Data protection now a mainstream concern for business

Heightened security an essential component of good data protection regime

The range of data protection issues has increased significantly since EU data protection law was enacted in 1995


PAUL LAMBERT

In the not too distant past very few organisations would have heard of data protection. While personal and informational privacy were always prized, the intricacies of this new area of law and rights were viewed by many organisations and practitioners as a niche issue outside of their day-to-day activities.

That day has gone. Data protection affects all organisations and all individuals in Ireland every day. Compliance by organisations is a requirement of Irish and EU law.

Individuals, and in particular users of technology, are increasingly aware of the value of their personal informational privacy. However, recent instances of data loss and overly aggressive marketing reiterate that there is still a lot to be done in terms of appraising and addressing the risks associated with certain electronic and online personal data in certain organisations. This is particularly so for smaller and non-profit organisations.

Data loss
Recent data loss and data breach incidents, and the escalating nature of hacking, sometimes involving tens of millions of users, bring focus to the importance of data protection and data security. Sony for example has been fined £250,000 in relation to data loss incidents involving 85 million of its users.

Current EU data protection law was enacted in 1995 when no one could have predicted the myriad of activities now accessible on the internet. The ever-changing sophistication of online business models and of new opportunities for data collections and data processing activities bring new challenges to the data protection regime.

This, in part, is the reason for the EU proposals to overhaul the 1995 Data Protection Directive with a new, directly applicable, EU-wide Data Protection Regulation. The data protection regime will be wholly transformed.

The import and scope of data protection is vast indeed. Practically every organisation has data protection obligations. These will vary depending on what the organisation is doing, the sector, its size, whether it is commercial or non-profit, the types and categories of personal data being collected and processed, for what purposes, and contingent upon the nature of the risks of misuse, disclosure or loss of the data.

New obligations
However, while expanded and new obligations arise via the new regulation, certain rules remain at the core of data protection compliance. These include the principles and legitimising processing conditions which must be complied with when collecting and using personal data from customers, prospective customers and users. Equally, how an organisation goes about compliance will differ depending upon whether the organisation is considering internal data protection issues, such as employees, or looking outwards at customers, users and prospects.

The range of issues and concerns which arise in data protection has also increased significantly since 1995. These can range from advertising, marketing, online behavioural marketing to social networking.

Other issues which raise compliance issues for organisations include, for example:

• the enhanced role of data protection officers within organisations;
• increased litigation;
• reporting of data loss and data breach incidents;
• increased operational and management responsibilities for dealing with data protection within the organisation;
• personal liability issues for officers of the organisation when something goes wrong with the organisation's data protection compliance;
• international transfers. There is a default ban on international transfers of personal data, unless one of a specific number of exemptions can be triggered. There are new transfer solutions relating to Binding Corporate Rules (BCR) and the transfer of airline passenger personal data - which can be contentious;
• children and their personal data. Children are explicitly referred to for the first time in the new proposed regulation;
• social networking and related websites and the host of personal data issues they create;
• cloud computing and issues of who owns the data, who can access it and if it is secure;
• the rights of individual data subjects, such as access rights, deletion rights, enhanced right to be forgotten;
• the rights of individuals to seek remedies from the courts or the Data Protection Commissioner's Office;
• online safety and online abuse.

Organisations are not immune from these issues, as their employees can be engaged in online abuse with acts of creation, endorsement and promotion. There has been a lot of recent publicity, as well as an unprecedented amount of lobbying, in relation to the new proposed EU Data Protection regulation.

However, there is less publicity surrounding the EU proposal for a new directive dedicated to network and information security.

Security is an essential component of good data protection compliance. Organisations must have internal access controls to personal data within the organisation.

Organisations will have to deal with and properly apprise themselves of the new and developing data protection rules - in particular the interface of employees and social networking. The message is that data protection compliance is an important obligation, and that non-compliance can have many adverse consequences for organisations - be they large or small.

The balance is that good compliance can be a positive benefit to the organisation in more ways than one.

Paul Lambert, solicitor and adjunct lecturer, is author of Data Protection Law in Ireland: Sources and Issues, Clarus Press, Dublin 2013 (claruspress.ie)
