Data Protection and GDPR
Madden Law has a lot of experience in dealing with Data Protection and GDPR
GDPR Compliance & Data Law Services
Data law changed recently with the GDPR, which was enacted in Ireland under the Data Protection Act 2018. This legislation is wide-reaching, and organisations should be aware of and comply with their obligations.
We provide a full range of services to ensure your organisation complies with the new data protection requirements.
We can ensure compliance with:
- Data Inventory
- Privacy Statements For Websites And Employees
- Data Protection Impact Assessments
- Subject Access Requests
- Data Controller Contracts
- Data Processor Contracts
- Outsourced Data Protection Officer
- Data Law Litigation
Frequently Asked Questions about Data Protection and GDPR
From May 25th, 2018, GDPR will be in force.
It obliges controllers of personal data to process the data lawfully, fairly, and transparently. It compels the controller to collect the data for a specified purpose, which must be communicated to the data subject in a concise and clear manner.
The controller cannot collect data that is excessive, nor hold it for longer than is necessary. The controller must have appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing and against accidental loss of or damage to the data.
GDPR applies to all personal data which is wholly or partly automated.
This means that all information held on a computer or by other electronic means is covered. This includes data that will be processed by automated means. It also applies to personal data that forms part of a filing system or is intended to form part of a filing system. This includes paper or other manual records.
GDPR applies to documents in a filing system that is structured in a way that allows access to personal data, whether easily or not.
If a filing system appears unorganised but a member of staff can locate a document within it by reference to an internal system, then this data comes under the scope of GDPR, even though at first glance the information may not appear to be in a structured filing system.
Personal data is any information that relates to an identified or identifiable natural person. This means that data belonging to a deceased person or a corporate entity is not personal data.
However, the data of a deceased person may be the personal data of the next of kin of the deceased person. Similarly, information about people in a corporate entity will be personal data. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
The person must be capable of being identified from the data in question. This will depend on the type of processing by the organisation. When considering if the person is identifiable, the organisation must take into account all of the information under its control. If personal data is being published, a controller must consider the information that is already in the public domain, which may identify the data subject.
Again, processing is very broad.
It includes collecting, recording, organising, structuring or storing data.
It includes adapting, altering, using, disclosing, restricting, erasing and destroying data. GDPR compels a controller to make a record of all data processing activities.
Direct marketing means marketing, through any media, which is sent directly to a particular person. It is, therefore, processing of that person’s personal data.
It does not include junk mail or mail sent to the occupier of a premises.
To fall within the remit of direct marketing for GDPR purposes, you do not have to be selling a product or service. It includes promoting views or a campaign.
So even if you are using personal data to elicit support for a good cause rather than selling goods, you are still carrying on direct marketing under GDPR.
You must comply with all GDPR requirements in relation to all direct marketing communications sent by any media. The controller of the data must have a legitimate reason for processing the data.
The data subject must be given the right to require the controller to cease the direct marketing.
Yes, there are two options available, which are subject to conditions being satisfied.
The first is the “soft opt-in” option. This applies where your organisation has obtained the recipient’s contact details “in the context of the sale of a product or service”.
This applies to marketing by electronic mail, which includes e-mail, text, picture or video messages, mobile internet messages and voicemail.
Four requirements must be met to comply with the “soft opt-in” option:
- the product or service you are marketing is of a similar kind to that sold to the customer at the time their contact details were obtained. This excludes the marketing of third-party products.
- at the time of collecting the personal details, you gave the customer an easy and free opt-out option for the use of their personal data for marketing purposes.
- each time a further marketing message is sent, details of the opt-out are provided.
- the sale of the product or service was within 12 months of the direct marketing.
The second option is to obtain prior consent.
Consent to marketing may involve:
- clicking an icon
- sending an email
- subscribing to a service.
The customer must knowingly indicate consent by opting in. A pre-ticked box which requires the customer to untick it is not valid consent.
Data collected must not be excessive.
You need to:
- make it plain that the recipient can unsubscribe
- have a system of registering choices
- check the National Directory Database Opt-Out Register