Ordinarily at this time of year, I advocate a total switch off from all things work. However, the one thing that does not take a break over the Christmas period is the obligation to report a data breach to the Data Protection Commissioner. All data breaches must be notified within 72 hours.
A Data Protection Agreement is necessary when an organisation allows any third party to access or process personal data. This includes storage of files in the cloud, the use of work management systems, marketing or bulk-email software, as well as any situation where you allow access to an individual’s personal data by anyone outside of your organisation. If you are sharing personal data, it is your obligation to ensure that there is a DPA in place.
Under GDPR, children benefit from all the same protections as adults in respect of their personal data. However, organisations must take particular care in respect of processing the personal data of children, a child being a person under the age of eighteen years.
In recent months, I have noticed an increase in fees being charged for the compliance with data subject access requests, by some organisations. The purported fee is named as being to cover the cost of redaction, administration or copying, and is in many cases unlawful. Continue reading
Under GDPR, employers are entitled to monitor employee activity if they have a lawful basis for doing so and the purpose of their monitoring is clearly communicated to employees in advance-before any data is recorded the data subject must be warned. A system used to monitor the building for security purposes will usually be easy to justify. The use of CCTV systems in other circumstances – for example, to constantly monitor employees – can be more difficult to justify and could involve a breach of the Data Protection Acts. Should an employee object to the use of CCTV cameras in a particular area, the GDPR test places the burden on the employer to demonstrate that it has “compelling legitimate grounds” for processing that override the employees’ rights, or for the establishment, exercise or defence of legal claims.
General Data Protection Regulation
On Friday May 25th 2018 GDPR came into force. Although the key principles of data protection don’t change, there are changes to the regulatory policies. Below, we look at the main changes we will now see in Irish Law.
Now more than ever, we live in a world where knowledge is power. Businesses have discovered that the more information they have about an individual, the easier it is to sell them products and services. The internet thrives on the gathering and utilising of personal information. But, as individuals, we have rights in respect of information that can individually identify us. Our rights come into effect when there is any personal information about us stored on paper, on a computer, in the cloud or by way of photograph or video.