A Business Guide to Data Protection
Sunday, May 5 2013
There are many issues to consider when starting up a company, ranging from registration to taxation, but data protection has emerged as a particularly important one for all budding entrepreneurs and businesses.
Data Protection has become a hot topic for the Irish legal system. The unprecedented growth of awareness in the area is evident both in the media and among Irish companies and individuals. The mass use of social network sites like Facebook, the use of cloud computing to store data online and our increasing reliance on technology in all areas of our life has meant that the safe and private storage and retention of our personal data is imperative. It is a case of striking a balance between opposing rights. On one side are the interests of the public and on the other is the freedom of corporate bodies to run their day to day affairs.
In the past year we have seen a shift in favour of the consumer with a greater emphasis on their rights. The result has been that companies must act to preserve their rights to privacy by ensuring that they do not breach data protection laws. Both corporate organisations and the modern state hold a great deal of information about many aspects of our daily lives. Indeed, the amounts of information we give to the state and that which the state takes from us whether it is for reasons of tax, social welfare, education or law enforcement is increasing all the time.
In one recently reported case, a data protection breach occurred when a storage box with confidential files from a counselling service collapsed and documents were found on the street visible to anyone who passed by. In the last few months a number of major telephone companies have also been fined for breaches under the data protection acts by engaging in unsolicited marketing. Experian, the world’s largest credit-checking company was investigated by the Data Protection Commissioner in November for a large number of breaches of it databases.
Social network giant Facebook may face proceedings for breaches of privacy from an Austrian student. In Europe v Facebook campaign Max Schrems, a 25 year old Austrian law student , is seeking to launch a multi-year legal battle that might significantly re- define how Facebook controls the personal data it holds on over one billion people worldwide.
The law on data protection is governed by the 1988 and 2003 Data Protection Acts. Non-compliance with the law can result in one or all of the following consequences:
- Fines can be imposed by the Data Protection Commissioner;
- Companies can be fined by the courts for breach of the acts;
- Companies may have to pay compensation to clients or customers whose rights have been breached; and
- Such breaches may generate negative publicity and have the effect of damaging the company’s reputation.
The duties placed on data controllers (i.e. companies) are not overly onerous if they are properly monitored and regulated. However, many smaller companies are unaware of the obligations under the data protection legislation. Others choose to ignore and disregard them as they feel there are no implications for non-compliance. This approach is reckless at best as the recent fines placed on a number of large corporates signal a clear message from the courts and the Data Protection Commissioner that such breaches will not be tolerated.
Here are eight simple steps you can take to ensure compliance:
- Obtain and process the information fairly.
- Keep it only for one (or more) specified or lawful purpose
- Process it only in ways compatible with the purpose it was given to you initially
- Keep it safe and secure
- Keep it accurate and up-to-date
- Ensure that it is adequate, relevant and not excessive
- Retain it no longer than is necessary for the specified purpose or purposes
- Give a copy of his/her personal data to any individual on request.
These provisions are binding on every data controller. Any failure to observe them would be a breach of the Act. In the recent case of Michael Collins v FBD, damages were awarded to an individual for the first time under the data protection sections of the 2012 Privacy Bill. This will provide for a new sort of violation of privacy.
Taking into account the jurisprudence of our courts and the European Court of Human Rights, the issue of data protection has never been more topical or significant. Companies must either educate themselves on data protection and ensure they are compliant or risk hefty fines and legal costs.
A Business Guide to Data Protection – Download PDF