Data protection is all about protecting your personal data. But what does this really mean?
This guide is by Ian Long, solicitor and data protection specialist with more than 20 years’ experience in companies of all sizes, including AIB Bank, Aon Corp., Bank of Ireland Group, Griffith College, Groupon International, IAC Applications, Pepper Asset Servicing, and Ulster Bank.
- Author of leading text on GDPR compliance, Data Protection – The New Rules, published by Jordan Publishing, London.
A company or an organisation that handles any information about you must take certain steps to protect it and keep it safe. Otherwise the information could be used to harm you in all sorts of ways. It could be used to sell goods and services to you that you don’t want or, worse, to steal money from your bank account.
Examples of personal data are your name, email address, phone number and bank account number.
What is ‘GDPR’?
The General Data Protection Regulation (GDPR) is a legal framework that lays down the rules for the processing of personal data about individuals. It applies not just in Ireland but throughout the EU, and it also reaches organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour. The GDPR obliges all companies and organisations that decide how and why your personal data is processed, known as ‘data controllers’, to comply with the rules, and it places obligations on the ‘data processors’ that handle data on their behalf.
‘Process’ includes just about everything to do with handling personal data. This means collection, organisation, storage, alteration, use, communication, disclosure, deletion and destruction of the data.
The GDPR aims to provide a level playing field for individuals across the EU in dealing with organisations that process their personal data. The new rules apply in every Member State of the European Union.
Principles of Data Protection
The rules are set out in the seven basic principles of data protection:
- Lawfulness, fairness and transparency – there must be a legal basis for the data processing, and the processing must be fair and transparent to you.
- Purpose limitation – the data can only be collected for specified, explicit purposes and cannot be further processed in a way that is incompatible with those purposes.
- Data minimisation – the data must be adequate, relevant and limited to what is necessary for the purpose(s) of the processing.
- Accuracy – the data must be accurate and, where necessary, kept up-to-date.
- Storage limitation – the data can only be kept in a form that identifies you for as long as necessary for the purpose(s).
- Integrity and confidentiality – the data must be protected, by appropriate technical and organisational measures, against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Accountability – the company or organisation that is processing your data is responsible for compliance and must be able to demonstrate that it complies with all of these rules.
The principle of Consent
- Consent is one of the legal bases on which the GDPR allows your personal data to be processed. It is not the only one: processing may also be lawful where, for example, it is necessary to perform a contract with you, to comply with a legal obligation, or for the legitimate interests of the data controller, provided those interests are not overridden by your rights. Where consent is relied on, it must be freely given, specific, informed and unambiguous, and you must be able to withdraw it as easily as you gave it.
- In order to give an informed consent, obviously you must be made aware of what’s being done with your data. Where possible, the data should be pseudonymised or anonymised to protect your privacy; data that is truly anonymous is no longer personal data.
- The data controller must notify the Data Protection Commission of any personal data breach, e.g. an unauthorised disclosure of your data, without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to your rights and freedoms. Where the breach is likely to result in a high risk to you, the controller must also tell you directly.
- A company or organisation must appoint a data protection officer to oversee compliance with GDPR requirements if it is a public authority, if its core activities involve regular and systematic monitoring of individuals on a large scale, or if its core activities involve large-scale processing of special categories of data (such as health data) or data relating to criminal convictions.
Defending your rights to privacy
The GDPR specifically provides that you have certain rights against the data controller to ensure the privacy and security of your data.
You have the right to:
- ask the data controller to transmit, or ‘port’, your data to another company or organisation, where the processing is based on your consent or a contract and is carried out by automated means;
- ask the data controller to delete your data in certain circumstances, e.g. if it’s no longer required for the purpose it was collected for (the ‘right to be forgotten’);
- be informed of what data is being processed and why;
- withdraw your consent to the data processing, where consent is the legal basis relied on;
- object to certain processing, including any processing for direct marketing;
- ask for a copy of your data; and
- ask for your data to be corrected/updated.
Taking legal action for non-compliance
A data controller can pay dearly for non-compliance with these requirements.
The GDPR allows you to make a complaint to the Data Protection Commission and to take legal action against the company, including a claim for compensation if you have suffered damage as a result of a breach of the rules. The Commission has wide-ranging powers and can impose a fine of up to €20 million or 4% of the company’s total worldwide annual turnover for the preceding financial year, whichever is greater.
Get Legal Advice
If you have a legal issue with respect to data privacy or protection, you can get in touch below.