If customers give their personal data to your business then you hold a legal obligation to keep their details private and secure. Irish data protection legislation regulates the collection, storage and usage of personal data.
Robert Haniver of Mason, Hayes & Curran gives an introduction to the legal responsibilities of businesses when holding customer data.
“Whether you have customers, suppliers or you run employees, the likelihood is you will be dealing with personal data at some stage.”
Robert began his talk by explaining to the participants that if they have customers, suppliers or employees then the likelihood is that they will be dealing with some form of personal data. Personal information is any data in respect of a living individual – in physical or electronic form. Robert explained that a company dealing with personal data may be a data controller, a data processor or both. Robert then explained the rules concerning the collection of ‘basic information’ and ‘Sensitive Personal Data.’ The former requires only ‘implied consent,’ while the latter needs heightened data protection and ‘explicit content’ to obtain. Basic information could be names and email addresses collected for a mailing list while Sensitive Personal Data could include details about race, political and religious beliefs, health information, past criminal convictions, and membership of trade unions.
Robert explained that businesses need prior consent before sending marketing material to an individual who is not a present or past customer. It’s important to be aware that marketing material may be sent to a current or recent customer provided you include an opt out facility.
Websites that collect personal data must have a published Privacy Statement/Privacy Policy. This should say who you are, why you’re collecting personal data, what you’re using it for and who you’re disclosing it to. Privacy Statements must set out users’ rights to access their information, to rectify or erase obsolete data, or challenge unlawful data processing. Some websites are also required to have a cookie policy, which must be prominent. Websites may gain users’ implied consent for cookies through continuing use or by providing a tick box option. Cookies must be necessary for delivering goods or services that the individual is looking for. If a business is exporting personal data outside the EEA, it must ensure the security of that data by signing a standardised agreement with the overseas data controller or processor.
Podcast
The following podcast contains Robert’s talk on Data Protection from the video above but also has a valuable Questions and Answers at the end of the session
Apologies in advance for the low volume, we will improve this for future podcasts.
References
For more about the 8 principles of Data Protection in Ireland see:
“Data Protection Acts 1988 and 2003: A Guide for Data Controllers,” Irish Data Protection Commissioner, accessd July 27, 2015, https://www.dataprotection.ie/docs/A-Guide-for-Data-Contollers/696.htm.
