Skillnet Breakfast Briefing on GDPR

David Cooney 20.07.2017

Part Two Consent, Consent, Consent!

Due to the detailed content delivered at the recent GDPR briefing at the Minella Hotel, Clonmel, it was appropriate to split my takeaways across two separate blogs. This event was facilitated by Clonmel Chamber, Skillnet and Hugh J. Ward & Co., and kindly sponsored by Unitec.

Following advice from the team at ESET on safe retention of sensitive data, we heard about the various legal ramifications of non-compliance with GDPR's incoming legislation from Paula Carney-Hoffler, Client Credit Risk & Compliance Officer with Hugh J. Ward & Co. and Director of Regulatory Affairs, Irish Institute of Credit Management.

Interestingly, she outlined the history of data protection: it was first introduced in response to Hitler's use of census data during WW2, to devastating effect on human rights, and to the drift towards the Cold War, which together prompted the very first laws around data protection.

Subsequent acts were initiated in the form of directives from Europe, such as the "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" (Treaty 108) of 1981. This led to the birth of the Irish Data Protection Act 1988. The European Data Protection Directive 95/96/EC (Article 32) of October 1995 then brought forth the Data Protection Amendment Act 2003.

However, the incoming changes due in May 2018 will be the most radical seen since the initial laws were implemented, and will be a complete shift in how data is managed and used going forward. It is a cultural change and requires a shift in thinking and action for all businesses.

She outlined that a Data Privacy Officer is required for businesses with 250+ employees, those holding large volumes of personal data, those that process particularly sensitive data, or those required by law to have one, such as public bodies. This function can be outsourced, but the business will still require a point of contact with regard to data management.
Should a SAR (Subject Access Request) be made, the company is obliged to respond within 30 days, which calls for a transparent, traceable system that ensures compliance in every element of handling personally identifiable data.

Should a company find itself legally challenged by any natural person affected by mismanagement of their data, this will be handled by the courts. Additionally, there are substantial fines for companies that breach the regulations: as high as 4% of worldwide turnover or €20 million, whichever is the greater, or 2% of worldwide turnover or €10 million, whichever is the greater. The intent is that enforcement be effective, proportionate and dissuasive.

Her advice around every item of communication found to be personally identifiable is: Consent, Consent, Consent. A general tick-box of consent is no longer sufficient; a data subject is entitled by law to know what they are consenting to. The onus is on the business to prove that consent was obtained in a fair and transparent manner. Nor is it acceptable to provide reams of lengthy, detailed content to cover the use of personal data. What is required is clear, concise, simple language, with no ambiguity around the proposed use of personal information.

It is imperative that companies prepare for this monumental shift in how data is handled, and address their internal GDPR readiness.

Many companies are hosting information events around GDPR, including a recent breakfast event at the Morgan McKinley Dublin office.

Our team is committed to protecting your private information and to assisting our clients, where possible, by supplying you with up-to-date knowledge of your responsibilities.

Associate Director
dcooney@morganmckinley.ie