Two key terms that you will see time and time again in relation to the new regulations are Controller and Processor. Essentially, the organisation is the Controller, who is responsible for deciding what data is processed and in what manner; the Controller is also responsible for ensuring compliance. The Processor, on the other hand, is the employee or individual who acts on behalf of the Controller, and will generally be the person who deals with personal data on a day-to-day basis.
The following are the key rights of the individual in relation to their personal data:
- The Right to be Informed – All individuals should be informed that their data is to be stored.
- The Right of Access – Individuals should be able to request a viewing of the personal details held on them. The organisation has one month to comply with this request.
- The Right to Rectification – Individuals are entitled to request changes to data that is incomplete or incorrect. Again, the organisation will have one month to comply.
- The Right to Erasure – This is not an absolute right, in that it is not a guarantee, but the individual has the right to request that all data held on them be wiped.
- The Right to Restrict Processing – The individual can request that processing be put on hold until they can verify accuracy.
- The Right to Data Portability – The individual has the right to obtain and re-use their data across different devices, and the information must be accessible to them.
- The Right to Object – All individuals have the right to request that the organisation stop processing their data immediately, unless the organisation can show a legitimate contractual or legal basis for the data to be stored and processed.
The issue with living in such a fast-paced digital age is that data is always at risk of being breached. Under these new regulations, a breach can amount to a serious breach of human rights as well as attracting a fine of up to €20m or 4% of annual turnover, not to mention a loss of client confidence and damage to company reputation.
Interestingly, in terms of GDPR, unauthorised access is not the only form of breach. A breach can take the form of an incorrect email or postal address resulting in details being sent to the wrong person, the destruction of personal data without consent, or the outright loss of the personal data, whether held digitally or manually. All changes made to personal data need to be consented to.
It is advisable to appoint a data protection officer who is independent and able to report any incidents to the Board without interference. Should a serious data breach occur, the organisation has 72 hours to report it to the Data Protection Commission, and it is advised that everything be reported, even if there are only suspicions of a breach.
Should you require any help, advice or guidance on any financial or business matters, please don’t hesitate to get in touch with us here at EcovisDCA, where we will be happy to support you in getting your business to the next level.