1.0 Introduction and background
The purpose of this Policy is to outline how IGI has established measures to maintain compliance with the EU General Data Protection Regulation (hereinafter referred to as the “GDPR”).
The Policy contains two components:
Section 2.0 – measures to reinforce accountability and governance.
Section 3.0 – measures to demonstrate the protection of the information rights of the data subject.
1.1 Policy Principles
Article 5 of the GDPR requires that personal data shall be:
“a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
In addition, there is a requirement that:
“The controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
2.0 Accountability and governance
This Policy outlines comprehensive but proportionate governance measures designed to achieve and maintain compliance with the GDPR. These measures have been designed to minimise the risk of breaches and uphold the protection of personal data.
This section on accountability and governance considers:
Roles and responsibilities – the responsibilities of the Board, Data Compliance Officers, information owners and general employees.
Documentation – IGI’s requirements in respect of documenting processing.
Data protection by design and default – IGI’s requirements for Data Protection Impact Assessments.
Lawful basis for processing – IGI’s Policy on determining the basis for processing.
Security – Security Policy measures designed to protect information confidentiality, integrity and availability.
Contracts – the measures that should be in place to ensure contractual relationships maintain GDPR compliance.
International transfer – oversight measures for international transfer of data.
Data breaches – principles for detecting and responding to data breaches.
2.1 Roles and responsibilities
Background:
While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance. IGI is expected to put into place comprehensive but proportionate governance measures.
Policy requirements:
1. IGI has designated Michael Farah as the ‘Data Compliance Officer’ (DCO).
2. The DCO’s responsibilities include:
o Informing and advising IGI and its employees about their obligations to comply with the GDPR and other data protection laws.
o Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.