The GDPR contains a much broader definition of what constitutes personal data than that which exists in the Irish Constitution. Personal data is now defined as any information relating to an identified or identifiable living person. For example, online identifiers now constitute personal data. The new rules apply to both automated personal data and manual filing systems. The advice here is to encrypt all personal data to a good standard, as even anonymous data can fall within the definition, depending on how easily it can be accessed and combined with other identifiers.
Personal data may now be stored only after the individual's consent has been confirmed. Consent must be freely given, verifiable and confirmed through affirmative action. A pre-ticked box on a website will not legally constitute consent. The only situations in which it is permissible to share personal data without consent will be cases of national interest and counselling services for children.
A new definition within the GDPR is that of ‘sensitive personal data’. This is data such as race, ethnicity, sexual orientation, trade union membership, religious beliefs or medical information. Stricter rules are in place for these forms of data, and a higher standard of consent is required.
Accountability is a key area in which the GDPR differs from previous regulation. Organisations are now required to demonstrate compliance with all GDPR principles. The best course of action is to take precautions to avoid a breach of the regulations. When handling personal data, take extra care with both standard and sensitive information. When asked to disclose any personal data, be vigilant and confirm that the authority making the request is legitimate.