GDPR frequently asked questions
How does RedmineUP help me comply?
RedmineUP provides tools and documentation to support your GDPR accountability, including support for Data Subject Rights, for performing your own Data Protection Impact Assessments, and for working together to resolve personal data breaches.
Who are data controllers, processors and sub-processors?
A data controller is the entity or person that determines the purposes and means of processing the personal data of an EU resident. For example, RedmineUP is a data processor and RedmineUP's customers are the controllers of the EU resident's data.
The GDPR applies to both data controllers and processors. Controllers collect data from the end-user (the EU resident) for clearly stated purposes and with appropriate consent. Data processors provide services to the controller in accordance with each controller's instructions. Processors also use the collected data to perform benchmarking analysis, so that they can sell further services allowing controllers to compare their data to industry averages.
Who is a Data Protection Officer (DPO) and does my business need one?
The DPO is responsible for informing employees of their compliance obligations as well as conducting monitoring, training, and audits required by the GDPR. A DPO needs to be appointed if you:
- process large amounts of personal data
- carry out large-scale systematic monitoring of individuals, or
- are a public sector authority
What do you mean by Right to be forgotten?
Individuals have the right to have their personal data deleted where it is no longer needed. The 'right to be forgotten' is in support of freedom of expression.
Does GDPR require EU data to stay in the EU?
No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on the transfer of personal data outside the EU.
Data transfers from the EU to countries outside it can be legitimised in many ways, including:
- EU-US Privacy Shield
- Model or contractual clauses
- Binding Corporate Rules (BCR)
As the UK voted to leave the EU, does the GDPR still apply?
Yes, post-Brexit the GDPR still applies to the UK. On the 24th of October 2016, the Secretary of State Karen Bradley MP said:
“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
Elizabeth Denham, the ICO’s Information Commissioner commented: “I acknowledge that there may still be questions about how the GDPR would work on the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018.
“We’ll be working with government to stay at the centre of these conversations about the long-term future of UK data protection law and to provide our advice and counsel where appropriate.”
What are the key things I should consider when handling personal data?
Article 5 of the GDPR states that personal data shall be:
- Processed lawfully, fairly and transparently
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and confined to what is necessary
- Accurate and kept up to date
- Held for no longer than necessary
- Processed in a manner that ensures appropriate security, i.e. guards against:
  - Unauthorised or unlawful processing
  - Accidental loss, destruction or damage
Organisations are required to demonstrate compliance with the above principles.
What rights do individuals have under the GDPR?
Here they are in brief:
The right to be informed
Organisations need to be clear on how they use personal data, typically through a privacy notice.
The right of access
Under the GDPR, individuals are entitled to know what information is held about them and how it’s processed.
The right to rectification
Individuals are entitled to have their personal data corrected if it’s inaccurate or incomplete.
The right to erasure – also known as the right to be forgotten
Individuals have the right to request the removal of personal data where there is no compelling reason for its continued processing.
The right to restrict processing
Individuals have the right to block or suppress the processing of their personal data.
The right to data portability
This allows individuals to transfer or copy their personal data from one IT environment to another, safely and securely.