Data Protection Law (GDPR)
Data Protection law has been a hot topic for some time, but with the introduction of the General Data Protection Regulation (GDPR), it has become a number one priority for the vast majority of organisations.
As data protection law continues to evolve, it is important both businesses and individuals are aware of how data protection can impact upon them, and more importantly, how to minimise this impact.
When it comes to the use of personal information, consumers are more aware of their rights than ever and the compensation they may be entitled to. Organisations need to be able to demonstrate that they are collecting personal information ethically and treating such data with diligence and care. Under the GDPR, gathering and storing personal data can quickly become a contentious issue for organisations, no matter the size or the industry they are in.
At Clarke Jeffers LLP we understand the complexities involved when dealing with data protection matters. We help clients understand the duties and responsibilities they have when it comes to GDPR compliance. We advise clients in the event of the misuse or mistreatment of personal data and have represented both individuals and companies involved in data breaches. Our knowledge and expertise in this area is unrivalled.
“Many companies struggle with data protection compliance and there are many individuals who have experienced the misuse of their personal information at one time or another. With data protection matters growing ever more complex, we have made it a key focus for our firm.”
-Victor Clarke, Managing Partner.
We advise clients in the following areas:
Glossary of GDPR Terms
Acts
GDPR (General Data Protection Regulation) and Data Protection Act 2018.
Access Requests
A request made by an identifiable living individual for data held on that individual in any relevant format.
Automated individual decision making
Making a decision solely by automated means without any human involvement; and profiling (automated processing of personal data to evaluate certain things about an individual).
Availability Breach
An accidental or unauthorised loss of access to, or destruction of, personal data.
Appeals
It is possible to appeal against an administrative fine being levied by the ODPC. Such appeals are made to the Courts and must be made within 28 days from the date of notification of the decision to fine.
Breach
A personal data breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, transmitted, stored or otherwise processed.
Controller
Determines the purpose and means of the processing.
Computer Files
All files held on computer, electronically, on USB storage devices and including computers not on the main network (phones, laptops, iPads etc.).
Confidentiality Breach
An unauthorised or accidental disclosure of, or access to, personal data.
Complaints
An individual has a right to complain to the Office of the Data Protection Commissioner (ODPC), for example if access to data is refused, or not provided correctly or at all.
Containment
Once a breach occurs the Controller must seek to contain the incident and assess the risk.
Confirmation Hearing
While the Data Protection Commissioner can levy a fine, the fine itself must be confirmed by the Court. This hearing is known as a Confirmation Hearing.
Compensation
A right to receive compensation from the Controller or Processor of data if damage is suffered as a result of a breach (although the GDPR allows any person affected by a data breach to claim compensation, this is limited in Ireland under the Data Protection Act to the subject access individual).
Corrective Power
The power of the supervisory authority to levy fines which shall in each individual case be effective, proportionate and dissuasive.
Data
Data is any information kept manually or electronically or by other means (such as CCTV etc.) relating to an identifiable living individual.
Data Request
A data request can be in writing (e-mail is also sufficient) and can be oral also. There is no need to mention GDPR or any other regulations, nor is there any set format or template that needs to be used.
Data Protection Commissioner
The Data Protection Commissioner and its Office (ODPC) are the supervising authority in Ireland for matters relating to data protection. (Currently Helen Dixon)
Data Litigation
The right to take action, to protect one’s own data etc.
Damage
The types of material and non-material damage that could result if a breach of data is not addressed in an appropriate and timely manner.
Data Subject Rights
Your rights include:
- Right to be informed (transparency in choice).
- Right to access.
- Right to rectification.
- Right to erasure.
- Right to restriction of processing.
- Right to data portability.
- Right to object.
Data Controller
The Data Controller determines the purpose for which, and the manner in which, personal data is processed. It can do this either on its own or jointly or in common with other organisations. This means that the Data Controller exercises overall control over the “why” and “how” of a data processing activity.
Data Processor Definition
Data Processor in relation to personal data means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller. Processing in relation to information or data means obtaining, recording or holding the information or data.
Electronic Request
A request made usually by e-mail. (In these circumstances and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic format).
Exceptions
Not all data must be supplied in response to a data access request. Such examples would include data which might give rise to a contempt of Court, data covered by legal professional privilege or litigation privilege etc.
Encrypted Data
Encrypted data is data which is protected by encryption, so that it cannot be read without the corresponding key. Such encryption can minimise the risk in the event that the data is lost.
Enforcement Notice
The power to issue reprimands to a Controller or Processor where processing operations have infringed provisions of the GDPR.
Format of Request
Requests can be made in writing, by e-mail or orally. There is no set format or template to be used, nor is there an applicable fee (unless the request is deemed repetitive or excessive).
Fees
There is no necessity (unlike the previous Data Protection Acts) to enclose a fee with your request. Fees will only arise if the request is deemed to be excessive or repetitive.
Filing Systems
Only relevant to manual data. Structured by reference to individuals and organised in such a way that specific information relating to a particular individual is readily accessible. (Such systems cover personal data and the individual’s name appears on the front of the file.)
Fines
There are two tiers of administrative fine that can be levied.
- Up to €10 million or 2% of annual global turnover – whichever is higher.
- Up to €20 million or 4% of annual global turnover – whichever is higher.
GDPR
The EU General Data Protection Regulation. Came into force on the 25th May 2018.
Harvesting
The collection of personal data on individuals.
Health Data
Health data is a special category of sensitive data. The Controller must not release health data without first checking with the appropriate health practitioner whether release of the data would cause serious harm to the physical or mental health of the data subject.
Habitual Residence
The member state where the data subject has his or her main residence.
Information to be supplied
The information to be supplied in the event of a data breach to the Office of the Data Protection Commissioner (broken into specific categories such as number of data subjects, type of data, type of individual affected etc.).
Identifiable Living Person
Data access requests relate to identifiable living persons.
Integrity Breach
An unauthorised or accidental alteration of personal data.
Investigations
The Data Protection Commissioner can investigate a Data Controller’s handling of any request and has the power to access data relevant to the complaint.
Jurisdiction
While the Data Protection Commissioner has jurisdiction to investigate claims and levy fines, those fines can only be confirmed at a confirmation hearing through the Courts.
Judicial Review
A form of legal action which can be taken to review the handling or outcome of any complaint.
Keeping Data
The keeping of data imposes an obligation on the Controller to keep the data safe, not to keep the data for longer than is necessary for that purpose and to ensure that the appropriate notifications and action steps are taken in the event of a breach.
Key Principles
There are seven key principles under GDPR as follows:
- Lawful fair and transparent processing.
- Purpose Limitation.
- Data minimisation.
- Accurate and up to date processing.
- Limitation of storage in the form that permits identification.
- Confidential and secure.
- Accountability and liability.
Loss of Confidential or Personal Data
Refers to a situation where a Processor or Controller loses personal data by way of loss, ransom, unauthorised access, destruction etc.
Liability
Liability rests with the Controller for damage caused by processing which infringes GDPR. The Processor is only liable where they have not complied with the specific processor obligations under GDPR or have acted outside or contrary to the instructions of the Controller.
Legal Professional Privilege
Means privileged data which is subject to professional secrecy (specific communication providing legal advice between Solicitor and client for example).
Legislation
Data Protection Act, 2018 – signed into law on the 24th May 2018.
Mandatory Reporting
In a case of a personal data breach the Controller shall without undue delay (no later than 72 hours after having become aware of it) notify the personal data breach to the supervisory authority. If notification comes later than 72 hours then a detailed explanation for the delay must accompany that report.
Minors
Persons under the age of 18 years. This is relevant where a data request has been made by somebody under the age of 18 (or in the case of a data access request being made by a parent on behalf of a child).
Manual Data
Data kept in manual format, such as files, paperwork etc.
Notifications
Notifications for data breaches to the Office of the Data Protection Commissioner must be made without delay and no later than 72 hours from the date of the breach. There is no general requirement to notify if the breach is considered “unlikely to result in risk”.
ODPC
The Office of Data Protection Commissioner in Ireland.
Organisational Measures
These are measures which are taken in order to protect data such as encryption, remote wiping etc.
Oral Requests
Oral requests by a data subject are now permitted.
Opinions
Confidential expressions of opinion may be exempt from being furnished under a data request. Generally a “but for test” is applied. (i.e. I would not have expressed this confidential opinion had I known that I would have to provide access to it). This is quite a subjective test and care needs to be applied.
Personal Data Breach
Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
Personal Data
Examples of Personal Data might include employment files, medical records, credit card details, telephone calls, e-mails, CCTV, images, recordings of websites visited etc.
Processor
Processor processes data on behalf of Controller.
Profiling
The correlation of information based on an individual’s profile, trends, buying patterns etc.
Plain Language
All notices relating to personal data breaches issued to identifiable living individuals must be made in plain language (readily understandable etc.).
Public Communication
Where a data breach is significantly large in size the notification may be made by way of public communication (i.e. newspaper advertisement, television advertisement etc.).
Queries
Any queries which might be put to the Data Protection Commissioners Office in relation to any issue or aspect arising out of a subject access request.
Regulatory Guidance
Sources of regulatory guidance include (but are not limited to) Data Protection Commission Guidance on Access Rights and Responsibilities (published in April 2017).
Refusal
A refusal to provide data access on foot of a subject access request. A notification of refusal should issue with a statement of the reasons for refusal and an indication that a complaint may be registered with the Data Protection Commission if the applicant is not satisfied.
Redactions
Redactions are where information is deleted from the data to be provided (usually by way of black marker). In the event that redactions are required (such as for third party personal details etc.) then a statement should be provided confirming that there are redactions and why the Controller / Processor considers them necessary.
Remedies
All individuals shall have a right to an effective judicial remedy where one considers their rights under the regulations have been infringed as a result of the processing of their personal data or non-compliance with the regulations. These rights may be against a Controller or a Processor. The remedy can be in general format such as compensation, rectification of data, right to be forgotten etc.
Risk
There are three levels of risk: high, medium and low. These refer to the risk of damage or prejudice arising to an individual (or individuals) in the event of a data breach.
Representations
Defines the right to make representations at a confirmation hearing where a fine has been levied by the Office of Data Protection Commission. Such representations can be made even in the event that an appeal has not been lodged.
Statute
The Irish governing legislation in relation to data protection in Ireland is the Data Protection Act, 2018.
Sensitive Data
Sensitive data is any data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Security
Security measures employed to protect data such as encryption, remote wiping etc.
Storage Period
Where possible it is the intended or predicted period for which the personal data will be stored. In the event that it is not possible to predict this term then the criteria used to determine that period should be supplied.
Types of Breach
There are various types of breach including:
- Confidentiality breach (where there is an unauthorised or accidental disclosure of, or access to personal data).
- Integrity breach (where there is an unauthorised or accidental alteration of personal data).
- Availability breach (where there is accidental or unauthorised loss of access to, or destruction of, personal data).
Tests
The tests applied to help decide whether a breach is reportable (the general test is whether the breach is a breach which is likely to result in a risk to the rights and freedoms of natural persons).
Third Party Requests
Refer to requests made by individuals on behalf of other individuals for personal data (examples might include parents, Solicitors, Accountants etc.). In general there should be some form of written consent by the subject access individual although there is an entitlement to accept the bona fides of a Solicitor. This can often be a tricky area when it comes to minors.
Timeframes
Timeframe for provision of requested data. Data must be provided without delay and in any event within one month of receipt of the request. (This one month period does not take into account Bank Holidays, Christmas etc.). The timeline can be extended by a period of up to two further months taking into account complexity, number of requests etc.
Timeframe for Appeals
In the event that a fine is levied by the Data Protection Commissioner then the Processor/Controller has 28 days from the date of that notification to appeal the decision.
Unlikely to Result in Risk
This is a data breach which, even though it has occurred, is unlikely to result in damage (for example a laptop containing personal data has been lost but the data is encrypted, or the laptop has remote wiping which has been activated).
Unfair Requests
Unfair requests or excessive requests relate to requests by individuals for data which are manifestly unfair or excessive.
United States
GDPR can affect businesses in the United States (or any other location) if information is held by that business in the EU. GDPR is concerned with information held within the EU as opposed to the nationality of any citizen it affects.
Victor Clarke
Who you should speak to in the event of a data query or breach.
Web Browsing History
Refers to a record of web pages visited by an individual and maintained as data by a Controller or Processor.
Withheld Data
Data withheld on the basis of legitimate exemption (for example legal professional privilege).
WhatsApp Groups
At the time of writing WhatsApp is generally non-compliant for GDPR purposes. Care should therefore be taken in the creation of WhatsApp groups, and particularly where those groups discuss sensitive or important personal information.
X-Rays
X-rays would be included as personal data (medical data). X-rays are in a special category of personal data which is subject to increased protection.
Your Rights
Your rights include:
- Right to be informed (transparency in choice).
- Right to access.
- Right to rectification.
- Right to erasure.
- Right to restriction of processing.
- Right to data portability.
- Right to object.
Z
If you can think of a “Z” let us know!!