The main Irish legislation pertaining to Data Protection is the Data Protection Act 1988. This Act was amended by the Data Protection (Amendment) Act 2003. This amended Act brought Irish law in line with EU Data Protection Directive 95/46/EC.
The EU General Data Protection Regulation (GDPR) came into force on 25th May 2018 and replaces the current Data Protection Directive 95/46/EC. It marks significant change in the EU Data Protection regime. The GDPR significantly increases the obligations and responsibilities in how we will collect, use and protect personal data. At the centre of the new law is the requirement for us to be fully transparent about how we are using and safeguarding personal data and most importantly to be able to demonstrate accountability and compliance for our data processing activities.
New requirements being introduced relate to:
- consent,
- breach notification,
- transparency,
- accountability
- appointment of data protection officers
This means that we as an organisation will have to revise all our policies and operational procedures on an ongoing basis to ensure we are compliant. The changes brought about by the GDPR particularly the increased burden relating to compliance and higher sanctions being imposed emphasise the need for us to review and enhance our existing practices, policies and record keeping as we have to be able to demonstrate our compliance when called upon to do so.
As a result of the foregoing, Dundalk IT has established the following high level principles relating to Data Protection in order to comply with GDPR requirements:
- Personal Data shall only be processed fairly, lawfully and in a transparent manner (Principles of Lawfulness, Fairness and Transparency)
- Personal Data shall be obtained only for specified, explicit, lawful and legitimate purposes and shall not be further processed in any manner incompatible with those purposes (Principle of Purpose Limitation)
- Personal Data shall be adequate, relevant and limited to what is necessary in realtion to the purposes for which they are processed (Principle of Data Minimisation)
- Personal Data shall be accurate, and where necessary kept up to date (Principle of Accuracy)
- Personal Data shall not be kept in a form which permits identification of a data subject for longer than is necessary for the purposes for which the personal Data are processed (Principle of Data Storage Limitation)
- Personal Data shall be processed in a secure manner which includes having appropriate technical and organisational measures in place to:
(i) prevent and/or identify unauthorised or unlawful access to or processing of Personal Data and
(ii) prevent accidental loss or destruction of or damage to Personal Data (Principles of Integrity and Confidentiality)
Further information on Data Protection can be gained from the Data Protection Commissioner’s office on www.dataprotection.ie Additionally all legislative Acts pertaining to Data Protection as noted above can be viewed by logging on to the Data Protection Commissioners website.
The Data Protection Commissioner’s Office has launched a GDPR specific website which issues guidance and help to individuals and organisations to help them become more aware of their rights and responsibilities under the GDPR. You can access it by logging on to www.GDPRandYou.ie.
Useful Links
Data Protection Commissioner - www.dataprotection.ie
DkIT Computer Services Policies and Procedures