INTRODUCTION TO DATA PROTECTION

An overview of the IrishData Protection legislation

AGENDA

• Context• The Legislation• Definitions• The Data Life Cycle• The Data Subject Rights• The Data Protection Commissioner• Enforcement

WHY COMPLY WITH THE ACTS?

• ‘It’s the law of the land!’• Protection of Brand• Avoid risk to Reputation• Protection of trust

– Employees– Suppliers– Customers

• Enables good decision-making• Makes good business sense

CONTEXT

• Social• Technological• Historical• Commercial

DATA PROTECTION AND ‘THE BRAND’

IRISH DATA PROTECTION LEGISLATION

• Data Protection Act (1988)– Only for automated processing– Only for certain data management activities

• Data Protection (Amendment) Act (2003)– Applies to manual as well as electronic data

• Electronic Communications Regulations (2011)– Specifically for online/electronic marketing

DEFINED TERMS

• Automated data• Manual data• Relevant Filing System• Personal data• Sensitive Personal data• Processing

CHARACTERS IN THE ACTS

• Data Subject• Data Controller• Data Processor

THE DATA PROTECTION RULES

The DP Characters

1. AcquireFairly

2. Specified Purpose

3. Compatible Processing

4. Keep Safe

5. Keep Accurate

6. Adequate Processing

7. Retain / Destroy

8. Allow Access

RULE 1 – FAIRLY OBTAINING DATA

• Setting Data Subject Expectations• The Fair Processing Notice

– Verbal– Electronic– Graphic

• Lawful processing conditions– Section 2(a) – ‘Ordinary Data’– Section 2(b) – ‘ Sensitive Personal Data’

• On-going fair processing

CONSENT / EXPLICIT CONSENT

• Should be…– Unambiguous– Freely given– Informed– An active indication

CONSENT FOR DIRECT MARKETING

• Default ‘opt out’• Active ‘opt in’• Indication of interest• Prior purchase of product or service• A reasonable expectation of interest• Prior consent for calls to mobiles• Identification and provision of contact details• Message must include option to opt out• Must use contact data at least once in a

twelve-month period

LAWFUL USE OF DATA

• Rule 2 – Specific purpose or purposes– Consider minimum data requirements

• Rule 3 – Compatible processing– Only process in line with specified purpose(s)

• Rule 6 – Adequate, relevant, but not excessive use– Only process the minimum necessary to satisfy

purpose

RULE 4 – KEEPING DATA SAFE

• Proportionality• Acceptable use of available technology• Applies equally to automated and manual data• Importance of staff awareness• Due diligence towards third parties

– Contract must be in place!– Negotiation of contract clauses

RULE 5 – DATA ACCURACY

• “Data are inaccurate if they are incorrect or misleading as to any matter of fact”

• Data Controller obligation

• Frequency of checks

• Data quality criteria– Completeness– Consistency– Correct representation of reality– Fitness for Use

RULE 7 – DATA RETENTION AND DESTRUCTION

• Retention schedule– No specific guidelines within the legislation– UK National Archive guidelines– HIQA Recommendations

• Destruction policy– Constructive, verifiable method

• Rule applies equally to automated and manual data

RULE 8 – RIGHT OF ACCESS TO DATA

• Entitles the Data Subject to a copy of their own data

• Formal request process– Request in writing– Adequate identification– Payment of fee

• Controller’s Obligation to respond• Opportunity to decline the request• Exemptions

ROLE OF THE DP COMMISSIONER

• Helen Dixon – Irish DP Commissioner

• Role enshrined in the legislation• Responsible for dissemination of legislation• Interpretation of legislation in various

circumstances• Enforcement of lawful processing• Investigation on request• Prosecution in the event of a breach

DATA PROTECTION OFFICER (PROPOSED)

The Controller or Processor processing more than 5000 records must designate a Data Protection Officer ('DPO') • Governance of organisation’s data management• Drafting, deployment and compliant with data policies• Influencing system and functional changes• Being the ‘go to’ person for DP issues

• Currently an optional role within organisations• May soon be mandatory in certain circumstances

ENFORCEMENT OF LEGISLATION

• ‘Triable either way’ legislation• Summary Prosecution – capped at €3,000 / €5,000• Indictment prosecution – capped at €100,000 / €250,000

• Formal notices• Information• Enforcement• Prohibition

• Mandatory breach notification• Reputational damage of a breach• Cost of recovery of market share, good will, trust

SO WHY COMPLY WITH THE ACTS?

• ‘It’s the law of the land!’• Protection of Brand• Avoid risk to Reputation• Protection of trust

– Employees– Suppliers– Customers

• Enables good decision-making• Makes good business sense

SYTORUS LTD. – WHO WE ARE

• Data Protection Consultancy• Training

• Introductory• DPO Certification• Tailored to sector

• Data Management Assessments• Interim Data Protection Officer• Liaison with Office of the DP Commissioner

• Visit www.sytorus.com