Steps to be taken by Unit/School/Institute or Centre Heads to ensure Compliance with GDPR

Steps to be taken by unit/school/institute/centre heads to ensure compliance with GDPR:

1. Review and have your team review the University Data Protection Policy and related policies and procedures.

2. Take and have your team take University Data Protection Training which is advertised through HR Staff Training and Development.

3. In accordance with the University Data Protection Policy and related procedures, complete on an annual basis the University Template for records of processing available at: NUI Galway Unit Data Protection Records of Processing Template  In summary, this template  seeks to ascertain why your unit are holding the personal data? How did your unit obtain the personal data? What is the legal basis for processing the personal data? How long will your unit retain it? How secure is it, both in terms of encryption and accessibility? Does your unit ever share it with third parties and on what basis might it do so? How long are your unit keeping the personal data for and why? The following guide can be used as an aide to complete the template: NUIG Guide to completing Data Protection Records of Processing Template

4. If collecting personal data from any individuals directly ensure that they know who(i.e the University) is collecting it, for what purpose, what personal data is being collected, who is it being transferred to (if anyone), if there will be any transfers outside of the EU and include a link to the University Data Protection website so that the person from whom the data is being collected can be made aware of their data protection rights. 

5.  If you have a data breach in your unit, please follow the University Data Breach Procedure noting we only have 72 hours to respond to breaches. 

6. If your unit receives an personal data access request, please note you have only 30 days to provide the data to the requester.

7. If your unit are marketing externally, your unit/school/institute must have the consent of the individual and must be able to demonstrate that you have the consent.

8. If your unit/school/institute are processing personal data on a large scale, profiling individuals, or using a new technology which impacts on individuals then it must complete a data protection impact assessment using the University template available on the University website. Please consult with the University Data Protection Officer.

9. Privacy of the individual must be meaningfully at the core of any process or project you engage in. This means that you must consider the rights of the individual in every process and project you engage in. 

10. If you or a member of your team are engaged in Health Research you must abide by the Health Research Regulations, details of which are available on the University Data Protection webpage. 

11. If you are using a third party to process personal data then you must ensure that the third party abides by the University Data Processing Terms and Conditions copies of which are on the University Data Protection webpage.

Other practical tips:

Please click link for flyer with practical tips: GDPR ICT Best Practice

- Please ensure you and your team have taken ISS Security training available at:

-Ensure Office doors are locked and closed when leaving the office unless there are others still in the office.

-Do not leave doors ajar when leaving except in the cases of emergency or health and safety reasons.

-Staff access to closed offices must be reviewed with security.

-Ensure that personal data is kept secure and is not accessible to passers by.

-Do not leave personal data lying around.

-File personal data away appropriately.  

-Regularly review access to all systems, servers and directories and disable access or permissions as required.

-New colleagues must be inducted into unit GDPR Guidelines and University Policies and Procedures available on University webpage.

- Please ensure your team uses the secure NUI Galway systems available.

- Please ensure that each of your team use a strong password and regularly update it.

- Please ensure that each of your team enable auto lock on  phones and computers so that if a person steps away from their desk, the phone or computer password protects itself.

- Please ensure all log-off all computers before leaving the office for the evening.

- Do not use unencrypted portable devices such as usb memory sticks.

- Do not give password/pins to others and regularly change passwords and pins.

- When sharing personal data what personal data are you sharing and why does the recipient need to see this data?