Registers of Personal Data
GDPR introduces a new principle of ‘accountability’: “The Controller shall be responsible for, and be able to demonstrate compliance with Data Protection Principles/Concepts”. There are specific requirements for internal records of processing activities. The University must be able to demonstrate that it knows:
- What personal data we process
- Why we hold it
- How it was obtained
- Legal basis for processing
- Where/how it is stored
- Security measures in place
- Who can access it
- How long we retain it
UCC is required to hold a central personal data register of data it holds as a data controller. It is also required to hold a register of personal data it holds as a data processor.
In 2012/2013 the Information Compliance Office, in conjunction with nominated Data Protection champions, compiled a Central Register of Personal Data for UCC which detailed all personal data UCC holds as a data controller. To comply with GDPR, this Register must now be updated to reflect any changes, such as new personal data being held, data no longer held and amendments to any details. GDPR also requires additional information to be held on the Register of Personal Data. A new register must be compiled which captures the same information for personal data where UCC acts as the data processor.
The information captured within the personal data registers informs the need for new or amended Data Protection notices, and capturing it will be one of the first tasks completed by the project.