By Noel Doherty
We have all become much more aware of how important it is to know what personal data is held by organisations such as Facebook, Google, and Apple, as well as by local service providers such as solicitors, doctors, the HSE, and Department of Social Welfare.
The scandals arising from Facebook, Cambridge Analytica, the US election, the Brexit referendum, and the Independent News and Media data breach have potential to undermine our democracy. We all need to know how our personal data is used and for what purpose.
The General Data Protection Regulation (GDPR) will come into effect on May 25. The EU regulation is directly applicable in Ireland and will be applied in conjunction with the Data Protection Bill which is currently before the Oireachtas and which it is “hoped” will be enacted as law prior to May 25.
The personal rights protected by the GDPR arise from our individual human rights. We all have a right to control our personal data. We have a right to know who has access to it and how they are using it. We have a right to privacy. The new regulations provide all of us with a mechanism to vindicate those rights.
Personal data is defined in the GDPR as “any information relating to an identified or identifiable natural person”; it applies only to living individuals.
Our personal data may only be held for the specific, explicit, and legitimate purposes for which it was collected;
Data collected and stored by an enterprise must be limited to what is necessary for the purpose for which it was collected; additional irrelevant data cannot be held, stored, or processed;
We have the right to expect that any personal data is accurate and kept up to date;
We have the right to expect that any computer system or filing system is appropriately protected and secure.
Most important of all, we have the right to access our personal data and to receive the information in respect of the rights set out above.
An enterprise must provide us with a copy of our data, together with the purposes for which it is used, free of charge and within one month of the request (extendable by a further two months where requests are complex or numerous). This process is called a data subject access request.
Where an enterprise allows our data to be published or used inappropriately, we have the right to claim compensation from that enterprise for material or non-material damage, so we need not have suffered a financial loss.
We therefore have the right to an effective judicial remedy, in other words the right to sue, against a data controller or processor where we consider that our rights under the GDPR have been infringed.
Enterprises that collect or store personal data therefore have onerous obligations as to how they use our data and with whom it is shared. Every personal data breach must be documented, whether or not it has to be reported.
Unless the breach is unlikely to result in a risk to the individuals affected, it must be reported to the Data Protection Commission without undue delay and, where feasible, within 72 hours of the enterprise becoming aware of it. If the breach is likely to result in a high risk to us as data subjects, we must be informed without undue delay.
For the most serious infringements, the commission has the power to impose fines of up to €20m or 4% of the enterprise’s worldwide annual turnover, whichever is the greater.
Enterprises must also consider the huge reputational damage that arises when there is a significant data breach which may now come before the courts.
It is hoped the GDPR will allow us all to have confidence that our personal information will be protected, used appropriately for the purpose for which it was given, and released to us when we request it.
I believe our privacy rights enshrined in the GDPR will support our democratic institutions, make organisations, large and small, more accountable and enhance personal freedoms.
Noel Doherty is a partner in Fitzgerald’s Solicitors based in Cork.