. 29 DP Working Group, Guidelines for identifying a
controller or processor’s lead supervisory authority, (Sec.3.3; April 5, 2017).
Scope
This policy applies to all staff, and each staff person must be familiar with this policy and comply with
its terms.
This policy supplements other Association policies relating to internet, data protection, email use, and
privacy. The Association may supplement or amend this policy with additional policies and guidelines
from time to time. New or modified policies will be circulated to staff after, upon, or prior to formal
adoption.
The GDPR rules are not applicable to personal or household activity or to data for deceased persons. The
rules apply to processing in the European Union (Union), which, for a U.S. based association with no
established Union presence, can mean processing done by outside contractors that have operations
making the contractor “established in the Union,” or the processing or controlling of data for subjects
who are in the Union (i.e. physically overseas) by a U.S. based association. (Art. 2 and Art. 3, GDPR; also
see Moyn Uddin, GDPR – The Data Subject, Citizen or Resident? (Jan, 29, 2017 accessed 4/23/2018)).
Oversight
The Association’s Director of Information Technology, (DIT) namely __________________, or their
successor, has overall responsibility for the day-to-day implementation of this policy. You should contact
the DIT for further information about this policy. Please refer to the company directory for contact
information for the DIT identified in this policy.
In addition to the DIT, law requires certain organizations to appoint a Data Protection Officer (DPO) to
carry out mandatory tasks. (Art. 37, GDPR (designation of DPO); Art. 38, GDPR (DPO position); Art. 39,
GDPR (DPO tasks)). The Association does not likely carryon operations defined in the GDPR as indicative
of a need for a DPO, such as carrying-on operations (1) as a public authority, (2) that comprise a nature
and scope requiring large scale monitoring, or (3) that comprise large scale processing of specialized
data. Therefore, the Association need not appoint a DPO. [Nonetheless, the Association voluntarily
appoints, _________________________________ as the Data Protection Officer for the Association. (Art.
37, GDPR (designation of DPO); Art. 38, GDPR (DPO position); Art. 39, GDPR (DPO tasks)).] (Note,
voluntary appointment of a DPO could lead to assumption of legal obligations.)
“Unless it is obvious that an organization is not required to designate a DPO, the WP29 [an official GDPR
advisory group] recommends that controllers and processors document the internal analysis carried out
to determine whether or not a DPO is to be appointed, in order to be able to demonstrate that the](https://image.slidesharecdn.com/exampleassociationgdprpolicy-v1-180501190040/85/Example-Association-Internal-GDPR-Policy-4-320.jpg)
![Association GDPR Data Protection Policy Page 4
relevant factors have been taken into account properly. This analysis is part of the documentation under
the accountability principle. It may be required by the supervisory authority and should be updated when
necessary, for example if the controllers or the processors undertake new activities or provide new
services that might fall within the cases listed in [other portions of the law]. When an organization
designates a DPO on a voluntary basis, the requirements under Articles 37 to 39 will apply to his or her
designation, position and tasks as if the designation had been mandatory.” Art. 29 WG, Guidelines on
Data Protection Officers ('DPOs') (wp243rev.01) (Apr. 5, 2017).
A DPO under the GDPR operates, in essence, as an auditor of an organization’s data processing related
activities. Where an Association does not appoint a DPO and one is not required by law, the DIT and his
assigns may audit operations on a voluntary basis.
Principles
The Association shall comply with the principles of data protection (the Principles) enumerated in the
GDPR to the extent required by law. The Principles are:
1. Lawful, fair, and transparent. Data processing must be fair, lawful, and transparent to the person
sharing their data as to how their data will be used. (Art. 5, (1) a), GDPR; and Art. 6, GDPR (lawfulness
defined).)
2. Limited for its purpose. Data can only be collected for a specified, explicit, legitimate purpose and
may not be repurposed for an inconsistent purpose. (Art. 5, (1) b), GDPR.)
2.1. Acceptable further processing. Further processing of legitimate data for archiving purposes in the
public interest, scientific or historical research purposes or statistical purposes is not considered
incompatible with the initial purposes, and is acceptable by law. (Art. 5, (1) b), GDPR.)
3. Data minimisation. Any data collection and processing must relevant and limited to what is necessary.
(Art. 5, (1) c), GDPR.)
4. Accurate. Data should be kept up to date where necessary; inaccurate data must be erased or
corrected. (Art. 5, (1) d), GDPR.)
5. Retention. Data in a form that identifies a person may not be kept longer than necessary. (Art. 5, (1)
e), GDPR.)
6. Integrity and confidentiality. Personal data must be protected against unauthorized or unlawful
processing and against accidental loss, destruction or damage, using appropriate technical or
organizational measures. (Art. 5, (1) f), GDPR.)
Accountability and Transparency
The Association must ensure accountability and transparency in all use of personal data. (Art. 5, (1) a),
GDPR (transparency); Art. 82 GDPR (liability); Art. 12, para. (1)(data subject’s rights). The Association
must be able to show authorities how staff complies with each Principle. (Art. 24, para. (1), GDPR).
Therefore, staff members are responsible for keeping a written record of how all data processing
activities comply with each of the Principles. (Art. 30, GDPR (record keeping).) Responsibility for
creating and maintaining the records lies with the staff member who requests, collects, or uses personal
data. Written compliance records must be kept up-to-date and must be approved by the DIT and DPO,
where a DPO has been appointed. (Art. 5, (2) GDPR (controller to demonstrate compliance). The DIT
shall establish and maintain the system for record keeping.
To comply with data protection laws and the accountability and transparency Principle of GDPR, the
Association must demonstrate compliance. (Art. 5, (2), GDPR). Each staff member is responsible for](https://image.slidesharecdn.com/exampleassociationgdprpolicy-v1-180501190040/85/Example-Association-Internal-GDPR-Policy-5-320.jpg)
![Association GDPR Data Protection Policy Page 6
agent is _______________________ within the Member State __________________________.] (Art. 27,
GDPR).
Controlling vs. processing data
The Association can likely be classified as a “data controller” and a “data processor” under the GDPR.
As a data processor, the Association must comply with its contractual obligations and act only on the
documented instructions of the data controller. If the Association at any point determines the purpose
and means of processing without the instructions of the controller, we shall be considered a data
controller and therefore breach our contract with the controller and have the same liability as the
controller. As a data processor, the Association must:
• Not use a sub-processor without written authorisation of the data controller (Art. 28, para. (2),
GDPR).
• Co-operate fully with a supervisory authority having jurisdiction (Art. 31, GDPR).
• Ensure the security of the processing (Art. 32, GDPR).
• Keep accurate records, where required by law, of processing activities (Art. 30, GDPR).
• Notify the controller of any personal data breaches within 72 hours. (Art. 33, GDPR).
• Notify data subjects of breaches. (Art. 34, GDPR).
Lawful basis for processing data
The Association must establish a lawful basis for processing data. Each staff person must ensure that any
data that they are responsible for managing has a written lawful basis approved by the DIT or DPO,
where appointed, and a proper recording is made in an auditable resource identified by the DIT. It is
each staffer’s responsibility to check the lawful basis for any data they are working with and ensure all
of their actions comply with the GDPR. At least one of the following justifications must apply whenever
the Association processes personal data: (See Art. 6, GDPR.)
1. Consent. The Association holds demonstrable, relevant, informed, unrevoked, and knowing
consent from the individual who provided their data for the individual’s data to be processed for
the specific purpose; (See Art. 6, para. (1) a), GDPR; and Art. 7, GDPR); or
2. Contract. The processing is necessary for the performance of a contract to which the data
subject is party or in order to take steps at the request of the data subject prior to entering into
a contract; (See Art. 6, para. (1) b), GDPR); or
3. Legal obligation. The Association has a legal obligation to process the data (excluding a
contract); (See Art. 6, para. (1) c), GDPR); or
4. Vital interests. Processing the data is necessary to protect a person’s life or in a medical
situation; (See Art. 6, para. (1) d), GDPR); or
5. Public function. Processing the data is necessary to carry out a public function, a task of public
interest or the function has a clear basis in law; (See Art. 6, para. (1) e), GDPR); or
6. Legitimate interest. The processing is necessary for the Association’s legitimate interests. This
condition does not apply if there is a good reason to protect the individual’s personal data which
overrides the legitimate interest. See Art. 6, para. (1) f), GDPR).
Justification based on items 2 through 6 warrant extra scrutiny regarding safeguards, consequences, and
original purposes of data collection as it relates to new processing. (See Art. 6, para. 4, GDPR).](https://image.slidesharecdn.com/exampleassociationgdprpolicy-v1-180501190040/85/Example-Association-Internal-GDPR-Policy-7-320.jpg)
![Association GDPR Data Protection Policy Page 17
A “personal data breach” is a breach of the Association’s security leading to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored
or otherwise processed. (Art. 4 (12), GDPR). For guidance, see Art. 29 DP Working Group, Guidelines on
Personal data breach notification under Regulation 2016/679 (Feb. 6, 2018).
Notice to Individuals
If a breach is likely to result in a high risk to the rights and freedoms of natural persons, the Association
must give notice to that person “without undue delay.” (Art. 34 (1), GDPR). The notice must be in clear
and plain language and include (1) the nature of the breach, (2) Association contact information, (3)
likely consequences of the breach, and (4) measures planned or taken to mitigate damage. (Art. 34 (1)
and (2) and Art. 33, GDPR).
Exception to the reporting requirement arise in three scenarios. (Art. 34 (3), GDPR): (1) the data taken is
encrypted; (2) Association measures reduce the high risk to people’s rights, or (3) individual notice would
require disproportionate effort wherein a public notice serves the purpose effectively.
Notice to Supervisory Authority
Where the Association can identify a Supervisory Authority under the GDPR, the Association shall without
undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the
personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in
a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority
is not made within 72 hours, it shall be accompanied by reasons for the delay. (Art. 33, GDPR).
As a U.S. based organization without any establishment in the EU and limited activity, the GDPR, as of
May 2018, fails to identify desired reporting procedures for such an organization.
With regard to a potential “Lead Supervisory Authority,” “[C]ontrollers without any establishment in the
EU must deal with local supervisory authorities in every Member State they are active in, through their
local representative.” Art. 29 DP Working Group, Guidelines for identifying a controller or processor’s
lead supervisory authority, (Sec.3.3; April 5, 2017).
The cyber insurer should be consulted immediately to assist with determining the best and proper
approach to sending notices under the law.
Failure to comply
We take compliance with this policy very seriously. Failure to comply puts both you and the organisation
at risk.
The importance of this policy means that failure to comply with any requirement may lead to disciplinary
action under our procedures which may result in dismissal.
If you have any questions or concerns about anything in this policy, do not hesitate to contact the DIT.](https://image.slidesharecdn.com/exampleassociationgdprpolicy-v1-180501190040/85/Example-Association-Internal-GDPR-Policy-18-320.jpg)
Example Association Internal GDPR Policy
- 1. Example Association GDPR Data Protection Policy of __________________________[association], a[n] _________[State] not-for-profit company. Version 1.0 Date: May 25, 2018 Credits: VincìWorks, GDPR Data Protection Policy Template, was used as the core framework to develop this example of a U.S. based Association’s GDPR internal data protection policy. Please contact VincìWorks for more information on their work, training, and customizable policy. (www.vinciworks.com | training@vinciworks.com | +44 208 815 9308). I’ve found them to be extremely knowledgeable. The UK Information Commissioner’s Office (ICO), Guide to the General Data Protection Regulation (GDPR), was used as reference and for excerpts to add substantive materials in this example Association GDPR internal data protection policy for a U.S. based association. That is a great resource. Article 29 Working Group, Guidelines. This advisory body comprises representatives from the data protection authority of each EU Member State, the European Data Protection Supervisor, and the European Commission. The guidelines are very important. Much of the policy language comes directly from or comprises paraphrasing of the GDPR. Intersoft Consulting provides a very user friendly site (https://gdpr-info.eu/) with the contents of GDPR. This document links to those reprinted GDPR Articles and Recitals. Caveat: This example is presented as information only and not as legal advice or an offer of representation. The laws and thinking about GDPR are new and developing. Experts should be consulted. © L. Murphy No claim is made to works of VincìWorks or the ICO.
- 2. Association GDPR Data Protection Policy Page 1 Procedural Information Prepared by: _______________________ Approved by Board/Management on: _______________ Effective Date: _________________________ Annual Review Date: ________________________ Forward This policy and the data protection laws upon which it is based are lengthy and complex. However, the essence of the GDPR is that we, as employees of our Association, must not take the electronic collection, transfer, storage, and use of personal data of others lightly. As an organization, we need to be mindful and protective. What is your responsibility in a nutshell? As employees of the Association, we should, first, think about what we truly need from personal data. Then, only collect and use what we absolutely need and no extras. We should clearly have permission or an honest-to-goodness need to collect or use personal data. A person giving permission to use their data should be told why we need the data and be asked to expressly say, yes. We should not recycle the use of personal data for new and different purposes. We should be prepared with writings that unabashedly explain and justify why and what we’ve done. Lastly, we should safely keep and protect the data we possess and properly discard of it when finished or when properly asked. Introduction The Association is committed to protecting the rights and freedoms of data subjects and safely and securely processing their data in accordance with its legal obligations. This policy only applies where legally required; otherwise, requirements are voluntary by the Association and no legal liability or obligations are assumed. No defenses are waived. The Association holds personal data about prospective, current, and past employees, members, member company employees, sponsor representatives, exhibitor representatives, speakers, presenters, conference and event registrants, volunteers, service provider representatives, and other individuals for a variety of business purposes. This policy sets out how the Association seeks to protect personal data and outlines the Association staff’s important role in following the rules governing the collection and use of the personal data in the workplace. This policy requires staff to ensure that the Director of Information Technology for the Association or the Data Protection Officer, if appointed, is consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed. (Art. 24, para. (2), GDPR (policies required)). Definitions Association (or the Association). ___________________________________ GDPR. European Union General Data Protection Regulation. (GDPR). DIT. Director of Information Technology for the Association.
- 3. Association GDPR Data Protection Policy Page 2 DPO. A Data Protection Officer required to be appointed under the law by many but not all organizations that control or process data. In essence, the DPO operates as an auditor with regard to personal data collection and use. (Art. 38 and Art. 39, GDPR). The DPO should have no duties which conflict with the monitoring obligations of the GDPR. (Schidl, et. al., Can in house counsel serve as DPO? (accessed 4/13/2018)). The DPO may be a member of staff or an outside professional knowledgeable in the field of data security and privacy. (Art. 37, GDPR.) Business purposes. The purposes for which personal data may be used by an Association such as for personnel, administrative, financial, regulatory, payroll, operational, fundraising, marketing, legal, and business development. Business purposes include but are not limited to the following: - Compliance with legal and corporate governance obligations; - Gathering information for legal proceedings or requests and responding to subpoenas; - Operational reasons, such as recording transactions, accounting, preparing reports, or due diligence; - Investigating complaints; - Human resources and benefits administration; - Obtaining insurance and processing claims; - Facilitating networking; - Monitoring staff conduct, disciplinary matters; - Security; - Marketing Association business; - Providing member services; - Providing usage reports; - Administering continuing education; - Delivering content; - Communications; - Operating live and virtual meetings, sessions, conferences, and expos; - Providing live and electronic networking opportunities; - Verifying hotel obligations; - Improving services. Personal data. Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data we gather may include: individuals' phone number, email address, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, licenses, business affiliations, information preferences, and CV. (Art. 4, GDPR, para. 1.) Special categories of personal data. Special categories of data include information about an individual's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non- membership), physical or mental health or condition, criminal offences, or related proceedings, and genetic and biometric information. (Art. 4, GDPR, para. 12, 13, 14 (biometric, health, genetic).) Data controller. The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. (Art. 4, GDPR, para. 7.) Data processor. A natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller. (Art. 4, GDPR, para. 8.) Processing. Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,
- 4. Association GDPR Data Protection Policy Page 3 dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. (Art. 4, GDPR, para. 2.) Data minimization. Limiting data collection, storage, and processing to that which is adequate, relevant, and necessary to successfully accomplish a task with a legitimate business purpose. (See Art. 5, (1) c), GDPR.) Pseudonymisation. The processing of personal data in such a manner that the personal data can no longer be attributed to a specific person without the use of additional information (e.g. a key). Such additional information must be kept separately and subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. (Art. 4, GDPR, para. 5.) Supervisory authority. This is the national body responsible for data protection. The supervisory authority for a U.S. based company doing business almost entirely in the U.S. is determined by laws outside of the U.S. and depends on the facts. (Art. 4, GDPR, para. 21.) “[C]ontrollers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.” Art. 29 DP Working Group, Guidelines for identifying a controller or processor’s lead supervisory authority, (Sec.3.3; April 5, 2017). Scope This policy applies to all staff, and each staff person must be familiar with this policy and comply with its terms. This policy supplements other Association policies relating to internet, data protection, email use, and privacy. The Association may supplement or amend this policy with additional policies and guidelines from time to time. New or modified policies will be circulated to staff after, upon, or prior to formal adoption. The GDPR rules are not applicable to personal or household activity or to data for deceased persons. The rules apply to processing in the European Union (Union), which, for a U.S. based association with no established Union presence, can mean processing done by outside contractors that have operations making the contractor “established in the Union,” or the processing or controlling of data for subjects who are in the Union (i.e. physically overseas) by a U.S. based association. (Art. 2 and Art. 3, GDPR; also see Moyn Uddin, GDPR – The Data Subject, Citizen or Resident? (Jan, 29, 2017 accessed 4/23/2018)). Oversight The Association’s Director of Information Technology, (DIT) namely __________________, or their successor, has overall responsibility for the day-to-day implementation of this policy. You should contact the DIT for further information about this policy. Please refer to the company directory for contact information for the DIT identified in this policy. In addition to the DIT, law requires certain organizations to appoint a Data Protection Officer (DPO) to carry out mandatory tasks. (Art. 37, GDPR (designation of DPO); Art. 38, GDPR (DPO position); Art. 39, GDPR (DPO tasks)). The Association does not likely carryon operations defined in the GDPR as indicative of a need for a DPO, such as carrying-on operations (1) as a public authority, (2) that comprise a nature and scope requiring large scale monitoring, or (3) that comprise large scale processing of specialized data. Therefore, the Association need not appoint a DPO. [Nonetheless, the Association voluntarily appoints, _________________________________ as the Data Protection Officer for the Association. (Art. 37, GDPR (designation of DPO); Art. 38, GDPR (DPO position); Art. 39, GDPR (DPO tasks)).] (Note, voluntary appointment of a DPO could lead to assumption of legal obligations.) “Unless it is obvious that an organization is not required to designate a DPO, the WP29 [an official GDPR advisory group] recommends that controllers and processors document the internal analysis carried out to determine whether or not a DPO is to be appointed, in order to be able to demonstrate that the
- 5. Association GDPR Data Protection Policy Page 4 relevant factors have been taken into account properly. This analysis is part of the documentation under the accountability principle. It may be required by the supervisory authority and should be updated when necessary, for example if the controllers or the processors undertake new activities or provide new services that might fall within the cases listed in [other portions of the law]. When an organization designates a DPO on a voluntary basis, the requirements under Articles 37 to 39 will apply to his or her designation, position and tasks as if the designation had been mandatory.” Art. 29 WG, Guidelines on Data Protection Officers ('DPOs') (wp243rev.01) (Apr. 5, 2017). A DPO under the GDPR operates, in essence, as an auditor of an organization’s data processing related activities. Where an Association does not appoint a DPO and one is not required by law, the DIT and his assigns may audit operations on a voluntary basis. Principles The Association shall comply with the principles of data protection (the Principles) enumerated in the GDPR to the extent required by law. The Principles are: 1. Lawful, fair, and transparent. Data processing must be fair, lawful, and transparent to the person sharing their data as to how their data will be used. (Art. 5, (1) a), GDPR; and Art. 6, GDPR (lawfulness defined).) 2. Limited for its purpose. Data can only be collected for a specified, explicit, legitimate purpose and may not be repurposed for an inconsistent purpose. (Art. 5, (1) b), GDPR.) 2.1. Acceptable further processing. Further processing of legitimate data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered incompatible with the initial purposes, and is acceptable by law. (Art. 5, (1) b), GDPR.) 3. Data minimisation. Any data collection and processing must relevant and limited to what is necessary. (Art. 5, (1) c), GDPR.) 4. Accurate. Data should be kept up to date where necessary; inaccurate data must be erased or corrected. (Art. 5, (1) d), GDPR.) 5. Retention. Data in a form that identifies a person may not be kept longer than necessary. (Art. 5, (1) e), GDPR.) 6. Integrity and confidentiality. Personal data must be protected against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. (Art. 5, (1) f), GDPR.) Accountability and Transparency The Association must ensure accountability and transparency in all use of personal data. (Art. 5, (1) a), GDPR (transparency); Art. 82 GDPR (liability); Art. 12, para. (1)(data subject’s rights). The Association must be able to show authorities how staff complies with each Principle. (Art. 24, para. (1), GDPR). Therefore, staff members are responsible for keeping a written record of how all data processing activities comply with each of the Principles. (Art. 30, GDPR (record keeping).) Responsibility for creating and maintaining the records lies with the staff member who requests, collects, or uses personal data. Written compliance records must be kept up-to-date and must be approved by the DIT and DPO, where a DPO has been appointed. (Art. 5, (2) GDPR (controller to demonstrate compliance). The DIT shall establish and maintain the system for record keeping. To comply with data protection laws and the accountability and transparency Principle of GDPR, the Association must demonstrate compliance. (Art. 5, (2), GDPR). Each staff member is responsible for
- 6. Association GDPR Data Protection Policy Page 5 understanding their responsibilities to ensure the Association meets the following data protection obligations: • Fully implement all appropriate technical and organizational measures. (Art. 25 (2), GDPR.) • Maintain up-to-date and relevant documentation on all processing activities. (Art. 30, GDPR (records); and Art. 24 (1), GDPR (update processes)). • Conduct Data Protection Impact Assessments where appropriate. (Art. 35, GDPR). • Implement measures to ensure privacy by design and default, including: (Art. 25 GDPR). o Data minimisation (Art. 5, (1) c), GDPR). o Pseudonymisation (Art. 4, para. 5, GDPR). o Transparency (Art. 5, (1) a), GDPR); Art. 12, para. (1)(data subject’s rights). o Necessity of processing (Art. 25, Para. (2), GDPR). o Allowing individuals to obtain confirmation and information regarding processing their data (Art. 15, GDPR.) o Creating and improving security and enhanced privacy procedures on an ongoing basis (Art. 30, GDPR (security)). Written Records Exception The law requires written records be kept of all processing activity. (Art. 30, GDPR). However, the law provides an exception to this requirement where the Association, being a small employer, defined as on having less than 250 employees, conducts occasional non-risky processing where data is not within any specially protected category. (Art. 30, para (5), GDPR (exception)). Staff should consult with the DIT and obtain approval prior to relying on the written records exception. The conservative approach is to not rely upon the exception. Procedures Fair and lawful processing The Association must process personal data fairly and lawfully in accordance with individuals’ rights under the first Principle. (Art. 5, (1) a), GDPR; and Art. 6, GDPR (lawfulness defined)). This means that where consent is the legal justification for collecting data, for example, the Association should not process personal data unless the individual whose details are being processed has demonstrably and uncontrovertibly consented to the processing. In many other contexts, such as for human resources or providing member services pursuant to contract, the justifiable bases would likely be due to needs related to fulfillment of contractual obligations or pursuant to documented legitimate Association interests, and these justifications should be made known to the person providing their information. If the Association cannot prove that it established a “lawful basis” to collect and process data as defined in the GDPR, processing could be deemed unlawful. (Art. 6, GDPR). Data subjects have the right to have any unlawfully processed data erased. (Art. 17, para. (1) d), GDPR). Registered Agent As an organization outside the European Union and with no establishment in the European Union, the Association does not have and is not required to have a “registered agent” because of the express exception for occasional, less than large scale, low risk processing. (Art. 27, para.(2)(a), GDPR). In addition, with regard to possible registration with the Information Commissioners Office (ICO), the Association, as a not-for-profit with limited activities, falls within the registration exception. (ICO registration self-assessment.) [Alternative: The Association routinely offers goods and services in theses member states: _______________________________________________________________. The Association’s registered
- 7. Association GDPR Data Protection Policy Page 6 agent is _______________________ within the Member State __________________________.] (Art. 27, GDPR). Controlling vs. processing data The Association can likely be classified as a “data controller” and a “data processor” under the GDPR. As a data processor, the Association must comply with its contractual obligations and act only on the documented instructions of the data controller. If the Association at any point determines the purpose and means of processing without the instructions of the controller, we shall be considered a data controller and therefore breach our contract with the controller and have the same liability as the controller. As a data processor, the Association must: • Not use a sub-processor without written authorisation of the data controller (Art. 28, para. (2), GDPR). • Co-operate fully with a supervisory authority having jurisdiction (Art. 31, GDPR). • Ensure the security of the processing (Art. 32, GDPR). • Keep accurate records, where required by law, of processing activities (Art. 30, GDPR). • Notify the controller of any personal data breaches within 72 hours. (Art. 33, GDPR). • Notify data subjects of breaches. (Art. 34, GDPR). Lawful basis for processing data The Association must establish a lawful basis for processing data. Each staff person must ensure that any data that they are responsible for managing has a written lawful basis approved by the DIT or DPO, where appointed, and a proper recording is made in an auditable resource identified by the DIT. It is each staffer’s responsibility to check the lawful basis for any data they are working with and ensure all of their actions comply with the GDPR. At least one of the following justifications must apply whenever the Association processes personal data: (See Art. 6, GDPR.) 1. Consent. The Association holds demonstrable, relevant, informed, unrevoked, and knowing consent from the individual who provided their data for the individual’s data to be processed for the specific purpose; (See Art. 6, para. (1) a), GDPR; and Art. 7, GDPR); or 2. Contract. The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (See Art. 6, para. (1) b), GDPR); or 3. Legal obligation. The Association has a legal obligation to process the data (excluding a contract); (See Art. 6, para. (1) c), GDPR); or 4. Vital interests. Processing the data is necessary to protect a person’s life or in a medical situation; (See Art. 6, para. (1) d), GDPR); or 5. Public function. Processing the data is necessary to carry out a public function, a task of public interest or the function has a clear basis in law; (See Art. 6, para. (1) e), GDPR); or 6. Legitimate interest. The processing is necessary for the Association’s legitimate interests. This condition does not apply if there is a good reason to protect the individual’s personal data which overrides the legitimate interest. See Art. 6, para. (1) f), GDPR). Justification based on items 2 through 6 warrant extra scrutiny regarding safeguards, consequences, and original purposes of data collection as it relates to new processing. (See Art. 6, para. 4, GDPR).
- 8. Association GDPR Data Protection Policy Page 7 Choosing a lawful basis When making an assessment of the lawful basis, each staffer must first establish that the processing is necessary. (Art. 25, Para. (2), GDPR). This means that the processing must be a targeted, appropriate way of achieving a stated purpose. (Art. 5, (1) b) and c), GDPR). Note that staff’s reliance upon on a lawful basis could be deemed void and improper if the staff could have reasonably achieved the same business purpose by some other means. Therefore, necessity is primary. More than one basis may apply, and staff should rely on what will best fit the purpose, not what is easiest. Consider the following listed factors and document the answers. (See UK Information Commissioner’s Office (ICO), Guide to the General Data Protection Regulation (GDPR), Lawful Basis for Processing (accessed 4/12/2018).) General Considerations • What is the purpose for processing the data? (Art. 30 (1) b), GDPR). • Can it reasonably be done in a different way? (Art. 25, Paras. (1) and (2), GDPR). • Does the Association truly need to process the data? (Art. 5, (1) c), GDPR). When Comparing Legitimate Interest vs. Consent • Is the collection and processing for purely marketing and sales for which “consent” seems more likely as appropriate? (gdpr.org, Legitimate Interest, (accessed 4/24/2018)(e.g. ad placement; behavior tracking; mailers, etc.)). • Is the collection or processing needed to serve a client or customer as they expect, which tends to show “legitimate interest?” (gdpr.org, Legitimate Interest, (accessed 4/24/2018)(example: collecting an address to deliver a pizza as legitimate interest vs. consent)). • Would individuals expect this processing to take place? If so, this would be important as support for “legitimate interest?” • Is access to quality news content, for example, contingent on agreeing to accept third-party advertising? If so, legitimate interest rather than consent would likely be the better choice for legal basis. (gdpr.org, Consent, (accessed 4/24/2018)(e.g. news, etc.)). • Is the Association in a position of power over the data subject which might make “consent” illusory and an indefensible justification? • Would the data subject be likely to object to the processing? (Art. 21, GDPR (right to objection); Art. 22, GDPR (profiling)). • Are you able (meaning it won’t impact normal business operations such as providing benefits to an employee) to stop the processing at any time on request, which could be required if “consent” is the basis? When Considering Consent • Consent notice must be prominent and separate from boilerplate terms and conditions • Users must positively opt in. • Pre-ticked boxes or any other type of default consent mechanisms are unacceptable. • Notice must be in clear, plain language that is easy to understand. • Notice must specify why we want the data and what we’re going to do with it. • Consent options should be individual (‘granular’) options to consent separately to different purposes and types of processing. • Notice includes the Association name and any third-party controllers who will be relying on the consent. • Notice must advise individuals that they can withdraw their consent. • Individuals can refuse to consent without detriment.
- 9. Association GDPR Data Protection Policy Page 8 • Consent is a not a precondition of unrelated services. For most online marketing messages, marketing calls, online tracking methods including the use of cookies, apps, or other software, consent is likely required. Art. 29 DP Working Group, Guidelines on Consent under 2016/679, page 5, para. 1 (wp259rev 1.0)(Nov. 28, 2017). Otherwise, alternative legal bses will likely be more appropriate. Employment and human resources materials will frequently be based on contract or legitimate interest. Id. at page 8. Processing credit cards for registrations, membership, sponsorship, and booth fees are based in contract. Id. at page 9. (See ICO, Guide to GDPR, Consent (accessed 4/13/2018); and Art. 29 DP Working Group, Guidelines on Consent under 2016/679 (wp259rev 1.0) (Nov. 28, 2017). A commitment to the first Principle requires that the Association document this evaluation process and show that staff considered which lawful basis best applies to each processing purpose, and fully justify these decisions. Decisions can be revisited, but changes could violate accountability and transparency and would require approval of the DIT or DPO, where appointed. The Association must also ensure that individuals whose data is being processed are informed of the lawful basis for processing their data, as well as the intended purpose. This should occur via a privacy notice plus other available means (such as on-screen tool tips) where appropriate. This applies whether the Association collected the data directly from the individual or from another source. If you are responsible for making an assessment of the lawful basis and implementing the privacy notice for the processing activity, you must have this approved by the DIT or DPO, where appointed. Special categories of personal data What are special categories of personal data? Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited with limited exceptions. (Art. 9, GDPR). If a potential need arises regarding potential processing of such special categories of data, consultation with the DIT or DPO, where appointed, and legal counsel should be made to determine if exceptions apply. Responsibilities Association responsibilities • Develop and implement a GDPR compliance policy, • Maintain custody of proper documentation for the personal data held by and processed for the Association, • Develop and enforce procedures in accordance with the GDPR to ensure protection of all the rights of data subjects, • Require staff identification of the lawful basis for processing data, • Ensure consent procedures are lawful, • Implement and review procedures to detect, report, and investigate personal data breaches, • Store, process, and transfer data in safe and secure ways, • Honor rights of data subjects under the DGPR, and
- 10. Association GDPR Data Protection Policy Page 9 • Assess the risk that could be posed to individual rights and freedoms should data be compromised. Staff responsibilities • Learn the data protection obligations of the Association, • Check that data processing activities you see, manage, or handle comply with the Association policy and are justified, • Avoid use of data in any unlawful way, • Avoid storing or enabling others to store data improperly, • Avoid being careless with personal data or otherwise cause a breach of data protection laws and Association policies through your actions, • Comply with this policy, • Raise concerns, notify the DIT of any breaches or errors, and report anything suspicious or contradictory to this policy or legal obligations without delay to the DIT or DPO, where appointed, • Assist with providing prompts response and compliance to data subject requests for access, portability, correction, deletion, and other rights, • Assist with data protection impact assessments, and • Update and maintain departmental GDPR documentation in the Association’s GDPR database/spreadsheet. Responsibilities of the DIT • Oversee design and implementation of controls built into the Association systems that automate and reinforce the principles of this policy such as data minimization, automatic expirations, security measures, pseudonymisation, transparency in user interfaces, self-help intefaces for data subjects requesting their data, and much more; • Implement measures to reduce human error that can lead to violations of the principles; • Monitor staff compliance with record keeping in the Association’s GDPR documentation database/spreadsheet; • Keep the Board of Directors updated about data protection responsibilities, risks, and issues; • Review all data protection procedures and policies regularly; • Arrange data protection training and provide advice for all staff members and those included in this policy; • Answer questions on data protection from staff, board members, and other stakeholders; • Respond to individuals such as clients and employees who wish to know which data is being held on them by the Association; and • Check and approve third parties that handle the company’s data including review of contracts or agreement regarding data processing. Responsibilities of the DPO (if appointed) • Work independently and autonomously to ensure compliance without fear of reprisal; • Report to the President and CEO of the Association; • Advise employees on obligations under the GDPR; • Complete compliance audits; and • Work with Supervisory Authorities.
- 11. Association GDPR Data Protection Policy Page 10 Responsibilities of the IT and Web Managers • Ensure all systems, services, software, and equipment meet acceptable security standards; (Art. 32, GDPR (security)); • Design and implement controls built into the Association systems and vendor systems that automate and reinforce the principles of this policy such as data minimization, automatic expirations, security measures, pseudonymisation, transparency in user interfaces, and much more; • Create “privacy dashboards” for data subjects that (1) facilitate refreshing consent at appropriate intervals, (2) includes preference-management tools for privacy options, (3) makes it easy for individuals to withdraw their consent at any time and publicizes how to do so, (4) provides a method to request information on data possessed, and (5) delete or transfer data a person’s data if permissible and required under the law. • Devise methods facilitating IT to act on disclosure requests regarding data subject’s information as well as changing or withdrawal consents, plus rights to be forgotten, including plans for third- parties and disaster recovery backup files. (See ICO, Guide to GDPR, Consent (accessed 4/13/2018); Frank Kyazze, GDPR: What is the right to erasure? (Feb. 2018 (accessed 4/25/2018).) • Make available to designated staff a departmental GDPR documentation database/spreadsheet for the Association; • Design, implement, and offer systems that provide remote access to a secure self-service system which would provide individuals with direct access to their information to satisfy access and portability tests. (Recital 63, sentence 4, GDPR). • Check and scan security hardware and software regularly to ensure it is functioning properly; (Art. 32, GDPR (security)); and • Research and vet third-party services, such as cloud services the company is considering using to store or process data. Collective Responsibilities Accuracy and relevance. We will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this, would otherwise reasonably expect this, or legally obligated to process. Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the DIT or DPO, where appointed. Data security You must keep personal data secure against loss or misuse. (Art. 5, (1) f), GDPR); (Art. 32, GDPR (security)). Where other organizations process personal data as a service on behalf of the Association, the DIT or DPO, where appointed, will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third-party organizations. Data should be encrypted. (Art. 32, GDPR.
- 12. Association GDPR Data Protection Policy Page 11 Storing data securely • In cases when data is stored on printed paper, it should be kept in a secure place where unauthorized personnel cannot access it. • Printed data should be shredded when it is no longer needed or discarded using an approved vendor. • The Association IT Antivirus Policy must be followed. • The Association Information Security Training Policy must be followed. • The Association Password Policy must be followed. • The Association Patch Management Policy must be followed. • The Association Vendor Management Policy must be followed. • All computers and data accessible by computer should be protected by strong passwords that are changed regularly. • Data stored on CDs or memory sticks or other portable storage devices must be encrypted or password protected and locked away securely when they are not being used. • The DIT must approve any cloud based storage media used to store data. • Servers containing personal data must be kept in a secure location. • Data should be regularly backed up in line with the company’s backup procedures. • Data should never be saved directly to mobile devices such as laptops, tablets or smartphones. • All servers containing sensitive data must be approved and protected by security software. • Disaster recovery systems and plans are required. • Testing, assessing, and evaluating of system should be completed regularly. • All feasible technical and practical measures must be put in place to keep data secure. See (Art. 32, GDPR (security)). Data retention The Association must retain personal data for no longer than is necessary. (Art. 5, (1) e), GDPR). What is necessary will depend on the circumstances of each case taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with the Association data retention policy and the law. Transferring data internationally There are restrictions on international transfers of personal data. The Association must not transfer personal data abroad or anywhere else outside of normal rules and procedures without express permission from the DIT or DPO, where appointed. (Ch. 5, GDPR.) Rights of individuals Individuals have rights to their data which the Association staff must respect to the best of our ability in accordance with detailed requirements in the law. In broad terms, the Association must ensure individuals can exercise their rights in the following ways: 1. Right to be informed. The law requires transparency, meaning that the Association must plainly disclose who the Association is and what personal data is being collected in no uncertain terms. The Association must also make disclosures to a data subject when information is received from others concerning the data subject. The disclosures must meet the detailed requirements of the law. With regard to all rights of the data subject as enumerated below, they have a right to responsiveness to their requests of the Association without “undue delay” and absolutely no longer than 30 days. In general, responses must be free of charge. (Art. 12, GDPR (transparency, responsiveness, timeframe to
- 13. Association GDPR Data Protection Policy Page 12 respond); Art. 13, GDPR (data provided by the subject); Art. 14, GDPR (data provided by others).) See ICO, Right to be informed, (accessed 4/25/2018). 2. Right of access. Where requested by a subject, the Association must promptly disclose whether it is processing data on the subject, what the data is, and the legal basis for the usage. (Art. 15, GDPR.) The disclosure must set forth specific details enumerated in the GDPR. See ICO, Right of access, (accessed 4/25/2018). 3. Right to rectification. A data subject has the right to have inaccurate personal data promptly corrected and incomplete personal data completed. (Art. 16, GDPR). See ICO, Right to rectification, (accessed 4/25/2018). 4. Right to erasure. This is also known as the “right to be forgotten.” A data subject has the right to ask the Association to erase and cease using their information. (Art. 17, GDPR). The Association is expected to use technological means to make this happen and make reasonable efforts to prevent others from processing the data where it was made public. The right is not absolute; exceptions include justifiable reasons to keep the data, such as for a contract or pursuant to a litigation hold, etc. (See ICO, Right to Erasure, (accessed 4/25/2018). 5. Right to restrict processing. In some situations, complete erasure goes too far or does not adequately meet interests of a data subject. For instance, limitations can be appropriate during accuracy checks, litigation holds, and objections to scope of use of the data under the GDPR. As middle ground, a data subject has a right to have restrictions put on the processing of data either permanently or for time needed for legal and practical reasons. (Art. 18, GDPR; see ICO, Right to restrict processing, (accessed 4/25/2018)). 6. Right to data portability. The Association must provide a method for a data subject to easily electronically download or transfer their data to another controller. (Art. 20, GDPR.) The data must be in a readily readable format that can be fed into other systems, including online systems. A CSV file could be compliant; however, an encrypted, uncopiable pdf version would not likely suffice. See ICO, Right to Data Portability, (accessed 4/26/2018). 7. Right to object. In many instances, an Association’s lawful basis for processing data will be based on “legitimate interest.” The Association must forthrightly alert a data subject of their right to object to processing on that basis. Upon, receiving an objection, the Association must cease processing until it provides compelling legitimate grounds for processing the data. (Art. 21, GDPR). Next, where an Association is processing data for direct marketing or profiling, the Association must cease processing upon receiving an objection from the data subject. (Art. 21, GDPR). Again, the Association must provide notice of the right to object at the outset. (Art. 21, GDPR); also see ICO, Right to object, (accessed 4/26/2018). 8. Rights in relation to automated decision making and profiling. The Association must notify data subjects where automated systems (e.g. AI) evaluate or make judgments about them and about their right to object to such profiling and rights to request human intervention. (Art. 22, GDPR). Automated processing requires increased internal scrutiny and written justification including an official Data Processing Impact Assessment. ICO, Rights related to automated decision making including profiling, (accessed 4/26/2018)(useful checklists provided). Examples include an employment screening aptitude test or characteristic profiling. Also see Art. 29 WG, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (Feb. 6, 2018). Privacy notices A privacy notice is a statement that the Association shares with others to describe how the Association collects, uses, retains, and discloses personal data. The Association must provide the notice at the time of collection of the data. (Art. 13 (1), GDPR). If the Association obtains data from a third-party, privacy notices must be provided within a reasonable time. (Art. 14, GDPR).
- 14. Association GDPR Data Protection Policy Page 13 The Association will have many privacy notices wherein each is customized to the needs of the user and based on the information within the Associations GDPR documentation database/spreadsheet. Privacy notices are not just for website or app usage. Notice requirements also apply to paper forms and phone services, for example. What’s not okay One-size-fits-all, boilerplate, lengthy, take-it-or-leave-it type notices are unacceptable. Likewise, notices that are vague, fail to explain what happens to information, fails to explain with whom information is shared, and fails to advise users about how to access their information are unacceptable. Key concepts A big goal of GDPR is transparency (Art. 5 (1) a, GDPR). User’s rights must be spelled out in a concise, transparent, intelligible and easily accessible form, using clear and plain language, (Art. 12 (1), GDPR). To facilitate this, the law promotes using standardized icons in order to give an easily visible, intelligible, and meaningful overview of the intended processing. Where the icons are presented electronically they must be machine-readable. (Art. 12 (7), GDPR) The notices must be free of charge. (Art. 12 (5), GDPR). Good practices Good design practices include the following. - Specificity: notice targeted to each piece of data - Layering: provide key notice points immediately in a clean easy to read format with a link to the detailed information. - Just in time notices: provide notices in tooltips for text input fields. - Icons and symbols: provide just in time information using a popup from an icon (e.g. question mark icon or small “i” icon); use themed icons to represent concepts. See ICO, Right to be informed (accessed 4/27/2018); and Art. 29 WP, Guidelines on Transparency under Regulation 2016/679 (wp260rev.01) (accessed 5/1/2018). The 15 components of Privacy Notices The following information must be included in the comprehensive Association privacy notices. 1. The name and contact information for the Association and DPO, where appointed. (Art. 13 (1), GDPR). 2. The data being collected. 3. All purposes for which the data will be used. (Art. 13 (1) and (3), GDPR). 4. The “lawful basis” or bases for collecting each piece of data. (Art. 13 (1), GDPR). 5. Where a lawful basis is “legitimate interests,” an explanation of those legitimate interests. (Art. 13 (1), GDPR). 6. Any recipients or categories of recipients of the data. (Art. 13 (1), GDPR). 7. Any plans to share the data abroad. (Art. 13 (1), GDPR). 8. The retention period or criteria defining the retention period for which data will be stored. (Art. 13 (2), GDPR). 9. Rights of the data subject to access, rectification, erasure, restriction, objection, and data portability along with methods to exercise those rights. (Art. 13 (2), GDPR). 10. If consent was the lawful basis for data collection, the right to withdraw consent without repercussions. (Art. 13 (2), GDPR).
- 15. Association GDPR Data Protection Policy Page 14 11. Any rights to complain to a Supervisory Authority and methods to exercise those rights. (Art. 13 (2), GDPR). 12. If the “lawful basis” is contractual or legal obligation (e.g. statutory), possible consequences for any failure to provide the data. (Art. 13 (2), GDPR). 13. Any existence of automated decision making, including profiling and information about how those decisions are made, their significances and consequences to the data subject. (Art. 13 (2), GDPR.). For personal data provided to the Association by others, the privacy notice must also include the following items. 1. The category of the personal data. (Art. 14, GDPR). 2. The source of the personal data, and whether it came from publicly available sources. (Art. 14, GDPR). The law provides exceptions where the data subject already has the information above or disproportionate effort would be required to deliver the notice. (Art. 13 (4) and Art. 14 (5), GDPR.) For more information, see ICO, Right to be informed (accessed 4/27/2018). Subject Requests Self-service systems Where possible and economically feasible, the Association should design, implement, and offer systems that provide remote access to a secure self-service system in real time which would provide individuals with free direct access to their information to satisfy access, erasure, correction, objection, and portability requests. (Recital 63, sentence 4, GDPR); (Art. 15 (3)(free), GDPR.). The Association should use reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers; the Association should not retain personal data for the sole purpose of being able to react to potential requests. (Recital 64, GDPR.) Request accommodation without self-service systems Requests by data subjects to enforce their rights under GDPR need not come in any special form. Responses must be in writing unless the subject requests otherwise. (Art. 15, (1) GDPR). Staff must make best efforts to respond to requests from data subjects regarding any of their data being used by the association. (Art. 15, GDPR.) The first step is to use reasonable means to verify the identity of the requestor. (Recital 64, GDPR; and (Art. 12 (2) and (6), GDPR). Once the identity has been reasonably identified, staff must promptly disclose whether it is processing the data or has access to it. (Art. 12 and Art. 15, GDPR). Where the Association is storing or processing data, the Association must provide an individual with a copy of the information free of charge. (Art. 12 (5), GDPR); (Art. 15 (3)(free), GDPR). This must occur without delay, and within one month of receipt. (Art. 12 (3) and (4), GDPR). The Association should provide access to information in a commonly used electronic format unless requested otherwise. (Art. 12 (3), GDPR). If complying with the request is complex or numerous, the deadline can be extended by two months, but the individual must be informed within one month. (Art. 12 (3), GDPR). You must obtain approval from the DIT, or DPO if elected, before extending the deadline. The Association can refuse to respond to certain requests, and can, in circumstances of the request being manifestly unfounded or excessive, charge a fee. (Art. 12 (5), GDPR). If the request is for a large quantity of data, that Association can request the individual specify the information they are requesting. (Recital 63, sentence 7, GDPR). Once a subject access request has been made, staff must not change or amend any of the data that has been requested. Doing so could be civil or criminal offence.
- 16. Association GDPR Data Protection Policy Page 15 Subject Access Requests A subject has the right to request that the Association promptly disclose whether it is processing data on the subject, what the data is, and the legal basis for the usage. (Art. 15, GDPR.) The disclosure must set forth specific details enumerated in the GDPR. See ICO, Right of access, (accessed 4/25/2018). The subject also has the right to take the data and reuse it. (Art. 20, GDPR.) The data must be in a readily readable format that can be fed into other systems, including online systems. A CSV file could be complaint; however, an encrypted, uncopiable pdf version would not likely suffice. See ICO, Right to Data Portability, (accessed 4/26/2018). Preferably, requests will be handled by self-service electronic means. Otherwise, staff must respond in accordance with this policy. Data portability requests The Association must provide the data requested in a structured, commonly used and machine-readable format. (Art. 20, GDPR). This would normally be a CSV file, although other formats are acceptable. The Association must provide this data either to the individual who has requested it, or to the data controller they have requested it be sent to. (Art. 20, GDPR). This must be done free of charge and without delay, and no later than one month. (Art. 12 (3), GDPR). This can be extended to two months for complex or numerous requests, but the individual must be informed of the extension within one month and you must receive express permission from the DIT or DPO, if appointed, first. (Art. 12 (3), GDPR). Preferably, requests will be handled by self-service electronic means. Otherwise, staff must respond in accordance with this policy. See Art. 29 WG, Guidelines on the right to data portability (Apr. 5, 2017). Erase and restriction requests Subject to important exceptions, individuals have a right to have their data erased and for processing to cease or for restrictions to be placed on processing. (Art. 17 and Art. 18, GDPR). Exceptions include justifiable reasons to keep the data, such as for a contract or pursuant to a litigation hold, etc. (See ICO, Right to Erasure, (accessed 4/25/2018). Preferably, requests will be handled by self-service electronic means. Otherwise, staff must respond in accordance with this policy. Where restrictions are lifted, the data subject must be notified. (Art. 18 (3), GDPR). If data has been made public and fell into the hands of other controllers, the Association must, taking into account available technology and the cost of implementation, take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. (Art. 17, (2) GDPR). Also, if the Association disclosed data to others and the subjects requests erasure or restrictions, those requests must be forwarded to everyone to whom the data was shared, unless it is impossible to do so. (Art. 19, GDPR). Objections Individuals have the right to object to their data being used processing based on legitimate interests, profiling, direct marketing, and research and statistics. (Art. 21, GDPR); also see ICO, Right to object, (accessed 4/26/2018). The Association must cease processing unless the organization can either show a compelling legitimate interest or legal reasons. If possible, requests will be handled by self-service electronic means. Otherwise, staff must respond in accordance with this policy. Third-party controllers and processors
- 17. Association GDPR Data Protection Policy Page 16 As a data controller and data processor, the Association must have written contracts in place with any third-party data controllers or data processors that the Association engages. (Art. 28 (3), GDPR). The contract must contain specific clauses which set out liabilities, obligations and responsibilities under the GDPR including agreements to: a) process the personal data only on documented instructions from the controller, b) only authorize persons to process the personal data who have committed themselves to confidentiality; c) take all measures required pursuant to GDPR Article 32 on security; d) obtain the Associations permission to engage subcontractors for the work and ensure the same obligations apply to subcontractors; e) make best efforts to help the Association respond to data subject’s rights; f) assist in compliance obligations pursuant to GDPR Articles 32 to 36; g) delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless law requires storage of the personal data; and h) make available to the controller all information necessary to demonstrate compliance with the obligations GDPR Article 32. Criminal record checks The Association may only carryout criminal records checks where permissible by law. Processing of personal data relating to criminal convictions and offences must provide for appropriate safeguards for the rights and freedoms of data subjects. (Art. 10, GDPR). Audits, monitoring and training Data audits Regular data audits will be conducted by the DIT to manage and mitigate risks. Monitoring All staff must observe this policy. The DIT has overall responsibility for this policy. The Association will keep this policy under review and amend or change it as required. Staff must notify the DIT and DPO, where appointed, of any breaches of this policy. Training Staff will receive adequate training on provisions of data protection law specific for each person’s role. Staff must complete all training as requested. If a staffer changes roles or responsibilities, responsibility lies with that person to requesting new data protection training relevant to the new role or responsibilities. If you require additional training on data protection matters, contact the DIT. Reporting breaches
- 18. Association GDPR Data Protection Policy Page 17 A “personal data breach” is a breach of the Association’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. (Art. 4 (12), GDPR). For guidance, see Art. 29 DP Working Group, Guidelines on Personal data breach notification under Regulation 2016/679 (Feb. 6, 2018). Notice to Individuals If a breach is likely to result in a high risk to the rights and freedoms of natural persons, the Association must give notice to that person “without undue delay.” (Art. 34 (1), GDPR). The notice must be in clear and plain language and include (1) the nature of the breach, (2) Association contact information, (3) likely consequences of the breach, and (4) measures planned or taken to mitigate damage. (Art. 34 (1) and (2) and Art. 33, GDPR). Exception to the reporting requirement arise in three scenarios. (Art. 34 (3), GDPR): (1) the data taken is encrypted; (2) Association measures reduce the high risk to people’s rights, or (3) individual notice would require disproportionate effort wherein a public notice serves the purpose effectively. Notice to Supervisory Authority Where the Association can identify a Supervisory Authority under the GDPR, the Association shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. (Art. 33, GDPR). As a U.S. based organization without any establishment in the EU and limited activity, the GDPR, as of May 2018, fails to identify desired reporting procedures for such an organization. With regard to a potential “Lead Supervisory Authority,” “[C]ontrollers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.” Art. 29 DP Working Group, Guidelines for identifying a controller or processor’s lead supervisory authority, (Sec.3.3; April 5, 2017). The cyber insurer should be consulted immediately to assist with determining the best and proper approach to sending notices under the law. Failure to comply We take compliance with this policy very seriously. Failure to comply puts both you and the organisation at risk. The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal. If you have any questions or concerns about anything in this policy, do not hesitate to contact the DIT.