What is Data Protection?
Data protection is a prominent feature in the modern-day running of a business. The General Data Protection Regulation (GDPR) came into force in 2018 and increased the obligations and responsibilities for businesses in how they collect, use and protect personal data. We can give you guidance on the best practices to use to ensure you are meeting your obligations in being fully transparent about how you are using and safeguarding personal data, and demonstrating accountability for your data processing activities.
It is important for you as a business to understand what personal data is. It is data that relates to or can identify an individual, either by itself or together with other available information, and it can include a name, address, contact details, an identification number, CCTV footage, audio recordings of a person and location data. It is also advisable to have an idea of the key terms used to describe the parties involved. The business you run which handles this data is known as the controller; the individual who processes the information on behalf of you as the data controller is known as a processor; and the data subject is the individual to whom the personal data relates. There are a number of obligations, outlined below, that you have when handling their information that we can advise you on.
Data Protection Obligations
The obligation to lawfully process personal data:
Your business may only use or keep personal data where there is a lawful reason, and there are six standard lawful reasons which you can use. These include that you have been given free and informed consent from the individual; that the processing is necessary for you to carry out a contract, for example a delivery of a product; and that the processing is necessary for you to comply with a legal obligation, like the collection of details for anti-money laundering purposes. We can offer advice if you are unsure whether your reason for processing personal data falls under the six reasons set out by the GDPR.
The obligation to design and operate appropriate processing systems:
Data protection measures must be included when any system is being designed by your business and systems you set up should be data protection friendly. Essentially, you should ensure only necessary personal data is collected, that it is kept for the minimum period necessary and that an individual is not automatically opted-in to any unnecessary processing. You can apply for certification in Ireland from the Data Protection Commission, which will demonstrate that your business processes are designed to comply with the GDPR.
The obligation to use processors that meet the requirements of the legislation:
If processing is carried out by a processor and not your business, the controller, you must use only processors who guarantee that their systems of processing meet the requirements of the Regulation. Examples of processors include payroll companies, accountants and market research companies. You must have a contract with the processor setting out the scope of the processing required. We can also assist in drawing up such a contract.
The obligation to keep records:
If your business has more than 250 employees, or it processes sensitive information, you must keep a record of the processing activities and they can be inspected by the Data Protection Commission on request.
The obligation to keep data secure:
As the title suggests, you have an obligation to keep personal data secure. You must also ensure that any employees do not access or process any data unless they are required to do so. You should consider implementing modern security measures to combat the risks involved in this area.
The obligation to report data breaches:
You must notify the Data Protection Commission of a personal data breach where it is likely to result in a risk to the rights and freedoms of the data subject, for example where bank details are stolen. Notification should be made within 72 hours. You must also notify a data subject of the breach in clear language.
The obligation to carry out data protection impact assessments:
If you intend to carry out high-risk processing, you must first carry out a data protection impact assessment. This type of processing can include using new technology and processing large amounts of sensitive personal data.
The obligation to appoint data protection officers:
Data protection officers must be appointed if your business’ core activities consist of processing that requires regular and systematic monitoring of data subjects on a large scale or of special categories of personal data or data relating to criminal convictions and offences. There are a number of requirements for these data protection officers to meet and tasks they must complete which we can guide you on.
There are also obligations to comply with codes of conduct and certification and relating to transferring data outside the EU which we offer advice on. Your convenience is important to us and we aim to minimise the amount of time you have to spend on the process. We offer video calls to save you from travelling to meet us and you can meet us at times convenient to you.
Subject Access Requests
Another area concerning data protection we can help advise on is how to deal with subject access requests. A Subject Access Request can be completed by any individual to obtain all, or some, data held by a data controller about them.