What do the new EU data protection rules mean for you?

25 May willbe an important day in the history of this country for more than one reason.

Not onlywillIreland decide whether to keep or repeal the Eighth Amendment to the Constitution, but itwillalso get sweeping new data protection rules.

The General Data Protection Regulation (GDPR) represents the biggest overhaul of data protection standards this country and the wider EU has seen since 1995, putting new responsibilities on those gathering, processing and storing data, and handing back power to those who own it.

So what does it all mean for you (apart from extra traffic through your email inbox as organisations scramble to get your permission to hold your data, which they probably should never have been gathering in the first place)?


GDPR is all about personal data -that is any information relating to an identified or identifiable person i.e. you or me or the guy next door.

This could mean the details you gave a social network when setting up your account, emails you store in the cloud, the medical forms you, as coach, got parents to fill in for their children at the start of GAA training this season, the HR file that your employer holds on you, etc.

The list of potential examples is vast, but you get the idea.

GDPR first of all makes anyone who holds your personal data more accountable.

In other words, they must put in place the appropriate technical and organisational measures to ensure that information is gathered, held and processed according to the new rules.

But further still, they must also be able to demonstrate they have done this, by designing privacy into everything that involves personal data each and every time, by abiding by codes of conduct and by getting certification where possible.


They also need to be transparent and clear in explaining how they process your data.

That should mean no more long, legalese-laden, impenetrable and boring (well maybe theywillstill be a bit boring) terms of service, or terms and conditions that you tick instinctively as your eyes begin to glaze over.

In particular, where children are concerned those explanationswillhave to be really clear.

It also means a person or organisation gathering your datawillhave to be clear about why they are doing this, what the legal basis for doing so is, whowillreceive the data, howwillit be moved around, how long it can be held for, your rights to access or change it, etc.

That should help stop some of the misuse and abuse of data we’ve been hearing about recently, where information is purportedly being gathered for one reason but is actually being moved and used for something else.


One of the most important aspects of the new rules for consumerswillbe around notifying users and authorities when the security of data is breached.

Under the GDPR the "supervising authority", in our case the Office of the Data Protection Commissioner (ODPC),willhave to be told within three days if private personal data is lost or stolen or exposed in any way.

So in other words, if an internet company gets hacked for example and user data is taken, the companywillhave 72 hours from when it realises this to tell the regulators.

Itwillalso have an obligation to tell its users, in circumstances where the breach puts them at a high risk.

That’s all positive because under the current rules, disclosing the loss of personal data is voluntary, and so it is suspected the vast majority of data breaches are never reported, leaving users at risk of all sorts of problems such as identity theft, fraud or damage to their reputation.

The only real exception to the new rule is that if by telling authorities the rights and freedoms of the people concerned are put at risk, then a breach does not have to be notified.


Consent is a big issue when it comes to many data dependent products and services.

Under GDPR a person must give their consent to their data being harvested and processed "by a statement or by a clear affirmative action".

And the consent must be informed, freely given and clear.

This is another good development as often it is not entirely clear to people what they are consenting to and often this lack of clarity is used by organisations holding the data to gather more than necessary or use it for more than the user ever intended.


People have always had some rights when it came to the protection and privacy of their data, like for example, the right to see what data is being stored that concerns them and to request that it be deleted -the so-called "right to be forgotten".

But often these have been poorly defined, are not extensive enough or are not enforced.

So the GDPR enshrines a whole plethora of powers in law to help the ordinary citizen.

These include a right to access personal data held by a person or organisation about them, a right to move, erase or rectify data, a right to be informed and a right to object to or even restrict the processing of that information.

The rights aren’t completely in favour of the individual -the controller of the data has rights too, and the individual has responsibilities.

But in general, provided the user can prove they have a justifiable reason to have their rights vindicated, then theywillwin out.

For example, if a person decides they want to restrict or stop a state body from processing data related to them, they can do this if the processing of the information breaks the law, the data is no longer needed by the body or the data is inaccurate.

Or if a person wants to move their data to a different company because they think they might provide a better service, there is a provision for them to do this without being impeded by the company they wish to remove the data from.


Until now, many experts have argued that regulators were pretty toothless when it comes to enforcing data protection law.

Through GDPR that is all about to change.

Because itwillgive regulators like the ODPC the ability to fine organisations that break the rules up to €20 million or 4% of global turnover for the preceding financial year.

For a small business, club or voluntary body that could be the difference between surviving and not.

For a large company such as Google or Facebook, the hit to the bottom line and by extension shareholders could be enormous.

Google’s parent company Alphabet, for example, had a turnover of $110bn in 2017.

That could mean a fine for a significant breach of up to $4.4bn -not exactly small change.

No surprise then that there has been such a flurry of activity around data protection in recent weeks and months, as companies and other bodies try to get their houses in order.

Is everyone ready? Realistically, probably not. But surveys have shown awareness levels are high.

Indeed, how could they not be with so much focus on the issue of data protection of late.

And so woe-betide those who through their own ignorance, laziness or stupidity have ignored all the warnings.

Because when it comes to GDPR, hard caseswillmake for good law.

EUdataprotectionrules Ireland
If you notice an error, highlight the text you want and press Ctrl + Enter to report it to the editor
I recommend
No recommendations yet


Post your comment to communicate and discuss this article.

Housing and homeless agency Novas, which works with vulnerable individuals and families in Limerick and the mid-west, has said it helped over 4,500 people last year. In its annual report released today, it warns of the worrying trend that those becoming homeless are getting younger. Novas works with homeless people, and those at risk of becoming homeless, in Limerick, Kerry and Tipperary. The escalation of the homelessness crisis, coupled with more people...
Irish baby name trends have taken a such a drastic turn in the past century some are becoming extinct, research has revealed. While some new entries gained traction in recent years, there are still timeless favourites that soar high on the popularity scale. The Ancestry.ie survey identified Adam and Harry as the favourite names among boys, seeing a 1,396% and 979% percentage increase since 1917 respectively. They are followed by Luke, Aidan and Mark to for...
One person was hospitalised after a crash between a horse and carriage and a car overnight. Two fire engines and an ambulance were called after the crash at 2:30am on the junction of Eccles Street and Dorset Street. The man at the helm of the cart was brought to hospital although his injuries were not believed to be serious. The horse bolted for about 100 metres after being startled by the crash but was uninjured. The carriage however received heavy damage...
A grieving Dublin woman said she is still in shock that her elderly mother died from spilling a cup of tea. Daphne Anderson (91) - originally from Glasnevin - died from sepsis, which she contracted in hospital while being treated for scalding injuries. Daphne's daughter Audrey told The Herald that her mother had been fit and active prior to the injury. She said: "My mother was fit and in good health. I can't believe that spilling a cup of tea could have ki...
Passengers were left frustrated at the weekend as Aer Lingus was forced to cancel two flights at late notice. People hoping to fly to JFK Airport in New York on Saturday afternoon were angered when the flight was cancelled. Aer Lingus flight EI109 was due to leave Dublin for JFK at 4:10pm but was cancelled just hours before. Many holiday-makers were sat in the airport at the time waiting for information when the news broke the flight would not be in operat...
Vandals who set fire to two taxis over the past four days in Crumlin have been condemned as "scumbags". One cab was burnt out on Friday night, followed by another this morning. The Dublin Taxi Drivers Facebook page shared images of the destroyed vehicles this afternoon and urged people in the area to be aware of any suspicious behaviour. In the post, the group wrote: "Two taxis burnt down in Crumlin, Friday night and one this morning on Sundrive road! "Be...
A society in a Dublin college has been suspended from all social activity for a semester after videos emerged of members getting naked and partaking in "frat style games". DCU's Accounting and Finance Society hosted an election for their first year reps in which students were allegedly performing "nude acts" as well as being told to complete "challenges". In a statement tonight, the society said they will "ensure this does not happen again" and apologised...
Despite the potential operation, Terry claimed that she is not expected to be given accommodation for at least another six months. A former soldier who is homeless and has been living in her car in Dublin has revealed she will be bed-bound for five weeks after an upcoming operation Terry O’Reilly said last week that she has been living in her car in Shankill for more than a year. The 34-year-old has now revealed that she is facing an operation to address n...
A teen who threatened to "shoot up" his Balbriggan school is unlikely to face charges, it has been revealed. He was arrested yesterday after making the threatening message and posting a picture of a gun. The 16-year-old is suspected of having a grudge and was arrested and questioned before he was released at midday yesterday. The boy uploaded a twisted message online, insisting: “Don’t come in tomorrow if you have any regard for your life, you’ve been warn...