Posts

Data Protection, General Data Protection Regulation, EU, Law, GDPR

As the deluge of GDPR and “we have updated our privacy policy” emails begins to slow down somewhat and the dust settles on these new regulations thundering into our lives, and following on from our recent post, we thought it might be a good time to explore some of the key concepts associated with the new General Data Protection Regulations. In relation to GDPR, what are the rights of the individual and what constitutes a breach?

Two key terms that you will see time and time again in relation to the new regulations are Controller and Processor. Essentially, the organisation is the Controller who is responsible for deciding what data is processed and in what manner. The Controller is also responsible for ensuring compliance. The Processor on the other hand is the employee or individual who acts on the behalf of the Controller, and may generally be the person who deals with personal data on a day to day basis.

The below are the key rights of the individual in relation to their personal data:

  • The Right to be Informed – All individuals should be informed that their data is to be stored.
  • The Right of Access – Individuals should be able to request a viewing of the personal details held on them. The organisation has one month to comply with this request.
  • The Right to Rectification – Individuals are entitled to request changes to data that is incomplete or incorrect. Again, the organisation will have one month to comply.
  • The Right to Erasure – This is not an absolute right, in that it is not a guarantee, but the individual has the right to request all data be wiped on them.
  • The Right to Restrict Processing – The individual can request that processing be put on hold until they can verify accuracy.
  • The Right to Data Portability – The individual has the right to obtain and re-use their data across different devices. The information must be accessible to them.
  • The Right to Object – All individuals have the right to request that the organisation stop processing their data immediately, unless the data is proven to have legitimate contractual or legal basis to be stored and processed.

The issue with living in such a fast paced digital age is that data is always at risk of being breached and with these new regulations, a breach can result in a serious breach of human rights as well as a fine of up to €20m or 4% of annual turnover not to mention a loss of client confidence and damage to company reputation.

Interestingly, in terms of GDPR, access is not the only form of breach. A breach can take the form of an incorrect email or postal address resulting in details being sent to the wrong person, the destruction of personal data without consent, or the ultimate loss of the personal data whether digitally or manually. All changes made to personal data need to be consented to.

It is advisable to appoint a data protection officer for this role who is independent and able to report any incidences to the Board without interference. Should a serious data breach occur, the organisation has 72 hours to report it to the Data Protection Commission, and it is advised that everything be reported, even if there are only suspicions of a breach.

Should you require any help, advice or guidance on any financial or business matters, please don’t hesitate to get in touch with us here at EcovisDCA, where we will be happy to support you in getting your business to the next level.

– – –

DCA PARTNERSDECLAN DOLAN & EAMONN GARVEY

GDPR: What does it Mean?

It would be impossible to have missed the impending GDPR (General Data Protection Regulations) being implemented recently on 25/05/2018 as we are all flooded with emails regarding personal data and it became almost impossible to do anything without being informed of a changed privacy policy. This is all good news however as the GDPR will now mean that there are more strict standards across the board and create a new level of trust across a single digital economy. With these new standards and requirements now in place, there will be no grace period for companies to be eased in to the new standards due to the fact that the announcement was made in April 2016.We have briefly spoken about the GDPR before it came into effect and thought that today we would talk about some of the main changes and actions to be taken going forward.

The GDPR contains a much broader definition of what constitutes personal data than that which exists in the Irish Constitution. Now, personal data will be defined as any information relating to an identified or identifiable living person. For example, online identifiers now constitute personal data. The new rules will apply to both automated personal data and manual filing systems. The advice here is to encrypt all personal data to a good standard as even anonymous data can be included depending on the ease with which the data can be accessed and combined with other identifiers. All personal data which is stored will now need to be done only after confirming consent of the individual. Consent must be freely given, verifiable and confirmed through affirmative action. A pre-ticked box on a website will not legally constitute consent. The only situations in which it is permissible to share personal data without having consent will be in cases of national interest, or in the case of counselling services for children. A new definition within the GDPR is that of ‘sensitive personal data’. This is data such as race, ethnicity, sexual orientation, trade union memberships, religious beliefs or medical information. There are stricter rules in place for these forms of data, a higher standard of consent is required here.

Accountability is a key area in which the GDPR differs from previous regulation. Organisations are now required to demonstrate compliance with all GDPR principles. The best course of action is to take precautions to avoid a breach of regulations. When handling personal data take extra care with both standard and sensitive information. When asked to disclose any personal data be vigilant and ensure you identify the authority as legitimate.

Should you require any help, advice or guidance on any financial or business matters, please don’t hesitate to get in touch with us here at EcovisDCA, where we will be happy to support you in getting your business to the next level.

– – –

DCA PARTNERSDECLAN DOLAN & EAMONN GARVEY

Protect that Data

In light of recent revelations in terms of personal data in the realm of social media, data protection issues have become more of a common topic of conversation. New changes this month will ensure that these issues stay a hot topic. In April 2016, after a lengthy period of debate and preparation, the General Data Protection Regulation (GDPR) was approved by the European Union Parliament. This new regulation is set to come into force on the 25th of May 2018 and any companies found to be non-compliant may face rather severe fines. With that in mind we want to ensure that all of our clients and friends are well informed so today we will be discussing the main topics of note ahead of this enforcement date.

In essence, the GDPR will replace the existing Data Protection Directive 95/46/EC and has been formulated in order to standardise data protection and privacy laws across Europe. The regulation is also intended to empower organisations to take data privacy increasingly seriously and to fully understand the impact this can have on a business.

Regardless of the location of your company, if you are an entity which offers goods, services or data exchanges to EU subjects then the GDPR will apply to your company. For our British neighbours, there exists a level of uncertainty with Brexit continuing to loom, for all businesses having dealings in data with the UK it would be advisable to apply the same rules to data coming to and from the UK as data staying within the EU. There will likely be legislation put in place which may stay in line with the GDPR but in order to avoid issues, it is advisable to treat non EU entities and their data in the same strict manner.

It is important for companies to make themselves aware of what actually constitutes personal data. In its most common form personal data is any information on an individual which could identify them. Anything from photos, bank details, addresses, certificates etc. can constitute as personal data for which there must be consent given for this information to be retained. If your company in any way deals with personal data, it is essential that new actions be taken to protect this data in the wake of these new rules.

Penalties for non-compliance can be as severe as fines of 4% of annual global turnover, with the most serious infringements carrying a maximum fine of €20million. There will of course be a tiered system in terms of infringements.

For further information, we recommend visiting the website of our friends at Chartered Accountants Ireland, where they have put together a concise and informative booklet which will discuss everything you need to know about the GDPR.

Should you require any help, advice or guidance on any financial or business matters, please don’t hesitate to get in touch with us here at EcovisDCA, where we will be happy to support you in getting your business to the next level.

– – –

DCA PARTNERSDECLAN DOLAN & EAMONN GARVEY

DATA PROTECTION FOR ME AND EU

We all know the age old saying “Fail to prepare, prepare to fail” as one that is consistently thrown around as a saying to live and work by. Here at DCA Accountants we are firm believers in planning ahead and the manner in which forward planning can have a tremendously positive effect on the day-to-day running of your business. Today we will be speaking about a new regulation, which won’t come into full effect until April 2018, but which will require thinking and planning ahead in order to ensure a smooth transition.

As of April 14th 2016, the EU has adopted the General Data Protection Regulation. This regulation is one by which is intended to strengthen and unify data protection regulations for all individuals within the EU. The regulation will also address the export of personal data outside of the EU, a clause which may have interesting repercussions for Ireland in the wake of Britain’s shock departure from the European Union. The EU aims to cut red tape for businesses in the EU by ensuring that there be one set of rules for all to follow. This new regulation will also aim to protect the data of all residents and workers of the European Union.

This regulation will require business owners to be aware and knowledgeable about its effects before finally coming into action in April 2018 following four years of negotiation. Under these new rules individuals will have more control over how their personal data is processed as data protection will now be as default and will require consent. What this means for business owners is that there will be a need for a higher level of vigilance in terms of dealing with the personal data of employees or clients as there will now be more accountability placed on companies regarding the use of personal data. The repercussions of a failure to comply can amount to a fine of up to 4% of the company’s global annual turnover, meaning that this is an issue which will need to be prepared for in order to avoid costly errors.

One highly recommended way to prepare for this incoming regulation would be to review the entire data protection plan for the business and create a new classification scheme in order to ensure that all personal data will be managed effectively and according to the new guidelines. This will also ensure a full and working knowledge about where this data is kept at all times. A risk-based approach is also recommended when dealing with personal data. This requires data sources to be separated into different risk categories in order to assess a better management system.

These new regulations have been a long time coming, and wont yet come into effect until April 2018, however it is important to have any possible data issues ironed out before this date in order to avoid penalties. Should you require any assistance or guidance on these or any other business matters, please don’t hesitate to contact us here at DCA Accountants, where we will be happy to assist and advise in any way possible.

 

– – – – –

DCA PARTNERSDECLAN DOLAN & EAMONN GARVEY