The General Data Protection Regulation, or GDPR, is a European Union law reinforcing the rights of citizens concerning the confidentiality of their information, and confirming that they own it. We thought it would be interesting to examine the GDPR, effective 25 May 2018, from an Irish citizen’s perspective. This article is a summary of information on the Data Protection Commissioner’s website, but as viewed through a businessperson’s lens.
How the Office Defines Data Protection
The Office believes that organisations receiving personal details have a duty to keep them private and safe. This applies inter alia to information that individuals supply to government, financial institutions, insurance companies, medical providers, telecoms services, and lenders. It also applies to information provided when they open accounts.
This information may be on paper, on computers, or in video, voice, or photographic records. The true owners of this information, the individuals, have a right:
- To make sure that it is factually correct
- To the assurance that it is shared responsibly
- To the assurance that all with access use it only for stated purposes
Any organisation requesting personal information must state who they are, what the information is for, why they need to have it, and to whom else they may provide it.
Consumer Rights to Access Their Personal Information
Private persons have a right under the GDPR to a copy of all their information held or processed by a business. The regulation refers to such businesses as ‘data controllers’ as opposed to owners, which is interesting. They have to provide both paper and digital data, and ‘related information’.
Data controller fees for this are discretionary within limits. The request may be denied under certain circumstances. The data controller may release information about children to parents and guardians, only if it considers a minor too young to understand its significance. Other third parties such as attorneys must prove they have consent.
Consumer Rights to Port Their Data to Different Services
Since the personal information belongs to the individual, they have a right not only to access it, but also to copy or move it from one digital environment to another. The GDPR requires this be ‘in a safe way, without hindrance to usability’. One application could be a banking client who wants to upload their transaction history to a third-party price comparison website.
However, the right to data portability only applies to data originally provided by the consumer. Moreover, an automated method must be available for porting. Data controllers must release the information in an open format, and may not charge for the porting service.
Consumer Rights to Complain About Personal Data Abuse
Individuals have a right under the General Data Protection Regulation to have their information rectified if they discover errors. This right extends to an assurance that third parties know about the changes, and to knowing who these third-party entities are. Data controllers must respond within one month. If they decline the request, they must inform the complainant of their right to further remedial action.
If a data controller refuses to release personal information to the owner, or to correct errors, then the Data Protection Office has legal power to enforce the consumer’s rights. The complainant must make full disclosure of the history of their complaint, and the steps they have taken themselves to attempt to set things right.
Further Advice on Getting Things Ready for 25 May 2018
The General Data Protection Regulation has the full force of law from 25 May 2018 onward, and supersedes all applicable Irish laws, regulations, and policies from that date. We recommend incorporating the rights of data owners who are also your customers into your immediate plans. We doubt that forgetting to do so will carry much weight with the Data Commissioner. Remember, you have one month to respond to consumer requests, and only one more month to close things out if the matter is complex.