# GDPR training 1

## History

GDPR started (originally) with the (EU) declaration of rights

More specialised over time

Privacy in written communications

From written comms protected from gov to digital comms protected from corps

## Personal data

Dead folks don't count for GDPR

userID would count as identifiable information.

Some data is protected, except under certain conditions such as criminal convictions

## Principles

* Must be fairly and lawfully processed
* 6 recognised means you can choose to gather and store data
  * Consent trumps all other means
  * Contractual and legal obligations are tied
  * Obliged to gather
  * Public interest

Wolves is joint controllers

Committees are also joint controllers

* Rights of data subjects
  * Right to be informed
  * Right of access
  * Human has to be involved

## Enforcement

The office of the Data Commissioner got bumped up in funding and manpower

Most of the big corpos are headquartered in Ireland (for a variety of reasons)

Fines got bumped, to a big number and a % of revenue

More power than revenue commissioners.

DPC are looking at a broad spectrum of organisations

Losing access to data counts as a breach

* Leak
* Hack
* Accidental deletion
* Ransomware
* ....

Technically, having former committee with access to the gcloud could have counted.

## Compliance

A creche may need to keep data of a 3 year old till they are 25

7 year timer starts once they turn 18

18+7=25

Main areas of action:

* Data breaches
  * Ye have 72 hrs to report it
  * Find out what happened
  * Fix the issue
  * Mitigate issue
  * If high risk to members then they have to be notified
* Data Access
  * One calendar month (28 days?)

## Misc

### Why

We (committees) are controllers of data.

### Questions

#### Skynet bot

Had a good chat, will send email.

#### Old data from before GDPR (home dirs and emails)

Basically as long as ye want.

Best to keep the data until either they contact us or we contact them.

Give clear options on what to do with it.

#### Logging bot on discord

Not a good idea

***Ask for slides***