
Help regarding legal documents & privacy policies etc.

  • 30-03-2018 8:29pm
    #1
    Registered Users Posts: 956 ✭✭✭steve_


    Hey folks,

    I'm in the process of launching a new business but to be honest it's presenting me with problems I haven't had to deal with before and I'm hoping I can get a little help from here.

    I run a production company here in Dublin and the new business idea came about due to the needs of one of our clients. Obviously when starting the video company it was all pretty straightforward. Get registered, get insurance, get an accountant and I was good to go. But this new venture deals with GDPR and requires the processing of CCTV footage which is classed as biometric data so the security issues are pretty hefty. But also there's certain legalese that I haven't the foggiest where to begin with. I'll need privacy policies for the website, terms of service, T's & C's and so on and so forth.

    I honestly don't even know where to start and what options are out there for getting the required documents drafted up and, more importantly, to be advised on the documents I'll need to begin with.

    The software we've created is done and dusted and fully functional, so really the only thing holding us back is the legal side of things and getting the right structures in place.

    Hopefully you guys could give some advice on what to do.


Comments

  • Closed Accounts Posts: 5,108 ✭✭✭pedroeibar1


    steve_ wrote: »
    .................. But this new venture deals with GDPR and requires the processing of CCTV footage which is classed as biometric data so the security issues are pretty hefty. ....
    The software we've created is done and dusted and fully functional, so really the only thing holding us back is the legal side of things and getting the right structures in place.
    Welcome to the costly world of heavy regulation. You’re coming late to the party, just 2 months to go. I’m reasonably up to date on GDPR but not on the biometric data side as it is outside my activities. Most here would be in the same position, as it is very niche.

    You say that you are/will be processing so you will be the data processor (DP). The data controller (DC - the person passing the data to you to process) must have a contract with you that sets out the type of data, the purpose and duration of the processing, and the obligations and rights of the DC and DP. Ask the DC for a copy of the proposed contract; that document would be a good place to start as it will set out the requirements and thus give you pointers on what you need to do.

    My understanding (just a passing knowledge) is that biometric data under GDPR has ‘special category’ status, so the starting-point is very onerous – i.e. processing broadly is prohibited. However it is recognised that there can be a need to process it for certain specific purposes. That can be done only if the data controller holds the explicit consent of the data subject(s) and the right to pass the data on to a data processor. The DC needs to have these consent forms drafted professionally and also have a system of storing/retrieving them.

    You also need to conduct privacy impact assessments when what you hold is likely to produce a risk to the rights of data subjects. You need to create an entire management system to show what you are doing, why, where and how. Overlaid on that you need written procedures that cover all your activities, show monitoring events, who can access data, etc. You need to have a cyber-risk policy in place – e.g. is the data accessible via your website?

    One of the businesses I’m involved with is a third party processor. We started by looking at the type of data we do not need and then stripping that out to reduce our exposure/risk.

    The list is almost endless. Build up a knowledge base of what you need and then talk to a lawyer - it is too important for your business not to do so.


  • Registered Users Posts: 956 ✭✭✭steve_


    Thank you for your reply. Would you mind if I sent you a PM detailing what our plans are for the business?


  • Closed Accounts Posts: 5,108 ✭✭✭pedroeibar1


    steve_ wrote: »
    Thank you for your reply. Would you mind if I sent you a PM detailing what our plans are for the business?

    Got it Steve. Will reply later.
    P


  • Closed Accounts Posts: 5,108 ✭✭✭pedroeibar1


    Another reply sent Steve. Boards is 'acting up' so let me know if you did not get the message.


  • Registered Users Posts: 33,519 ✭✭✭✭dudara


    If you are dealing with sensitive data, then I absolutely recommend getting legal advice on the preparation of your privacy policies and GDPR/Privacy readiness.

    There are multiple elements to consider. If you had a live company, it would be about taking a risk-based approach to prepare for May 25th. Assuming that you do not yet have a live company, then you have time to line up your approach.

    Things to consider...

    Privacy policy and website statements
    Clauses in employment contracts
    Data processing agreements in third party contracts
    Inventory of personal data processing
    If transferring personal data outside the EEA, then taking adequate measures such as standard contractual clauses
    Data Privacy Impact Assessments
    Appropriate technical and organisational measures to protect personal data
    Appointment of a DPO - is it required for your organisation
    Consent - can you establish your legal basis for the processing of the data and do you require consent?
    Training and awareness amongst your staff


  • Closed Accounts Posts: 422 ✭✭Vetch


    If the OP is a processor rather than controller - DPIAs are to be done by controllers, not processors. The obligation of processors is to assist controllers in the carrying out of DPIAs.


  • Closed Accounts Posts: 5,108 ✭✭✭pedroeibar1


    In his OP Steve is quite clear – the business is a start-up, he is a data processor.

    FWIW the data controllers meet the conditions to collect the data. They send the biometric data (images only, no personal data details) to the cloud where it is stored (transfer & storage are secure / encrypted, using a highly reputable/professional third party). He processes the data and then hands it back. He is not collecting / storing data or selling it. He is providing a once-off service although in a tiny number of incidences he can be re-sent some images and asked to ‘undo’ part of his process.

    What Steve needs to do is to keep records of his data processing activities (essentially a log), have appropriate security measures in place and notify the data controllers of any breach. Many of the valid points made by Dudara do not relate to his activity; others have been covered (by PM). From what he has told me his existing 'activity' would be compliant once it is put into writing.

    Steve’s issue is how to draft and examine procedures (reviewing his contracts with the data controllers and third party provider; reviewing / inserting appropriate clauses in employment contracts) and how to structure the framework for the good GDPR governance of his business. He has a business to run and drafting / review of procedures is not his forte. My feeling is that he needs a good GDPR person to do this for him. A specialist with IAPP accreditation would possibly be best; I’d hate to think what a large law firm would charge for the basic work, but I agree it would be advisable for a lawyer to review it when completed. The cost of compliance in many sectors has become a heavy burden.

    So if somebody has an appropriate contact please let him know.


  • Closed Accounts Posts: 422 ✭✭Vetch


    pedroeibar1 wrote: »
    In his OP Steve is quite clear – the business is a start-up, he is a data processor.
    FWIW the data controllers meet the conditions to collect the data. They send the biometric data (images only, no personal data details) to the cloud where it is stored (transfer & storage are secure / encrypted, using a highly reputable/professional third party). He processes the data and then hands it back. He is not collecting / storing data or selling it. He is providing a once-off service although in a tiny number of incidences he can be re-sent some images and asked to ‘undo’ part of his process.
    What Steve needs to do is to keep records of his data processing activities (essentially a log), have appropriate security measures in place and notify the data controllers of any breach. Many of the valid points made by Dudara do not relate to his activity; others have been covered (by PM). From what he has told me his existing 'activity' would be compliant once it is put into writing.
    Steve’s issue is how to draft and examine procedures (reviewing his contracts with the data controllers and third party provider; reviewing / inserting appropriate clauses in employment contracts) and how to structure the framework for the good GDPR governance of his business. He has a business to run and drafting / review of procedures is not his forte. My feeling is that he needs a good GDPR person to do this for him. A specialist with IAPP accreditation would possibly be best; I’d hate to think what a large law firm would charge for the basic work, but I agree it would be advisable for a lawyer to review it when completed. The cost of compliance in many sectors has become a heavy burden.
    So if somebody has an appropriate contact please let him know.

    Steve is unlikely to be a processor 100% of the time. The reference to employment contracts suggests that he's also a controller and Dudara's suggestions would be useful. He will also be subject to audits by controllers where he is a processor. If the core part of the business is the processing of biometric data, he will need to appoint a DPO.


  • Registered Users Posts: 33,519 ✭✭✭✭dudara


    My experience in this area has uncovered complexities in processes that initially appeared simple. So I wouldn't initially assume a Controller to Processor relationship, not until the data flows have been analysed in some detail. Granted, I have not received the same information by PM as Pedro, so at this point, I am not informed enough to eliminate required activities.

    I agree with pedro that engaging a good specialist will help, as they should be able to guide you through the analysis and help you determine where you are a Controller or Processor, where Controller to Controller or Controller to Processor relationships apply, if you require a DPO, establish the legal basis for your processing activities etc, if you have international data transfers etc. Once everything is in place, it's a good idea to have a lawyer review.

