What is GDPR?
GDPR stands for the General Data Protection Regulation. It is an update to existing European law on data protection and will apply across all European Member States including Ireland. GDPR brings in important changes to the way we all handle personal data. It forces us to change the way we think about the privacy of our own personal data as well as that of others.
GDPR – what does it mean in practice?
Broadly speaking, GDPR brings in changes in two areas: (1) Organisations’ responsibilities and (2) Individuals’ rights.
Changes for Organisations
Organisations can no longer gather and use our personal data solely to suit their own needs. Organisations must now:
- Clearly explain to us why they are gathering our personal data and what they are going to use it for;
- Only gather the minimum amount of data necessary for the service to be provided;
- Inform us whether they will share our data with anyone else;
- Only keep our data for as long as they need it. This means organisations usually cannot keep our personal data indefinitely;
- Protect our data from loss or theft;
- Keep our data accurate and up to date.
What’s in it for me?
GDPR provides individuals with important rights. That makes sense given that our personal data relates to us.
In particular, GDPR reinforces our right to ask organisations for a copy of all personal data they are holding relating to us. We have a right to object to direct marketing practices, to ask for inaccuracies in our personal data to be corrected and, in certain cases, for our personal data to be erased. GDPR also gives us the right to seek compensation through the courts where we believe our privacy rights have been infringed.
What is personal data anyway?
Personal data is any data that permits an individual to be identified. It includes the obvious things like names, email and postal addresses but also data we might not think of, such as location data and online identifiers. A recent court ruling also found that exam scripts are personal data.
Anything else I should know about?
You might have heard recent media commentary about the digital age of consent. The Oireachtas recently decided to set this at 16. This means that social media and other online companies will need parental consent where they wish to use the personal data of a child under the age of 16 for marketing purposes or for creating personality profiles.