Data protection legislation eight simple steps to compliance

With data protection issues becoming a hot topic for the Irish legal system, Fintan Lawlor advises how companies can comply with legislation.

The mass use of social network sites such as Facebook and the use of cloud computing to store data on the web, together with our general reliance on technology in all areas of our day-to-day living, have meant that the safe and private storage and retention of our personal data is imperative.

It is a case of striking a balance between opposing rights. On one side are the interests of the public and on the other is the ability of corporate bodies to run their day-to-day affairs. In the past year we have seen a shift in favour of the consumer, with greater emphasis being placed on their rights. As a result, companies must act to preserve the right to privacy by ensuring that they do not trample on these fundamental rights by breaching data protection laws.

Both corporate organisations and the modern State hold a great deal of information about many aspects of our daily lives. Indeed, the amounts of information that we give to the State or that the State takes from us — whether it is for reasons of tax, social welfare, education, or law enforcement — are increasing all the time.

Recent developments

On Monday 17 December last the Irish Times reported a data protection breach where a storage box with confidential files from a counselling service collapsed and documents were found on the street visible to anyone who passed by.

In the last month a number of major telephone companies have been fined for breaches under the Data Protection Acts by engaging in unsolicited marketing.

Experian, the world’s largest credit-checking company, was investigated by the Data Protection Commissioner in November for a large number of breaches of the company’s databases.

The social network giant Facebook may face proceedings for breaches of privacy, brought by an Austrian student in the Europe v Facebook campaign which is taking shape across Europe. Max Schrems, a 25-year-old Austrian law student, is seeking to launch a multi-year legal battle that might significantly redefine how Facebook controls the personal data on over one billion people worldwide.

These are just a few examples of the many data protection/privacy issues which have come to light of late.

Eight simple steps to ensure your company is compliant

The duties placed on data controllers (companies) are not overly onerous if they are properly monitored and regulated. However, many smaller companies are unaware of their obligations under the data protection legislation. Others choose to ignore and disregard them as they feel there are no implications for non-compliance. This approach is reckless at best, as the recent fines placed on a number of large corporates send a clear message from the courts and the Data Protection Commissioner that such breaches will not be tolerated. To ensure compliance you must:

1. Obtain and process the information fairly

2. Keep it only for one or more specified and lawful purposes

3. Process it only in ways compatible with the purposes for which it was given to you initially

4. Keep it safe and secure

5. Keep it accurate and up-to-date

6. Ensure that it is adequate, relevant and not excessive

7. Retain it no longer than is necessary for the specified purpose or purposes

8. Give a copy of his/her personal data to any individual, on request.

These provisions are binding on every data controller. Any failure to observe them would be a breach of the Act.

The future of data protection law

It is evident from case law, media reporting and general consensus that the issue of data protection won’t be going away. From the recent case of Michael Collins v FBD, where damages were awarded to an individual for the first time under the Data Protection Acts, to the Privacy Bill 2012, which will provide for a new tort of violation of privacy taking into account the jurisprudence of our courts and the European Court of Human Rights, the issue of data protection has never been more topical or significant. To put it simply, companies must either educate themselves on data protection and ensure they are compliant or risk hefty fines and legal costs.

Fintan Lawlor is a first dedicated data protection consultant and a data protection expert at Lawlor Partners.