Who owns your personal data? GDPR explained

By Noel Doherty

We have all become much more aware of how important it is to know what personal data is held by organisations such as Facebook, Google, and Apple, as well as by local service providers such as solicitors, doctors, the HSE, and Department of Social Welfare.

The scandals arising from Facebook, Cambridge Analytica, the US election, the Brexit referendum, and the Independent News and Media data breach have potential to undermine our democracy. We all need to know how our personal data is used and for what purpose.

The General Data Protection Regulation (GDPR) will come into effect on May 25. The EU regulation is directly applicable in Ireland and will be applied in conjunction with the Data Protection Bill which is currently before the Oireachtas and which it is “hoped” will be enacted as law prior to May 25.

The personal rights protected by the GDPR arise from our individual human rights. We all have a right to ownership of our personal data. We have a right to know who has access and how they are using our data. We have a right to privacy. The new regulations provide all of us with a mechanism to vindicate those rights.

Personal data is defined in the GDPR “as any information relating to a (living) natural person”.

In the event that a business or enterprise holds our personal data, then we have rights that include:

  • Our data must be processed lawfully, fairly, and in a transparent manner. We therefore have the right to know what happens to our data, the use to which it is put, and with whom it is shared;

    Our personal data may only be held for the specific, explicit, and legitimate purposes for which it was collected;

    Data collected and stored by an enterprise can only be what is necessary in relation to the use for which we agreed it was intended and additional irrelevant data cannot be held, stored, or processed;

    We have the right to expect that any personal data is accurate and kept up to date;

We have the right to expect that any computer system or filing system is appropriately protected and secure.

Most important of all, we have the right to access our personal data and to receive the information in respect of the rights set out above.

An enterprise must provide us with a copy of our data and the uses to which it is put, free of charge and within 30 days. This process is called a data subject access request.

Where an enterprise allows our data to be published or used inappropriately, we have the right to sue that enterprise whether or not we have suffered a resultant material loss.

We therefore have the right to an effective judicial remedy against -- to sue -- a data controller or processor where we consider that our rights under the GDPR have been infringed.

Enterprises that collect or store personal data therefore have onerous obligations as to how they use our data and with whom it is shared. Any breach of the data protection rules must be recorded.

Unless the breach is incidental, it must be reported to the Data Protection Commission within 72 hours. If there is a significant material risk to data subjects as a result of the breach, we must be informed immediately.

In the event of a breach, the commission has the power to impose fines up to a maximum of €20m or 4% of the enterprise’s global turnover whichever is the greater.

Enterprises must also consider the huge reputational damage that arises when there is a significant data breach which may now come before the courts.

It is hoped the GDPR will allow us all to have confidence that our personal information will be protected, used appropriately for the purpose for which it was given, and released to us when we request it.

I believe our privacy rights enshrined in the GDPR will support our democratic institutions, make organisations, large and small, more accountable and enhance personal freedoms.

Noel Doherty is a partner in Fitzgerald’s Solicitors based in Cork.

More in this Section

Dublin and Cork commit to net zero emissions by 2050

Ryanair to change share buyback plans due to Brexit

San Francisco becomes first major US city to ban e-cigarette sales

Europe looks for clarity on Facebook cryptocurrency


Stereolab: The right band at the wrong time

Kaleidoscope: The festival that is Electric Picnic for families

The High Priestess of Punk on 40 years in showbusiness ahead of Irish gig

Orla O’Regan: ‘I treasure the way my life has turned out’

More From The Irish Examiner