Page 12 - TASIS GDPR FAQs
DRAFT: TASIS GDPR FAQs
against the rights and freedoms of the data subjects, their expectations at the time the data was collected, etc. Our new Records Retention Policy defines which data/records we should retain and for how long; please refer to it.
How does the GDPR change our response to personal data breaches?
The GDPR changes data protection requirements and imposes stricter obligations on controllers and processors regarding notification of personal data breaches. Under the new regulation, a processor must notify the data controller of a personal data breach without undue delay after becoming aware of it. Once aware of a personal data breach, the controller (the School) must notify the relevant data protection authority within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also notify the affected individuals without undue delay. Please refer to our Data Breach procedure.
How can we prevent data breaches?
We must ensure that data is adequately protected to prevent loss or theft. Where a breach has taken place, we may need to notify individuals, and we may also face a negative impact on the School’s reputation and the trust of our community. Under the General Data Protection Regulation, we could face fines of up to €20 million or 4% of our annual turnover.
It is possible to minimise the risk of data breaches by following a number of best practices:
• Up-to-date Security Software - Ensure software is updated and patched regularly so that known vulnerabilities are closed before they can be exploited.
• Regular Risk Assessments - Carry out vulnerability assessments to review and address any changes or new risks in data protection. Consider all aspects, such as data storage and remote access for employees, and ensure that policies and procedures are adequate.
• Encryption and data backup - Personal data should at least be encrypted, including on work laptops issued to our staff. Instead of using backup tapes that can be lost or stolen, data can be backed up to remote services over the Internet. We should also be cautious about using personal devices and removable media (such as USB sticks) to transport data and information. Please refer to our Data Protection and E-Safety policies.
• Staff training and awareness - We train our staff and faculty to follow best practices, to be aware of the importance of data security, and to avoid mistakes that could lead to breaches. Awareness of sensitive data and security should be part of our culture. Please refer to our Data Protection and E-Safety policies.
• Ensure vendors and partners maintain high data protection standards - When working with other organisations that may handle personal data on our behalf, make sure they also have adequate systems in place to protect that data.
• Third-party Data Security Evaluations - Having a third party carry out a risk evaluation provides an objective, outside view of the current breach risks. A Data Security expert can advise