The General Data Protection Regulation (GDPR) is the new data protection law that takes effect on May 25, 2018. GDPR embodies the privacy principles of transparency, fairness, and accountability. The new regulation replaces the existing data protection directives and national legislation, bringing consistency to the data protection requirements across the European Economic Area (EEA). GDPR is setting an international benchmark and many countries are following suit with equivalent regulation.
The GDPR focus is the protection, collection and management of personal data, (i.e. data about living individuals) and it applies to all businesses who hold or process personal data of people in the EEA, however, the GDPR has wide implications for every business worldwide. IRATA is required to comply, by law, with the GDPR requirements and this will have implications for all IRATA members, whether based in the EEA or otherwise.
As an organisation providing certification services worldwide, we have a responsibility to protect all personal information that is entrusted to us, regardless of where the holders or processors of such information are located. We are committed to helping our service users and members by protecting and respecting personal data, no matter where it is from or where it flows.
What is IRATA doing
As part of our continued focus on information security and data privacy, we are preparing for GDPR compliance through a managed programme of activities in the following areas:
IRATA has information security measures in place, however, we will be working closely with our partners to ensure that our security framework is effective by reviewing the mechanisms that assure data confidentiality, integrity and availability; and how we respond to security breaches.
Privacy by Design
We are updating our manual and digital systems and integrating data protection, privacy and security standards, where required. Our IRATA Operating System (IOS) is undergoing improvements and users can expect to see changes in the way the system is used.
In future, IRATA candidates will need to supply their personal information directly to IRATA electronically. We are also working on a system that will enable our Assessors to submit assessment records online. This should not only improve the security of the information but also speed up the certification process by reducing the time it takes to transfer information. We aim to make the new interfaces user friendly and will communicate clear instructions to those who use our systems.
Policies and Procedures
We are reviewing all of our policies, processes and records, and defining the personal information lifecycle in order to ensure transparency, accuracy, accessibility, completeness, security and consistency.
Extended Information Management
We will need to work closely with our members, suppliers and other partners who help us deliver our services, to ensure that our joint obligations, with respect to data privacy, are met. Transparent arrangements will need to be established through information sharing and data protection agreements. We all have an important role to play!
We are mapping our data workflows and identifying what we have, what we do with it, where it is, where it flows and who has access to it. We classify data based on risk and sensitivity in context. In order to act on our findings without delay, we will need to implement some short-term measures until long term solutions are developed. We will be communicating these changes to all relevant parties shortly.
WHAT TO EXPECT NEXT
As data controllers we are responsible for complying with the relevant requirements under the GDPR in respect of the personal data that we hold in connection with our members, suppliers and other partners. We are taking steps to meet the GDPR requirements and as our work progresses we will provide updates with key information, including:
- Refinements to our IOS, the related processes and restriction of access to certain information.
- Changes to how we obtain personal information e.g. personal data directly from Technicians.
- Changes to the assessment record form (Form 025) which will involve some short-term changes followed by phase in of a digital system to collect this data.
- Changes to the way we collect and manage medical information (Form 014).
- Instructions on how and when to remove historic records that contain personal data.
- Contracts to ensure 3rd parties look after your data too.
- Request to reconfirm, update and gain consent to use personal data, where appropriate.
- Changes to the membership requirements (Form 039), which is currently under review, the updated version will incorporate provisions for data protection.
The General Data Protection Regulation is a new, European Economic Area (EEA) -wide law that replaces the Data Protection Act 1998 covering the United Kingdom. It places greater obligations on how organisations handle personal data and comes into effect on 25 May 2018.
The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified, in particular, by reference to an identifier.
By definition GDPR does not cover information relating to companies, it specifically covers information regarding living persons.
A Controller determines the purposes and means of processing personal data. A Processor is responsible for processing personal data on behalf of a Controller.
If you are a Processor, the GDPR places new and specific legal obligations on you. You will have legal liability if you are responsible for a breach.
If you are a Controller, you share the responsibility of GDPR compliance with all Processors who process data on your behalf and should put measures in place to control this relationship.
The GDPR applies to processing carried out by organisations operating within the European Economic Area (EEA). It also applies to organisations outside the EEA that offer goods or services to individuals in the EEA.
IRATA is a Data Controller and is therefore responsible for information collected directly on its behalf for IRATA certification purposes.
The GDPR does not apply to all data processing activities including processing covered by law enforcement, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
‘Personal data’ means any information relating to an identifiable person who can be directly or indirectly identified, in particular, by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, examples of personal data are (but not limited to):
- medical details
- banking details
- identification number
- location data
The GDPR applies to both automated personal data and to manual filing systems where personal data is accessible according to specific criteria.
The GDPR refers to sensitive personal data as a “special category” of personal data.
Examples of sensitive personal data are (but not limited to):
- racial or ethnic origin
- political opinions
- sexual orientation
The special categories also specifically include information like genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.