Technology is a useful Servant but a dangerous Master
Christian Lous Lange, Norwegian politician in 1930
SOURCES OF DATA PROTECTION LAW AND THE EMERGENCE OF GDPR
In the United States the legal discussion in relation to data protection is frequently linked to Warren & Brandeis’s 1890 article entitled “The Right to Privacy”, published in the Harvard Law Review. Arguably, data protection is the modern coalface of the debate in relation to privacy and privacy protection. “The Right to be let alone.” In the European Union there were three differing views that could be broadly categorized as (i) a Common Law approach, (ii) a Scandinavian approach, and (iii) a German approach. The EU proposed Directive 95/46 to stop the divergence of these approaches and in reality to ensure that privacy protections did not interfere with the single market.
What is GDPR?
GDPR came into force on the 25th of May 2018 and was drafted in response to calls for reform of existing Data Protection Laws, having been proposed by the European Commission in 2012. The GDPR revamped and overhauled the existing Data Protection laws in Ireland and repealed previous legislation in this regard, namely the Data Protection Acts 1988 & 2003. The GDPR was designed to modernize laws that protect the personal information of individuals.
The GDPR places absolute importance on the right of an EU Citizen with respect to their personal data. The GDPR imposes certain requirements on businesses in terms of how they collect, use, store and delete your personal data or sensitive personal data. Businesses are obliged to make sure your data is accurate, up to date and available to you. More importantly it is incumbent on the business to only use your personal data or sensitive personal data for its intended purposes. If your data is no longer needed for its intended purpose, it must be deleted.
If your Medical advisors, Gym or favourite Airline shares, profits from or misuses your personal data or sensitive personal data, you may be entitled to compensation.
How do I know if my Personal data has been breached?
Any business that has committed a GDPR “data” breach must notify those affected. A breach may be communicated by traditional means or through the media or the company website. You may also be made aware of a data breach through a third party. A personal data breach can range from unwelcome and unsolicited correspondence from those businesses offering services to identity theft and fraud on your bank account. Nowadays your personal data is incredibly valuable to businesses. If a business holds, uses or benefits from your personal data or sensitive personal data it is their legal obligation to make sure that data is fully protected from all potential breaches. Further, they must only use that data for its intended purposes and those purposes should have been made clear to you. It is clear from recent media reports that unfortunately many businesses are not complying with their legal obligations. It would appear that in many cases businesses are processing your valuable personal data and sensitive personal data for their own benefit regardless of how you intended it to be used.
How does GDPR help?
GDPR provides for significant penalties for Data Controllers and Data Processors in the event of a data breach i.e. a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. To date the biggest fine went to British Airways, which was ordered to pay $225.16m for a data breach which saw financial details and sensitive personal information of its customers obtained by hackers over a two-week period.
Under GDPR you have the following rights:
- Right to be informed as to how your personal data is being processed;
- Right to obtain a copy of any information relating to you kept on computer or in a structured manual filing system;
- Right to receive a copy of all data held by a Data Controller within one month of the request being received;
- Right to rectification of data;
- Right to be forgotten, meaning the right to obtain from the Data Controller the erasure of personal data without undue delay;
- Right to restrict further processing of your personal data where specified grounds arise; and
- Right to object to processing.
If an individual is not satisfied with the response they receive from the Data Controller, they may make a complaint to the Data Protection Commissioner or institute legal proceedings.
At Conor McLaughlin & Associates our experienced Solicitors will guide you in enforcing your rights, such as pursuing Data Controllers who have breached your rights under GDPR. We have the knowledge and experience to advise on all aspects of Data Protection. We can advise you on how to make a request under GDPR along with making complaints to the Data Protection Commissioner.
The above article is one of a series of bi-monthly legal articles drafted by Conor McLaughlin, Solicitor and Principal at Conor McLaughlin & Associates. They do not constitute legal advice and should not be acted upon without seeking legal advice particular to your set of circumstances. Conor McLaughlin & Associates have offices in Letterkenny and Bundoran, County Donegal. For further information on the above or any other legal issues you may have, please contact us on TEL: 071 984 1322, Email: [email protected] or at www.cmclassociates.com