Data protection now a mainstream concern for business

PAUL LAMBERT

In the not too distant past very few organisations would have heard of data protection. While personal and informational privacy were always prized, the intricacies of this new area of law and rights were viewed by many organisations and practitioners as a niche issue outside of their day-to-day activities.

That day has gone. Data protection affects all organisations and all individuals in Ireland every day. Compliance by organisation is a requirement of Irish and EU law.

Individuals and in particular users of technology are increasingly aware of the value of their personal informational privacy. However, recent instances of data loss and overly aggressive marketing reiterate that there is still a lot to be done in terms of appraising and addressing the risks associated with certain electronic and online personal data in certain organisations. This is particularly so for smaller and non-profit organisations.

Data loss
Recent data loss and data breach incidents, and the escalating nature of hacking, sometimes involving tens of millions of users, bring focus to the importance of data protection and data security. Sony for example has been fined £250,000 in relation to data loss incidents involving 85 million of its users.

Current EU data protection law was enacted in 1995 when no one could have predicted the myriad of activities now accessible on the internet. The ever changing sophistication of online business models and of new opportunities for data collections and data processing activities bring new challenges to the data protection regime.

This, in part, is the reason for the EU proposals to overhaul the 1995 Data Protection Directive with a new, directly applicable, EU-wide Data Protection Regulation. The data protection regime will be wholly transformed.

The import and scope of data protection is vast indeed. Practically every organisation has data protection obligations. These will vary depending on what the organisation is doing, the sector, its size, whether it is commercial or non-profit, the types and categories of personal data being collected and processed, for what purposes, and contingent upon the nature of the risks of misuse, disclosure or loss of the data.

New obligations
However, while expanded and new obligations arise via the new regulation, certain rules remain at the core of data protection compliance. These include the principles and legitimising processing conditions which must be complied with when collecting and using personal data from customers, prospective customers and users. Equally, how an organisation goes about compliance will differ depending upon whether the organisation is considering internal data protection issues, such as employees, or looking outwards at customers, users and prospects.

The range of issues and concerns which arise in data protection have also increased significantly since 1995. These can range from advertising, marketing, online behavioural marketing to social networking.

Other issues which raise compliance issues for organisations include, for example:

the enhanced role of data protection officers within organisations;

increased litigation;

reporting of data loss and data breach incidents;

increased operational and management responsibilities for dealing with data protection within the organisation;

personal liability issues for officers of the organisation when something goes wrong with the organisation‘s data protection compliance;

international transfers. There is a default ban on international transfers of personal data, unless one of a specific number of exemptions can be triggered. There are new transfer solutions relating to Binding Corporate Rules (BCR) and the transfer of airline passenger personal data - which can be contentious;

children and their personal data. Children are explicitly referred to for the first time in the new proposed regulation;

social networking and related websites and the host of personal data issues they create;

cloud computing and issues of who owns the data, who can access it and if it is secure;

the

rights of individual data subjects, such as access rights, deletion rights, enhanced right to be forgotten;

the rights of individuals to seek

remedies from the courts or the Data Protection Commissioner‘s Office;

online safety and online abuse.

Organisations are not immune from these issues, as their employees can be engaged in online abuse with acts of creation, endorsement and promotion. There has been a lot of recent publicity, as well as an unprecedented amount of lobbying, in relation to the new proposed EU Data Protection regulation.

However, there is less publicity surrounding the EU proposal for a new directive dedicated to network and information security.

Security is an essential component of good data protection compliance. Organisations must have internal access controls to personal data within the organisation.

Organisations will have to deal with and properly appraise themselves of the new and developing data protection rules - in particular the interface of employees and social networking. The message is that data protection compliance is an important obligation, and that non-compliance can have many adverse consequences for organisations - be they large or small.

The balance is that good compliance can be a positive benefit to the organisation in more ways than one.

Paul Lambert, solicitor and adjunct lecturer, is author of Data Protection Law in Ireland: Sources and Issues , Clarus Press, Dublin 2013 ( claruspress.ie)