Key GDPR Changes
The GDPR introduces a number of changes to data protection practices and will require the University to review and revise its approach to data handling. Key changes include:
- Privacy notices: more detailed privacy notices are required, which explain the purpose and legal basis behind processing activities
- Accountability: stronger requirements to demonstrate compliance, including record-keeping regarding all data processing activities
- Privacy by Design and Default should be the norm
- Data Protection Impact Assessments (DPIAs): mandatory for all new processing activities where privacy risks are high
- Sensitive personal data: now includes genetic and biometric data
- A broader definition of personal data: now includes ID numbers, IP addresses and reversibly anonymised (‘pseudonymised’) data
- Consent: must be ‘opt-in’ (rather than being assumed from lack of action), freely given, informed and specific to named processing activities; data subjects will be able to withdraw consent at any time
- Right to be forgotten: data subjects can request that their data is deleted in some circumstances
- Right to data portability: data subjects can request their data in a portable format, in order to move it to another data controller
- Subject Access Requests: individuals still have a right to request access to their personal data held by an organisation; this can no longer be charged for, and the response time limit is reduced from 40 days to one month
- More restrictive rules around the use of child data: restricts the age at which individuals can lawfully give consent, introduces rules for the language used in consent requests targeted at children and regulates the way online services obtain children’s consent
- International transfers: new rules for transfers outside the European Economic Area (EEA)
- Breach notification: must notify the Data Protection Commissioner within 72 hours of becoming aware of a data protection breach
- Fines: tougher financial penalties (fines of up to 4% of annual global turnover or €20 million, whichever is greater)