Thursday 14 November 2019

Many companies unaware of responsibilities under Data Protection Act

Data Protection Commissioner Billy Hawkes has taken action against errant firms and imposed fines. Photo: Collins

The importance of data protection compliance has never been as evident as it is today.

At the start of this year the EU announced a revision of the Data Protection Acts 1988 and 2003, which will see greater policing of businesses, and of how they manage people's information, introduced over the next two to five years.

Many companies throughout Ireland are unaware of their responsibilities in collecting, storing and destroying data.

That leaves them potentially open to hefty fines from the Data Commissioner, legal action from disgruntled customers or employees, and damage to their reputations in the long run.

It is worth noting too that the courts are insisting upon greater compliance by businesses and the penalties for not adhering to the law can be severe.

Most notable was the landmark fine against FBD in March this year, which saw a claimant awarded €15,000 by the judge for a breach of his data protection rights.

While the intricacies of data protection may be complicated (and you should always consult a professional for advice), there are some steps all types of businesses, from local GPs and retailers to call centres and pharmaceutical firms, can take to establish their level of compliance and identify flaws in their processes.

First things first – do you need to register as a data controller with the Data Protection Commissioner?

In essence, if you process any information about living people and are responsible for deciding what information is to be kept, then it is likely that you are a data controller and you should be registered. Assuming you are already registered, it is important to consider a number of factors, including:

* Are the individuals (often referred to as Data Subjects) that you are collecting data on, aware that you are doing so?

* Have you explained to these individuals what use you make of their data?

* Is all of the data collected relevant to the purpose for which it is processed?

All too often we read about public servants and multinationals losing customer data.

Only as recently as September, Meteor and eMobile were found guilty of data protection breaches following the loss of two laptops containing the information of more than 10,000 customers, and were ordered to pay a fine of €30,000 to two charities, by September 30, or the Probation Act would be applied.

The Data Protection Act states clearly that it is the responsibility of the person managing the data to protect it and that failure to do so may result in fines and compensation for the person whose data has been breached.

Some useful measures all businesses, regardless of size, should take towards better data storage include:

* Introduction of secure firewalls and encryption programmes for all electronic devices containing sensitive customer and employee data.

* Back up all data. This is a valuable piece of advice not just from a compliance perspective but also from the point of view of managing your business.

Whether the data is on paper or a laptop, it is important to have a duplicate of each individual's information stored in a secure manner.

* In addition to storing an individual's data, businesses are also responsible for issuing it to them in a timely fashion upon request.

Businesses should ensure that all customer files are kept up-to-date and introduce procedures for handling requests.

This is an element of the Data Protection Act that is very often overlooked and can attract the attention of the Data Commissioner.

Also, failing to provide customers with information that belongs to them won't do much for your client relationships.

The secure destruction of data is equally as important as its collection and storage. Once data is no longer of use, for example after a stated amount of time following the termination of a contract, it is the responsibility of the business to destroy that data in a secure manner.

The enforcement of data protection is becoming more stringent, with the courts ruling in favour of those whose rights have been breached.

Businesses would be advised to assess their policies and procedures now if they wish to avoid fines and legal costs in the future.

Fintan Lawlor is a dedicated data protection consultant and solicitor at Lawlor Partners

Indo Business