Data Protection, General Data Protection Regulation, EU, Law, GDPR

As the deluge of GDPR and “we have updated our privacy policy” emails begins to slow down somewhat and the dust settles on these new regulations thundering into our lives, and following on from our recent post, we thought it might be a good time to explore some of the key concepts associated with the new General Data Protection Regulation. In relation to GDPR, what are the rights of the individual and what constitutes a breach?

Two key terms that you will see time and time again in relation to the new regulations are Controller and Processor. Essentially, the organisation is the Controller, who is responsible for deciding what data is processed and in what manner. The Controller is also responsible for ensuring compliance. The Processor, on the other hand, is the employee or individual who acts on behalf of the Controller, and may generally be the person who deals with personal data on a day-to-day basis.

Below are the key rights of the individual in relation to their personal data:

  • The Right to be Informed – All individuals should be informed that their data is to be stored.
  • The Right of Access – Individuals should be able to request a viewing of the personal details held on them. The organisation has one month to comply with this request.
  • The Right to Rectification – Individuals are entitled to request changes to data that is incomplete or incorrect. Again, the organisation will have one month to comply.
  • The Right to Erasure – This is not an absolute right, in that it is not a guarantee, but the individual has the right to request that all data held on them be wiped.
  • The Right to Restrict Processing – The individual can request that processing be put on hold until they can verify accuracy.
  • The Right to Data Portability – The individual has the right to obtain and re-use their data across different devices. The information must be accessible to them.
  • The Right to Object – All individuals have the right to request that the organisation stop processing their data immediately, unless the data is proven to have legitimate contractual or legal basis to be stored and processed.

The issue with living in such a fast-paced digital age is that data is always at risk of being breached. Under these new regulations, a breach can result in a serious breach of human rights as well as a fine of up to €20m or 4% of annual turnover, not to mention a loss of client confidence and damage to company reputation.

Interestingly, in terms of GDPR, access is not the only form of breach. A breach can take the form of an incorrect email or postal address resulting in details being sent to the wrong person, the destruction of personal data without consent, or the ultimate loss of the personal data whether digitally or manually. All changes made to personal data need to be consented to.

It is advisable to appoint a data protection officer for this role who is independent and able to report any incidents to the Board without interference. Should a serious data breach occur, the organisation has 72 hours to report it to the Data Protection Commission, and it is advised that everything be reported, even if there are only suspicions of a breach.

Should you require any help, advice or guidance on any financial or business matters, please don’t hesitate to get in touch with us here at EcovisDCA, where we will be happy to support you in getting your business to the next level.

– – –

DCA PARTNERS
DECLAN DOLAN & EAMONN GARVEY

GDPR: What does it Mean?

It would be impossible to have missed the impending GDPR (General Data Protection Regulation) being implemented recently on 25/05/2018, as we were all flooded with emails regarding personal data and it became almost impossible to do anything without being informed of a changed privacy policy. This is all good news, however, as the GDPR will now mean that there are stricter standards across the board and will create a new level of trust across a single digital economy. With these new standards and requirements now in place, there will be no grace period for companies to be eased into the new standards, because the announcement was made in April 2016. We have briefly spoken about the GDPR before it came into effect and thought that today we would talk about some of the main changes and actions to be taken going forward.

The GDPR contains a much broader definition of what constitutes personal data than that which exists in the Irish Constitution. Now, personal data will be defined as any information relating to an identified or identifiable living person. For example, online identifiers now constitute personal data. The new rules will apply to both automated personal data and manual filing systems. The advice here is to encrypt all personal data to a good standard, as even anonymous data can be included depending on the ease with which the data can be accessed and combined with other identifiers.

Personal data may now be stored only after the consent of the individual has been confirmed. Consent must be freely given, verifiable and confirmed through affirmative action. A pre-ticked box on a website will not legally constitute consent. The only situations in which it is permissible to share personal data without having consent will be in cases of national interest, or in the case of counselling services for children. A new definition within the GDPR is that of ‘sensitive personal data’. This is data such as race, ethnicity, sexual orientation, trade union memberships, religious beliefs or medical information. There are stricter rules in place for these forms of data, and a higher standard of consent is required.

Accountability is a key area in which the GDPR differs from previous regulation. Organisations are now required to demonstrate compliance with all GDPR principles. The best course of action is to take precautions to avoid a breach of regulations. When handling personal data, take extra care with both standard and sensitive information. When asked to disclose any personal data, be vigilant and ensure you identify the requesting authority as legitimate.


Protect that Data

In light of recent revelations concerning personal data in the realm of social media, data protection issues have become more of a common topic of conversation. New changes this month will ensure that these issues stay a hot topic. In April 2016, after a lengthy period of debate and preparation, the General Data Protection Regulation (GDPR) was approved by the European Union Parliament. This new regulation is set to come into force on the 25th of May 2018, and any companies found to be non-compliant may face rather severe fines. With that in mind, we want to ensure that all of our clients and friends are well informed, so today we will be discussing the main topics of note ahead of this enforcement date.

In essence, the GDPR will replace the existing Data Protection Directive 95/46/EC and has been formulated in order to standardise data protection and privacy laws across Europe. The regulation is also intended to empower organisations to take data privacy increasingly seriously and to fully understand the impact this can have on a business.

Regardless of the location of your company, if you are an entity which offers goods, services or data exchanges to EU subjects, then the GDPR will apply to your company. For our British neighbours, there exists a level of uncertainty with Brexit continuing to loom. For all businesses having dealings in data with the UK, it would be advisable to apply the same rules to data coming to and from the UK as to data staying within the EU. There will likely be legislation put in place which may stay in line with the GDPR, but in order to avoid issues, it is advisable to treat non-EU entities and their data in the same strict manner.

It is important for companies to make themselves aware of what actually constitutes personal data. In its most common form, personal data is any information on an individual which could identify them. Anything from photos, bank details, addresses, certificates etc. can constitute personal data, and consent must be given for this information to be retained. If your company in any way deals with personal data, it is essential that new actions be taken to protect this data in the wake of these new rules.

Penalties for non-compliance can be as severe as fines of 4% of annual global turnover, with the most serious infringements carrying a maximum fine of €20 million. There will of course be a tiered system in terms of infringements.

For further information, we recommend visiting the website of our friends at Chartered Accountants Ireland, where they have put together a concise and informative booklet which will discuss everything you need to know about the GDPR.
