Call McGarr Solicitors on: 01 6351580

GDPR; Personal data belongs to people

Personal Data Doesn't work on Finders Keepers

The EU deferred the application of the GDPR personal data rules for two years to allow organisations to make the necessary internal changes to reach compliance. The first, and possibly the most difficult, is to perceive what is stated in the title here; personal data belongs to the data subject.

Personal data, collected by you, is not owned by you.

Think of it as money. Less than one year from now, your organisation must be able to account for personal data in very close detail. You will be answerable to regulators and to the data subject for the personal data.

If you’re in a business or organisation preparing their GDPR compliance project, you are going to need to include a map of all the personal data you are storing (storage,in EU law, is a form of ‘processing’) , as well as the purpose for which it is stored. You’ll also need to be able to show that you have a legal basis for that use, even if you’re only storing it. The GDPR even requires that you keep an up-to-date register of all the data processing done in your organisation, for inspection by the regulator.

Unless you prepare, the very possession of personal data could be a breach of the GDPR data protection rules and, depending on the nature of that breach, its circumstances etc., the fine for a breach could be fatal for your organisation.

That is intended by the EU; under the GDPR, personal data is potentially commercially radioactive. The EU intends to send that message that if it is mishandled, you may go out of business. There are historical reasons (see, most of the 20th Century) why the EU takes the primacy of human dignity in data protection seriously. There’s no doubt that, with the coming into force of the General Data Protection Regulation, it intends that all the organisations doing business inside the EU take it just as seriously as well.



Why bother with the GDPR?

A line of CCTV cameras

Here is news that was not (to my knowledge) on RTE. Deep Root Analytics maintained a database on an estimated 62% of the population of the USA. It contains what is known as “sensitive” information on the population. It is being used to profile the US population.

The GDPR is designed to prevent the processing of exactly such a database as Deep Root Analytics possesses.

Companies like Deep Root Analytics believe that the information they have collected is theirs, not the data subjects. They believe that they can sell it and exploit it for their profit.

The GDPR is predicated on the rejection of those ideas.

Those ideas are, currently, default ideas with regard to personal data.

This is the reason why some companies and organisations doing business in the EU must go through a metamorphosis to comply with the GDPR.

This is the reason why the new Regulators of the GDPR will definitely apply the planned fines and penalties provided for in the GDPR.

Nothing but such penalties will bring about the GDPR revolution.

Spoiling the Ship

for a ha'pworth of tar

When the EU passed the GDPR as directly effective law it deferred the implementation of the GDPR for two years to allow organisations to make the necessary changes to comply with the law.

One year of that two year period has passed. Many companies and organisations have not even begun to make the necessary changes. For some of them, there is not now enough time to make the necessary changes to reach compliance by 25th May 2018.

There is a reasonable basis for making that judgment; those companies that did start early say they have been working on the issue for a year – and are still working.

Each company and organization will have to change internally. For some, it will be possible to do this in the remaining time. For others there is not enough time. However, even for those companies or
organisations it is best to make an effort; it will be taken into account in the application of fines. Those fines will be administrative fines or court fines.

Ireland is opting for court imposed fines for its public bodies. It plans to generally relieve its public bodies from administrative fines under the GDPR. So, in order to give proper effect to the GDPR, Ireland will have to take its miscreant public bodies to court in order to apply the necessary and appropriate fines. That will be more expensive than the administrative fines.

Perhaps the Government really loves lawyers and will go out of its way to benefit them?

GDPR; Getting ready for Privacy by Design

Privacy by design

Article 25 GDPR requires organisations to adopt privacy by design and by default. Generally, these will come as new principles in data protection implementation to many of the organisations obliged to adopt those principles before 25th May 2018. That’s the date the Regulation comes into force.

Failure to do this will be easily detected; under Article 30 GDPR organisations are obliged to establish and maintain a register of data processing activities. Implementation of privacy by design and by default should be recorded in the register. Failure to record will reveal a failure to comply, attracting a fine. A false record relating to Article 30 would constitute a crime attracting the penalties under the GDPR and those penalties are very severe (a fine of up to €10 million or 2% of annual global turnover).

Implementing security for personal data is essentially, a sub-set of privacy by design and by default. Data controllers and processors must implement appropriate technical and administrative measures to protect the personal data. Those measures must be
tested regularly to ensure their effectiveness.

Again, these steps and measures must be recorded in the register of treatment activities.

These are policies that can be expected to come from the highest level of authority in an organisation. The senior management of an organisation must make sure there is  enough time to comply with the GDPR before 25th May 2018. The EU provided a period of two years to become compliant; over 50% of that time is gone.

Many organisations are gearing their compliance projects up now. Data Compliance Europe can offer assistance in assessing where you are now, compared to what you need to be doing to be ready for GDPR. This sort of Gap Analysis should be one of the first steps taken in a GDPR project, as it will set out the roadmap for everything to follow.

GDPR: Is your business a Foinavon?

GDPR is a race to the finish

Less than one year from now every business holding (i.e., processing) personal data will have undergone a significant process of internal change or will, more likely than not, be in breach of the GDPR. The change process will have started at the top of the business and will have devolved downwards in the form of training (and other changes). With a considerable amount of work businesses can make the necessary changes. Those businesses that succeed in changing and adapting will survive, those that fail will not survive the effects of the GDPR fines and other losses in the form of compensation awarded in civil action claims from individual data subjects (the people who own the personal data).

The process of change will not be easy. It will not be quick.

Organisations can get help, to change, from Data Compliance Europe.

PS. Foinavon won the Grand National in 1967 at odds of 100/1. His rivals fell at the 23rd fence in a melee. He was well behind coming to the fence and managed to swing wide as he jumped, gaining a 30 length lead on his rivals.

GDPR; The Peril of holding data without good title

title deed

If you belong to some form of “circulating library” of personal data, less than one year from now you will encounter an excruciating dilemma. Under Article 14 of the GDPR you must notify the data subjects, whose data you have just received, of that fact and of your intentions with regard to the data. If you fail to do that you will be in breach of the Regulation. If you do it, the data subjects may direct you to delete it. If there is no legal basis for your possession of the personal data in the first place it is very likely that the data subject will report you to the regulator.

What is necessary to know is this; personal data will require to be accompanied by its “title deeds”. The ownership or right to possession of personal data, and the right of transfer, must be proved.

Possession of personal data will not be cheap. Receiving it might prove to be very expensive.

Phishing Fraud Warning

Phishing warning-
People are apparently receiving these emails purporting to be relating to McGarr Solicitors from a domain called They’re not from us. Don’t click them- just delete.

This is a phishing email, not from McGarr Solicitors

The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) comes fully into effect on 25th May

I suggest this soundbite to sum up the GDPR; “Nothing about me without me”.

The phrase is not new, it comes most recently from the UK National Health Service in the terms “No decision about me without me”.

Under the GDPR, processing of personal data (possession is processing) must be legal; it must be lawful. Each act of processing must be confirmed to be lawful and
documented. That means that organisations must show and prove compliance by
reference to records kept in relation to all personal data processing activities, specifying the purpose of the processing, the lawful basis for the processing, who the data subjects are, details of any recipients that the data may be shared with, retention policies and security measures taken.

An essential element of GDPR requirements is the obligation to have the data subject’s
consent to the processing. Forms of “consent” previously valid or sufficient may not suffice for the GDPR.

So, if an organisation cannot conform to a standard in the terms “Nothing about me
without me”, it will be acting illegally, as of 25th May 2018 if it processes personal data. Remember, possession is processing.

One Year Plus One Month

There is a revolution coming; in fact it has arrived. The revolution is favourable to persons, to individuals.

A person is, in principle, entitled to control of her data. If government or commercial interests wish to use that data they must comply with the General Data Protection Regulation (GDPR).

The GDPR is current law and comes into effect on 25th May 2018. That date represents a cliff-edge. That edge has been made more severe due to Brexit.

Brexit, as the UK has expressed it to date, is in principle a wish to evade EU laws (including the GDPR).

However, every UK-based entity/undertaking, the UK itself, will be exposed to the GDPR, subject to its provisions and obliged to comply with those provisions while it is processing the data of EU citizens.

Contemporaneous with that, every Irish entity, the Irish state itself, must ensure that any data sent to the UK from Ireland, the process of sending it, is in compliance with the GDPR. That may result in the necessity of stopping data flows to the UK, in order to avoid triggering a breach of the GDPR in Ireland.

Breach of the GDPR will expose entities to considerable penalties in the form of fines. Undertakings are exposed to the possibility of being fined up to €20 million or 4% of annual global turnover, whichever is the higher.

Undertakings in Ireland, holding data, may not hold that data unless the data was obtained fairly. The concept of fairness carries the obligation to give detailed information about how data is processed, the grounds being used to justify processing data, (just holding data is “processing”), what rights individuals have to access, delete and “port” data, and object to processing.

There is a lot to do.


“Brexit” is a neologism and a portmanteau word. It is one we have become familiar with in recent months. I doubt it is in any dictionary, being too new.

Nevertheless, looking things up in dictionaries can be useful, even though you can’t find the word you are searching for. In connection with Brexit, “nominalism” is worth a look, about which my dictionary commences – “… a denial of the existence of abstract entities of any kind…”.

Brexit is surely an abstraction, currently lacking a definition, but a complete refutation of nominalism.

Of lesser weight, but still significant, is a common error of grammar heard from Ernie Wise on the BBC in 1987; “Everyone got used to the image of Eric and I”.

Ernie was handicapped by the absence of helpful books on grammar in bookshops. There are books on grammar in bookshops but they are not helpful.

The New Yorker once featured a cartoon showing a cop writing a “traffic ticket”. The malefactor is driving a van with “ME AND WALLYS PRODUCE” on the side. The cop is saying; “Sorry, but I’m going to have to issue you with a summons for reckless grammar and driving without an apostrophe”.

Words matter.