What do the new EU data protection rules mean for you?

25 May willbe an important day in the history of this country for more than one reason.

Not onlywillIreland decide whether to keep or repeal the Eighth Amendment to the Constitution, but itwillalso get sweeping new data protection rules.

The General Data Protection Regulation (GDPR) represents the biggest overhaul of data protection standards this country and the wider EU has seen since 1995, putting new responsibilities on those gathering, processing and storing data, and handing back power to those who own it.

So what does it all mean for you (apart from extra traffic through your email inbox as organisations scramble to get your permission to hold your data, which they probably should never have been gathering in the first place)?


GDPR is all about personal data -that is any information relating to an identified or identifiable person i.e. you or me or the guy next door.

This could mean the details you gave a social network when setting up your account, emails you store in the cloud, the medical forms you, as coach, got parents to fill in for their children at the start of GAA training this season, the HR file that your employer holds on you, etc.

The list of potential examples is vast, but you get the idea.

GDPR first of all makes anyone who holds your personal data more accountable.

In other words, they must put in place the appropriate technical and organisational measures to ensure that information is gathered, held and processed according to the new rules.

But further still, they must also be able to demonstrate they have done this, by designing privacy into everything that involves personal data each and every time, by abiding by codes of conduct and by getting certification where possible.


They also need to be transparent and clear in explaining how they process your data.

That should mean no more long, legalese-laden, impenetrable and boring (well maybe theywillstill be a bit boring) terms of service, or terms and conditions that you tick instinctively as your eyes begin to glaze over.

In particular, where children are concerned those explanationswillhave to be really clear.

It also means a person or organisation gathering your datawillhave to be clear about why they are doing this, what the legal basis for doing so is, whowillreceive the data, howwillit be moved around, how long it can be held for, your rights to access or change it, etc.

That should help stop some of the misuse and abuse of data we’ve been hearing about recently, where information is purportedly being gathered for one reason but is actually being moved and used for something else.


One of the most important aspects of the new rules for consumerswillbe around notifying users and authorities when the security of data is breached.

Under the GDPR the "supervising authority", in our case the Office of the Data Protection Commissioner (ODPC),willhave to be told within three days if private personal data is lost or stolen or exposed in any way.

So in other words, if an internet company gets hacked for example and user data is taken, the companywillhave 72 hours from when it realises this to tell the regulators.

Itwillalso have an obligation to tell its users, in circumstances where the breach puts them at a high risk.

That’s all positive because under the current rules, disclosing the loss of personal data is voluntary, and so it is suspected the vast majority of data breaches are never reported, leaving users at risk of all sorts of problems such as identity theft, fraud or damage to their reputation.

The only real exception to the new rule is that if by telling authorities the rights and freedoms of the people concerned are put at risk, then a breach does not have to be notified.


Consent is a big issue when it comes to many data dependent products and services.

Under GDPR a person must give their consent to their data being harvested and processed "by a statement or by a clear affirmative action".

And the consent must be informed, freely given and clear.

This is another good development as often it is not entirely clear to people what they are consenting to and often this lack of clarity is used by organisations holding the data to gather more than necessary or use it for more than the user ever intended.


People have always had some rights when it came to the protection and privacy of their data, like for example, the right to see what data is being stored that concerns them and to request that it be deleted -the so-called "right to be forgotten".

But often these have been poorly defined, are not extensive enough or are not enforced.

So the GDPR enshrines a whole plethora of powers in law to help the ordinary citizen.

These include a right to access personal data held by a person or organisation about them, a right to move, erase or rectify data, a right to be informed and a right to object to or even restrict the processing of that information.

The rights aren’t completely in favour of the individual -the controller of the data has rights too, and the individual has responsibilities.

But in general, provided the user can prove they have a justifiable reason to have their rights vindicated, then theywillwin out.

For example, if a person decides they want to restrict or stop a state body from processing data related to them, they can do this if the processing of the information breaks the law, the data is no longer needed by the body or the data is inaccurate.

Or if a person wants to move their data to a different company because they think they might provide a better service, there is a provision for them to do this without being impeded by the company they wish to remove the data from.


Until now, many experts have argued that regulators were pretty toothless when it comes to enforcing data protection law.

Through GDPR that is all about to change.

Because itwillgive regulators like the ODPC the ability to fine organisations that break the rules up to €20 million or 4% of global turnover for the preceding financial year.

For a small business, club or voluntary body that could be the difference between surviving and not.

For a large company such as Google or Facebook, the hit to the bottom line and by extension shareholders could be enormous.

Google’s parent company Alphabet, for example, had a turnover of $110bn in 2017.

That could mean a fine for a significant breach of up to $4.4bn -not exactly small change.

No surprise then that there has been such a flurry of activity around data protection in recent weeks and months, as companies and other bodies try to get their houses in order.

Is everyone ready? Realistically, probably not. But surveys have shown awareness levels are high.

Indeed, how could they not be with so much focus on the issue of data protection of late.

And so woe-betide those who through their own ignorance, laziness or stupidity have ignored all the warnings.

Because when it comes to GDPR, hard caseswillmake for good law.

EUdataprotectionrules Ireland
If you notice an error, highlight the text you want and press Ctrl + Enter to report it to the editor
I recommend
No recommendations yet


Post your comment to communicate and discuss this article.

Two people have been arrested following a stabbing incident in Dublin city centre. The incident happened on Essex Quay at around 4.40pm. A man aged in his late 20s was treated at the scene and taken to St James's Hospital with non-life threatening injuries following the incident. A man and woman, both aged in their 20s, were arrested at the scene and are being detained at Pearse Street Garda Station. Gardaí sealed off part of the south quays for several ho...
A kitchen went up in flames yesterday after some Christmas decorations were left on top of a microvwave. The Dublin Fire Brigade had to be called to quell the flames after tinsel caught fire having been left over a mircowave. Firefighters have warned others to be more careful with their decorating saying the tinsel was placed over the microwave's vent causing it to go up once the machine was turned on. They said: "Yesterday, Firefighters attended a kitchen...
A Dublin mother is extremely concerned for the welfare of her 15-year-old son after he never came home from the shop yesterday. Aleksejs Snitko went to the Tesco shop in Balbriggan yesterday, Saturday December 9 at around 4.30pm. His mother Iveta told Dublin Live that when her son left the home, he was wearing light grey basketball shoes, tight sport trousers and a warm navy jacket with a hoodie. He was also carrying a black and blue Puma school bag. The t...
A man and woman were arrested following a stabbing incident that left Dublin city centre on lockdown on Sunday evening. The pair were taken to Pearse st station after another man in his early 20s was hospitalised with 'non-fatal injuries'. It is believed a fight spilled out onto the road with one witness telling Dublin Live that she thought the man was going to be "throw him into the river". She said: "They stopped the traffic while they were fighting that...
The final report into the marine tragedy in which Doolin-based volunteer coastguard crew member Caitríona Lucas died in 2016 is critical of safety aspects of the operation. It concluded that the Delta Rigid Inflatable Boat that capsized was launched in conditions that were outside the operational limits of the vessel and that there were deficiencies with its communications and navigational equipment. Ms Lucas, a 41-year-old mother-of-two living in Liscanno...
A software development company is to create 85 jobs in Galway over the next 12 months. MathWorks says the expansion will lead to the recruitment of candidates with sales, service, marketing or administrative skills. It hopes to hire 20 people immediately with the remaining 65 roles being filled in 2019. The company opened an office in Galway two years ago. It provides sales and services support throughout Europe, the Middle East and Asia, with staff operat...
A woman was allegedly sexually assaulted by a taxi driver in North Dublin on Saturday night. The woman, believed to be in her 30s, had been picked up by a registered taxi from the Main Street in Malahide after socialising in the area and was heading in the Swords direction. It is believed after the taxi driver dropped off the other people in the car, the alleged victim was left alone with the driver for a stretch of road. The taxi driver then allegedly sex...
A man was yesterday convicted of assaulting and injuring his neighbour by “continuously punching and head-butting him”. Peter Lambe, 50, was found guilty of assaulting 62-year-old Gerard Furlong after he pinned the grandad to the ground and left him bloodied and bruised. The victim, who said he is still in constant fear, suffered serious facial injuries during the frenzied attack on March 4, 2016, which came after ongoing disputes. Mr Furlong described how...
The long-suffering father of Trevor Deely has told how he refuses to abandon his dream that his missing son will one day walk back through the front door of his family home. Heartbroken parents Michael and Ann Deely have endured yet another agonising year in which not one single lead has emerged into their youngest son’s baffling disappearance. But speaking on the eve of the 18th anniversary of the last sighting of the then-22-year-old, resolute Michael sa...