Data Protection – the Eighth Wonder of the World?
You may know that there are Seven Wonders of the World, but stop the press. There’s something even more exciting to tell. There are eight principles of Data Protection. We know… eight! Who’d have thought it?
The oldest of the Seven Wonders of the World, the Great Pyramid of Giza, dates back to the 1st-2nd century BC. The eight principles of Data Protection, whilst equally impressive, only date back as far as the 1998 Data Protection Act.
The General Data Protection Regulation (GDPR) won’t matter a jot to the Great Pyramid, but it will shake the foundations of the Data Protection Act, so that all of its principles are fit for purpose for a world in which data transferring and sharing have become the norm.
The first principle, Fair and Lawful, outlines how you must have legitimate reasons for collecting data on a person. Letting someone know how you are going to use their information is key. When GDPR is introduced next year, controls in this area will be extended and enhanced, which is good news for all.
For example, a criminal and credit check under GDPR must be deemed lawful and cannot be conducted on, say, job candidates who will be working in a zoo or as a tour guide. The information being gathered must be relevant to the case in point. Therefore, GDPR will stop companies getting information about you that isn’t necessary for a new job, or whatever else might be in the offing.
Companies must make clear the reason for taking personal data and what they plan to use it for. So moving swiftly on to principle number two, the information they request must be Specific for its Purpose. Once they have information they can only use it for the original ‘intended and advised’ reason. This is good; it means they cannot sell on your data without having told you, and you therefore shouldn’t receive random spam as a result. GDPR has gone a step further and declared information about genetics and biometrics as sensitive information. This further reduces invasiveness and the potential for data to be out there that could aid identity theft.
Number three: the ‘level of data held’ by a company needs to be at an all-time minimum to comply with Data Protection. Because organisations will have to tell you what they are using your information for under GDPR, and will need your permission to hold on to your data, it will soon become more of a chore for them to hold onto it than not. I know I don’t want to receive an email from every company I deal with telling me what they are using my information for. The good news is that from May 2018 we should be informed by companies of our right to withdraw our consent for usage of our data held. But perhaps this one’s something of a double-edged sword, as that means… more emails!
More contact from companies is on the horizon as they attempt to keep your data ‘Accurate and up to date’ as per principle number four. The Data Protection Act states that companies should be active in ensuring they have the correct information on an individual in the event that sensitive information or money is being exchanged. More emails.
Five: the length of time your data is stored by a company is likely to change. Data that is out of date or no longer necessary should be properly destroyed or deleted. If you ask an organisation to remove you from their records they will; however, depending on the record type and the nature of the business in question, the length of time to retain your data must be assessed against the business need.
Wouldn’t it be nice to be anonymous now and again? Well, under GDPR you can be, sort of, with number six, A Right to be Forgotten. This allows you to request that all your online content be deleted from a company’s database. The Data Portability Act is even more interesting. You can ask Facebook, for example, to transfer all of your photos to another social network like Instagram. Now that’s what I call a time-saving efficiency.
Everyone has the right to access their personal data, or to ask for it to no longer be used if you feel it’s being used in the wrong context. If you come across any inaccurate data you can have it changed. And in extreme circumstances you can claim compensation for damaging data breaches. If you are ever in doubt you can make use of the Data Rights Access and request a copy of all your data held by a company; more information on that is available at Dataprotection.ie.
Companies are obliged to obey principle number seven, and that is to keep your personal data safe and secure. Depending on the nature of the data that is being held on you, there are different levels of security. Medical records are at a higher level of security than, say, your subscription to the RTE Guide. The good news is GDPR is introducing more stringent controls, and any company that processes more than 5,000 personal records per year and employs 250+ employees is required to appoint a Data Protection Officer. This unfortunate individual is responsible for everything related to keeping personal data secure.
In our last blog ‘The Divorce Chapter’, we talked about the impact of Brexit on Data Protection. Data cannot be transferred outside the EEA, simply because other countries do not have the same level of data protection. Numero eight. However, due to the large volume of data being transferred to the US there is a Privacy Shield agreement with American companies. This enables data to be transferred between the EU and US legally, but GDPR will ensure companies get consent for any data to be transferred outside of the EEA. GDPR will hold a company liable, even after data has been transferred to another country. This means that companies will now have to consider the GDPR impact on their international data transfers.
The purpose of the original guide book for the Seven Wonders of the World changed from being a simple travel guide to one that provides lists of sites and locations that need to be defended or preserved. GDPR is similar in its purpose; it serves to protect. This is a good thing. Matrix Recruitment are currently undergoing major changes to ensure compliance with these new laws and want to make you familiar with these Data Protection regulations.
With offices located in Dublin, Athlone, Galway, Carlow and Waterford, our team are well placed to find you your dream job. Why not register your CV now and get in touch with a member of our team to discuss your next move?