ILRI compliance to General Data Protection Regulation (GDPR)

Dear Colleagues,

You may have heard about the General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018 in Europe. The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified by reference to it. Personal data includes names, ID numbers, addresses, origin and biometric data; contact information such as email addresses and telephone numbers; and sensitive data such as health and financial information, to list a few. The GDPR requires that personal data be processed lawfully, fairly and in a transparent manner, and that personal data be collected for specified and legitimate purposes. Hefty fines may be imposed on organizations that do not comply.

Following its enactment, the CGIAR has also developed a GDPR-compliant System wide Data protection and Privacy Policy for mandatory adoption by all Centers.

I am writing to explain ILRI’s actions and measures to implement and comply with the GDPR by the 25th of May 2018 and beyond.

How We are Preparing for the GDPR

ILRI collects and processes personal data from staff (past and present) and their dependents, all other categories of staff, contractors, consultants, students, trainees, event participants, partners, donors etc., in order to carry out its operations and to fulfill its contractual obligations to its staff as the employer.

ILRI is committed to ensuring the security and protection of the personal information that we process, including a compliant and consistent approach to data protection. While we have always had robust and effective data protection systems, we recognize our obligations in updating and expanding these to meet the demands of the GDPR and the CGIAR Privacy & Data Protection Policy. In compliance with the GDPR, we have made the following changes to our procedures, controls and policies.

Information Audit

  • We have carried out an institute-wide information audit to identify the nature of personal data ILRI holds, how it is processed, who has access to it, existing security measures, contractual arrangements with third party processors of such data, with a view to streamlining compliance and security measures.

  • Legal basis for processing – we are reviewing all processing activities to ensure that each basis for collecting personal information is appropriate and the level of detail of personal data justified for the activity it relates to.

Your ‘personal data’ rights as Staff

  • In compliance with the GDPR, ILRI, as your employer, is required to provide you with a P&OD Staff Data Privacy Notice (https://cgspace.cgiar.org/handle/10568/92867) explaining in detail the “personal data” the People and Organizational Development Directorate (P&OD) collects from staff (and dependents), how it is used, the parties to whom your data is disclosed, how ILRI protects your data from illegal access (data breaches) and your legal rights in relation to such data (including the right to request information on what personal data ILRI holds, purpose, third party recipients, duration of holding such data, the right to correct such data, the right to request erasure of such data if applicable, and the right to lodge a complaint if a member of staff feels aggrieved). The said notice now forms part of your employment contract and automatically applies to all existing contracts. All new contracts and renewals will include the privacy notice as an annex henceforth. The P&OD induction process will also henceforth include information on staff data privacy protection.

  • Processor Agreements – where we use third-party service providers to process personal information on ILRI’s behalf (i.e. payroll, pension, insurance, recruitments, appraisals etc.), we are now required to ensure such third parties are GDPR compliant, including carrying out due diligence on the technical and organisational measures they have in place regarding data security and confidentiality.

Data Privacy notice on ILRI website, blogs and other online platforms

  • ILRI’s websites, blogs and other platforms now have a privacy notice to comply with the GDPR, ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information, including their consent.

ICT – Privacy, data protection and data breach procedures

  • For data filing systems over which ILRI has control, a breach notification system and process is now in place guaranteeing notification to management of any breaches/attempted breaches within 72 hours (or less) of becoming aware of such breach. ILRI has robust mitigation and monitoring in place to prevent and/or identify a breach when it occurs. Where ILRI stores or transfers personal information outside its Headquarters or global offices, we have robust procedures and safeguarding measures in place to secure, encrypt and maintain the integrity of the data. Our procedures include standard data protection clauses and strict due diligence checks with all recipients of personal data to assess and verify that they have appropriate safeguards in place to protect the information.

Policies

  • The IP & Legal Unit (Legal) has developed a draft ILRI data protection and privacy policy for review by IMC and approval by the board, following which it will be rolled out.
  • Legal will update our data retention and erasure policy to ensure that we meet the ‘data minimisation’ and ‘storage limitation’ principles and that personal information is stored, archived and destroyed compliantly and ethically.

Contracts

  • Legal is in the process of updating the various contract templates for GDPR compliance, to be approved by IMC and rolled out.

We shall continue to monitor the evolving interpretation and implementation of the GDPR to ensure adequate compliance measures are in place.

Regards,

Jimmy Smith | Director General
International Livestock Research Institute | ilri.org