
GDPR – Start now!


If you do not know about the personal data you hold, you cannot comply with the GDPR. So, trace the flow of personal data in your company. Bear in mind that the personal data of employees is covered by the GDPR.

Compliance with the GDPR will involve those self-same employees. They will need training in the application of the principles of the GDPR in your organization.

Possibly you are obliged to appoint a Data Protection Officer (DPO). If so, or even if you decide you need one despite having no obligation to appoint one, there is little point in leaving it until May 2018 to do so. The DPO will be needed to help you reach compliance with the GDPR.

As your DPO will tell you quickly, many systems must be devised and implemented to ensure compliance. You will have to ensure that data protection is “baked in” to your systems. In other words, no change can take place without a rational analysis of the data protection implications and the measurement of risk for any such change. Here, speaking of change carries the assumption that your organization is not currently in compliance. It would be an unusual organization if it were to be already in compliance with the GDPR.

The GDPR requires the writing of a Data Protection Impact Assessment for change. To comply with the GDPR is to change. So, you will need to write your Data Protection Impact Assessment.

The foregoing is a cursory look at what you have to do. Start doing it now. You are possibly going to be late and not in compliance on 25th May 2018 but if you recognize the urgency you might just make it.

Start. Start now. Do not get diverted or distracted. You need to focus; you will need all the time that remains to do even the few things listed above.

GDPR and Brexit (whatever that means)


There is probably a book yet to be written on the interplay between the General Data Protection Regulation and Brexit, but some elements can be seen now.

Unusually, the GDPR permits the introduction of some national legislation on data protection issues. They include occasions where a legal obligation mandates the processing of personal data, or the processing relates to a public interest task, or the processing is carried out by a body with official authority. There are others.

As a presumption, we believe that Brexit will not happen outside the provisions of Article 50 TEU and therefore will not happen before 25th May 2018.

If the UK makes legislative provision within the scope of the GDPR it will be incumbent on the UK to include those provisions in the Brexit negotiations and receive EU assent to their recognition, otherwise the UK derogations will fail as law (from the point of view of the EU) on the happening of Brexit.

For Irish organisations one important issue would be the receipt of consent to data processing in relation to children. The GDPR sets the age below which a person is a “child”, whose consent must be given by a parent, at 16 years. This can be subject to national derogation and reduced to 13 years of age. If the UK derogates on the point and fails to get agreement in the Brexit negotiations, Irish organisations must immediately apply the provisions of the GDPR in full.

Put another way, it would be wiser, as a commercial matter, not to give recognition to any UK legislative derogations until the full conclusion of the Brexit negotiations.

Putting it yet another way: pending the successful (agreed) conclusion of the Brexit negotiations, Irish organisations should not accept, in contracts relating to the processing of personal data, jurisdictional law clauses where the stipulated legal jurisdiction is the UK.

GDPR; Personal data belongs to people

Personal Data Doesn't work on Finders Keepers

The EU deferred the application of the GDPR personal data rules for two years to allow organisations to make the necessary internal changes to reach compliance. The first, and possibly the most difficult, is to perceive what is stated in the title here; personal data belongs to the data subject.

Personal data, collected by you, is not owned by you.

Think of it as money. Less than one year from now, your organisation must be able to account for personal data in very close detail. You will be answerable to regulators and to the data subject for the personal data.

If you’re in a business or organisation preparing its GDPR compliance project, you are going to need to include a map of all the personal data you are storing (storage, in EU law, is a form of ‘processing’), as well as the purpose for which it is stored. You’ll also need to be able to show that you have a legal basis for that use, even if you’re only storing it. The GDPR even requires that you keep an up-to-date register of all the data processing done in your organisation, for inspection by the regulator.

Unless you prepare, the very possession of personal data could be a breach of the GDPR data protection rules and, depending on the nature of that breach, its circumstances etc., the fine for a breach could be fatal for your organisation.

That is intended by the EU; under the GDPR, personal data is potentially commercially radioactive. The EU intends to send that message that if it is mishandled, you may go out of business. There are historical reasons (see, most of the 20th Century) why the EU takes the primacy of human dignity in data protection seriously. There’s no doubt that, with the coming into force of the General Data Protection Regulation, it intends that all the organisations doing business inside the EU take it just as seriously as well.

Why bother with the GDPR?


Here is news that was not (to my knowledge) on RTE. Deep Root Analytics maintained a database on an estimated 62% of the population of the USA. It contains what is known as “sensitive” information on the population. It is being used to profile the US population.

The GDPR is designed to prevent the processing of exactly such a database as Deep Root Analytics possesses.

Companies like Deep Root Analytics believe that the information they have collected is theirs, not the data subjects’. They believe that they can sell it and exploit it for their profit.

The GDPR is predicated on the rejection of those ideas.

Those ideas are, currently, default ideas with regard to personal data.

This is the reason why some companies and organisations doing business in the EU must go through a metamorphosis to comply with the GDPR.

This is the reason why the new Regulators of the GDPR will definitely apply the planned fines and penalties provided for in the GDPR.

Nothing but such penalties will bring about the GDPR revolution.

Spoiling the Ship for a ha'pworth of tar

When the EU passed the GDPR as directly effective law it deferred the implementation of the GDPR for two years to allow organisations to make the necessary changes to comply with the law.

One year of that two year period has passed. Many companies and organisations have not even begun to make the necessary changes. For some of them, there is not now enough time to make the necessary changes to reach compliance by 25th May 2018.

There is a reasonable basis for making that judgment; those companies that did start early say they have been working on the issue for a year – and are still working.

Each company and organization will have to change internally. For some, it will be possible to do this in the remaining time. For others there is not enough time. However, even for those companies or organisations it is best to make an effort; it will be taken into account in the application of fines. Those fines will be administrative fines or court fines.

Ireland is opting for court-imposed fines for its public bodies. It plans to generally relieve its public bodies from administrative fines under the GDPR. So, in order to give proper effect to the GDPR, Ireland will have to take its miscreant public bodies to court in order to apply the necessary and appropriate fines. That will be more expensive than administrative fines.

Perhaps the Government really loves lawyers and will go out of its way to benefit them?

GDPR; Getting ready for Privacy by Design


Article 25 GDPR requires organisations to adopt privacy by design and by default. Generally, these will come as new principles in data protection implementation to many of the organisations obliged to adopt those principles before 25th May 2018. That’s the date the Regulation comes into force.

Failure to do this will be easily detected; under Article 30 GDPR organisations are obliged to establish and maintain a register of data processing activities. Implementation of privacy by design and by default should be recorded in the register. Failure to record will reveal a failure to comply, attracting a fine. A false record relating to Article 30 would constitute a crime attracting the penalties under the GDPR and those penalties are very severe (a fine of up to €10 million or 2% of annual global turnover).

Implementing security for personal data is, essentially, a sub-set of privacy by design and by default. Data controllers and processors must implement appropriate technical and administrative measures to protect the personal data. Those measures must be tested regularly to ensure their effectiveness.

Again, these steps and measures must be recorded in the register of processing activities.

These are policies that can be expected to come from the highest level of authority in an organisation. The senior management of an organisation must make sure there is enough time to comply with the GDPR before 25th May 2018. The EU provided a period of two years to become compliant; over 50% of that time is gone.

Many organisations are gearing their compliance projects up now. Data Compliance Europe can offer assistance in assessing where you are now, compared to what you need to be doing to be ready for GDPR. This sort of Gap Analysis should be one of the first steps taken in a GDPR project, as it will set out the roadmap for everything to follow.

GDPR: Is your business a Foinavon?

GDPR is a race to the finish

Less than one year from now every business holding (i.e., processing) personal data will have undergone a significant process of internal change or will, more likely than not, be in breach of the GDPR. The change process will have started at the top of the business and will have devolved downwards in the form of training (and other changes). With a considerable amount of work businesses can make the necessary changes. Those businesses that succeed in changing and adapting will survive, those that fail will not survive the effects of the GDPR fines and other losses in the form of compensation awarded in civil action claims from individual data subjects (the people who own the personal data).

The process of change will not be easy. It will not be quick.

Organisations can get help, to change, from Data Compliance Europe.

PS. Foinavon won the Grand National in 1967 at odds of 100/1. His rivals fell at the 23rd fence in a melee. He was well behind coming to the fence and managed to swing wide as he jumped, gaining a 30 length lead on his rivals.

GDPR; The Peril of holding data without good title


If you belong to some form of “circulating library” of personal data, less than one year from now you will encounter an excruciating dilemma. Under Article 14 of the GDPR you must notify the data subjects, whose data you have just received, of that fact and of your intentions with regard to the data. If you fail to do that you will be in breach of the Regulation. If you do it, the data subjects may direct you to delete it. If there is no legal basis for your possession of the personal data in the first place it is very likely that the data subject will report you to the regulator.

What you need to know is this: personal data will have to be accompanied by its “title deeds”. The ownership of, or right to possession of, personal data, and the right to transfer it, must be proved.

Possession of personal data will not be cheap. Receiving it might prove to be very expensive.

Phishing Fraud Warning

Phishing warning: people are apparently receiving emails purporting to relate to McGarr Solicitors, sent from a domain called . They’re not from us. Don’t click them; just delete them.

The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) comes fully into effect on 25th May

I suggest this soundbite to sum up the GDPR: “Nothing about me without me”.

The phrase is not new; it comes most recently from the UK National Health Service, in the form “No decision about me without me”.

Under the GDPR, processing of personal data (possession is processing) must be legal; it must be lawful. Each act of processing must be confirmed to be lawful and documented. That means that organisations must show and prove compliance by reference to records kept in relation to all personal data processing activities, specifying the purpose of the processing, the lawful basis for the processing, who the data subjects are, details of any recipients that the data may be shared with, retention policies and security measures taken.

An essential element of the GDPR requirements is the obligation to have the data subject’s consent to the processing. Forms of “consent” previously valid or sufficient may not suffice for the GDPR.

So, if an organisation cannot conform to a standard in the terms “Nothing about me without me”, it will be acting illegally, as of 25th May 2018, if it processes personal data. Remember, possession is processing.